After gaining SSH access to your Amazon virtual machine, perform the following:
# Change to root user
sudo su -

# Update your machine for any important patches
yum update -y

# Install required packages
amazon-linux-extras install nginx1.12
amazon-linux-extras install php7.2
yum install -y php-xml
yum install -y mariadb-server mariadb

# Enable NGINX, PHP-FPM and MySQL (MariaDB) on startup:
systemctl enable nginx
systemctl enable php-fpm
systemctl enable mariadb

# Start the services
systemctl start nginx
systemctl start php-fpm
systemctl start mariadb

# Secure the mysql installation and specify (and remember!) the password you supply for mysql's root user.
# Run the following command:
mysql_secure_installation

Output:
mysql_secure_installation
...
Set root password? [Y/n] Y
New password: *****
Re-enter new password: *****
...
Remove anonymous users? [Y/n] Y
...
Disallow root login remotely? [Y/n] Y
... Success!
...
Remove test database and access to it? [Y/n] Y
...
Reload privilege tables now? [Y/n] Y
...

# Modify php-fpm to run under the nginx user
vi /etc/php-fpm.d/www.conf

# Search for the lines:
user = apache --- MODIFY TO ---> user = nginx
group = apache --- MODIFY TO ---> group = nginx

# Restart php-fpm
systemctl restart php-fpm

# Get the public IP address by running this command
curl http://169.254.169.254/latest/meta-data/public-ipv4

# Add a DNS record to map your domain to this IP address (by contacting your administrator)
# e.g. in this example, I'll map demo.lessonslearned.io to the public IP address, which is 3.16.169.47
demo.lessonslearned.io --> 3.16.169.47

# In some cases, wait for about 5 minutes for the DNS to propagate this entry.
# You can verify by running ping or dig against your domain
ping yourdomain.com
OR
dig +short demo.lessonslearned.io

# Issue an SSL certificate using Let's Encrypt for your server
amazon-linux-extras install epel -y
yum install certbot-nginx -y

# Create a file named /etc/nginx/conf.d/lessonslearned.conf and paste the following into it
# (make sure to replace demo.lessonslearned.io with your domain name):
server {
    listen 80;
    listen [::]:80;
    server_name demo.lessonslearned.io;
    return 301 https://$host$request_uri;
}

# Settings for a TLS enabled server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name demo.lessonslearned.io;
    root /usr/share/nginx/lessonslearned;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

# Run the following command to check that the configuration is valid
nginx -t

Expected output when the configuration is valid:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# Restart nginx
systemctl restart nginx

# Generate SSL cert
certbot --nginx -d demo.lessonslearned.io

Output:
...
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): your@email.com
...
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot?
We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for demo.lessonslearned.io
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/lessonslearned.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://demo.lessonslearned.io
...

# Schedule the Let's Encrypt SSL certificate renewal
crontab -e

# This opens up the vi editor, now do the following:
1. Copy the following line:
   15 3 * * * /usr/bin/certbot renew --quiet
2. In the editor, press the "a" key
3. Right-click to paste
4. Press 'Esc', then type ':wq' (without single quotes) to save and exit.
# Now download and install lessons learned server
cd /usr/share/nginx
wget 'https://www.lessonslearnedserver.com/downloadfile.php?name=lessonslearned_linux64_v3_0_3.tar.gz' -O lessonslearned.tar.gz
tar -zxvf lessonslearned.tar.gz
chown -R nginx:nginx lessonslearned
chmod 755 lessonslearned/private/conf

# Now access your site at https://demo.lessonslearned.io
# Go through the wizard installation steps. Once done, run the following command to guarantee LessonsLearnedServer always uses full encryption
mysql -u root -p lessons_learned_demo -e 'update setting SET value="full" where NAME="web.use_https";'

# (Issue in PHP 7.2) Edit the following line to suppress DEPRECATED errors in PHP 7.2:
vim lessonslearned/llssrc/lls_comm_inc.php

1. Type ':64' to go to line 64.
2. Move the cursor to the last 'L' character in the word 'E_ALL'.
3. Type 'a', then type ' & ~E_DEPRECATED'.
4. Press 'Esc', then type ':wq' to save and quit.
You are now ready to go.
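To confirm the php-fpm edit above took effect for both the user and the group, the following added example (not part of the original guide) parses a pool file and fails if either identity is not nginx. The function names and the sample pool files are constructed for illustration; on the server, point the check at /etc/php-fpm.d/www.conf.

```shell
#!/bin/sh
# Added example: audit the php-fpm pool identity set in the steps above.

# pool_value FILE KEY: print the last active value of KEY.
# Lines starting with ";" are comments in php-fpm pool files and are skipped.
pool_value() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# check_pool_identity FILE WANT: return 0 only if user AND group both equal WANT.
check_pool_identity() {
    rc=0
    for key in user group; do
        got=$(pool_value "$1" "$key")
        if [ "$got" != "$2" ]; then
            echo "FAIL: $key = '${got:-unset}', expected '$2'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample pools (not real server files): one half-edited, one correct.
tmp=$(mktemp -d)
printf '[www]\n; RPM default\nuser = nginx\ngroup = apache\n' > "$tmp/half.conf"
printf '[www]\n;user = apache\nuser = nginx\ngroup = nginx\n' > "$tmp/good.conf"

check_pool_identity "$tmp/half.conf" nginx || echo "half.conf: pool still has an apache identity"
check_pool_identity "$tmp/good.conf" nginx && echo "good.conf: OK"

# On the server itself: check_pool_identity /etc/php-fpm.d/www.conf nginx
```

A pool where only `user` was changed still runs with the apache group, so files created by the application can end up with a group other than the one set by `chown -R nginx:nginx`.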