Not so long ago, Mail.Ru Cloud Solutions (MCS) and the Dobro Mail.Ru service launched the project "
After passing the validation, the NPO can receive virtual capacities from the MCS, but further configuration requires certain qualifications. In this article, we want to share specific instructions for setting up an Ubuntu Linux-based server to run the foundation's main website and a number of subdomains using free SSL certificates. For many, this will be a simple guide, but we hope that our experience will be useful for other non-profit organizations, and not only.
FYI: what can you get from MCS? 4 CPUs, 32 GB RAM, 1 TB HDD, Ubuntu Linux OS, 500 GB object storage.
Step 1: start the virtual server
Let's get down to business and create our virtual server (aka "instance") in your MCS account. In the app store, you need to select and install a ready-made LAMP stack, which is a set of server software (LAMP = Linux, Apache, MySQL, PHP) required to run most websites.
Select the appropriate configuration for the server and create a new SSH key. After clicking the "Install" button, installation of the server and the LAMP stack begins; it takes some time. The system will also offer to download a private key to your computer for managing the virtual machine through the console; save it.
After installing the application, let's immediately configure the firewall. This is also done in your personal account: go to the "Cloud computing -> Virtual machines" section and select the "Firewall settings" item:
You need to add permission for incoming traffic through ports 80 and 9997. This is required later to install SSL certificates and to work with phpMyAdmin. As a result, the set of rules should look like this:
Now you can connect to your server through the command line using the SSH protocol. To do this, type the following command, specifying the path to the SSH key on your computer and the external IP address of your server (you can find it in the "Virtual machines" section):
$ ssh -i /путь/к/ключу/key.pem ubuntu@<ip_сервера>
During the first connection to the server, it is recommended to install all the latest updates on it and reboot it. To do this, run the following commands:
$ sudo apt-get update
This fetches the list of available updates. Install them with the following command and follow the prompts:
$ sudo apt-get upgrade
After installing the updates, restart the server:
$ sudo reboot
Step 2: Set Up Virtual Hosts
Many NGOs need to maintain several domains or subdomains at the same time (for example, the main site and several landing pages for promotional campaigns, etc.). All this can be conveniently placed on one server by creating multiple virtual hosts.
First we need to create a directory structure for the sites that will be displayed to visitors. Let's create some directories:
$ sudo mkdir -p /var/www/a-dobra.ru/public_html
$ sudo mkdir -p /var/www/promo.a-dobra.ru/public_html
And make the current user their owner:
$ sudo chown -R $USER:$USER /var/www/a-dobra.ru/public_html
$ sudo chown -R $USER:$USER /var/www/promo.a-dobra.ru/public_html
The $USER variable contains the username you are currently logged in as (by default, this is the user ubuntu). The current user now owns the public_html directories where we will store the content.
We also need to adjust the permissions a little so that the shared web directory and all the files and folders under it are readable. This is necessary for the site pages to be served correctly:
$ sudo chmod -R 755 /var/www
Your web server should now have the permissions it needs to display the content. In addition, now your user has the ability to create content in the required directories.
There is already an index.php file in the /var/www/html directory; copy it into our new directories as placeholder content for now:
$ cp /var/www/html/index.php /var/www/a-dobra.ru/public_html/index.php
$ cp /var/www/html/index.php /var/www/promo.a-dobra.ru/public_html/index.php
Now you need to make sure that visitors can reach your site. To do this, we will first set up virtual host files, which determine how the Apache web server responds to requests for different domains.
By default, Apache has a 000-default.conf virtual host file that we can use as a starting point. We are going to copy it over to create virtual host files for each of our domains. We'll start with one domain, configure it, copy it to another domain, and then make the necessary edits again.
Ubuntu's default configuration requires that each virtual host file has a *.conf extension.
Let's start by copying the file for the first domain:
$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/a-dobra.ru.conf
Open a new file in a root editor:
$ sudo nano /etc/apache2/sites-available/a-dobra.ru.conf
Edit the data as follows, specifying port 80, your own values for ServerAdmin, ServerName and ServerAlias, and the path to the root directory of your site, then save the file (Ctrl + X, then Y):
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName a-dobra.ru
    ServerAlias www.a-dobra.ru
    DocumentRoot /var/www/a-dobra.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/a-dobra.ru/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    # The dot is escaped: FilesMatch takes a regular expression, and an unescaped "." matches any character.
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
ServerName sets the primary domain, which must match the name of the virtual host; this must be your domain name. ServerAlias defines other names that should be treated as if they were the primary domain. This is useful for additional domain names, such as the www variant.
Copy this config for another host and also edit it by analogy:
$ sudo cp /etc/apache2/sites-available/a-dobra.ru.conf /etc/apache2/sites-available/promo.a-dobra.ru.conf
You can create as many directories and virtual hosts as you like for your websites! Now that we've created our virtual host files, we need to enable them. We can use the a2ensite utility to enable each of our sites like this:
$ sudo a2ensite a-dobra.ru.conf
$ sudo a2ensite promo.a-dobra.ru.conf
By default, port 80 is closed in LAMP, and we will need it later to install an SSL certificate. Therefore, let's immediately edit the ports.conf file and then restart Apache:
$ sudo nano /etc/apache2/ports.conf
Add a new line and save the file so it looks like this:
Listen 80
Listen 443
Listen 9997
After completing the settings, you need to restart Apache for all changes to take effect:
$ sudo systemctl reload apache2
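The whole of Step 2 as one script, added here as an example; it is not code from the original article or from MCS. It generates the virtual host file from a template, stages the document root with the same ownership and 755 permissions as above, and runs an Apache syntax check before the reload, because reloading Apache on a broken config would take every site on the server down. The function names, the per-domain log file names and the use of the directories as parameters (so the staging step can be run against a temporary directory) are our own choices; the paths, the PHP-FPM socket and the a2ensite/apachectl/systemctl commands are the ones the article uses.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: stage one Apache virtual host
# the way Step 2 does by hand, then validate the config before enabling it.
# Assumptions (ours): Ubuntu paths /var/www and /etc/apache2/sites-available,
# the PHP-FPM 7.2 socket from the article, and per-domain log files instead
# of the shared error.log/access.log.
set -eu

# Print the vhost config for DOMAIN (plus its www alias) to stdout.
# The dot in FilesMatch is escaped: an unescaped "." is a regex wildcard,
# so ".php$" would also hand names such as "index.xphp" to PHP-FPM.
gen_vhost() {
    domain="$1"
    admin="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin ${admin}
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot /var/www/${domain}/public_html
    ErrorLog \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined
    <Directory /var/www/${domain}/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
EOF
}

# Create the document root under BASE owned by OWNER, make the tree readable
# by the web server (755), write the vhost file under CONF_DIR and print its
# path. BASE and CONF_DIR default to the Ubuntu locations; tests can point
# them at a temporary directory.
stage_site() {
    domain="$1"; admin="$2"; owner="$3"
    base="${4:-/var/www}"; conf_dir="${5:-/etc/apache2/sites-available}"
    docroot="${base}/${domain}/public_html"
    mkdir -p "$docroot" "$conf_dir"
    chown -R "$owner" "$docroot"
    chmod -R 755 "${base}/${domain}"
    conf="${conf_dir}/${domain}.conf"
    gen_vhost "$domain" "$admin" > "$conf"
    printf '%s\n' "$conf"
}

# Enable the site, syntax-check the complete Apache config, and reload only
# if the check passes; on failure the site is disabled again so the running
# configuration stays intact. Needs root and a real Apache install.
enable_site() {
    domain="$1"
    a2ensite "${domain}.conf"
    if ! apachectl configtest; then
        a2dissite "${domain}.conf"
        return 1
    fi
    systemctl reload apache2
}

# Usage: sudo ./stage-vhost.sh DOMAIN ADMIN_EMAIL OWNER_USER
if [ "$#" -eq 3 ]; then
    stage_site "$1" "$2" "$3" >/dev/null
    enable_site "$1"
fi
```

Running it as `sudo ./stage-vhost.sh promo.a-dobra.ru admin@a-dobra.ru ubuntu` reproduces the manual steps for a second host; the configtest step is the one worth keeping even when you edit the files by hand.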
Step 3: Set Up Domain Names
Next, you need to add DNS records that point to your new server. To manage domains, our Arithmetic of Good Foundation uses the dns-master.ru service; we will use it as the example.
The A-record for the main domain is usually specified as follows (the @ sign):
The A-record for a subdomain is usually specified like this:
The IP address is the address of the Linux server we just created. For the TTL you can specify 3600.
After some time it will be possible to open your site, but so far only over http://. In the next step we will add https:// support.
Step 4: Set Up Free SSL Certificates
You can get free Let's Encrypt SSL certificates for your main site and all subdomains. You can also set them to auto-renew, which is very convenient. To obtain SSL certificates, install Certbot on your server:
$ sudo add-apt-repository ppa:certbot/certbot
Install the Certbot package for Apache with apt:
$ sudo apt install python-certbot-apache
Now Certbot is ready to use, run the command:
$ sudo certbot --apache -d a-dobra.ru -d www.a-dobra.ru -d promo.a-dobra.ru
This command starts certbot; the -d flags define the domain names for which the certificate is to be issued.
If this is the first time you are running certbot, you will be prompted to enter an email address and agree to the terms of service. After that, certbot will contact the Let's Encrypt server and then verify that you really control the domain for which you requested the certificate.
If everything went well, certbot will ask you how you want to set up the HTTPS configuration:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
We recommend choosing option 2 and pressing ENTER. The configuration will be updated and Apache restarted to apply the changes.
Your certificates are now downloaded, installed and working. Try reloading your site using https:// and you will see the security icon in your browser. If you test your server
Let's Encrypt certificates are only valid for 90 days, but the certbot package we just installed renews them automatically. To test the renewal process, we can do a dry run of certbot:
$ sudo certbot renew --dry-run
If you don't see any errors as a result of running this command, then everything is working!
Step 5: Access MySQL and phpMyAdmin
Many websites use databases. The phpMyAdmin tool for managing the database is already installed on our server. To access it, open the following address in your browser:
https://<ip-адрес сервера>:9997
The password for root access can be obtained in the MCS personal account (
Step 6: Set Up File Upload via SFTP
It will be convenient for developers to upload files for your website via SFTP. To do this, we will create a new user and call it webmaster:
$ sudo adduser webmaster
The system will ask you to set a password and enter some other data.
Change the owner of the directory with your website:
$ sudo chown -R webmaster:webmaster /var/www/a-dobra.ru/public_html
Now let's change the SSH config so that the new user only has access to SFTP and not the SSH terminal:
$ sudo nano /etc/ssh/sshd_config
Scroll through the configuration file to the very end and add the following block:
Match User webmaster
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/www/a-dobra.ru
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
Save the file and restart the service:
$ sudo systemctl restart sshd
Now you can connect to the server through any client for SFTP, for example, through FileZilla.
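A check worth running before the restart in Step 6, added here as an example that is not part of the original article. sshd refuses to use a ChrootDirectory unless that directory and every parent up to / are owned by root and are not writable by group or others ("bad ownership or modes for chroot directory" in the auth log), so a wrong mode locks the webmaster out at the next login rather than at restart time. The script below checks that chain, prints the Match block from above for any user and chroot path, and runs sshd -t before restarting. The function names are ours; the stat -c invocation assumes GNU or busybox stat as found on Ubuntu.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: verify the ChrootDirectory
# prerequisites of the Step 6 Match block and syntax-check sshd_config before
# restarting sshd. Function names are ours; stat -c is GNU/busybox syntax.
set -eu

# Pure check on an owner uid and an octal mode as printed by `stat -c %a`:
# returns 0 if acceptable as a chroot path component, 1 otherwise.
# Kept free of filesystem access so it can be tested without root.
chroot_mode_ok() {
    uid="$1"; mode="$2"
    [ "$uid" -eq 0 ] || return 1
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop a setuid/sticky digit if present
    group=$(( (perm / 10) % 10 ))
    other=$(( perm % 10 ))
    # value 2 in each digit is the write bit; neither group nor other may have it
    [ $(( group & 2 )) -eq 0 ] && [ $(( other & 2 )) -eq 0 ]
}

# Walk DIR and each of its parents up to /, failing on the first component
# that sshd would reject. Prints the offending directory on stderr.
check_chroot_path() {
    dir="$1"
    while :; do
        set -- $(stat -c '%u %a' "$dir")
        if ! chroot_mode_ok "$1" "$2"; then
            printf 'unsafe chroot component %s: uid %s, mode %s\n' "$dir" "$1" "$2" >&2
            return 1
        fi
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Print the Step 6 Match block for USER chrooted at CHROOT. It must go at the
# end of sshd_config: a Match block extends to the next Match or end of file,
# so anything placed after it would apply only to that user.
sftp_match_block() {
    cat <<EOF
Match User $1
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory $2
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Usage: sudo ./sftp-chroot.sh webmaster /var/www/a-dobra.ru
# Validates the chroot, appends the block, runs `sshd -t` and only then
# restarts; a typo in sshd_config would otherwise cost you SSH access.
if [ "$#" -eq 2 ]; then
    check_chroot_path "$2"
    sftp_match_block "$1" "$2" >> /etc/ssh/sshd_config
    sshd -t
    systemctl restart sshd
fi
```

The layout from Step 2 and Step 6 passes this check as written: /var/www/a-dobra.ru was created with sudo, so it stays root-owned with mode 755, and only the public_html directory inside it was handed to webmaster. If you ever chown the whole site directory to webmaster to "fix" an upload problem, the chroot stops working, and this script tells you why before sshd does.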
Conclusion
- Now you know how to create new directories and set up virtual hosts for your websites within a single server.
- You can easily create the necessary SSL certificates - it's free, and they will be updated automatically.
- The MySQL database can be conveniently managed through the familiar phpMyAdmin.
- Creating new SFTP accounts and setting up access rights will not require much effort. Such accounts can be transferred to third-party web developers and site administrators.
- Do not forget to update the system periodically, and we also recommend making backups - in MCS, you can take “snapshots” of the entire system with one click, and then, if necessary, launch entire images.
Used resources that might be helpful:
Incidentally,
Source: habr.com