EC2 Deployment for DevLeague
{username} = your username
{ip} = your EC2 ip address
{repo} = your repo address
{email} = your email
Go to https://aws.amazon.com/
Sign up for an account
Create new EC2 instance
Expose port 80 in the security group rules
ssh ubuntu@{ip}
Enter yes to prompt
sudo adduser {username}
and follow prompts
sudo mkdir /home/{username}/.ssh
cd /home/{username}/.ssh
sudo touch authorized_keys
sudo vim authorized_keys
Paste your .ssh/id_rsa.pub key from your laptop into this file
:wq
to leave vim
cd ..
to leave .ssh folder
sudo chown -R {username}:{username} .ssh
exit
ssh {username}@{ip}
exit
ssh root@{ip}
// Get back in as root
sudo usermod -aG sudo {username}
su - {username}
// switch to new account
sudo ls -lah /root
// smoke test sudo capabilities
exit
exit
ssh {username}@{ip}
INSTALL N (https://github.com/creationix/nvm)
sudo apt update
sudo apt install npm
sudo npm install -g n
sudo n latest
node --version
sudo apt install redis-server
redis-cli
// smoke test redis
sudo apt install nginx
nginx -v
// smoke test nginx
sudo apt install postgresql
sudo apt install postgresql-contrib
sudo -u postgres createuser --interactive
createdb {username}
psql
ssh-keygen -t rsa -b 4096 -C "{email}"
// just stick with defaults
cat /home/{username}/.ssh/id_rsa.pub
// smoke test new key
Go to github.com
Go to your repo
Click on Settings -> Deploy Keys -> Add Deploy Key
Give this deploy key a name (should relate to the server)
Copy paste the id_rsa.pub from above into the field
Make sure ‘Write Access’ is unchecked
Click Add
cd /home/{username}
mkdir projects
cd projects
git clone {repo}
Configure the config file and db database and tables as needed
Running nodemon server.js
should bring up a working server on port X
Still won’t be able to hit the server until nginx is running smoothly
cd /etc/nginx/sites-available
sudo touch {name}
sudo vi {name}
Paste in this:
server {
    listen 80;
    server_name {ip};
    client_max_body_size 100m;
    client_body_timeout 120s; # Default is 60, May need to be increased for very large uploads
    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
sudo cp {name} ../sites-enabled/
sudo nginx -t
// smoke test the new config file we made
sudo service nginx reload
Smoke test by going to your {ip}
npm install -g pm2
// this installs pm2 as a global
pm2 start server.js --name {appName}
pm2 list
// to list running processes
Update your nginx config to handle that new domain
Test your nginx file
Smoke test the new domain
sudo ufw deny 5432
sudo ufw deny 3000
sudo ufw deny 8080
sudo ufw enable
sudo ufw allow 80
sudo ufw allow 443
Edit /etc/ssh/sshd_config and set:
Port 2222
PermitRootLogin no
PasswordAuthentication no
UsePAM no
sudo ufw allow 2222
sudo ufw deny 22
sudo service sshd restart
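Added example (not part of the original guide): a check worth running before the sshd restart above, confirming that the four settings are the ones sshd will actually use, since sshd keeps the first value it reads for each keyword and a commented-out or duplicate line silently changes the result. The function names are made up for this example, and it assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against the guide's settings.
# sshd keywords are case-insensitive and the FIRST occurrence wins.

# effective_value FILE KEYWORD -> prints the first global value set for KEYWORD
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }              # commented-out lines do not count
        tolower($1) == "match" { exit }        # settings after Match are conditional
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> one line per setting; return status = number of failures
audit_sshd_config() {
    file=$1
    failures=0
    for want in Port=2222 PermitRootLogin=no PasswordAuthentication=no UsePAM=no; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(effective_value "$file" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key is '${actual:-unset, default applies}', expected '$expected'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone use: audit the file given as $1, otherwise a constructed sample.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
else
    sample=$(mktemp)
    # constructed sample, not taken from a real server
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'UsePAM no' >"$sample"
    audit_sshd_config "$sample"
    rm -f "$sample"
fi
```

Ubuntu's sshd_config can pull in other files with Include, so for the effective values save the output of sudo sshd -T to a file and audit that file instead.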
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
Edit your ~/.ssh/config file to add this:
Host {domain}
Port 2222
User {username}
ForwardAgent yes
IdentityFile ~/.ssh/id_rsa
- Add user to posters db that isn’t based on system user