neonexus/1ubuntu-server.md

## 1ubuntu-server.md

      
    Raw
  

              1ubuntu-server.md
            
          
    Neo's AWS Guide for Nginx, PHP, MySQL

Foreword

This guide assumes you've created an EC2 instance on AWS, with 2 drives (1 for the OS, 1 where the actual site(s) live). The 2 drive system allows for easier replacement of the OS/software side if something breaks, while keeping site data intact.
Install PHP5-FPM, Nginx, MySQL, Git

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install php5.6-fpm php5.6-mysql php5.6-gd php5.6-mcrypt nginx git ntp
sudo reboot

Fix PHP settings

sudo nano /etc/php/5.6/fpm/php.ini

Find cgi.fix_pathinfo=1 change to cgi.fix_pathinfo=0
sudo nano /etc/php/5.6/fpm/pool.d/www.conf

Find listen = 127.0.0.1:9000 change to listen = /run/php/php5.6-fpm.sock (may already be done)
sudo service php5.6-fpm restart

Enable AWS SES with Postfix

Postfix Manual
sudo apt-get install postfix

Select No Configuration
sudo nano /etc/postfix/main.cf

Paste the following
relayhost = [email-smtp.us-east-1.amazonaws.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
inet_protocols=ipv4

sudo nano /etc/postfix/sasl_passwd

Paste in the following (replacing user/pass)
[email-smtp.us-east-1.amazonaws.com]:25 USERNAME:PASSWORD

Run the following commands
sudo postmap hash:/etc/postfix/sasl_passwd
sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
sudo postfix start

Update PHP
sudo nano /etc/php5/fpm/php.ini

Change the sendmail path
sendmail_path = "/usr/sbin/sendmail -t -i"

Test the email sending
sendmail -f from@example.com to@example.com

Note final line is a full-stop (single period)
From: from@example.com

Subject: Test

This email was sent through Amazon SES!

.

Attach second drive (Optional)

sudo file -s /dev/xvdb
sudo mkfs -t ext4 /dev/xvdb
sudo mkdir /var/www
sudo mount /dev/xvdb /var/www
sudo chown www-data:www-data /var/www
sudo cp /etc/fstab /etc/fstab.orig
sudo nano /etc/fstab

Add:     /dev/xvdb       /var/www   ext4    defaults,nofail        0       2

sudo mount -a

Update Nginx Config

sudo nano /etc/nginx/nginx.conf

Use: nginx.conf
sudo nano /etc/nginx/ssl.conf

Use: ssl.conf
sudo nano /etc/nginx/gzip.conf

Use: gzip.conf
sudo nano /etc/nginx/php.conf

Use: php.conf
sudo nano /etc/nginx/security.conf

Use: security.conf
sudo nano /etc/nginx/sites-available/{domain.com}

Use: server.com
sudo ln -s /etc/nginx/sites-available/{domain.com} /etc/nginx/sites-enabled/
sudo service nginx restart

Install MySQL Server (Optional)

sudo apt-get install mysql-server
sudo mysql_install_db
sudo /usr/bin/mysql_secure_installation


## gzip.conf
gzip on;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_min_length 1000;
gzip_disable "msie6";

## nginx.conf
user www-data;
worker_processes 8;
pid /run/nginx.pid;

events {
        worker_connections 768;
        multi_accept on;
        use epoll;
}

http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # SSL Security
        ##
        include ssl.conf;

        index index.php index.html index.htm;

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

## php.conf
index index.php index.html index.htm;

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php5.6-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
}

## security.conf
location ~ /\.ht {
    deny all;
}

location /ssl {
    deny all;
}

location ~ \.nginx {
    deny all;
}

location ~ \.bak$ {
    deny all;
}

location ~ \.ssh {
    deny all;
}

## server.com
server {
    listen 80;
    server_name *.server.com;

    return http://server.com$request_uri;
}

server {
    server_name server.com;

    listen 80 default_server; # remove default_server if this isn't a catch-all server
    #listen 443 ssl; #uncomment if SSL is needed (if not using ELB)

    #ssl_certificate /var/www/server.com/ssl/chain.crt; #uncomment if SSL is needed (if not using ELB)
    #ssl_certificate_key /var/www/server.com/ssl/server.key; #uncomment if SSL is needed (if not using ELB)

    #ssl_verify_client on; # Used to verify request originiated from CloudFlare's network
    #ssl_client_certificate /etc/nginx/certs/cloudflare.crt;

    root /var/www/server.com;

    access_log  /var/log/nginx/server.com.access.log;
    error_log   /var/log/nginx/server.com.error.log;

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    include security.conf;
    include php.conf;
    include gzip.conf;
}

## ssl.conf
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
	gzip on;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
	gzip_min_length 1000;
	gzip_disable "msie6";
	user www-data;
	worker_processes 8;
	pid /run/nginx.pid;

	events {
	worker_connections 768;
	multi_accept on;
	use epoll;
	}

	http {
	##
	# Basic Settings
	##
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# SSL Security
	##
	include ssl.conf;

	index index.php index.html index.htm;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	index index.php index.html index.htm;

	location ~ \.php$ {
	try_files $uri =404;
	fastcgi_pass unix:/run/php/php5.6-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
	}

	location / {
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}
	location ~ /\.ht {
	deny all;
	}

	location /ssl {
	deny all;
	}

	location ~ \.nginx {
	deny all;
	}

	location ~ \.bak$ {
	deny all;
	}

	location ~ \.ssh {
	deny all;
	}
	server {
	listen 80;
	server_name *.server.com;

	return http://server.com$request_uri;
	}

	server {
	server_name server.com;

	listen 80 default_server; # remove default_server if this isn't a catch-all server
	#listen 443 ssl; #uncomment if SSL is needed (if not using ELB)

	#ssl_certificate /var/www/server.com/ssl/chain.crt; #uncomment if SSL is needed (if not using ELB)
	#ssl_certificate_key /var/www/server.com/ssl/server.key; #uncomment if SSL is needed (if not using ELB)

	#ssl_verify_client on; # Used to verify request originiated from CloudFlare's network
	#ssl_client_certificate /etc/nginx/certs/cloudflare.crt;

	root /var/www/server.com;

	access_log /var/log/nginx/server.com.access.log;
	error_log /var/log/nginx/server.com.error.log;

	location / {
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	include security.conf;
	include php.conf;
	include gzip.conf;
	}
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";