EC2 Debian

Explanation

Create EC2 Instance

Go to aws.amazon.com. Here you can set up a root account and password. Note that the email you use for your account cannot be reused for another account if you close the first account. Creepy or what? Maybe use an email address you don't mind getting rid of. You could change your email address to a temporary one before closing your account so your main email address can still be used to open a new account in the future. Presumably the email address you change to has to be accessible to you so you can complete the change email procedure.

At this point you could also set up an Identity and Access Management account and assign privileges to it. This would be important for a production server but unnecessary for training.

Search for EC2. On the EC2 Dashboard click Launch instance. I chose the Debian 10 Amazon Machine Image, 64-bit (x86) and t2.micro (Free tier eligible). At this point you can create a new key pair for securely logging into your account. If you have already created a key pair for another EC2 instance you can use that for your new instance.

Under Network settings you are asked for a security group, which is a group of firewall rules. As with the key pair you can either create a new security group or use one you created previously. It is good to have SSH, HTTP and HTTPS from anywhere (you are not securing the crown jewels). Even if you do not intend to enable HTTP it is useful to start with it as it is easier to configure than HTTPS and therefore helpful as a stepping stone in setting up your server. You could select the default security group, but check what it allows as it may be too restrictive to be able to test your server. For storage you could select the default. In the Summary panel check the configuration you have selected and then click 'Launch instance'.

When you create a key pair you should choose a name, RSA and .pem. Then click on 'Create Key Pair' and you will be able to save the .pem file on your local machine. This file will be used when you connect to your EC2 instance using SSH. You will specify the path to the file so that is worth noting.

Hopefully you will see a Success message and advice on Next Steps. Click View Instances and check out the table of information relating to your instance. We will configure the EC2 instance from a local Linux machine using SSH. The key pair we made is used to secure our connection with the EC2 instance.

Connect to EC2 using SSH

From a terminal on our local Linux machine navigate to the directory with the .pem key-pair file in it and run the command: chmod 400 my-key-pair.pem

Now run: ssh -i /path/my-key-pair.pem my-instance-user-name@my-instance-public-dns-name

Note that on Debian, my-instance-user-name will be 'admin'. The public DNS name for the EC2 instance is found from the instances table in the column labelled: 'IPv4 Public IP'. An example of an actual SSH command which I used to access an EC2 instance is: ssh -i /home/steve/Documents/ec2-1-key-pair.pem admin@18.134.6.175

After issuing the SSH command the prompt on your terminal should have changed from representing a directory on your local computer to a directory on your EC2 instance. You can now configure your EC2 instance.

Stopping and Starting EC2

While an EC2 instance is running it is either costing money or using up your free tier allowance. Until it is actually operating as a server which other people may want to visit at any time, it may as well be stopped when you are not actively working on it. In the Instances page at the top of the table you can click on the Actions drop down and select 'Instance State' and then 'Stop'. You will also see 'Start' there for when you want to start the instance.

The only slight disadvantage of stopping and restarting the server is that the IPv4 Public IP address will change. So when you use SSH or, later, when you are using a browser to make requests from the server, you will need to change the value you use for the IPv4 Public IP address.

Install Apache

Firstly, update the software on Debian: sudo apt update. This worked for the first instance I made. Then, even though I think I was using the same Security Group, it did not work for some other EC2 instances I made. Finally I added another outbound rule to the Security Group allowing All TCP and now the update command did work. The update command updates the lists of packages in the repositories but does not actually update the packages themselves. We do that next.

Now run sudo apt upgrade to upgrade all packages.

Now run sudo apt install apache2.

At this stage firewall settings might be applied, for example with Uncomplicated Firewall (ufw) commands. The Security Group we specified when we created the EC2 instance should provide this functionality. Security Groups are an Amazon-specific, rather than general Linux, approach.

We can check to see if Apache is running with the command: sudo systemctl status apache2. Hopefully, the output of this command will clearly indicate that Apache is running.

Now we will see if we can navigate to the default web page provided by Apache from a web browser. Use the instances table to find the IPv4 Public IP address and copy it into a browser address bar. In this case I simply typed the following into the browser's address bar: 18.132.248.34

Remember that the address will change every time you stop and then start the EC2 instance. All being well you are now seeing the Apache2 Debian Default Page. You will probably also see an indication that the connection to the website is not secure. For example there may be a padlock with a line through it in the address bar. This is because we have connected with HTTP. In order to enable HTTPS we need to make some configuration changes to Apache. We also need to configure a number of other aspects of Apache depending on our required usage.

Configure Apache

X.509 Certificate

In order to utilize HTTPS we need to have a signed X.509 certificate. These need to be issued by a Certificate Authority which is on the browser's list of trusted CAs. CAs will only issue an X.509 certificate for a domain name which costs money to register. It is possible to create your own self-signed certificate which will allow HTTPS access to your website but with warnings that the certificate is not trusted by the browser. We will use a self-signed certificate in order to avoid the expense of registering a domain name. Another way of expressing 'allow HTTPS access' is 'enable TLS'. It is Transport Layer Security which puts the 's' in HTTPS.

Problem: I think a self-signed cert is bound to the IP address. If this keeps changing, as it will whenever we stop the EC2 instance, we will get a new IP address when we restart the instance and then have to create a new self-signed cert? For this (possible) reason we will just stick with HTTP for now. I will look into certificates when I have registered a domain name. See https://nodeployfriday.com/posts/self-signed-cert/.
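A certificate is bound to whatever identities are listed in its subjectAltName, which this added example (not part of the original page) demonstrates with openssl by issuing a self-signed certificate and checking it against an old and a new address. The function names and the DNS name your-domain.example are hypothetical; the two IP addresses are the ones quoted on this page.

```shell
#!/bin/sh
# Added example, not from the original page. Needs OpenSSL 1.1.1+ (-addext).
# Function names and your-domain.example are hypothetical; the IP addresses
# are the two instance addresses quoted elsewhere on this page.

# make_cert DIR SAN: write a self-signed key and certificate into DIR,
# bound to the identities listed in SAN (a subjectAltName value).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=ec2-training" -addext "subjectAltName=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_matches KIND CERT VALUE: KIND is "ip" or "host". Succeeds only if
# VALUE is one of the identities the certificate was issued for.
cert_matches() {
    openssl x509 -in "$2" -noout "-check$1" "$3" |
        grep -q 'does match certificate'
}

# report CERT: show what a browser's name check would conclude for each
# way of reaching the server.
report() {
    for ip in 18.132.248.34 18.134.6.175; do
        if cert_matches ip "$1" "$ip"; then r="name matches"; else r="name mismatch"; fi
        echo "https://$ip/ -> $r"
    done
    if cert_matches host "$1" your-domain.example; then r="name matches"; else r="name mismatch"; fi
    echo "https://your-domain.example/ -> $r"
}

dir=$(mktemp -d)
# Bind the certificate to one IP address and one DNS name.
make_cert "$dir" "IP:18.132.248.34,DNS:your-domain.example"
report "$dir/cert.pem"
rm -rf "$dir"
```

The DNS entry keeps matching after the instance gets a new address, while the IP entry only matches the address it was issued for.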

Uploading web pages and Create Virtual Host

The Apache2 Debian Default Page that we can now navigate to using HTTP is in /var/www/html/index.php. We can edit that file and see the changes when we navigate to the server from a browser. If we only wanted to serve one website from our EC2 instance we could replace the index.php file in /var/www/html/ with the files for our website. However, if we want to run more than one website from the same EC2 instance we need to create new directories: one for each website. For example, we could create a directory called test: /var/www/html/test

Run sudo mkdir -p /var/www/html/test. We now have a directory called test. This directory is owned by root user and the group owner is also root. We will want to have access to it as the admin user so we can upload files to it without having to obtain root access, e.g. using sudo. So, we run sudo chown -R $USER:$USER /var/www/html/test so that now the owner is the admin user and the group owner is also admin. Next we give the directory the appropriate permissions: sudo chmod -R 755 /var/www/html/test (in fact that did not change the permissions!).
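The following added example (not part of the original page) reproduces the mkdir, chown and chmod steps in a temporary directory, showing the mode before and after chmod 755, and then audits the tree for paths that are not owned by the expected user or are writable by group or others. It assumes a umask of 022 and GNU find and stat as shipped on Debian; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Uses GNU find and stat.
# Function names are hypothetical.

# mode_of PATH: print the octal permission bits, e.g. 755.
mode_of() { stat -c '%a' "$1"; }

# audit_docroot DIR OWNER: list every path under DIR that is not owned by
# OWNER (name or numeric UID) or that group/others can write to.
# Returns 1 if anything is listed, 0 if the tree is clean.
audit_docroot() {
    findings=$(find "$1" \( ! -user "$2" -o -perm /022 \) \
        -printf '%m %u:%g %p\n')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

demo() {
    root=$(mktemp -d)
    # With umask 022 (assumed here), mkdir already creates the directory as 755.
    ( umask 022; mkdir -p "$root/html/test" )
    echo "after mkdir:     $(mode_of "$root/html/test")"
    chmod -R 755 "$root/html/test"
    echo "after chmod 755: $(mode_of "$root/html/test")"

    # Constructed mistake: an uploaded file left world-writable.
    touch "$root/html/test/index.php"
    chmod 666 "$root/html/test/index.php"
    audit_docroot "$root/html/test" "$(id -u)" ||
        echo "tighten the paths listed above"
    rm -rf "$root"
}

demo
```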

Now open FileZilla (for instructions on this see: https://stackoverflow.com/questions/16744863/connect-to-amazon-ec2-file-directory-using-filezilla-and-sftp). File -> Site Manager -> General then choose Protocol: SFTP, Host: (use IPv4 Public IP), Port 22, Logon Type: Normal, User: Admin, Password: (leave blank), OK. When you connect your pem file will be used for authentication. Read the Stackoverflow link!! So, now we can use FileZilla to upload files to our /var/www/html/test/ directory. If we put an index.html (or index.php even though the PHP code presumably won't get executed) in that directory and navigate to our IPv4 Public IP address with '/test/' appended to it (eg. 18.132.248.34/test) we will see the rendered page in the browser.

I think the last paragraph is wrong!! We should have created: /var/www/test/. I will do this with /var/www/your_domain/. OK, I have done most of the last para again but with 'your_domain' and now there is an index.php file in it and it is admin:admin.

In order to configure Apache to serve this index.php file we create a .conf file in the sites-available directory: sudo vim /etc/apache2/sites-available/your_domain.conf. Into that we put:



    <VirtualHost *:80>
        ServerAdmin admin@your_email_domain
        ServerName your_domain
        ServerAlias www.your_domain
        DocumentRoot /var/www/your_domain
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

Now enable that file with: sudo a2ensite your_domain.conf. To disable the default we run sudo a2dissite 000-default.conf. Test for config errors: sudo apache2ctl configtest. To implement the changes: sudo systemctl reload apache2. Now we could browse to http://your_domain. Except we don't own that domain and have our server configured to use it (how do you do that?).

Now we can't see the index files in /var/www/html. Presumably because of the command: sudo a2dissite 000-default.conf. So I ran sudo a2ensite 000-default.conf and reloaded Apache and now we can see our test page and the Apache2 Debian Default Page at their respective URLs. Enough wading through treacle for now!

Apache Modules

The command apache2ctl -M shows which modules are enabled. Suppose we make a simple web page in a .php file with a block of PHP code in it such as $x = 'hello'; echo $x . 'world!';. The next paragraph implements those two PHP statements in this file:

helloPHP!

Currently our EC2 Debian Apache server is not set up to handle PHP so it completely ignores the PHP code shown above (unlike the server with this web page on it). This is not surprising as when we showed the enabled Apache modules no PHP module was present.

Now we run sudo apt install php libapache2-mod-php. In this case I did not restart Apache and on refreshing the test web page I could see that the PHP was being processed ie. helloPHP! appeared on the page.

I added a file with phpinfo(); in it. This shows a lot of information about the PHP version and its configuration that you have installed.

Update PHP

The phpinfo() script showed that I have PHP 7.3.31-1~deb10u1 installed. I can see this also by running php -v. This is outdated. First of all Debian 10 is not the latest LTS and secondly Linux distributions include outdated versions of PHP (and most software) in the repositories they ship with. If you trust another individual or organization's repository or Personal Package Archive then you can use that. We will use Ondřej Surý's PPA at https://launchpad.net/~ondrej/+archive/ubuntu/php

Using instructions on that page we run: sudo add-apt-repository ppa:ondrej/php. This came up with command not found so I first had to run sudo apt-get install software-properties-common followed by sudo apt-get update and then the add-apt-repository command. Then run: sudo apt update again.
