These are my notes for provisioning a LAMP server in the Amazon Web Services (AWS) GovCloud region using Amazon’s Linux AMI. I had to set up a LAMP server and secure it with HTTPS. These notes outline my installation process during the week of 12 March 2018.
My goal for this document is to list the various reference points where you can find the step-by-step setup instructions for this provisioning task. This post also comments on the obstacles I ran into during the provisioning, and what I needed to do to get past them.
You can find the installation and configuration notes below.
Abbreviations
- VPC-UG: Amazon Virtual Private Cloud User Guide, released 29 November 2017.
- EC2-UG: Amazon Elastic Compute Cloud User Guide for Linux Instances. There are a number of revisions for this user guide. For this project, I used the version that was released on 9 February 2018. This version talks about setting up the LAMP stack and SSL/TLS with the original Amazon Linux AMI. The more recent user guides cover the newer Amazon Linux 2 AMI.
- ROUTE53-DG: Amazon Route 53 Developer Guide, released 5 December 2017.
Requirements:
Need to provision a Linux server with the LAMP stack in AWS GovCloud region. The server will host PHP-based web applications. All HTTP traffic will be re-directed and forced to use HTTPS.
Background and Prerequisite Information
- I needed to sign up for an AWS GovCloud account. The GovCloud account is a separate account from your regular AWS account, with a different account ID. See the web page, https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-sign-up.html, for signing up.
Tools Used
- Web browsers
- AWS Console
- PuTTY
- WinSCP
Configure virtual private cloud (VPC)
When setting up the GovCloud account, AWS created a default VPC for that account. That default VPC had three subnets configured with an Internet gateway attached to each one of them.
For the one and only public-Internet-accessible server I needed, the default VPC would have worked. I did not use the default VPC. Instead, I rolled my own VPC with one public subnet and one private subnet.
If you need more info on Amazon VPC, check out their VPC-UG or many documented instructions available on the net. For training purposes, I personally use the AWS course with Linux Academy. [https://linuxacademy.com/]
Provision an instance with the Amazon Linux AMI and Elastic IP
- Provision a Linux instance with Elastic IP: Because the Amazon Linux 2 AMI is not yet available on GovCloud, I had to use version 1 of the Linux AMI.
- Set up the DNS entry: I had an inactive domain, so I used Route 53 to configure the DNS zone and host entries. Please note that for a server hosted in GovCloud, the Route 53 settings will need to be configured from the non-GovCloud console. In other words, you will not find Route 53 in the GovCloud console. I used the instructions outlined in ROUTE53-DG pages 213-216.
- Install the LAMP Stack: The instructions on pages 41-46 held up well for my installation. I configured Apache for HTTPS in the following section.
- Enable SSL/TLS: Refer to pages 58-72 in EC2-UG. Since I did not have a certificate to use, I opted to obtain a cert with EFF through the Let’s Encrypt program. The certbot instructions described on pages 69-72 worked only partially. Certbot aborted in the middle of the installation and complained about not being able to find a virtual host. Repeated attempts with the certbot -auto option did not work for me. I finally resorted to this blog post [https://nouveauframework.org/blog/installing-letsencrypts-free-ssl-amazon-linux/] as it helped me generate the three cert files I needed. I updated ssl.conf manually and got HTTPS going. At this point, HTTP was not being redirected to HTTPS. A similar inquiry on Stack Exchange pointed me to run the “certbot --apache” command. By doing that, I was able to force the HTTP to HTTPS redirect without needing to hunt down the config file I needed to update. I also configured certbot in crontab to check for auto-renew daily.
- Install phpMyAdmin: Needed to do a few things with PHP config because phpMyAdmin was complaining about the BlowFish secret and configuration storage. This blog post got me through the configuration tasks [https://www.digitalocean.com/community/questions/phpmyadmin-or-alternative-for-php7-nginx-mysql-5-7-ubuntu-16-04].
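To confirm the forced HTTP to HTTPS redirect from the Enable SSL/TLS step, the response headers of a plain-HTTP request can be checked mechanically. The script below is an added example, not part of the original notes or of any AWS or certbot tooling; the host name www.example.com and the sample response are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a plain-HTTP response redirects to HTTPS
# on the expected host. Headers are read from stdin, for instance:
#   curl -sI http://www.example.com/ | check_https_redirect www.example.com
# (www.example.com is a placeholder host name.)

check_https_redirect() {
    expected_host="$1"
    awk -v host="$expected_host" '
        { sub(/\r$/, "") }                          # curl prints CRLF line endings
        NR == 1 { status = $2; next }               # "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { loc = $2 }     # header names are case-insensitive
        END {
            if (status !~ /^30[1278]$/) {
                print "FAIL: status " status " is not a redirect"; exit 1
            }
            if (loc == "") {
                print "FAIL: redirect without a Location header"; exit 1
            }
            # The target must be https://<host> followed by "/" or nothing,
            # so a different host sharing the same prefix is rejected.
            prefix = "https://" host
            rest = substr(loc, length(prefix) + 1)
            if (index(loc, prefix) != 1 || (rest != "" && substr(rest, 1, 1) != "/")) {
                print "FAIL: redirects to " loc; exit 1
            }
            print "OK: " status " -> " loc
        }'
}

# Constructed sample response (not captured from a real server).
printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\nLocation: https://www.example.com/\r\n\r\n' |
    check_https_redirect www.example.com
```

The function exits non-zero on any failure, so it can gate a deployment script or a monitoring check.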
Post-AppGini App Deployment
After deploying the AppGini app, two more things surfaced.
- The GD support in PHP was requested. It was a matter of installing the correct GD version by using the commands “php --version” and “sudo yum install php70-gd” for the PHP 7.0 environment I assembled.
- I also needed to reset the ownership and file permissions for the “images” folder inside my AppGini application. AppGini was complaining about not being able to write into it. I followed the instructions from page 44 of EC2-UG and resolved that.
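After resetting ownership and permissions on a web-writable folder such as “images”, it is worth confirming that the fix did not leave anything world-writable. The audit below is an added example, not code from the notes, EC2-UG or AppGini; it assumes a layout in which content is group-owned by the web server's group and directories carry the setgid bit, and the path and group are parameters you supply.

```shell
#!/bin/sh
# Added example: audit a web content tree after a permissions reset.
# Assumed layout (an assumption, adjust to your server): content is
# group-owned by the web server group and directories have setgid set
# so new uploads inherit that group.
# Usage: audit_webroot /path/to/app apache

audit_webroot() {
    root="$1"; group="$2"
    findings=$(
        # World-writable entries: the usual result of a quick "chmod 777".
        find "$root" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
        # Directories without setgid: files created there keep the creator's group.
        find "$root" -type d ! -perm -2000 -print | sed 's/^/dir without setgid: /'
        # Entries outside the expected group. stderr is merged in on purpose so
        # an unknown group name shows up as a finding, not a silent pass.
        find "$root" ! -type l ! -group "$group" -print 2>&1 | sed 's/^/wrong group: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree (temporary directory, removed at the end).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/images" && touch "$tmp/images/logo.png"
    chmod 2775 "$tmp" "$tmp/images"
    chmod 0664 "$tmp/images/logo.png"
    audit_webroot "$tmp" "$(id -g)" && echo "clean after reset"
    chmod 0777 "$tmp/images"          # the tempting shortcut
    audit_webroot "$tmp" "$(id -g)"   # now reports the images folder
    rm -rf "$tmp"
}
demo
```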
This is what I wrote and could think of so far. If you will be attempting a similar installation, I hope these notes can help in some way. My next project is doing a similar install using Amazon Linux 2 AMI in a non-GovCloud environment. I will be checking out the Linux AMI version 2 instructions in the user guide. I will write down what I run into and share my findings later.