
General Webserver Setup

This page focuses on setting up webservers in AWS Lightsail using the Bitnami LAMP stack image, but many of the basic principles apply to setting up similar webservers elsewhere.

Setting up Lightsail Bitnami LAMP web servers

Step 1: Create a Lightsail LAMP Stack instance

Create a Lightsail instance using Linux and the Bitnami LAMP stack image. If you don't already have one, create a key pair to be used for SSH authentication in PuTTY; download the private key, keep it on your workstation only, and configure a new PuTTY saved session for connecting to your webserver. Instructions for that are here.

Step 2: Modify the Apache configuration

Modify the httpd.conf, bitnami.conf and bitnami-ssl.conf configuration files, to ensure Apache is secure and also that any redirects you need are set up properly. The necessary modifications are detailed on this page.

Step 3: Deploy SSL Certificates

Deploy SSL certificates: (more info: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)

In the commands below, replace DOMAIN with your domain name, e.g. "desertedchateau.com". Additional subdomains can be added, including wildcards (a wildcard name can only be validated with the DNS-01 challenge type).

Be aware that a wildcard name cannot be validated by the HTTP-01 challenge, so including one with the wrong challenge type makes the whole certificate request fail, and the cronjob that renews your certificates fails the same way. Unless you specifically need a wildcard, request just your domain name and the subdomains you actually use.

Replace EMAIL-ADDRESS with your valid email address, e.g. "youremail@somewhere.com".

Requesting the SSL certificates directly on the Lightsail webservers will fail if they sit behind a load balancer: the HTTP-01 validation request arrives at the load balancer, which can route it to an instance other than the one running the certificate client. Request the certificates you need on a local machine instead, then deploy them to the webservers manually, following the instructions here. Bear in mind that nothing will renew them automatically, so keep a schedule to renew and redeploy them before they expire (Let's Encrypt certificates are valid for 90 days).

Step 4: Update the certificates for Apache to use

Stop all web services on the server:

# This script is only on Bitnami instances.
sudo /opt/bitnami/ctlscript.sh stop

Move the current certificates to .old filenames, and symlink the new certificates into their place. The _.DOMAIN file names below are the ones the Let's Encrypt client produced for this site; use whatever names it produced for yours. Note that chown and chmod follow symlinks, so the last two commands change the owner and mode of the Let's Encrypt files themselves (and the server* glob also covers the .old copies). Apache reads the private key as root before dropping to the daemon user, so root-only access is the correct setting.

sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*
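The Step 4 swap as one script, added here as an example rather than taken from the page or from Bitnami. Before touching Apache it checks that the new certificate actually matches the new private key (a mismatch is the usual reason Apache refuses to start after a manual deploy) and that the certificate is not about to expire, and after the swap it runs a config test before bringing the services back up. The paths are the ones used above; the apachectl location and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or the Bitnami stack:
# verify a freshly obtained key/certificate pair and then perform the
# Step 4 swap in one place. Paths follow the page; DOMAIN is passed as $1.
set -eu

CERT_DIR=/opt/bitnami/apache2/conf/bitnami/certs
LE_DIR=/opt/bitnami/letsencrypt/certificates
APACHECTL=/opt/bitnami/apache2/bin/apachectl   # assumed location on the Bitnami image

# 0 if the public key in the certificate matches the private key, 1 if not,
# 2 if either file cannot be parsed. Works for RSA and EC keys.
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid for at least $2 seconds from now.
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# owner:group:mode of the file a path points at (follows symlinks), e.g. root:root:600
cert_perms() { stat -L -c '%U:%G:%a' "$1"; }

deploy_cert() {
  domain=$1
  key="$LE_DIR/_.$domain.key"
  crt="$LE_DIR/_.$domain.crt"

  # Refuse to install a pair Apache could not start with, or one about to expire.
  cert_key_match "$crt" "$key" || { echo "key/cert mismatch for $domain" >&2; return 1; }
  cert_valid_for "$crt" $((30 * 24 * 3600)) || { echo "$crt expires within 30 days" >&2; return 1; }

  /opt/bitnami/ctlscript.sh stop
  for f in server.crt server.key; do
    if [ -e "$CERT_DIR/$f" ]; then mv -f "$CERT_DIR/$f" "$CERT_DIR/$f.old"; fi
  done
  ln -sf "$key" "$CERT_DIR/server.key"
  ln -sf "$crt" "$CERT_DIR/server.crt"
  # chown/chmod follow symlinks, so this tightens the Let's Encrypt files themselves;
  # root:600 is fine because Apache reads the key as root before dropping to daemon.
  chown root:root "$key" "$crt"
  chmod 600 "$key" "$crt"
  [ "$(cert_perms "$CERT_DIR/server.key")" = root:root:600 ] || { echo "unexpected key permissions" >&2; return 1; }

  # Catch a config error before the site goes back up.
  "$APACHECTL" configtest
  /opt/bitnami/ctlscript.sh start
}

# Usage: sudo ./deploy-cert.sh desertedchateau.com
if [ $# -eq 1 ]; then
  deploy_cert "$1"
fi
```

The key/certificate comparison extracts the public key from both files and compares the PEM text, which works for RSA and EC keys alike; comparing moduli, the older idiom, only works for RSA.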

Step 5: Change file ownership to daemon

Change the owner of the htdocs folder to daemon (the user Apache and PHP run as), so the application can read its files and write to the locations it needs, such as its log and upload directories. Bear in mind this also means any code running under Apache can overwrite the application's own files; if the application only needs to write to a few directories, giving daemon ownership of just those is a tighter alternative.

sudo chown -R daemon:daemon /opt/bitnami/apache2/htdocs

Make phpMyAdmin config modifications, as detailed on this page, then restart all Bitnami services:

sudo /opt/bitnami/ctlscript.sh restart

Step 6: Change executable script permissions

Give permissions 755 (owner rwx, group r-x, others r-x) to the folders that contain executable shell scripts. Note that -R sets the execute bit on every file under those folders, not only the scripts:

sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Cronjobs
sudo chmod -R 755 /opt/bitnami/apache/htdocs/admin
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Scripts

Step 7: Add cronjobs

To modify the bitnami crontab for the server, run the following command whilst logged in as the bitnami user:

crontab -e

The first time you run this, you are asked to choose an editor (if you aren't familiar with the others, nano is definitely the easiest one to use). You can then add any cronjobs you want to run into the bitnami crontab file.

Go to the crontabs page here to see the specific changes you need to make.

Step 8: Add logrotate configuration to server 

logrotate's default configuration includes every file in the /etc/logrotate.d directory, and the daily cronjob runs it, so copying our own logrotate configuration into that folder is enough. logrotate ignores a configuration file that is not owned by root or is writable by group or others, which is why the copy below is made as root; you can check the result without rotating anything by running logrotate -d /etc/logrotate.d/desertedchateau.

sudo su
chown root:root /opt/bitnami/apache/htdocs/src/Config/Logging/desertedchateau
cp /opt/bitnami/apache/htdocs/src/Config/Logging/desertedchateau /etc/logrotate.d/desertedchateau

Step 9: Update APT, PECL, Redis, and PHPRedis

YAML is required for PHPRedis to function properly. PECL may not install correctly unless the update commands are run first.

PHPRedis is just a PHP client for Redis; the Redis package itself still needs to be installed for it to work, and to get the redis-cli command. pecl install does not enable an extension by itself: after each pecl install, add the extension= line it prints (extension=redis.so, extension=yaml.so) to php.ini and restart Apache.

sudo apt-get update
sudo pecl channel-update pecl.php.net
sudo pecl install redis
# libyaml-dev must be present before the yaml extension will build
sudo apt-get install libyaml-dev
sudo pecl install yaml
sudo apt-get install redis

Step 10: Update AWS security groups (Lightsail only)

VPC peering on its own does not give your Lightsail servers access to other AWS resources: a peered Lightsail instance is not a member of the EC2 security group, and a security group rule that allows all traffic from the group itself only matches instances in that group.

Update your security group's inbound rules to allow TCP ports 3306 (MariaDB) and 6379 (Redis) from your webserver's private IP as a /32 (not its public IP: traffic over the peering connection uses private addresses). The private IPs are shown in the Lightsail console. Keep these rules limited to the webservers that need them; neither MariaDB nor Redis should be reachable from anywhere else.

Step 11: Add iptables restrictions (only for test environments not using WAF)

If you are using WAF in your test environment, restricting access to specific IP addresses is much easier there. If you are not using WAF and want to restrict access to your test webservers on the webservers themselves, you can do this by configuring iptables. Details are on this page.

This is preferable to using the Lightsail console firewall, because if you are testing Stripe functionality, for instance, you will need to allowlist a large number of Stripe IPs, which is very tedious to do in the console interface.
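One way to do this, added here as an example and not taken from the page or its linked iptables instructions: keep the allowed client addresses in a file, load them into an ipset (which handles long lists such as a payment provider's ranges far better than one iptables rule per address), and send only ports 80 and 443 through a chain that accepts members of the set and drops everyone else. The allowlist file format, the set name web_allow and the chain name WEB_ALLOW are assumptions. The script prints the commands so you can review them before piping them to a root shell.

```shell
#!/bin/sh
# Added example, not part of the original page: restrict HTTP/HTTPS on a test
# webserver to an allowlist of client addresses using ipset + iptables, which
# scales to long lists such as a payment provider's published ranges. The
# allowlist file format and the set/chain names (web_allow, WEB_ALLOW) are assumptions.
set -eu

SET_NAME=web_allow
CHAIN=WEB_ALLOW

# Print each IPv4 address or CIDR from the allowlist file ($1), one per line.
# Comments (#) and blank lines are skipped; anything that is not shaped like an
# address (format check only, ipset rejects the rest) is reported and dropped,
# so a stray line can never turn into a rule.
read_allowlist() {
  while IFS= read -r line || [ -n "$line" ]; do
    entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
    [ -n "$entry" ] || continue
    if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
      printf '%s\n' "$entry"
    else
      echo "skipping invalid allowlist entry: $entry" >&2
    fi
  done < "$1"
}

# Print the commands that apply the policy, one per line. They are idempotent:
# the set and chain are rebuilt from the file, and the INPUT jump is only added once.
build_rules() {
  echo "ipset create $SET_NAME hash:net -exist"
  echo "ipset flush $SET_NAME"
  read_allowlist "$1" | while read -r entry; do
    echo "ipset add $SET_NAME $entry -exist"
  done
  echo "iptables -N $CHAIN 2>/dev/null || true"
  echo "iptables -F $CHAIN"
  echo "iptables -A $CHAIN -m set --match-set $SET_NAME src -j ACCEPT"
  echo "iptables -A $CHAIN -j DROP"
  # Only the web ports go through the chain; SSH and everything else are untouched.
  echo "iptables -C INPUT -p tcp -m multiport --dports 80,443 -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports 80,443 -j $CHAIN"
}

# Usage: ./web-allowlist.sh /etc/webserver-allowlist.txt            (review the commands)
#        ./web-allowlist.sh /etc/webserver-allowlist.txt | sudo sh  (apply them)
if [ $# -eq 1 ]; then
  build_rules "$1"
fi
```

Re-running the script after editing the file replaces the set contents in place, so adding or removing an address never requires flushing INPUT. If the test server sits behind a load balancer, the load balancer's health-check source addresses must be in the list as well, or the instance will be marked unhealthy. Rules added this way do not survive a reboot unless you persist them (for example with the iptables-persistent package).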