Install PHP56-FPM, Nginx, MySQL on EC2 with Amazon Linux AMI and SSL with letsencrypt
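#!/usr/bin/env bash
# Provision nginx + PHP 5.6 FPM + MySQL on an Amazon Linux AMI EC2 host and add
# a Let's Encrypt certificate. Run as root on a fresh instance; the interactive
# steps (editors, mysql_secure_installation, the MySQL root password prompt)
# stay interactive. Companion snippets (www.conf, le-renew-webroot.ini, the
# nginx vhost) are shown further down the page.
#
# Required environment:
#   DOMAIN   - the site's domain (nginx vhost name and certificate subject)
#   DB_NAME  - application database to create
#   DB_USER  - application MySQL account to create
#   DB_PASS  - its password, supplied via the environment rather than argv so it
#              does not land in shell history / `ps`; must not contain a single
#              quote (it is interpolated into a quoted SQL literal below).
set -euo pipefail

: "${DOMAIN:?set DOMAIN to your website domain}"
: "${DB_NAME:?set DB_NAME to the application database name}"
: "${DB_USER:?set DB_USER to the application MySQL user}"
: "${DB_PASS:?set DB_PASS to the application MySQL password}"

# Unprivileged account that nginx and the php-fpm pool run as (see www.conf below).
adduser nginx

# Install linux update, followed by GCC and Make
sudo yum -y update
sudo yum install -y gcc make

# Install Nginx and PHP-FPM
sudo yum install -y nginx php56-fpm

# Install PHP extensions
sudo yum install -y php56-devel php56-pdo \
  php56-pear php56-mbstring php56-cli php56-odbc \
  php56-imap php56-gd php56-xml php56-soap

# Install PHP-APC
sudo yum install -y php56-pecl-apc

# Install MySQL
sudo yum -y install php56-mysqlnd
sudo yum -y install mysql-server mysql

# Configure NGINX
cd /etc
mv nginx nginx.orig

# Get our boilerplate NGINX configuration.
# The archive comes from a third-party host over plain HTTP and is unpacked
# straight into /etc as root, so pin its checksum (obtain the value out of band
# from whoever publishes the archive; prefer an https:// URL if the host offers
# one) and look at the file list before extracting anything.
NGINX_TARBALL_SHA256='<sha256-of-nginx.tar.gz-from-trusted-source>'   # placeholder: fill in before running
wget http://widgilabs.com/static/nginx.tar.gz
printf '%s  nginx.tar.gz\n' "$NGINX_TARBALL_SHA256" | sha256sum -c -
tar -tzf nginx.tar.gz            # review the paths that will be written under /etc
tar -zxvpf nginx.tar.gz

# Edit your domain nginx config (see also nginx-your-domain-config below).
# Absolute paths throughout: the original `cd ../sites-enabled` ran relative to
# /etc and would have pointed at /sites-enabled.
nano "/etc/nginx/sites-available/${DOMAIN}"
cd /etc/nginx/sites-enabled
ln -s "../sites-available/${DOMAIN}" .

# Configure php-fpm (see www.conf below)
vim /etc/php-fpm-5.6.d/www.conf

# Create paths
mkdir -p /srv/www
mkdir -p /usr/share/nginx/logs/

# Start nginx and php-fpm
/etc/init.d/nginx start
/etc/init.d/php-fpm-5.6 start

# Start mysqld
/etc/init.d/mysqld start
/usr/libexec/mysql55/mysql_secure_installation

# Create the application MySQL user, scoped to its own database. The original
# GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION made the web app's account a
# full MySQL administrator, so a compromised site would own every database.
# `-p` still prompts for the root password on the terminal; the SQL is fed on stdin.
mysql -u root -p <<SQL
CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\`;
CREATE USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';
GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'localhost';
FLUSH PRIVILEGES;
SQL

##### Add SSL with letsencrypt
yum -y install git bc
# NOTE: letsencrypt-auto has since been retired upstream; on a current system
# install the certbot package instead and substitute `certbot` for
# ./letsencrypt-auto in the commands below.
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt/

## Using letsencrypt and Obtaining a Certificate
## based on: https://www.mitchcanter.com/lets-encrypt-ssl-amazon-aws/
# Standalone mode binds port 80 itself, hence nginx has to be stopped first.
/etc/init.d/nginx stop
./letsencrypt-auto certonly --standalone --debug -d "${DOMAIN}"

## Setting up Nginx with SSL (see below nginx-your-domain-config-with-ssl)
nano "/etc/nginx/sites-available/${DOMAIN}"
# nginx was stopped for the standalone challenge and the original never started
# it again; the webroot renewal below needs nginx serving /.well-known, and
# `service nginx reload` on a stopped daemon fails.
/etc/init.d/nginx start

## Post-Setup for WordPress
# Edit your wp-config.php file and add these variables:
#   define('WP_HOME','https://yourdomain.com');
#   define('WP_SITEURL','https://yourdomain.com');

## Auto-Renewals of SSL Certificates
sudo nano "/etc/nginx/sites-enabled/${DOMAIN}"
# In the "server" block, add the following. `^~` is a prefix match, so a later
# regex location cannot capture the challenge path (the original `~ /.well-known`
# was a regex whose unescaped `.` matched any character):
#   location ^~ /.well-known/acme-challenge/ {
#       allow all;
#   }
cd /opt/letsencrypt
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/srv/www -d "${DOMAIN}"
sudo service nginx reload

# Now let's create a cron job to automate this process.
sudo cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
sudo nano /usr/local/etc/le-renew-webroot.ini

# Test the config (absolute path; the original `cd opt/letsencrypt` was relative
# and only worked from /).
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini

# Set up cron job. The helper is fetched from a gist whose URL pins a specific
# revision, but it will run unattended as root from cron, so read it before
# making it executable. `-f` stops an HTTP error page being saved as the script.
sudo curl -fL -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
sudo less /usr/local/sbin/le-renew-webroot   # review the downloaded script
sudo chmod +x /usr/local/sbin/le-renew-webroot

# Test this script before we set up the cron
/usr/local/sbin/le-renew-webroot

# Install the weekly renewal job (Mondays 02:30) without opening an editor;
# skipped when an identical entry is already present so re-runs do not
# duplicate it.
CRON_LINE='30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log'
if ! (crontab -l 2>/dev/null | grep -qF -- "$CRON_LINE"); then
  (crontab -l 2>/dev/null; printf '%s\n' "$CRON_LINE") | crontab -
fi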
# Lives in /usr/local/etc/le-renew-webroot.ini (copied from examples/cli.ini);
# read by the le-renew-webroot cron helper via --config.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Registered Email (the CA sends expiry and account notices here)
email = [email protected]
# Domain(s) to Secure
domains = yourdomain.com, www.yourdomain.com
# Webroot Authentication and Path
authenticator = webroot
# NOTE(review): the manual renewal command earlier on this page uses
# --webroot-path=/srv/www; this must be the directory nginx actually serves for
# the domain or the /.well-known challenge files will not be reachable - confirm
# which path is the real document root.
webroot-path = /sites/yourdomain.com/htdocs
# configure the max_body_size and max_temp_file_size accordingly to your needs
# Upper bound on a request body (e.g. an upload) nginx will accept; larger
# requests are rejected before they reach PHP-FPM. PHP's own
# upload_max_filesize / post_max_size limits apply separately.
client_max_body_size 20M;
# Upper bound on how much of a PHP-FPM response nginx buffers to a temp file
# on disk when it does not fit in memory.
fastcgi_max_temp_file_size 10M;
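# Excerpt of the vhost in /etc/nginx/sites-available/<your_domain>: only the
# listen/TLS lines are shown; root, location blocks and the closing brace are
# not part of this snippet.
server {
  listen [::]:80;
  listen 80;
  listen 443 ssl; #### this is new
  ##### this is new - change yourdomain.com to <your_domain>
  # fullchain.pem (leaf + intermediates) and privkey.pem are written by
  # letsencrypt; the live/ symlinks follow each renewal, so a `service nginx
  # reload` after renewal picks up the new certificate.
  ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2. Add TLSv1.3
  # once the installed nginx/OpenSSL support it (older builds reject the token).
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';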
# Lives in /etc/php-fpm-5.6.d/www.conf
[...]
# Run the PHP-FPM worker pool as the nginx account created by `adduser nginx`
# at the top of the setup script. Keep this an unprivileged account - the
# workers execute the site's PHP, so they must never run as root.
user = nginx
group = nginx
[...]
sudo root
/usr/local/sbin/le-renew-webroot
/etc/init.d/nginx restart
ou
export PATH=$PATH:/opt/letsencrypt/venv27/bin
./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/srv/www --debug -d eco.pt -d www.eco.pt
openssl x509 -noout -dates -in /etc/letsencrypt/live/eco.pt-0001/cert.pem
what happened in line 27 and 27, which are not consistent
certbot/certbot#2872