- Pre-usage:
sudo apt-get update && sudo apt-get upgrade -y
- Add `ubuntu` (or whichever user will run `sudo`) to the `sudo` group:
sudo usermod -aG sudo ubuntu
- Check whether the SSH server allows root login; if it does, change `PermitRootLogin` to `no` or `prohibit-password`:
sudo vi /etc/ssh/sshd_config
PermitRootLogin prohibit-password
- Install Nginx:
sudo apt-get install nginx
- Allow SSH connections through the firewall:
sudo ufw allow ssh
- Allow the Nginx server through the firewall:
sudo ufw allow 'Nginx HTTP'
- Enable the firewall:
sudo ufw enable
- Check status of firewall:
sudo ufw status
- Add PHP repository from Ondrej:
sudo add-apt-repository ppa:ondrej/php
- Update:
sudo apt-get update
- Install PHP 7.1 FPM and most used extensions:
sudo apt-get install php7.1-fpm php7.1-curl php7.1-soap php7.1-pgsql php7.1-mysql php7.1-sqlite3 php7.1-mbstring php7.1-xml php7.1-mcrypt php7.1-zip
- Configure PHP to make it safer. Before editing, find the active `php.ini` file by running:
php -i | grep "Loaded Configuration File"
sudo vi /etc/php/7.1/fpm/php.ini
Set `cgi.fix_pathinfo` to 0, so PHP-FPM does not guess a script path when the requested file does not exist:
cgi.fix_pathinfo=0
Set `expose_php` to off, so the PHP version is not advertised in the `X-Powered-By` response header:
expose_php = off
- Configure Nginx:
sudo vi /etc/nginx/sites-available/default
Add `index.php` to the `index` list of files served when a directory is requested.
Hide the Nginx version in the HTTP headers:
sudo vi /etc/nginx/nginx.conf
Edit:
server_tokens off;
Restart it:
sudo service nginx restart
- Install Composer (the installer hash below is tied to one installer release; take the current value from the Composer download page before running the check):
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('SHA384', 'composer-setup.php') === '544e09ee996cdf60ece3804abc52599c22b1f40f4323403c44d44fdfdd586475ca9813a858088ffbc1f233e9b180f061') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"
sudo mv composer.phar /usr/local/bin/composer
- Clone/deploy the project into the EC2 instance, enter the project folder and install dependencies:
composer install
- Start services:
sudo service php7.1-fpm start && sudo service nginx restart
- Enable HTTP and HTTPS on the firewall:
sudo ufw allow http && sudo ufw allow https
- Give the web server group write access to the `storage` and `bootstrap/cache` directories:
sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache
- Use Let's Encrypt to install TLS certificates:
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
In case MySQL runs on the EC2 instance instead of an RDS service:
- Install MySQL Server:
sudo apt-get install mysql-server
- Run the secure installation script for MySQL:
mysql_secure_installation
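The SSH, PHP and Nginx steps above each change one directive and then move on; the script below is an added example (not part of the original notes) that audits all of them in one pass. File paths are passed in so it runs against constructed sample files instead of `/etc`; the sample contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the hardening
# directives the checklist sets. Paths are passed in so the script can
# run against constructed sample files offline instead of /etc.

# Print the effective value of KEY in FILE: comments (# or ;) are
# stripped, "key value", "key = value" and "key value;" all parse,
# and the last occurrence wins, as it does for sshd_config and php.ini.
get_directive() {
  file=$1; key=$2
  sed -e 's/[#;].*$//' "$file" \
    | grep -iE "^[[:space:]]*${key}[[:space:]]*[= ]" \
    | tail -n 1 \
    | sed -E "s/^[[:space:]]*${key}[[:space:]]*=?[[:space:]]*//; s/[[:space:]]*$//"
}

# check_directive FILE KEY ACCEPTED... -> 0 if the value is one of ACCEPTED
check_directive() {
  file=$1; key=$2; shift 2
  val=$(get_directive "$file" "$key" | tr 'A-Z' 'a-z')
  for want in "$@"; do
    if [ "$val" = "$want" ]; then echo "OK   $key=$val ($file)"; return 0; fi
  done
  echo "FAIL $key='$val' in $file (accepted: $*)"
  return 1
}

# audit DIR: run every check from the notes; non-zero if any of them fails.
audit() {
  rc=0
  check_directive "$1/sshd_config" PermitRootLogin no prohibit-password || rc=1
  check_directive "$1/php.ini"     cgi.fix_pathinfo 0                   || rc=1
  check_directive "$1/php.ini"     expose_php off                        || rc=1
  check_directive "$1/nginx.conf"  server_tokens off                     || rc=1
  return $rc
}

# Constructed samples (not real files): sshd and nginx are hardened,
# php.ini still carries the defaults the notes tell you to change.
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin prohibit-password' \
  'PasswordAuthentication yes' > "$tmp/sshd_config"
printf '%s\n' '; constructed php.ini' 'expose_php = On' 'cgi.fix_pathinfo=1' \
  > "$tmp/php.ini"
printf '%s\n' 'http {' '    # server_tokens on;' '    server_tokens off;' '}' \
  > "$tmp/nginx.conf"

audit "$tmp" || echo "hardening gaps found (samples left in $tmp)"
```

Pointing `audit` at a directory holding copies of the real `sshd_config`, `php.ini` and `nginx.conf` gives the same report for a live instance.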
- Example of LEMP installation in Ubuntu 16.04: https://www.youtube.com/watch?v=iUNnw8A9LLw
- Digital Ocean post on LEMP in Ubuntu 16.04: https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04
- Example of RDS usage: https://www.youtube.com/watch?v=g3gKF_Li1WM
- Explanation of UFW essentials (firewall): https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
- Mapping a domain/subdomains to an EC2 instance: https://www.youtube.com/watch?v=pjA9MyzUJNQ
- Installing TLS certificates with Nginx: https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
- Digital Ocean post on installing TLS with Nginx in Ubuntu 16.04: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
- Guide to building secure PHP applications in 2018: https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software
- Redirecting both the `www` and non-`www` hostnames to the HTTPS version: https://www.youtube.com/watch?v=6QYJUvrb7m8