Servers 101: Setting up a Web Server part 3 - SSL

in tutorial •  8 years ago  (edited)

You can read the previous part of the series by clicking here.

In the web server series we will configure a web server: we will install Apache, PHP 7.1 and MySQL, set up a Let's Encrypt bot and a bandwidth monitor, set up WordPress and phpMyAdmin, and open the needed ports in UFW.

What we WON'T do is install an FTP server. When the time comes, I will help you configure FileZilla to use your private key (the one we made in the 3rd part of the "Basic Server Security" series), and you will upload anything you want that way.

This series will be split into 3 or 4 parts, as it is large as well. Writing everything in one post is counterproductive for me.


In the previous part we configured our server software (Apache, MySQL, PHP, etc.). In this part we will only install a certificate and make it auto-renew with Let's Encrypt!


Install Let's Encrypt's certbot:

sudo apt-get install python-certbot-apache

Prepare Apache

Before we begin, we must configure a hostname in Apache's default site config. Go ahead and open it:

sudo nano /etc/apache2/sites-available/000-default.conf

Just above ServerAdmin webmaster@localhost, put these lines, changing them to your own domain name:

    ServerName exampledomain.com
    ServerAlias www.exampledomain.com

If you are just hosting a subdomain, for example this.exampledomain.com, and you don't want to add the "www." in front, just skip ServerAlias and you are good to go.

Save, exit and test your config changes:

    sudo apache2ctl configtest

If you get Syntax OK, you are good to go. Otherwise you've got an error; recheck what you typed in!


Generate and install a certificate!

Run this command to start Certbot:

sudo certbot --apache

You will get a numbered list of the domain names certbot found in your Apache config.

Press 1 (or the number corresponding to the domain name you want a certificate for) and then Enter.

First, we need to give an email address for expiry and renewal notifications.

We also need to read the terms and confirm that we agree.

Then we are asked whether we want HTTPS-only access, or whether HTTPS is optional.

I strongly suggest that you choose "Secure" (everything goes over HTTPS) by typing 2 and then Enter.


Autorenewing Let's Encrypt

Let's Encrypt certificates are valid for 90 days. This is done to make sure that all certificates, especially any that were generated maliciously, expire quickly.

To have peace of mind and not renew your certificate manually every 90 days, we will set up certbot to check your certificates twice a week (on my servers this runs every Monday and Thursday).

The renew command is this:

sudo certbot renew

If you run it, the check runs immediately, and any certificate that is near its expiration date (that is, less than 30 days away) is renewed.

To automate it, we will use crontab! crontab means "cron table". A table is a table (duh!), and cron is a job scheduler in Linux and other Unix-like operating systems. Do this as root, since certbot renew needs root privileges to read /etc/letsencrypt and reload Apache (the prompt below shows you are editing root's crontab). To start the editor, type

crontab -e

If it is the first time you run crontab, you will get this prompt:

no crontab for root - using an empty one

Select an editor. To change later, run 'select-editor'.

  1. /bin/ed
  2. /bin/nano <---- easiest
  3. /usr/bin/vim.basic
  4. /usr/bin/vim.tiny

Choose 1-4 [2]:

Choose nano (type 2 and press Enter), unless you prefer one of the other editors in the list.

A cron job line has this syntax:

Minute Hour DayOfMonth Month DayOfWeek Command To Execute

An asterisk in a field means "every value of this field". For example, this:

* 1 * * * ls /var/www

will list the contents of /var/www every minute during the 1 o'clock hour (01:00 to 01:59), every day.

So, I want to run the renew command every Monday (day 1) and every Thursday (day 4) at 03:35:

35 3 * * 1,4 /usr/bin/certbot renew >> /var/log/le-renew.log

Put this line in the crontab in nano (change the minutes/hours/days if you want to) and save it. When the time comes, the check will happen. Note that >> captures only certbot's standard output; append 2>&1 after the redirect if you also want error messages in the file. You can review the log file every now and then to make sure everything went fine by typing

sudo nano /var/log/le-renew.log
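To check what a cron line will actually do before it goes into root's crontab, here is a small matcher for the five time fields described above. It is an added example, not code from the original post; it handles the field forms cron itself accepts ("*", a single number, a comma list and an a-b range), and all function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): test a crontab line against a
# given moment to see whether its schedule fires. Field forms supported:
# "*", a single number, a comma list (1,4) and a range (1-7).

# field_matches FIELD VALUE -> exit 0 when the cron field covers VALUE
field_matches() {
    cf_field=$1
    cf_value=$2
    [ "$cf_field" = "*" ] && return 0
    cf_ifs=$IFS
    IFS=,
    set -f
    set -- $cf_field          # split the comma list into $1, $2, ...
    set +f
    IFS=$cf_ifs
    for cf_item in "$@"; do
        case $cf_item in
            *-*)                  # a range such as 1-7
                [ "$cf_value" -ge "${cf_item%-*}" ] &&
                    [ "$cf_value" -le "${cf_item#*-}" ] && return 0
                ;;
            *)                    # a single number
                [ "$cf_value" -eq "$cf_item" ] && return 0
                ;;
        esac
    done
    return 1
}

# cron_fires "CRONTAB LINE" MINUTE HOUR DAYOFMONTH MONTH DAYOFWEEK
# -> exit 0 when the line's schedule fires at that moment (dow: 0=Sunday..6=Saturday)
cron_fires() {
    cr_line=$1
    cr_min=$2; cr_hour=$3; cr_dom=$4; cr_mon=$5; cr_dow=$6
    set -f
    set -- $cr_line           # $1..$5 are the schedule; the command after them is ignored
    set +f
    field_matches "$1" "$cr_min" && field_matches "$2" "$cr_hour" &&
        field_matches "$3" "$cr_dom" && field_matches "$4" "$cr_mon" &&
        field_matches "$5" "$cr_dow"
}

# Constructed moments checked against the two lines from the post.
report() {
    if cron_fires "$1" "$2" "$3" "$4" "$5" "$6"; then cr_state=fires; else cr_state=silent; fi
    echo "$cr_state: [$1] at minute=$2 hour=$3 dom=$4 month=$5 dow=$6"
}
report "35 3 * * 1,4 /usr/bin/certbot renew >> /var/log/le-renew.log" 35 3 12 6 1  # Monday 03:35
report "35 3 * * 1,4 /usr/bin/certbot renew >> /var/log/le-renew.log" 35 3 13 6 2  # Tuesday 03:35
report "* 1 * * * ls /var/www" 17 1 1 1 0   # 01:17 on a Sunday
```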

That's it for now! What we have left to do is make Apache use multiple virtual hosts and create a password-protected directory where vnstati will generate some graphs so we can monitor our bandwidth usage easily.

Thank you for reading. If you liked my small tutorial, or have any questions, feel free to leave a comment.

  • Main image courtesy of Neurobin

The next part, and finale, of the Web server series is now available. Click here.

If you need a place to host your servers consider Vultr, Digital Ocean and BuyVM.

These are affiliate links. If you sign up through them, you support me and I will have more free time to write more content like this.

Also, if you sign up for Digital Ocean through my affiliate link, you will get $10 to try them out. Note: to combat abusers of this offer, you'll have to make a $5 deposit via PayPal or add your credit/debit card so they can confirm that you are a new user. I made a deposit via PayPal to test them out, and then added my credit card so I won't have to deposit money manually every now and then.


Also, I am running a witness server. Please consider voting for me as a witness.

You can read my witness declaration here


I honestly know little about servers. What would be some of the benefits of setting up your own encrypted server? How easy is it to monetize an encrypted server?

Setting up your own server (encrypted or not) helps your site or your application to be as far away as possible from "noisy neighbors" (sites that have a huge amount of traffic or use a huge amount of the server's CPU). Your site will have a great boost in speed (especially if you use a provider with great uplinks and a powerful server).

Also, if you are on a shared hosting account, the provider hasn't secured the server enough, and one of the other sites becomes a target, your site would go down as well in case of a nullroute (fancy term for "suspending your server's internet connection forever or until the attack has passed").

Also, if you know what you are doing, and you manage yourself, you can actually bring costs down, by hosting all your apps and sites in one server (if the server can hold all of them of course!)

As for monetisation, that's an irrelevant question, unless you plan to start a web hosting service. If this is not something you would think to do, monetisation has to do with the content or apps you will host.

Thank you for your comment, and sorry for the long reply! Things got out of hand while writing this! :)

Do you have any tutorial on setting up DNS? Because running certbot --apache obviously will not work otherwise.

some might find this website useful for installing certbot: https://certbot.eff.org/#ubuntuxenial-apache

apparently you need to setup the DNS A records for your domains, so that the sites obviously don't timeout upon request, before you can get certificates for them

This is done from your domain registrar. There are thousands of domain registrars and managers, so I can't help you there. If you tell me where you registered your domain, I could look it up.

  ·  8 years ago (edited)

GoDaddy is the registrar of the domain I'm using to test this.

I've already set the A record on there to my public IP address. However, it doesn't seem to be directing queries to the test website I have on my server.

Notably, I set up a DHCP reservation for my PC's internal IP, and also set up dynamic DNS for my router via noip.com since my router is assigning internal IPs dynamically and my ISP is, I believe, assigning dynamic IPs externally. So one of my questions is: I should be using the dynamic DNS address (i.e. myhostname.ddns.net), right?

Don't I need to change the name server addresses on GoDaddy too?

I don't know why it's not redirecting to my website :/

I'm having trouble keeping up with your comments scattered all around my posts. Let's continue the whole discussion here. If you are trying to set up a server on your home connection, your provider might have port 80 blocked.

If you are trying to access port 80 from within your network using your public IP (= your domain), it may not work, as some routers do not do this. Try to access your server via the domain from a different network (for example, a neighbour's WiFi, or mobile data).

Edit: and if you have a dynamic IP and a subdomain that gets updated, then you should set up a CName from your domain to the DNS subdomain that gets updated with your dynamic IP.

  ·  8 years ago (edited)

Alright, sounds good. I'll respond to your other comment here too.

Yes, my ISP, I believe, blocks port 80. Every online check failed to connect with port 80 even though I manually set port 80 on my router settings to accept incoming traffic and port forwarded it. However, the online checks seem to indicate that they do not block port 443.

Ahhhh, maybe that's it. I'll try accessing the website on my other computer with the VPN running.

I'm not exactly sure what I'd stick in the CName or if this would even work, since doesn't the CName point to the A Record? I believe I do have a dynamic IP, but what I've done is set up a Dynamic DNS host via NOIP.com so that the domain falez.ddns.net will always be mapped to my router's public IP address, no matter what that address becomes. However, with GoDaddy I cannot use falez.ddns.net as the A Record; I have to use an actual IP address, which means once my router's public IP is updated, I'll have to manually adjust the A Record. I don't imagine my router's public IP is updated often, but I'm not sure. I have the same public IP today that was assigned yesterday, so...

It didn't work with a VPN and what not because I'm assuming the request gets redirected to the server before ever leaving my LAN?

I just tried accessing it from another network and it works. Whoop whoop!! Fucking stoked. First ever server that I've set up. Thanks a million billion, amigo.

Do you have any tutorials on setting up your own DNS and name servers?? Or do you know of any up-to-date, decent tutorials about that on the web?

I see you had success, so I'll just leave these replies in case anyone with the same problems as you enters my post!

If your ISP blocks port 80, you won't be able to host a webserver. You may be able to host a secure webserver (https) if they don't block port 443.

You have to create a CName record instead of an A record for your www.domainnamehere.com that points to falez.ddns.net. The problem is that you won't be able to use the non-www domain (domainnamehere.com won't work). If you don't, the next time you change IP, your site won't be available.

Also, some providers may take up to 48 hours to update DNS records.

If you connect to a VPN, you may encounter problems. Connect to a different network altogether (saw you did that), and clear your dns cache!

You won't be able to setup a DNS server on your network, as most, if not all, ISPs block incoming connections to port 53 that is being used for DNS lookups.

It's in my plans to write a tutorial to setup your own DNS server, I'm just looking for a nice interface to include for not so tech-savvy people.

Doesn't the CName point or resolve to the A Record? The A Records on GoDaddy can only be actual IP addresses. You cannot use domains like falez.ddns.net as the A Record, and therefore I'm not sure how I would point CNames to that domain?

The last question I have is: if one's ISP blocks ports 80, 443, and/or even 53, can't one simply use different ports to host a server or DNS server?

The CName is a totally different record to the A record.

In a very simplified explanation, when you create a CName for asd.domain.com and point it to asd.domain2.com which in turn is an A record for 127.0.0.1, you are basically telling the asd.domain.com to resolve to 127.0.0.1. If at any point you change the A record of asd.domain2.com to 192.168.0.1, then asd.domain.com will also resolve to this IP.

So in your case, with a dynamic IP, this is the way to use your domain with your home connection.

To my knowledge, services like DNS can't be used on different ports.

However, Web servers, FTP servers, SSH, and various other protocols, can be used at any port you want.

Thanks for the great tutorial! I specifically needed the auto renew command for my Google hosted server setup. Do you recommend configuring HSTS for my SSL websites?

If you have data that you can't afford to leak, then yes. Make sure you sign up your website on HSTS Preload Lists in this case, for an extra layer of data security!

Thanks for the input. Now I just need to figure out how to get alerts on Steemit so I can respond to people in a timely manner.