Here are some useful tips for developers handling AWS servers on a regular basis.
Frequently used commands
$ sudo nano /etc/httpd/conf.d/vhost.conf # Edit vhosts file
$ sudo nano /etc/httpd/conf/httpd.conf # Edit httpd file $ sudo nano /etc/php.ini # Edit PHP config
$ sudo service httpd restart # Restart Apache
$ sudo cp -R /var/www/html/* /var/www/vhosts/staging # Copy all from one dir to another
# to delete everything within a directory but not the directory itself (including inner sub-directories)
$ sudo rm -rf /var/www/html/*
# the command leaves a .htaccess file behind if there is one there
$ sudo rm -rf /var/www/html/.htaccess $ sudo rm -rf /var/www/vhosts/staging/* $ sudo rm -rf /var/www/vhosts/staging/.htaccess
# zip a directory and everything in it
$ sudo zip -r html.zip /var/www/html/*
How to setup an SSL cert on an EC2 instance
$ sudo su root
$ yum install python27-devel git
$ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ /opt/letsencrypt/letsencrypt-auto --debug
----
#if using an AMI where letsencrypt is already installed you may come across zope.interface issue in which case run these commands
$ rm -rf ~/.local/share/letsencrypt
$ rm -rf /opt/eff.org/certbot/
$ unset PYTHON_INSTALL_LAYOUT;
$ rm -rf /root/.local/share/letsencrypt/;
-----
$ echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
$ echo "email = example@example.com" >> /etc/letsencrypt/config.ini
# the following commands are assuming you have a UAT/Staging version of your site which you want to run over HTTPS also
$ /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/vhosts/staging -d uat.example.com --config /etc/letsencrypt/config.ini --agree-tos
$ /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/vhosts/staging -d www.uat.example.com --config /etc/letsencrypt/config.ini --agree-tos
$ /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html -d example.com --config /etc/letsencrypt/config.ini --agree-tos
$ /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html -d www.example.com --config /etc/letsencrypt/config.ini --agree-tos
$ rmdir /var/www/vhosts/staging/.well-known
$ rmdir /var/www/html/.well-known
# Your certs should now be validated, so here is the VirtualHost settings for your vhosts.conf file
# Listen 443
<VirtualHost *:443>
ServerName uat.example.com
DocumentRoot "/var/www/vhosts/staging"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/uat.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/uat.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/uat.example.com/chain.pem
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
<Directory /var/www/vhosts/staging>
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
DocumentRoot "/var/www/html"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
<Directory /var/www/html>
AllowOverride All
</Directory>
</VirtualHost>
# www alternative on live
<VirtualHost *:443>
ServerName www.example.com
DocumentRoot "/var/www/html"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
<Directory /var/www/html>
AllowOverride All
</Directory>
</VirtualHost>
#restart apache and your site should be running over HTTPS. However, if your vhosts file throws up and error related to un-named VirtualHosts, go to your httpd.conf file and un-comment out: NameVirtualHost *:80 and NameVirtualHost *:443 (you may have to add 443). To find the line in nano use CTL + w
# To renew, run this command
$ /opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos
# if you are using an instance from an AMI you may have previous certs on this instance which need to be removed for renewals
rm -rf /etc/letsencrypt/live/remove.com
rm /etc/letsencrypt/renewal/remove.com.conf
Crontab settings for backups (pushed to S3)
$ crontab -e (not sudo)
# press i to INSERT onto crontab
30 4 * * * aws s3 sync /var/www/backup/ s3://example-backup/
0 2 * * * mysqldump -hyour-host-name --port=3306 -uroot -pyour-password --databases example > /var/www/backup/daily/daily_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
45 1 * * * zip -r /var/www/backup/daily/html.zip /var/www/html
10 3 * * * find /var/www/backup/daily* -mtime +2 -exec rm {} \;
1 2 * * 0 mysqldump -hyour-host-name --port=3306 -uroot -pyour-password --databases example > /var/www/backup/weekly/weekly_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
1 2 * * 0 zip -r /var/www/backup/weekly/html.zip /var/www/html
1 3 * * 0 find /var/www/backup/weekly* -mtime +8 -exec rm {} \;
0 1 1 * * mysqldump -hyour-host-name --port=3306 -uroot -pyour-password --databases example> /var/www/backup/monthly/monthly_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
0 1 1 * * zip -r /var/www/backup/monthly/html.zip /var/www/html
0 2 1 * * find /var/www/backup/montly* -mtime +32 -exec rm {} \;
30 5 1 * * /opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos
#run a few days before your SSL registration date each month to be sure its covered
ESC - :wq to save
Steps in launching EC2 from AMI
- Select AMI and Launch
- Select IAM Role (or create new)
#!/bin/bash
service httpd start
chkconfig httpd on
- Select Security Group (or create new)
- Select Key Pair (or create new)
# If new Convert key to PPK
- Connect to Workbench
# distinct user for each DB - never use root
- 3rd party App to schedule backups
Upgrade to PHP7 - EC2 instance (from 5.6, 7.0, 7.1)
# Remove current php & apache - removed guide $ so you can copy and paste commands directly into CLI
sudo service httpd stop
sudo yum remove httpd* php*
# Remove any third party repos that aren't relevant
sudo yum repolist
sudo yum remove remi-safe
# Install Apache24 for Amazon AMI
sudo yum install httpd24
# Download webtatic
mkdir -p /tmp/php7
cd /tmp/php7
wget https://mirror.webtatic.com/yum/el6/latest.rpm
# Install webtatic repo
sudo yum install latest.rpm
sudo vi /etc/yum.repos.d/webtatic.repo - set repo to enabled
sudo yum clean all
# Install php7
sudo yum install --enablerepo=webtatic php72
php -v # outputs build data
sudo yum install php72-opcache php72-xml php72-pdo php72-mysqlnd php72-gd php72-pecl-apcu php72-mbstring php72-imap php72-mcrypt sudo php72-intl
sudo yum install mod24_ssl
# these edits are needed on your php.ini file, values are for demo purposes
post_max_size 25M
upload_max_filesize 10M
max_execution_time 180
max_input_time 180
memory_limit = 25M
short_open_tag = On