Lightsail Webserver Setup
Create a Lightsail instance using Linux and the Bitnami LAMP stack. If there isn't already one, create a key pair that will be used for SSH authentication in PuTTY; download the private key and add it to PuTTY's configuration. PuTTY needs the key in .ppk format, so convert the downloaded .pem file with PuTTYgen first. Keep the private key off shared machines: anyone holding it can log in to the server as the bitnami user.
Enable Lightsail to connect to RDS and S3 resources
Go to the Lightsail Console -> Account -> Advanced -> Enable VPC peering for the region of RDS/S3 resources. This only needs to be done once for a given Lightsail region, and applies to all Lightsail servers in that region.
Setting up Lightsail LAMP web server instances
Step 1: Modify the Apache httpd.conf files
Modify the bitnami.conf, bitnami-ssl.conf, and main httpd.conf and httpd-ssl.conf files. The necessary modifications are listed on this page: Apache httpd configuration.
Step 2: Deploy SSL Certificates
Deploy SSL certificates: (more info: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)
In the commands below, replace DOMAIN with your domain name, e.g. "desertedchateau.com"; additional subdomains can be added, including wildcards (wildcards are only possible with the DNS-01 challenge type). Replace EMAIL-ADDRESS with a valid email address, e.g. "youremail@somewhere.com".
Requesting the certificates directly on the Lightsail webservers did not work (the cause was not confirmed; VPC peering was suspected). Request the certificates you need on a local machine, then copy them to each webserver manually (e.g. with scp into /opt/bitnami/letsencrypt/certificates/, the directory the commands in Step 3 expect) and make sure the private key file is never left group- or world-readable. To obtain the certificates, follow the instructions on this page: Generating SSL/TLS Certificates via LetsEncrypt.
Step 3: Update the certificates for Apache to use
Stop all web services on the server:
sudo /opt/bitnami/ctlscript.sh stop
Move the current certificates to .old filenames, create symlinks to the new certificates, and restrict the files to root. chown and chmod follow the symlinks, so the last two commands change the Let's Encrypt files themselves; that is intended, because the private key must be readable only by root (Apache reads it at startup before its workers drop to daemon). The filenames below are for the wildcard certificate; adjust them for your domain:
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*
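The swap above trusts that the new key and certificate belong together and that Apache will accept them. The script below is an added example (not the page's or Bitnami's own tooling) that does the same symlink swap but refuses to proceed unless the certificate's public key matches the private key and the certificate is not about to expire, and rolls the links back if Apache's configtest fails. The paths are the Bitnami defaults used on this page; CERT_DIR, CTLSCRIPT and APACHECTL are assumptions you can override.

```shell
#!/bin/sh
# Added example: verified certificate swap for the Bitnami Apache in Lightsail.
# Run as root. Paths default to the Bitnami layout used on this page.

CERT_DIR="${CERT_DIR:-/opt/bitnami/apache2/conf/bitnami/certs}"
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"
APACHECTL="${APACHECTL:-/opt/bitnami/apache2/bin/apachectl}"

# 0 if the public key inside the certificate equals the public half of the
# private key. Comparing public keys works for both RSA and EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid in $2 days (default 7) from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-7} * 86400 ))" >/dev/null 2>&1
}

# 0 if the file mode is 600 or 400 (a private key must not be group/world readable).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Restore the .old links (used when the new configuration is rejected).
restore_old_links() {
    for f in server.crt server.key; do
        [ -L "$CERT_DIR/$f.old" ] && mv -f "$CERT_DIR/$f.old" "$CERT_DIR/$f"
    done
    return 0
}

# Point server.crt/server.key at the new files. Returns 1 without touching
# the live links if any check fails.
deploy_cert() {
    new_crt="$1"; new_key="$2"
    cert_matches_key "$new_crt" "$new_key" || { echo "refusing: key does not match certificate" >&2; return 1; }
    cert_valid_for_days "$new_crt" 7 || { echo "refusing: certificate expires within 7 days" >&2; return 1; }
    chown root:root "$new_crt" "$new_key" || return 1
    chmod 600 "$new_crt" "$new_key" || return 1
    key_mode_ok "$new_key" || { echo "refusing: key mode is too open" >&2; return 1; }

    "$CTLSCRIPT" stop
    for f in server.crt server.key; do
        if [ -e "$CERT_DIR/$f" ] || [ -L "$CERT_DIR/$f" ]; then
            mv -f "$CERT_DIR/$f" "$CERT_DIR/$f.old"
        fi
    done
    ln -sf "$new_key" "$CERT_DIR/server.key"
    ln -sf "$new_crt" "$CERT_DIR/server.crt"

    # Only bring Apache back up on the new files if it accepts the configuration.
    if ! "$APACHECTL" configtest; then
        echo "configtest failed, restoring previous certificate links" >&2
        restore_old_links
        "$CTLSCRIPT" start
        return 1
    fi
    "$CTLSCRIPT" start
}

# Usage (as root), e.g. for the wildcard certificate named on this page:
#   deploy_cert /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.crt \
#               /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.key
```

cert_matches_key and cert_valid_for_days are also worth running on the local machine before copying files to the server, since a key/certificate mix-up is the most common cause of Apache refusing to start after a renewal.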
Step 4: Change file ownership to daemon
Change the htdocs folder's owner to daemon (the user Apache's worker processes run as), so Apache can read the application files and write to the application's log files under htdocs. Note that this also lets the web server, and therefore any compromised PHP script, rewrite the application code. If you want a tighter setup, keep the code owned by the bitnami user with read access for the daemon group and make only the directories Apache must write to (logs, uploads) group-writable.
sudo chown -R daemon:daemon /opt/bitnami/apache2/htdocs
Make phpMyAdmin config modifications, as detailed on this page: phpMyAdmin Configuration.
Restart all Bitnami services:
sudo /opt/bitnami/ctlscript.sh restart
Step 5: Change executable script permissions
Give permissions 755 (rwx for the owner, rx for group and others) to the folders that contain executable shell scripts. -R applies the mode to every file inside as well, which is what the scripts need; the bitnami user that runs the cron jobs in Step 6 relies on the "others" bits once these files are owned by daemon:
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Cronjobs
sudo chmod -R 755 /opt/bitnami/apache/htdocs/admin
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Scripts
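Steps 4 and 5 give the web server ownership of the whole document root and then make the script folders world-readable and executable. The following is an added example, not the page's own procedure, of a tighter scheme: code stays owned by the bitnami user, Apache's daemon group gets read access, scripts are executable by owner and group only, and just the runtime-writable directories (logs, plus an assumed uploads directory; WRITABLE_DIRS is an assumption to adjust) are group-writable with setgid so files created by either user stay in the daemon group. That also lets the bitnami cron jobs write under logs/cronexlogs without making anything world-writable.

```shell
#!/bin/sh
# Added example: least-privilege permissions for the Bitnami document root.
# Run as root on the server: harden_htdocs /opt/bitnami/apache/htdocs bitnami daemon

DOCROOT="${DOCROOT:-/opt/bitnami/apache/htdocs}"
# Relative to DOCROOT. "uploads" is an assumed name; use your real upload path.
WRITABLE_DIRS="${WRITABLE_DIRS:-logs uploads}"
# Folders holding shell scripts, as listed in Step 5.
SCRIPT_DIRS="${SCRIPT_DIRS:-src/Cronjobs src/Scripts admin}"

# Octal mode of a path (GNU stat), used for the checks below.
mode_of() { stat -c '%a' "$1"; }

# Apply the scheme to $1, owned by $2 with group $3 (bitnami/daemon on the
# servers; the test passes the current user so it can run unprivileged).
harden_htdocs() {
    root="$1"; owner="${2:-bitnami}"; group="${3:-daemon}"
    chown -R "$owner:$group" "$root" || return 1
    # Default: owner full, group read/traverse, others nothing.
    find "$root" -type d -exec chmod 750 {} + || return 1
    find "$root" -type f -exec chmod 640 {} + || return 1
    # Shell scripts are executable by owner and group only.
    for d in $SCRIPT_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -name '*.sh' -exec chmod 750 {} + || return 1
    done
    # Runtime-writable trees: group-writable, setgid directories, files 660.
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 2770 {} + || return 1
        find "$root/$d" -type f -exec chmod 660 {} + || return 1
    done
    return 0
}

# Report any file under the code tree that is group- or world-writable,
# which with this scheme should only appear inside WRITABLE_DIRS.
writable_code_files() {
    root="$1"
    prune=""
    for d in $WRITABLE_DIRS; do prune="$prune -path $root/$d -prune -o"; done
    # shellcheck disable=SC2086
    find "$root" $prune -type f -perm /022 -print
}
```

After running harden_htdocs on a server, writable_code_files should print nothing; anything it lists is a file the web server could modify and is worth investigating.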
Step 6: Add cronjobs
To modify the bitnami user's crontab, run the following command while logged in as the bitnami user:
crontab -e
The first time you run this you are asked to choose an editor (nano is the simplest if you aren't familiar with the others). You can then add the cronjobs you want to the bitnami crontab. The jobs below append their output to /opt/bitnami/apache/htdocs/logs/cronexlogs; that directory must exist and be writable by the bitnami user. After Step 4 it is owned by daemon, so check this: if the shell cannot open the log file, the redirect fails and the job does not run at all.
Deserted Chateau: All Webservers
All webservers for Deserted Chateau should have the following cronjobs added:
# Add the below lines to your Bitnami LAMP server's non-root Crontab (specifically, the bitnami user crontab).
# These lines should be added to ALL servers, including the primary cronjob server.
# Delete temporary server uploads.
0 1 * * * /opt/bitnami/apache/htdocs/src/Cronjobs/DeleteTempUploads.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/DeleteTempUploads.log 2>&1
Deserted Chateau: Primary Webserver (one only)
One webserver (and one only) should also have the following cronjobs added to it:
# Add the below lines to your Bitnami LAMP server's non-root Crontab (specifically, the bitnami user crontab).
# NOTE: These cronjobs are only to be run on one server, to ensure database consistency.
# The individual server crontab should be added to this for the primary cronjob server.
0 * * * * /opt/bitnami/apache/htdocs/src/Cronjobs/CheckEmailErrorQueue.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/CheckEmailErrorQueue.log 2>&1
0 0 1 * * /opt/bitnami/apache/htdocs/src/Cronjobs/RemoveOldLoginHistory.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/RemoveOldLoginHistory.log 2>&1
0 0 2 * * /opt/bitnami/apache/htdocs/src/Cronjobs/DeactivateUsersDueForDeactivation.sh >> /opt/bitnami/apache/htdocs/logs/cronexlogs/DeactivateUsersDueForDeactivation.log 2>&1
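Because the primary-only jobs must exist on exactly one host, it is easy to end up with two servers running them after a rebuild. The script below is an added example (not the project's own tooling) that generates the bitnami crontab from the job lists above for a given role, checks that the cron log directory is writable before anything is scheduled, and installs the result atomically instead of hand-editing with crontab -e. The paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: render and install the bitnami user's crontab by role.
# Run as the bitnami user:  install_crontab primary   or   install_crontab secondary

CRON_DIR="${CRON_DIR:-/opt/bitnami/apache/htdocs/src/Cronjobs}"
CRON_LOG_DIR="${CRON_LOG_DIR:-/opt/bitnami/apache/htdocs/logs/cronexlogs}"

# One crontab line: $1 schedule, $2 script basename (without .sh). Output is
# appended to a log file of the same name so failures leave a trace.
cron_line() {
    printf '%s %s/%s.sh >> %s/%s.log 2>&1\n' "$1" "$CRON_DIR" "$2" "$CRON_LOG_DIR" "$2"
}

# Print the full crontab for a role: "primary" (one server only) or "secondary".
render_crontab() {
    case "$1" in
        primary|secondary) ;;
        *) echo "role must be primary or secondary" >&2; return 1 ;;
    esac
    echo "# Managed by install_crontab; role: $1. Do not edit with crontab -e."
    # Shared jobs: every webserver.
    cron_line '0 1 * * *' DeleteTempUploads
    if [ "$1" = primary ]; then
        # Database-touching jobs: exactly one webserver, to keep the DB consistent.
        cron_line '0 * * * *' CheckEmailErrorQueue
        cron_line '0 0 1 * *' RemoveOldLoginHistory
        cron_line '0 0 2 * *' DeactivateUsersDueForDeactivation
    fi
}

# Number of job lines (comments ignored) in a crontab read from stdin.
count_jobs() { grep -c -v '^#'; }

# Render to a temporary file first so a bad role can never install an empty
# crontab, then replace the caller's crontab with the rendered file.
install_crontab() {
    tmpf=$(mktemp) || return 1
    if ! render_crontab "$1" > "$tmpf"; then rm -f "$tmpf"; return 1; fi
    mkdir -p "$CRON_LOG_DIR" 2>/dev/null
    if [ ! -w "$CRON_LOG_DIR" ]; then
        echo "$CRON_LOG_DIR is not writable by $(id -un); fix its ownership before installing jobs" >&2
        rm -f "$tmpf"
        return 1
    fi
    crontab "$tmpf"; status=$?
    rm -f "$tmpf"
    [ "$status" -eq 0 ] && crontab -l
    return "$status"
}
```

Since install_crontab replaces the whole crontab, put any additional per-server jobs into render_crontab rather than adding them by hand afterwards, otherwise the next run removes them.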
Step 7: Add logrotate configuration to the server
By default, logrotate processes every file in the /etc/logrotate.d directory in its daily cronjob. The commands below install our own logrotate configuration there. logrotate ignores a config file that is writable by group or others, so the installed copy must be owned by root with mode 644:
sudo cp /opt/bitnami/apache/htdocs/src/Config/Logging/desertedchateau /etc/logrotate.d/desertedchateau
sudo chown root:root /etc/logrotate.d/desertedchateau
sudo chmod 644 /etc/logrotate.d/desertedchateau
Check that logrotate parses the file before relying on it (-d is a dry run that prints what it would do without rotating anything):
sudo logrotate -d /etc/logrotate.d/desertedchateau
Step 8: Update APT, PECL, and PHPRedis
Both the redis and yaml PECL extensions need to be installed (phpredis itself does not depend on yaml, so install both regardless). Update APT and the PECL channel first or the builds can fail, and install libyaml-dev before building yaml. Call the Bitnami PHP's pecl by its full path so that sudo's restricted PATH does not pick up a system copy:
sudo apt-get update
sudo apt-get install libyaml-dev
sudo /opt/bitnami/php/bin/pecl channel-update pecl.php.net
sudo /opt/bitnami/php/bin/pecl install redis
sudo /opt/bitnami/php/bin/pecl install yaml
pecl builds the extensions but does not enable them: add extension=redis.so and extension=yaml.so to /opt/bitnami/php/etc/php.ini, restart the Bitnami services (sudo /opt/bitnami/ctlscript.sh restart), and confirm with /opt/bitnami/php/bin/php -m that both redis and yaml are listed.
Step 10: Update AWS security groups
VPC peering on its own does not give your Lightsail servers access to the other AWS resources: a Lightsail instance is not a member of your VPC security groups, and a security group's default self-referencing "allow all" rule only matches traffic from members of that same group.
Update the inbound rules of the security group attached to the RDS and Redis resources to allow TCP port 3306 (MariaDB) and TCP port 6379 (Redis) from each webserver's private IP as a /32 rule, rather than from the whole Lightsail address range. The private IPs are shown in the Lightsail console; an instance keeps its private IP for its lifetime, but a rebuilt instance gets a new one, so revisit these rules (and remove the old entry) whenever a webserver is replaced.
Step 11: Add IPTables restrictions (only for test environments)
If you want to restrict access to your test webservers, you can do this by configuring iptables. Details are on this page: Configuring iptables.
This is preferable to using the Lightsail console firewall for large allow-lists: if you are testing Stripe functionality, for instance, you need to allow a large number of Stripe IPs, which is very tedious in the console interface. Two caveats: iptables rules are lost on reboot unless you save them (e.g. with iptables-persistent), and the Lightsail firewall still applies in front of them, so keep the console rules as the outer layer rather than opening everything there.