
Lightsail Webserver Setup

Create a Lightsail instance using Linux and the Bitnami LAMP stack. If there isn't one already, create an SSH key pair that will be used for SSH authentication in PuTTY; download the private key (a .pem file) and add it to PuTTY's configuration (PuTTY needs it converted to .ppk with PuTTYgen first). Keep that private key off shared drives: anyone holding it can log in to the instance as the bitnami user.

Enable Lightsail to connect to RDS and S3 resources

Go to the Lightsail Console -> Account -> Advanced -> Enable VPC peering for the region of the RDS/S3 resources. This only needs to be done once for a given Lightsail region, and applies to all Lightsail servers in that region. Lightsail peers only with the region's default VPC, so the RDS and Redis instances must live in the default VPC for this to work.

Setting up Lightsail web server instances

Step 1: Modify the Apache httpd.conf files

Modify the bitnami.conf, bitnami-ssl.conf, and main httpd.conf and httpd-ssl.conf files. The necessary modifications are listed on this page: Apache httpd configuration.

Step 2: Deploy SSL Certificates

Deploy SSL certificates: (more info: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)

In the command below, replace desertedchateau.com with your own domain name. Additional domains and subdomains can be added with further --domains flags, including wildcards (wildcards are only possible with the DNS-01 challenge type, which is why the Route 53 DNS provider is used here). Replace youremail@somewhere.com with a valid email address; Let's Encrypt sends expiry warnings to it.

Attempting to get the SSL certificates directly on the Lightsail webservers themselves does not work, presumably due to VPC peering. You will need to request the certificates you need on a local machine, then deploy them to the webservers manually. The full procedure is on this page: Generating SSL/TLS Certificates via LetsEncrypt. The short version follows.

Install Go, which is required for Lego to work: https://go.dev/doc/install

Install the Lego client: https://github.com/go-acme/lego/releases (click "show all assets" to see the Windows releases).

With these installed, run the following commands in a Windows command prompt, substituting the IAM keys for a user with Route 53 permissions and the Hosted Zone ID for the domain (visible in the Route 53 console). Make sure you do this from a command prompt with administrator privileges or you will get "missing endpoint" errors. Give that IAM user only the Route 53 permissions Lego needs (changing record sets and reading the hosted zone), scoped to that hosted zone: its keys are long-lived and sit on a workstation.

set AWS_ACCESS_KEY_ID=<access key for Route 53 IAM user>
set AWS_SECRET_ACCESS_KEY=<secret key for Route 53 IAM user>
set AWS_REGION=eu-west-3
set AWS_HOSTED_ZONE_ID=<hosted zone ID>
lego.exe --domains desertedchateau.com --domains *.desertedchateau.com --email youremail@somewhere.com --dns route53 --accept-tos=true run

Each set command goes on its own line: cmd.exe does not treat a trailing backslash as a line continuation. Lego writes the certificate and key into a .lego\certificates folder under the directory it was run from, naming the files after the first --domains value with _ in place of *.

Step 3: Update the certificates for Apache to use

Stop all web services on the server:

sudo /opt/bitnami/ctlscript.sh stop

First copy the certificate and key that Lego produced to /opt/bitnami/letsencrypt/certificates/ on the server (for example with pscp or scp over SSH; create the directory if it does not exist). Lego names the files after the first --domains value, with _ in place of *, so adjust the _.desertedchateau.com filenames below to match what it actually wrote. Then move the current certificates to .old filenames, and create a symlink to the new certificates:

sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*

chown and chmod follow symlinks, so the last two commands tighten the real files under /opt/bitnami/letsencrypt/certificates/ (and the .old copies), which is what you want: the private key must not be readable by the daemon or bitnami users. Apache reads the key as root while starting up, so the 600 mode does not get in its way. A typo in either symlink target is only noticed when the stack restarts in Step 4, so check that both links resolve before moving on.
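The copy/symlink/permission sequence above is worth scripting, both because it is repeated on every renewal and on every webserver, and because the two mistakes that most often leave Apache serving the old certificate or refusing to start (a key that does not match the certificate, and a certificate that is already near expiry) are cheap to check first. The script below is an added example and is not part of the Bitnami stack or the Deserted Chateau tooling. It assumes Lego's output has already been copied to the server, takes absolute paths to the certificate and key, and accepts an optional third argument for the certs directory so the functions can be exercised against a scratch directory; the Bitnami paths are the ones this page uses.

```bash
#!/bin/bash
# deploy-cert.sh: added example, not part of the Bitnami stack or the Deserted Chateau tooling.
# Installs a certificate/key pair produced elsewhere (e.g. by Lego on a workstation and
# copied to the server) as Apache's server.crt/server.key, the way the manual steps do,
# but only after checking that the key matches the certificate and that the certificate
# is not about to expire. The Bitnami paths are the page's; everything else is assumed.
set -eu

# 0 if the public key in the certificate equals the one derived from the private key,
# 1 otherwise (typical causes: wrong file copied, key left over from a previous Lego run).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid for at least $2 seconds (default 7 days).
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-604800}" -in "$1" >/dev/null
}

# install_cert CERT KEY CERTS_DIR: keep the current pair as .old, point server.crt and
# server.key at the new files, and tighten the real files (chmod/chown follow symlinks).
# Use absolute paths, otherwise the symlinks are resolved relative to CERTS_DIR.
install_cert() {
    local cert=$1 key=$2 dir=$3 f
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing: $key does not match $cert" >&2; return 1
    fi
    if ! cert_valid_for "$cert"; then
        echo "refusing: $cert expires within 7 days, renew it first" >&2; return 1
    fi
    mkdir -p "$dir"
    for f in server.crt server.key; do
        if [ -e "$dir/$f" ] || [ -L "$dir/$f" ]; then mv -f "$dir/$f" "$dir/$f.old"; fi
    done
    ln -sf "$cert" "$dir/server.crt"
    ln -sf "$key" "$dir/server.key"
    chmod 600 "$cert" "$key"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$cert" "$key"; fi
    echo "installed $cert as $dir/server.crt"
}

# Check the Apache config before restarting, so a bad certificate path cannot take the site down.
restart_bitnami() {
    sudo /opt/bitnami/apache2/bin/apachectl -t
    sudo /opt/bitnami/ctlscript.sh restart
}

# Usage (on the server, after copying Lego's output to /opt/bitnami/letsencrypt/certificates):
#   sudo ./deploy-cert.sh /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.crt \
#                         /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.key
if [ "$#" -ge 2 ]; then
    install_cert "$1" "$2" "${3:-/opt/bitnami/apache2/conf/bitnami/certs}"
    restart_bitnami
fi
```

The match check compares the public key embedded in the certificate with the one derived from the private key, which catches the wrong-file and stale-key cases without needing to know the key type. The expiry check refuses certificates with less than a week left, since deploying one of those only moves the outage.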

Step 4: Change file ownership to daemon

Change the htdocs folder's owner to daemon (which Apache runs as), so Apache can read the files and write to logs.

sudo chown -R daemon:daemon /opt/bitnami/apache2/htdocs

This gives the Apache process write access to the application code as well as to its log and upload folders, so any bug that lets the site write files can be used to modify the site itself. If the code is deployed from version control, a tighter arrangement is to leave the code owned by bitnami (readable by daemon) and chown only the directories Apache genuinely needs to write to.

Make phpMyAdmin config modifications, as detailed on this page: phpMyAdmin Configuration.

Restart all Bitnami services:

sudo /opt/bitnami/ctlscript.sh restart

Step 5: Change executable script permissions

Give permissions 755 (RWX, RX, RX) to the folders that contain executable shell scripts. With -R this also marks every file inside as executable, which is what the cron scripts need, while only the owner (daemon, after Step 4) can modify them. /opt/bitnami/apache and /opt/bitnami/apache2 are the same tree on current Bitnami images (one is a symlink to the other), so the two spellings used on this page are interchangeable.

sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Cronjobs
sudo chmod -R 755 /opt/bitnami/apache/htdocs/admin
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Scripts

Step 6: Add cronjobs

To modify the bitnami crontab for the server, run the following command whilst logged in as the bitnami user:

crontab -e

The first time you run this, you are asked to choose an editor (if you aren't familiar with the others, nano is definitely simplest). You can then add any cronjobs you want to run into the bitnami crontab file. cron runs jobs with a minimal environment and PATH, which is why every entry below uses absolute paths for both the script and its log; the >> ... 2>&1 redirect keeps each job's output, errors included, in its own log file instead of in cron mail.

Deserted Chateau: All Webservers

All webservers for Deserted Chateau should have the following cronjobs added:

# Add the below lines to your Bitnami LAMP server's non-root Crontab (specifically, the bitnami user crontab).
# These lines should be added to ALL servers, including the primary cronjob server.

# Delete temporary uploads.
0 1 * * * /opt/bitnami/apache/htdocs/src/Cronjobs/DeleteTempUploads.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/DeleteTempUploads.log 2>&1

Deserted Chateau: Primary Webserver (one only)

One webserver (and one only) should also have the following cronjobs added to it:

# Add the below lines to your Bitnami LAMP server's non-root Crontab (specifically, the bitnami user crontab).
# NOTE: These cronjobs are only to be run on one server, to ensure database consistency.
# The individual server crontab should be added to this for the primary cronjob server.
0 * * * * /opt/bitnami/apache/htdocs/src/Cronjobs/CheckEmailErrorQueue.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/CheckEmailErrorQueue.log 2>&1
0 0 1 * * /opt/bitnami/apache/htdocs/src/Cronjobs/RemoveOldLoginHistory.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/RemoveOldLoginHistory.log 2>&1
0 0 2 * * /opt/bitnami/apache/htdocs/src/Cronjobs/DeactivateUsersDueForDeactivation.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/DeactivateUsersDueForDeactivation.log 2>&1

The "all webservers" entry goes on the primary server as well, so its crontab is the union of the two lists. The primary-only jobs change shared database rows, so a second server running them would race with the first on the same rows; if the primary is ever rebuilt, move these entries to its replacement rather than copying them.
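Editing each server's crontab by hand with crontab -e works for one box, but it is easy to end up with duplicated or missing entries across several webservers and across rebuilds. The script below is an added example (not part of the Deserted Chateau repository or of Bitnami) that installs the entries above idempotently, with the primary-only jobs gated behind a role flag. The job lines are the ones from this page; the role names "web" and "primary" are this script's own convention.

```bash
#!/bin/bash
# install-cron.sh: added example, not part of the Deserted Chateau repository or Bitnami.
# Writes the page's cron entries into the current user's crontab idempotently, so it can
# be re-run on every deploy without duplicating lines. The job lines are the page's; the
# role names ("web" and "primary") are this script's own convention.
set -eu

CRON_DIR=/opt/bitnami/apache/htdocs/src/Cronjobs
LOG_DIR=/opt/bitnami/apache/htdocs/logs/cronexlogs

# Jobs every webserver runs.
COMMON_JOBS="0 1 * * * $CRON_DIR/DeleteTempUploads.sh >> $LOG_DIR/DeleteTempUploads.log 2>&1"

# Jobs that change shared database state: exactly one server may run these.
PRIMARY_JOBS="0 * * * * $CRON_DIR/CheckEmailErrorQueue.sh >> $LOG_DIR/CheckEmailErrorQueue.log 2>&1
0 0 1 * * $CRON_DIR/RemoveOldLoginHistory.sh >> $LOG_DIR/RemoveOldLoginHistory.log 2>&1
0 0 2 * * $CRON_DIR/DeactivateUsersDueForDeactivation.sh >> $LOG_DIR/DeactivateUsersDueForDeactivation.log 2>&1"

# merge_crontab EXISTING JOBS: print EXISTING, then every line of JOBS not already in it.
# Whole-line fixed-string matching, so '*' and '>>' in the entries are taken literally.
merge_crontab() {
    local existing=$1 jobs=$2 line
    if [ -n "$existing" ]; then printf '%s\n' "$existing"; fi
    printf '%s\n' "$jobs" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! printf '%s\n' "$existing" | grep -qxF -- "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# jobs_for_role ROLE: "primary" gets both lists, any other role only the common one.
jobs_for_role() {
    if [ "$1" = primary ]; then
        printf '%s\n%s\n' "$COMMON_JOBS" "$PRIMARY_JOBS"
    else
        printf '%s\n' "$COMMON_JOBS"
    fi
}

# install_role ROLE: replace the calling user's crontab with the merged version
# (run as the bitnami user, whose crontab the page uses).
install_role() {
    local current
    current=$(crontab -l 2>/dev/null || true)
    merge_crontab "$current" "$(jobs_for_role "$1")" | crontab -
}

# Usage: ./install-cron.sh web        (every webserver)
#        ./install-cron.sh primary    (the one primary cronjob server)
if [ "$#" -eq 1 ]; then install_role "$1"; fi
```

Because the merge only appends lines that are not already present verbatim, running it twice, or running it on a server that was first set up by hand, leaves the crontab unchanged; any entries you added manually for other purposes are preserved.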

Step 7: Add logrotate configuration to server

By default, logrotate includes every file in the /etc/logrotate.d directory in its daily cronjob. The commands below add our own logrotate configuration to that folder. Switch to superuser (sudo su) before doing this, as /etc/logrotate.d is only writable by root.

sudo su
chown root:root /opt/bitnami/apache/htdocs/src/Config/Logging/desertedchateau
cp /opt/bitnami/apache/htdocs/src/Config/Logging/desertedchateau /etc/logrotate.d/desertedchateau

logrotate silently ignores a file in /etc/logrotate.d that is not owned by root or that is writable by group or others, so the copy must end up owned by root with mode 0644 (copying as root gives root ownership; check the mode with ls -l). It is the copy in /etc/logrotate.d whose ownership matters; the chown on the source file inside htdocs only undoes Step 4 for that one file. Run logrotate -d /etc/logrotate.d/desertedchateau afterwards: it dry-runs the configuration and reports any errors now rather than in the nightly run.
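The contents of src/Config/Logging/desertedchateau are not shown on this page. The fragment below is an added example of what such a file needs in this setup, not the project's actual file: the log path is the cron log directory used in Step 6, the owner is the daemon user set in Step 4, and the retention numbers are assumptions. The su directive is the non-obvious part: modern logrotate refuses to rotate logs in a directory that is writable by a non-root user unless told which user to run as, and the failure only shows up in the nightly run.

```conf
# /etc/logrotate.d/desertedchateau (added example; the project's real file is not shown on this page)
/opt/bitnami/apache/htdocs/logs/cronexlogs/*.log {
    # The log directory is owned by daemon after Step 4, not by root. Without this line
    # logrotate skips the directory with "parent directory has insecure permissions".
    su daemon daemon
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    # Recreate each log with the owner the cron jobs expect, so they can keep appending.
    create 0640 daemon daemon
}
```

Match the user and group in su and create to whoever actually owns the log directory on your server; if you changed the ownership from what Step 4 produces, change them here too.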
Step 8: Update APT, PECL, and PHPRedis

YAML is required for PHPRedis to function properly. PECL may not install correctly without the proper update commands first, and the yaml extension will not build until libyaml-dev is present, so keep the order below.

sudo apt-get update
sudo pecl channel-update pecl.php.net
sudo pecl install redis
sudo apt-get install libyaml-dev
sudo pecl install yaml

pecl compiles the extensions but does not enable them: add extension=redis.so and extension=yaml.so to Bitnami's php.ini (/opt/bitnami/php/etc/php.ini), restart the stack, and confirm with php -m that redis and yaml are listed. If sudo pecl cannot be found, or it reports a PHP other than Bitnami's, use Bitnami's own copy under /opt/bitnami/php/bin so the extensions are built against the PHP that Apache actually runs.

Step 10: Update AWS security groups to allow this Lightsail server to access RDS/Redis

VPC peering on its own does not give your Lightsail servers access to other AWS resources: the Lightsail instance is not a member of the security group attached to RDS or Redis, and a security group's "allow all from this group" rule only matches traffic from members of that group.

Update your security group's inbound rules to allow TCP ports 3306 (MariaDB) and 6379 (Redis) from your webserver's private IP as a /32 (and likewise from each of the other webservers you have). These IPs are shown in the Lightsail console. Use the private IP, not the public or static one: peered traffic arrives from the private address, and a Lightsail static IP only replaces the public address. The private IP belongs to the instance, so a rebuilt webserver gets a new one and needs its own rule (remove the old rule at the same time). Do not open these ports to 0.0.0.0/0 or to the whole peered range just to make the connection work.
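Adding these rules by hand in the console is where the usual mistakes creep in: a /16 instead of a /32, a public IP instead of the private one, or a rule with no description saying which webserver it belongs to. The helper below is an added example, not part of the page's tooling or of the AWS documentation. It checks each address against Lightsail's 172.26.0.0/16 private range (an assumption; confirm it against your console), builds one /32 rule per webserver for each of the two ports, and only calls aws ec2 authorize-security-group-ingress when APPLY=1, printing the exact command otherwise. The security group id and server names in the usage line are placeholders.

```bash
#!/bin/bash
# sg-allow-webservers.sh: added example, not part of the page's tooling or the AWS docs.
# Builds least-privilege ingress rules (one /32 per webserver, one rule per port) for the
# RDS/Redis security group and applies them with the AWS CLI. The 172.26.0.0/16 range,
# the security group id and the server names are assumptions; read the real private IPs
# from the Lightsail console.
set -eu

# 0 if $1 is a dotted-quad IPv4 address inside Lightsail's private range, 1 otherwise.
is_lightsail_private() {
    case "$1" in
        172.26.*.*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ip_permissions PORT NAME:IP [NAME:IP ...]: print the --ip-permissions JSON for one
# port, one /32 per webserver, with the server name as the rule description so the
# rule can be found and removed when that server is rebuilt.
ip_permissions() {
    local port=$1 ranges="" entry name ip
    shift
    for entry in "$@"; do
        name=${entry%%:*}; ip=${entry#*:}
        if ! is_lightsail_private "$ip"; then
            echo "rejecting $name: $ip is not a Lightsail private address" >&2; return 1
        fi
        ranges="$ranges,{\"CidrIp\":\"$ip/32\",\"Description\":\"$name\"}"
    done
    printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[%s]}]' "$port" "$port" "${ranges#,}"
}

# authorize SG_ID PORT NAME:IP ...: apply the rule when APPLY=1, otherwise print the
# exact command for review.
authorize() {
    local sg=$1 port=$2 perms
    shift 2
    perms=$(ip_permissions "$port" "$@") || return 1
    if [ "${APPLY:-}" = 1 ]; then
        aws ec2 authorize-security-group-ingress --group-id "$sg" --ip-permissions "$perms"
    else
        printf "aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions '%s'\n" "$sg" "$perms"
    fi
}

# Usage: APPLY=1 ./sg-allow-webservers.sh sg-0123456789abcdef0 web1:172.26.1.10 web2:172.26.1.11
if [ "$#" -ge 2 ]; then
    sg=$1; shift
    for port in 3306 6379; do authorize "$sg" "$port" "$@"; done
fi
```

The per-rule Description is what makes the later clean-up possible: when a webserver is rebuilt and its private IP changes, the stale rule can be found by name rather than by guessing which /32 it was.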

Step 11: Add iptables restrictions (only for test environments)

If you want to restrict access to your test webservers, you can do this by configuring iptables: iptables-script.sh applies an allow-list containing your own IP address and all current Stripe IP addresses (the Stripe addresses are allowed so that Stripe can still reach the server). Details are on this page: Configuring iptables.