Setting up Nginx-Apache Reverse Proxy, PHP, & MariaDB with SSL on EC2/Lightsail with Amazon Linux

The final setup consists of:

  1. NGINX (reverse proxy & static contents)
  2. Apache 2.4 (Dynamic content: PHP)
  3. PHP 7.1
  4. MariaDB 10.1

You can skip any part you don't need.

Preparations

  1. Create www directory if not exists yet: sudo mkdir -p /var/www
  2. Set directory permissions (owner read/write/execute, everyone else read/execute): sudo chmod -R 755 /var/www
  3. Create new directory for your subdomain: sudo mkdir -p /var/www/domain.com/sub1/public
  4. Give ownership to current logged in user: sudo chown $USER:$USER -R /var/www/domain.com/sub1/

NGINX

  1. Install: sudo yum install nginx -y
  2. Configure this file: /etc/nginx/conf.d/default.conf to something like this:
    server {
        listen 80;
        server_name sub1.domain.com;
        root /var/www/domain.com/sub1/public/;
        index index.php index.html index.htm;
        
        location / {
            try_files $uri $uri/ /index.php$uri$is_args$args;
        }
    
        location ~ \.php {
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port 443;
            proxy_pass http://127.0.0.1:8080;
        }
    
        location ~ /\.ht {
            deny all;
        }
    }
    
  3. Auto-start NGINX on system start: sudo chkconfig nginx on

Apache

  1. Install: sudo yum install httpd24 -y
  2. Configure /etc/httpd/conf/httpd.conf as follows:
    Listen 8080
    
  3. Configure virtual hosts at /etc/httpd/conf.d/vhosts.conf:
    <VirtualHost 127.0.0.1:8080>
        ServerAdmin email@sub1.domain.com
        DocumentRoot /var/www/domain.com/sub1/public/
        ServerName sub1.domain.com
        ErrorLog logs/sub1.domain.com-error_log
        CustomLog logs/sub1.domain.com-access_log common
    </VirtualHost>
    
  4. Auto-start Apache on system start: sudo chkconfig httpd on

SSL (Let's Encrypt)

EC2 - Amazon Linux 2

Follow: https://certbot.eff.org/lets-encrypt/centosrhel7-nginx

  1. Enable optional channel:
    sudo yum -y install yum-utils
    sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
    
  2. Install certbot:
    sudo yum install certbot-nginx
    
  3. Request cert:
    sudo certbot --nginx
    
    • Go through the wizard carefully.
  4. If all went well, your certs will be at /etc/letsencrypt/live/sub1.domain.com/ and certbot will have updated /etc/nginx/conf.d/default.conf automatically.
  • In the future, to renew:
    certbot renew
    

Lightsail

  1. Install Certbot:
    sudo yum install python27-devel git -y
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
    sudo /opt/letsencrypt/letsencrypt-auto --debug
    
  2. Request cert:
    sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"
    
    • Go through the wizard carefully.
  3. If all went well, your certs will be at /etc/letsencrypt/live/sub1.domain.com/ and certbot will have updated /etc/nginx/conf.d/default.conf automatically.
  • In the future, to renew:
    sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx" renew
    

MariaDB

  1. Add yum repository. Create this file: /etc/yum.repos.d/mariadb.repo:
  2. Install:
    sudo yum makecache
    sudo yum install MariaDB-server MariaDB-client -y
    
  3. If you install version 10.2 or above, the service name is mariadb; otherwise it is mysql.
  4. Start service:
    sudo service mysql(or mariadb) start
    
  5. Secure your MariaDB installation: sudo mysql_secure_installation
  6. Auto-start MariaDB on system start: sudo chkconfig mysql(or mariadb) on

PHP 7.1

  1. Install: sudo yum install php71 -y
  2. Install PHP Modules
    • Run yum search php71- to list the available modules, then install the ones you need with yum install.

Start All Services

  1. sudo service nginx start
  2. sudo service httpd start
  3. sudo service mysql(or mariadb) start

Add More (Sub)Domains

Once everything is working, you can start adding more (sub)domains.

  1. Create new directory for your subdomain: sudo mkdir -p /var/www/domain.com/sub2/public
  2. Give ownership to current logged in user: sudo chown $USER:$USER -R /var/www/domain.com/sub2/
  3. Edit /etc/nginx/conf.d/default.conf to add more domains, but without the SSL settings (certbot adds those later):
    # 1st domain settings are up here, don't remove
    server { ... }
    # end of 1st domain settings
    
    server {
        listen 80;
        server_name sub2.domain.com;
        root /var/www/domain.com/sub2/public/;
        index index.php index.html index.htm;
        
        location / {
            try_files $uri $uri/ /index.php$uri$is_args$args;
        }
    
        location ~ \.php {
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port 443;
            proxy_pass http://127.0.0.1:8080;
        }
    
        location ~ /\.ht {
            deny all;
        }
    }
    
  4. Edit the Apache virtual hosts at /etc/httpd/conf.d/vhosts.conf to add another virtual host:
    # 1st domain settings are up here, don't remove
    <VirtualHost 127.0.0.1:8080> ... </VirtualHost>
    # end of 1st domain settings
    
    <VirtualHost 127.0.0.1:8080>
        ServerAdmin email@sub2.domain.com
        DocumentRoot /var/www/domain.com/sub2/public/
        ServerName sub2.domain.com
        ErrorLog logs/sub2.domain.com-error_log
        CustomLog logs/sub2.domain.com-access_log common
    </VirtualHost>
    
  5. Request SSL cert using certbot again, but this time pick the new domain:
    • EC2 - With Amazon Linux 2
    sudo certbot --nginx
    
    • Lightsail
    sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"
    
    • If all went well, your certs will be at /etc/letsencrypt/live/sub2.domain.com/ and certbot will have updated /etc/nginx/conf.d/default.conf automatically.
  6. Restart NGINX & Apache:
    sudo service nginx restart
    sudo service httpd restart
    
  7. ???
  8. Profit. :D
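Steps 1 through 4 above are the same edit every time with only the subdomain name changed, so they are a natural candidate for a small generator. The script below is an added example, not part of the gist: it renders the NGINX server block and the Apache VirtualHost from the gist's own templates for a given subdomain, and validates the names first so that a value like `../etc` can never end up in the `root`, `DocumentRoot` or `mkdir -p` paths. It prints the blocks for you to append to the two config files (and to rerun certbot) rather than writing anything itself; the paths, port and header lines are the gist's, the function names and the `sub3` example are constructed.

```shell
#!/bin/sh
# Added helper (not from the gist): render the per-subdomain NGINX server block
# and Apache VirtualHost from the gist's templates for a new subdomain.

WEB_ROOT=/var/www          # document root base used in the gist's Preparations
BACKEND=127.0.0.1:8080     # Apache backend the gist proxies to

# A subdomain must be a single DNS label: letters, digits, inner hyphens only.
valid_label() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# A domain is one or more labels followed by an alphabetic TLD.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# Usage: nginx_server_block <sub> <domain>  (same block as the gist, pre-certbot)
nginx_server_block() {
    sub="$1"; domain="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${sub}.${domain};
    root ${WEB_ROOT}/${domain}/${sub}/public/;
    index index.php index.html index.htm;

    location / {
        try_files \$uri \$uri/ /index.php\$uri\$is_args\$args;
    }

    location ~ \\.php {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-Port 443;
        proxy_pass http://${BACKEND};
    }

    location ~ /\\.ht {
        deny all;
    }
}
EOF
}

# Usage: apache_vhost <sub> <domain>  (same VirtualHost as the gist)
apache_vhost() {
    sub="$1"; domain="$2"
    cat <<EOF
<VirtualHost ${BACKEND}>
    ServerAdmin email@${sub}.${domain}
    DocumentRoot ${WEB_ROOT}/${domain}/${sub}/public/
    ServerName ${sub}.${domain}
    ErrorLog logs/${sub}.${domain}-error_log
    CustomLog logs/${sub}.${domain}-access_log common
</VirtualHost>
EOF
}

# Usage: render_site <sub> <domain>; refuses names that are not plain DNS names.
render_site() {
    sub="$1"; domain="$2"
    if ! valid_label "$sub" || ! valid_domain "$domain"; then
        echo "refusing unsafe name: '$sub' / '$domain'" >&2
        return 1
    fi
    echo "# --- append to /etc/nginx/conf.d/default.conf ---"
    nginx_server_block "$sub" "$domain"
    echo "# --- append to /etc/httpd/conf.d/vhosts.conf ---"
    apache_vhost "$sub" "$domain"
    echo "# --- then create the docroot (steps 1-2) and rerun certbot for ${sub}.${domain} ---"
    echo "# sudo mkdir -p ${WEB_ROOT}/${domain}/${sub}/public && sudo chown -R \$USER:\$USER ${WEB_ROOT}/${domain}/${sub}/"
}

# Demonstration with a constructed subdomain name; nothing is written to disk.
render_site sub3 domain.com
```

After appending the output, `sudo nginx -t` and `sudo apachectl configtest` will tell you whether both files still parse before you restart the services in step 6.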

Final Files for Reference

The complete files, after certbot has added the SSL settings, are shown below.

/etc/nginx/conf.d/default.conf:

    server {
        listen 80;
        server_name sub1.domain.com;
        root /var/www/domain.com/sub1/public;
        index index.php index.html index.htm;
        location / {
            try_files $uri $uri/ /index.php$uri$is_args$args;
        }
        location ~ \.php {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port 443;
            proxy_pass http://127.0.0.1:8080;
        }
        location ~ /\.ht {
            deny all;
        }
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/sub1.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/sub1.domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        if ($scheme != "https"){
            return 301 https://$host$request_uri;
        } # managed by Certbot
    }
    server {
        listen 80;
        server_name sub2.domain.com;
        root /var/www/domain.com/sub2/public;
        index index.php index.html index.htm;
        location / {
            try_files $uri $uri/ /index.php$uri$is_args$args;
        }
        location ~ \.php {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port 443;
            proxy_pass http://127.0.0.1:8080;
        }
        location ~ /\.ht {
            deny all;
        }
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/sub2.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/sub2.domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        if ($scheme != "https"){
            return 301 https://$host$request_uri;
        } # managed by Certbot
    }

/etc/httpd/conf.d/vhosts.conf:

    <VirtualHost 127.0.0.1:8080>
        ServerAdmin email@sub1.domain.com
        DocumentRoot /var/www/domain.com/sub1/public/
        ServerName sub1.domain.com
        ErrorLog logs/sub1.domain.com-error_log
        CustomLog logs/sub1.domain.com-access_log common
    </VirtualHost>
    <VirtualHost 127.0.0.1:8080>
        ServerAdmin email@sub2.domain.com
        DocumentRoot /var/www/domain.com/sub2/public/
        ServerName sub2.domain.com
        ErrorLog logs/sub2.domain.com-error_log
        CustomLog logs/sub2.domain.com-access_log common
    </VirtualHost>