Installing Lessons Learned on an AWS EC2 Instance (Amazon AMI Linux 2)

After gaining SSH access to your Amazon virtual machine, perform the following:

# Change to root user
 sudo su -

# Update your machine for any important patches
 yum update -y

# Install required packages
 amazon-linux-extras install nginx1.12
 amazon-linux-extras install php7.2
 yum install -y php-xml
 yum install -y mariadb-server mariadb

# Enable NGINX, PHP-FPM and MySQL (MariaDB) on startup:
 systemctl enable nginx
 systemctl enable php-fpm
 systemctl enable mariadb

# Start the services
 systemctl start nginx
 systemctl start php-fpm
 systemctl start mariadb

# Secure the MySQL installation and set (and remember!) the password for MySQL's root user:
 Run the following command:

mysql_secure_installation

Output:

mysql_secure_installation
 ...

Set root password? [Y/n] Y
 New password: *****
 Re-enter new password: *****
 ...
 Remove anonymous users? [Y/n] Y
 ...
 Disallow root login remotely? [Y/n] Y
 ... Success!
 ...
 Remove test database and access to it? [Y/n] Y
 ...
 Reload privilege tables now? [Y/n] Y
 ...

# Modify php-fpm to run under the nginx user
 vi /etc/php-fpm.d/www.conf

# Search for the following lines and change them:
 user = apache --- MODIFY TO ---> user = nginx
 group = apache --- MODIFY TO ---> group = nginx

# Restart php-fpm
 systemctl restart php-fpm

# Get the public IP address by running this command
 curl http://169.254.169.254/latest/meta-data/public-ipv4

# Add a DNS record to map your domain to this IP address (by contacting your administrator)
 e.g. In this example, I'll map demo.lessonslearned.io to the public IP address, which is 3.16.169.47
 demo.lessonslearned.io --> 3.16.169.47

# In some cases, wait about 5 minutes for the DNS to propagate this entry.
# You can verify by running "ping" or "dig" against your domain

ping yourdomain.com 

OR 

dig +short demo.lessonslearned.io
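
The http-01 challenge used later only succeeds if the domain resolves to this instance, so the manual ping/dig check above can be scripted. This is an added example, not part of the original guide: the function names are assumptions of this sketch, and it tries an IMDSv2 session token before falling back to the plain metadata request shown above.

```shell
#!/bin/sh
# Added example: confirm DNS points at this instance before running certbot.
# Function names are this example's own; curl and dig are the real tools.
IMDS=http://169.254.169.254/latest

# Print the instance's public IPv4. Tries IMDSv2 (session token) first and
# falls back to the plain request used in the guide.
instance_public_ip() {
    token=$(curl -sf -m 2 -X PUT "$IMDS/api/token" \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60') || token=
    if [ -n "$token" ]; then
        curl -sf -m 2 -H "X-aws-ec2-metadata-token: $token" \
            "$IMDS/meta-data/public-ipv4"
    else
        curl -sf -m 2 "$IMDS/meta-data/public-ipv4"
    fi
}

# Read `dig +short` output on stdin; succeed only if every A record equals $1.
# CNAME lines (they end in a dot) are skipped; no A record at all is a failure.
all_records_match() {
    want=$1 seen=0
    while IFS= read -r line; do
        case $line in
            ''|*.) continue ;;   # blank line or CNAME target
        esac
        [ "$line" = "$want" ] || return 1
        seen=1
    done
    [ "$seen" -eq 1 ]
}

preflight() {
    domain=$1
    ip=$(instance_public_ip) || { echo "cannot read public IP from IMDS" >&2; return 2; }
    if dig +short A "$domain" | all_records_match "$ip"; then
        echo "$domain -> $ip: ready for certbot"
    else
        echo "$domain does not resolve only to $ip yet; wait before running certbot" >&2
        return 1
    fi
}

# Run only when a domain is passed, e.g.: sh preflight.sh demo.lessonslearned.io
if [ $# -eq 1 ]; then preflight "$1"; fi
```

A stale second A record makes the check fail on purpose, because validation requests may reach the wrong host.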

# Issue an SSL certificate using Let's Encrypt for your server
 amazon-linux-extras install epel -y
 yum install certbot-nginx -y

# Create a file named /etc/nginx/conf.d/lessonslearned.conf and paste the following into it (Make sure to replace demo.lessonslearned.io with your domain name):

server {
    listen 80;
    listen [::]:80;
    server_name demo.lessonslearned.io;

    return 301 https://$host$request_uri;
}

# Settings for a TLS enabled server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name demo.lessonslearned.io;

    root /usr/share/nginx/lessonslearned;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

# Run the following command to check that the configuration is valid
nginx -t

Expected output when the configuration is valid:
 nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
 nginx: configuration file /etc/nginx/nginx.conf test is successful

# Restart nginx
 systemctl restart nginx

# Generate SSL cert
 certbot --nginx -d demo.lessonslearned.io

Output:
 ...
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 cancel): your@email.com
 ...
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 agree in order to register with the ACME server at
 https://acme-v02.api.letsencrypt.org/directory
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (A)gree/(C)ancel: A
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Would you be willing to share your email address with the Electronic Frontier
 Foundation, a founding partner of the Let's Encrypt project and the non-profit
 organization that develops Certbot? We'd like to send you email about our work
 encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (Y)es/(N)o: N
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for demo.lessonslearned.io
 Waiting for verification...
 Cleaning up challenges
 Deploying Certificate to VirtualHost /etc/nginx/conf.d/lessonslearned.conf
 Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 1: No redirect - Make no further changes to the webserver configuration.
 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
 new sites, or if you're confident your site works on HTTPS. You can undo this
 change by editing your web server's configuration.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Congratulations! You have successfully enabled https://demo.lessonslearned.io
 ...

# Schedule the Let's Encrypt SSL certificate renewal script
 crontab -e

# This opens up the vi editor, now do the following:
 1. Copy the following line:
 15 3 * * * /usr/bin/certbot renew --quiet

 2. In the editor, press the "a" key
 3. Right-click to paste
 4. Type ':wq' (without the single quotes) to save and exit.

# Now download and install lessons learned server
 cd /usr/share/nginx
 wget "https://www.lessonslearnedserver.com/downloadfile.php?name=lessonslearned_linux64_v3_0_3.tar.gz" -O lessonslearned.tar.gz
 tar -zxvf lessonslearned.tar.gz
 chown -R nginx:nginx lessonslearned
 chmod 755 lessonslearned/private/conf

# Now access your site at https://demo.lessonslearned.io
# Go through the installation wizard steps. Once done, run the following command to guarantee LessonsLearnedServer always uses full encryption
 mysql -u root -p lessons_learned_demo -e 'update setting SET value="full" where NAME="web.use_https";'
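
The download step above extracts an archive as root under /usr/share/nginx, so it is worth listing the archive before running tar -zxvf. This is an added example, not part of the original guide: check_archive is a name of this sketch, and it assumes every member should live under the lessonslearned/ directory that the later chown and chmod commands expect.

```shell
#!/bin/sh
# Added example: list the archive and vet its members before extracting as root.
# check_archive ARCHIVE TOPDIR (names are this example's own)
# returns 0 = every member stays under TOPDIR/, 1 = suspicious member, 2 = unreadable

check_archive() {
    archive=$1 top=$2
    # -t only lists; nothing is written to disk. An HTML error page saved by
    # wget under the .tar.gz name fails here instead of at extraction time.
    names=$(tar -tzf "$archive" 2>/dev/null) || {
        echo "not a readable gzip tar archive: $archive" >&2; return 2; }
    [ -n "$names" ] || { echo "archive is empty: $archive" >&2; return 2; }

    bad=$(printf '%s\n' "$names" | awk -v top="$top" '
        BEGIN { pre = top "/" }
        { sub(/^\.\//, "") }       # tolerate a leading ./
        $0 == ""           { next }
        /^\//              { print "absolute path: " $0; next }
        /(^|\/)\.\.(\/|$)/ { print "parent traversal: " $0; next }
        $0 != top && index($0, pre) != 1 { print "outside " pre ": " $0 }
    ')
    # Symlink (l) and hard-link (h) members can redirect later writes.
    links=$(tar -tvzf "$archive" 2>/dev/null | grep -c '^[lh]' || true)

    if [ -n "$bad" ] || [ "$links" -gt 0 ]; then
        [ -z "$bad" ] || printf '%s\n' "$bad" >&2
        [ "$links" -eq 0 ] || echo "$links link member(s): inspect with tar -tvzf" >&2
        return 1
    fi
    echo "$archive: all members are under $top/"
}

# Usage: sh check_archive.sh lessonslearned.tar.gz lessonslearned
if [ $# -eq 2 ]; then check_archive "$1" "$2"; fi
```

Run it from /usr/share/nginx after the wget step and extract only when it exits 0.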

# (Issue in PHP 7.2) Edit the following line to suppress DEPRECATED errors in PHP 7.2:
 vim lessonslearned/llssrc/lls_comm_inc.php
 Type ':64' to go to line 64.
 Move the cursor to the last 'L' character in the word 'E_ALL'
 Type 'a' then type ' & ~E_DEPRECATED'
 Press 'Esc' then type ':wq' to save and quit.

You are now ready to go.