{"id":731,"date":"2022-02-01T22:07:54","date_gmt":"2022-02-02T06:07:54","guid":{"rendered":"https:\/\/cloudinsidr.com\/content\/?p=731"},"modified":"2022-03-21T07:08:02","modified_gmt":"2022-03-21T14:08:02","slug":"a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/","title":{"rendered":"NGINX on AWS EC2: setting up a web server from scratch on a domain of your choice"},"content":{"rendered":"<p>It doesn&#8217;t take rocket science to set up and run a web server in the AWS cloud. Here is a down-to-earth, step-by-step primer for adventurous newbies.<\/p>\n<p><!--more--><\/p>\n<p>Related: <a href=\"https:\/\/www.cloudinsidr.com\/content\/set-mail-server-aws-ec2-using-open-source-software\/\" target=\"_blank\" rel=\"noopener\">How to set up a mail server on AWS EC2 using open source software<\/a>.<\/p>\n<h2>I. Allow your web server to be discoverable<\/h2>\n<h4>Step 1. <strong>Reserve a domain name <\/strong><\/h4>\n<p>Reserve a domain name with a registrar of your choice. AWS Route 53 is one of many options; in fact, any registrar will do. Feel free to shop around for the best deals. (Yes, it is possible to switch the registrar and keep the domain name.)<\/p>\n<h4>Step 2.\u00a0<strong>Create a hosted zone<\/strong><\/h4>\n<p>Create a hosted zone with a DNS service\u00a0of your choice such as AWS Route 53.\u00a0(Don&#8217;t bother looking for a freebie; with DNS services, you get what you pay for). 
See this post for more details: <a href=\"https:\/\/www.cloudinsidr.com\/content\/quick-and-dirty-dns-configuration-using-aws-route-53-or-any-other-service\/\" target=\"_blank\" rel=\"noopener\">A quick guide to DNS configuration using AWS Route 53 (or any other DNS service)<\/a>.<\/p>\n<p>Your DNS service provider will assign you no fewer than two DNS servers. These are the so-called NS records for your domain that you will need in Step 3.<\/p>\n<h4>Step 3. Assign name servers to your domain<\/h4>\n<p>Enter the NS records from your hosted zone with the registrar of your domain as your NS servers of record\u00a0(enter their host names without the dots).<\/p>\n<h4>Step 4. Provision an EC2 instance with the software stack of your choice<\/h4>\n<p>Fire up an EC2 instance and install the web server of your choice. Our recommended <a href=\"https:\/\/www.cloudinsidr.com\/content\/lemp-how-to-set-up-nginx-with-mariadbmysql-and-php-7-x-on-centos-7-rhelfedora\/\" target=\"_blank\" rel=\"noopener\">stack is NGINX<\/a> as the web server, MariaDB as the database server, and php-fpm from #remirepo (see: <a href=\"https:\/\/www.cloudinsidr.com\/content\/lemp-how-to-set-up-nginx-with-mariadbmysql-and-php-7-x-on-centos-7-rhelfedora\/\">How to set up the LEMP stack: Linux, NGINX, MariaDB or MySQL, PHP<\/a>).<\/p>\n<h2>II. Set up your web server for static content delivery<\/h2>\n<h4>Step 5. Create the website root directory<\/h4>\n<p><strong>Create a new website root directory<\/strong> in the web server document root for your domain www.domainname.tld (it&#8217;s good practice to name the directory just that). Now you can populate it with content.<\/p>\n<h4>Step 6. 
Create system users for NGINX and website owners<\/h4>\n<p><a href=\"https:\/\/cloudinsidr.com\/content\/lemp-how-to-set-up-nginx-with-mariadbmysql-and-php-7-x-on-centos-7-rhelfedora\/\" target=\"_blank\" rel=\"noopener\"><strong>Create a Unix user<\/strong><\/a> without shell access\u00a0and add it to the group nginx. To separate individual websites, create\u00a0separate website owners and add them to the group nginx.<\/p>\n<p>For quick reference:<\/p>\n<pre>useradd -md \/var\/www\/www.website.root1.tld -s \/sbin\/nologin websiteowner1\r\nusermod -aG nginx websiteowner1<\/pre>\n<p>Edit the NGINX configuration for each site, for example: www.domainname.tld. For additional flexibility in handling multiple domains, use symlinks to reference active configuration files as described in <a href=\"https:\/\/cloudinsidr.com\/content\/lemp-how-to-set-up-nginx-with-mariadbmysql-and-php-7-x-on-centos-7-rhelfedora\/\" target=\"_blank\" rel=\"noopener\">this post (search for sites-enabled and sites-available)<\/a>.<\/p>\n<p>For quick reference:<\/p>\n<pre>[root@ip-16-0-0-40 sites-enabled]# ln -s \/etc\/nginx\/sites-available\/www.domainname.tld<\/pre>\n<h4>Step 7. Upload your web documents and\/or install a CMS of your choice<\/h4>\n<p>Install a content management system such as WordPress by downloading it directly to your instance, unzipping, and copying the files to the web server document directory. It is recommended to set up remote access via <a href=\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-remote-access-via-sftp-to-a-web-server-root-directory-on-rhelcentosfedora-using-key-pairs\/\" target=\"_blank\" rel=\"noopener\">SFTP to the web server root directory using key pairs<\/a>.<\/p>\n<h4>Step 8. 
Adjust file access permissions<\/h4>\n<p>Adjust file access permissions on the web server root directory.<\/p>\n<p>For quick reference:<\/p>\n<pre class=\"lang:sh decode:true\">find \/var\/path\/to\/web\/directory -type f -exec chmod 640 {} \\;\r\nfind \/var\/path\/to\/web\/directory -type d -exec chmod 750 {} \\;<\/pre>\n<p><a href=\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-how-to-find-the-correct-selinux-security-contexts-and-adjust-selinux-labels-on-your-linux-system\/\" target=\"_blank\" rel=\"noopener\"><strong>Remember to also adjust SELinux permissions<\/strong><\/a> on the web server root directory (also on any newly created configuration files, and anywhere else if applicable).<\/p>\n<p>At this point, you should be able to serve static content.<\/p>\n<h2>III. Set up your web server for web application delivery<\/h2>\n<h4>Step 9. Configure your PHP interpreter<\/h4>\n<p><strong><a href=\"https:\/\/cloudinsidr.com\/content\/lemp-how-to-set-up-nginx-with-mariadbmysql-and-php-7-x-on-centos-7-rhelfedora\/\" target=\"_blank\" rel=\"noopener\">Configure a php-fpm pool<\/a> for your website<\/strong>. Make sure the pool is running as the same Unix user that will own its web server document directory and its contents (you created those users in Step 7 above and are going to grant them file access permissions on the appropriate directories in Step 13 below).<\/p>\n<p>To verify that the PHP interpreter is running correctly, enter:<\/p>\n<pre>systemctl status php70-php-fpm<\/pre>\n<h4>Step 10. Set up connectivity between your web server and your application server\/PHP interpreter<\/h4>\n<p>In order to facilitate communications between the web server and php-fpm you can use either Unix sockets or TCP\/IP sockets (TCP\/IP sockets allow your server to scale more efficiently\u00a0but have somewhat higher performance requirements). 
In either case, make sure that SELinux allows access to the interface you chose; here is how to <a href=\"https:\/\/cloudinsidr.com\/content\/troubleshooting-php-7-tcp-sockets-with-selinux-on-centos-7-rhelfedora\/\" target=\"_blank\" rel=\"noopener\">allow access via TCP\/IP sockets in SELinux<\/a>.<\/p>\n<p>Here is an example configuration file for NGINX running a PHP application such as WordPress in a sub-directory and using TCP\/IP sockets on the default port 9000:<\/p>\n<pre>server {\r\n listen 80;\r\n server_name www.domainname.tld domainname.tld;\r\n\r\n # define the location of the web server document directory for this website\r\n root \/var\/www\/www.domainname.tld;\r\n # define the order in which files will be served\r\n index index.php index.html index.htm;\r\n\r\n # for WordPress: include restrictions (please refer to the WordPress codex for details)\r\n include global\/restrictions.conf;\r\n\r\n\r\n # when the web application sits in a subdirectory named blog:\r\n location \/blog {\r\n # serve existing files and directories as they are; hand everything else\r\n # to the front controller of the application in \/blog\r\n try_files $uri $uri\/ \/blog\/index.php?q=$request_uri;\r\n }\r\n\r\n # redirecting traffic from the host name to the subdirectory blog\r\n location \/ {\r\n # a prefix location has no regex capture, so $1 would be empty here;\r\n # return ends request processing, so no try_files is needed after it\r\n return 301 \/blog\/;\r\n }\r\n\r\n\r\n # pass PHP scripts to a FastCGI server listening on 127.0.0.1:9000\r\n location ~ \\.php$ {\r\n # only hand scripts that exist on disk to the PHP interpreter\r\n try_files $uri =404;\r\n root \/var\/www\/www.domainname.tld;\r\n fastcgi_pass 127.0.0.1:9000;\r\n # pass PHP scripts to a Unix socket instead of a TCP connection\r\n # fastcgi_pass unix:\/var\/run\/php-fpm.sockets\/www.domainname.tld.sock;\r\n fastcgi_index index.php;\r\n fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\r\n include \/etc\/nginx\/fastcgi_params;\r\n }\r\n\r\n # for WordPress: include global configuration 
(please refer to the WordPress Codex for details)\r\n include global\/wordpress.conf;\r\n}<\/pre>\n<h4>Step 11. Adjust the settings of your security management system<\/h4>\n<p>Adjust SELinux labels on newly created configuration files using:<\/p>\n<pre>[root@ip-16-0-0-40 sites-available]# chcon -R -v system_u:object_r:httpd_config_t:s0 www.domainname.tld<\/pre>\n<p>Then restart NGINX and php-fpm to apply configuration changes.<\/p>\n<h2>IV. Set up a database<\/h2>\n<h4>Step 12. Create a database<\/h4>\n<p><strong>Create a database<\/strong> for your web application <strong>and a database user<\/strong> with limited permissions that is allowed\u00a0access to it.<\/p>\n<p>Quick reference:<\/p>\n<pre>mysql -u root -p\r\nCREATE USER 'DBuser'@'localhost';\r\nselect * from mysql.user;\r\ncreate database content_DB;\r\nGRANT ALL PRIVILEGES ON content_DB.* TO DBuser@localhost IDENTIFIED BY 'thisuserspassword';<\/pre>\n<pre>As soon as you create a user account, you have to IMMEDIATELY grant all privileges to root:\r\n GRANT ALL PRIVILEGES ON *.* TO root@'::1' IDENTIFIED BY 'rootuserspassword' WITH GRANT OPTION;\r\n SET PASSWORD FOR 'root'@'::1' = PASSWORD('rootuserspassword');<\/pre>\n<pre>SHOW GRANTS FOR 'root'@'localhost';\r\nSHOW GRANTS FOR 'DBuser'@'localhost';<\/pre>\n<pre>flush privileges;<\/pre>\n<h4>Step 13. Set up database connectivity in your CMS<\/h4>\n<p>To make sure that your CMS knows how to access the database, you need to configure it with the appropriate database access credentials.<strong>\u00a0For WordPress, you simply enter the SQL connection parameters<\/strong> into the wp-config.php configuration file of your WordPress installation.<\/p>\n<h2>V. Security hardening<\/h2>\n<h4>Step 14. 
Adjust your AWS security group<\/h4>\n<p>Adjust the settings of the\u00a0AWS Security Group that is assigned to your instance by\u00a0opening ports for NGINX (typically port 80 for HTTP and 443 for HTTPS in both HTTP\/1.1 and\u00a0HTTP\/2).<\/p>\n<h4>Step 15. Complete the WordPress set-up<\/h4>\n<p><strong>Complete the installation<\/strong> of WordPress by visiting the website in your web browser.<\/p>\n<p>Follow the onscreen instructions in order to create a WordPress administrator. This user will sign in in step 15.<\/p>\n<h4>Step 16. Polish your WordPress to perfection<\/h4>\n<p>Sign in to WordPress with the user credentials of the WordPress administrator. Install themes, plug-ins and other extensions to your heart&#8217;s content. In some cases, you may need to perform uploads outside of WordPress;\u00a0Windows users can deploy FileZilla for convenient SFTP transfer of files between the local computer and your\u00a0EC2 instance.<\/p>\n<p>Back up your server instance.<\/p>\n<p>Now is the time for some advanced <a href=\"https:\/\/www.cloudinsidr.com\/content\/secure-your-web-server-against-attacks-via-xsrfcsrfxfs-how-to-design-a-content-security-policy\/\" target=\"_blank\" rel=\"noopener\">security hardening of your web content<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It doesn&#8217;t take rocket science to set up and run a web server in the AWS cloud. 
Here is a down-to-earth, step-by-step primer for adventurous newbies.<\/p>\n","protected":false},"author":101011,"featured_media":76,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[17,109,6],"tags":[58,28,7,21,59,100],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>NGINX on AWS EC2: setting up a web server from scratch on a domain of your choice - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NGINX on AWS EC2: setting up a web server from scratch on a domain of your choice - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"It doesn&#8217;t take rocket science to set up and run a web server in the AWS cloud. 
Here is a down-to-earth, step-by-step primer for adventurous newbies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2022-02-02T06:07:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-03-21T14:08:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"326\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\",\"width\":900,\"height\":326,\"caption\":\"cloudinsidr.com logo (900px 
wide)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/\",\"name\":\"NGINX on AWS EC2: setting up a web server from scratch on a domain of your choice - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/#primaryimage\"},\"datePublished\":\"2022-02-02T06:07:54+00:00\",\"dateModified\":\"2022-03-21T14:08:02+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/21ce63bea726ea64da1beed97e63ba84\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/a-web-server-in-the-aws-cloud-how-to-set-up-a-website-from-scratch-on-a-domain-of-your-choice\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/21ce63bea726ea64da1beed97e63ba84\",\"name\":\"Anna E Kobylinska\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7a3e9bd152f9d5cd41bf2b92df649857?s=96&d=mm&r=g\",\"caption\":\"Anna E Kobylinska\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/731"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/101011"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=731"}],"version-history":[{"count":31,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/731\/revisions"}],"predecessor-version":[{"id":2828,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/731\/revisions\/2828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/76"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}