Skip to content

Test Server Setup Step by Step

kmeyer9999 edited this page Dec 21, 2017 · 1 revision

This document is current as of 12/9/17. Overview These instructions will step you through setting up a secure server on which to test a Hotine call system. The instructions can be repeated to set up an actual implementation (“production”) system. You’ll create a cloud server and domain name for your system, implement basic but comprehensive security on the server, and learn how to back up the server. Most of these steps are covered with additional explanation at https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04 and https://www.digitalocean.com/community/tutorials/how-to-set-up-basic-http-authentication-with-nginx-on-ubuntu-14-04, with pointers to prerequisites and options. The steps given here combine all the info in a single sequence.

  1. Acquire a security key, a server, and a domain name (URL), and link the server’s IP address to the domain name. a. Acquire an SSH key: i. Mac users: for detailed explanation and instructions see https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-digitalocean-droplets (mac users only).
  2. Alex: Step six on the mac instructions webpage covers disabling password logins for root using steps that are quite different from those given in Step 5 of the Windows instructions at https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04, is this discrepancy OK? ii. Windows users: for detailed explanation and instructions see https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users (Windows users only).
  3. Download and install PuTTY and PuTTYgen from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
  4. Run PuTTYgen (from the Start menu) and click the Generate button. Swirl the mouse pointer in the empty area at the top of the window until the status bar completes. a. Store the public key: Select and copy the text that appears in the Public Key For Pasting… area. Create a new notepad file, paste the key, and save the file with a name such as “hotline test server public key-RSA.txt”. (Note that this step differs from the instructions in the link above, the Save Public Key button will save extra unwanted text before and after the key. The text of your file should start with “ssh-rsa AAAA” and end with “== rsa-key-“ and a date.) b. Store the private key: type a short phrase (and note it down for future reference) in the Key Passphrase textbox. Re-type the phrase in the Confirm Passphrase textbox. Click the Save Private Key button and enter a filename such as “hotline test server private key-RSA” c. Close PuTTYgen. b. Acquire a server: i. Create an account at DigitalOcean, https://www.digitalocean.com/. ii. Once logged into your account, click the green Create button in the upper right and select Droplets. After a moment the Create Droplets page appears with the option to choose an image. Click the One-Click Apps link to the right of the Distributions link. Select LEMP On 16.04 in the top section, then scroll down to the Choose A Size section and select $5/Mo (512MB should be sufficient for running a Hotline server). Scroll to the bottom of the page and click the New SSH Key button in the Add Your SSH Key section. Open the public key text file you created in step 1.a.ii.2.a above and copy and paste the contents of the file in the popup window that appears. Type a name such as “hotline test server key” in the Name textbox and click the Add SSH Key button. Make sure the checkbox next to your new key is checked. Scroll further down to the Finalize And Create section. Enter a name such as “HotlineTestServer” (no spaces allowed) in the Choose A Hostname textbox, then click the big green Create button. iii. After a few seconds DigitalOcean will display the name of your new Droplet along with its IP address. iv. #### should you enable two-factor authentication for the droplet? c. Acquire a domain name (free) and point it to your new droplet: i. Create an account and sign in at http://www.freenom.com. ii. Click Services in the menu bar and select Register A New Domain. iii. Type a name such as hotlineTestXX, replacing XX with your initials, in the Find Your New Domain textbox and click the Check Availability button. Click the Get It Now button next to a free top-level domain suffix or click Select next to a priced top-level domain suffix. Click the Checkout button that appears. On the right of the domain information that appears click the Period dropdown box and select 12 months (or whatever you think is appropriate). Click the Continue button. On the Review And Checkout page enter your email address and click the Verify My Email Address button, then follow the prompts to establish your identity. Complete the Your Details section, turn on the checkbox to agree to terms and conditions (in tiny print at the bottom) and click the Complete Order button. On the Order Confirmation page click the Click Here To Go To Your Client Area button. iv. On the Client Area page click Services in the menu bar and select My Domains. Click the Manage Domain button for your new domain. On the Managing page click the Manage Freenom DNS link. On the DNS Management page enter your droplet’s IP address in the Target textbox. Optional: Also click the More Records button, type “www” (no dot) in the Name box of the new record that appears, and enter your droplet’s IP address in this Target textbox as well. This will allow you to browse to your new server using the domain name both with and without the www. prefix. Click the Save Changes button. You can close the Freenom page. d. Check your work so far: It can take a few minutes for the new domain information to propagate across the internet, so go have a cup of coffee. After 5 or 10 minutes, open a new browser window and browse to your domain name (for example hotlinetestXX.tk). You should see a page with the message “Please log into your droplet via SSH to configure your LEMP installation.” Also browse to www.hotlinetestXX.tk if you added the www A record in step 1.c.iv above, you should see the same message. Close the browser window.
  5. Secure the server. (This is written for connecting using PuTTY on a Windows client. You can also connect via Digital Ocean by clicking More on the Droplets page and selecting Access Console. Mac users can connect by…??? If not using PuTTY on Windows, refer to https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04 for more info.) a. Connect to the server with initial credentials: i. Run PuTTY (from the Start menu). In the PuTTY Configuration window enter your domain name (or IP address) in the HostName text box. In the Category frame click the Data sub-category under the Connection category. Type “root” in the Auto-login Username textbox. In the Category frame expand the SSH category by clicking the plus sign and select the Auth sub-sub-category. Click the Browse button and select the private key .ppk file you created in step 1.a.ii.2.b above. In the PuTTY Configuration window, select the Session category again in the Category frame. Enter an appropriate name such as “Connect to Hotline Test Server” in the Saved Sessions text box and click the Save button. ii. If you have closed PuTTY after step a above then run PuTTY again, select the session you saved, and click the Load button. iii. In the PuTTY Configuration window Click the Open button. iv. The first time that you connect with the remote host, you will be asked to verify the identity of the remote server. This is expected the first time you connect to a new server, so click the Yes button. A console window appears.
  6. The PuTTY console window is not like a regular Windows window: To select and copy text in this window, click and drag the mouse; to paste in this window, right-click the mouse. No keypress is required for cutting or pasting, it’s all done with the mouse. Also note that no text appears when typing a password. Navigate within the console using the arrow keys on your keyboard. v. Type the passphrase you used when saving your private key in step 1.a.ii.2.b above and press Enter. b. Create secure credentials for a non-root user: Type (or copy then right-click in the PuTTY window to paste) the following commands, removing the # at the beginning of each command, replacing with an appropriate user name, and pressing Enter to run the command: i. # adduser ii. Type a new password for the new user (no text appears) and press Enter. Retype the new password. Enter the new user’s full name, then press Enter 4 more times to leave the additional info blank, type Y and press Enter to create the user. iii. # usermod -aG sudo iv. # su - (this logs you in as the new user) v. # mkdir ~/.ssh vi. # chmod 700 ~/.ssh vii. # nano ~/.ssh/authorized_keys viii. The nano command opens an editor in the console to edit the authorized_keys file. Copy the public key you created in step 1.a.ii.2.a above from the public key .txt file and paste it in the nano editor. The text is pasted on a single line, use the left-arrow button to scroll left if you want to confirm the entire text was pasted. Press Ctrl-x, then press y and Enter to exit nano, saving your changes. ix. # chmod 600 ~/.ssh/authorized_keys x. # exit (this logs you out as the new user) xi. # sudo nano /etc/ssh/sshd_config
  7. Scroll (or use Ctrl-w) to find the PasswordAuthentication line and confirm it reads “PasswordAuthentication no”.
  8. Also confirm “PubkeyAuthentication yes” and “ChallengeResponseAuthentication no”, but these should already be set.
  9. Alex : Add instructions to update “PermitRootLogin without-password” as given in step 6 of the mac instructions??? As is this is set to “yes”.
  10. Alex: Add “# ps auxw | grep ssh” and “#kill -HUP XXX” from mac instructions after closing the file??? xii. Press Ctrl-x, y, Enter to save any changes. (If you made no changes, Ctrl-x will close nano.) xiii. # sudo systemctl reload sshd xiv. # exit (this closes the PuTTY console) c. Connect to the server with initial credentials: Run PuTTY again (from the Start menu). In the PuTTY Configuration window enter, click the saved session for your connection, click Load, then type a new name for the session such as “Connect to Hotline Test Server as ” Click the Data sub-category under the Connection category in the Category frame. Type the new username in the Auto-login Username textbox. Click the Session category, click the Save button, then click the Open button. Enter your passphrase in the console. d. Secure the server with a firewall: Type (or copy then right-click in the PuTTY window to paste) the following commands, removing the # at the beginning of each command, and pressing Enter to run the command: i. # sudo ufw app list
  11. The first time you use a “super-user do” (sudo) command, you are prompted for the password of the user you are currently logged in as, enter the password for the user you created in step 2.b.ii above and press Enter. ii. # sudo ufw allow OpenSSH iii. # sudo ufw enable iv. Press y, then press Enter. v. # sudo ufw status e. Secure the server with HTTPS: i. # sudo add-apt-repository ppa:certbot/certbot ii. Press Enter to continue. iii. # sudo apt-get update iv. # sudo apt-get install python-certbot-nginx v. Press y, then press Enter. vi. You might want to use FileZilla to view the directory tree of your server, if so you can connect FileZilla as follows:
  12. Select Site Manager on the File menu. Click the New Site button. Rename the new site in the My Sites tree. Enter the domain name in the Host textbox. Click the Protocol dropdown list and select SFTP-SSH File Transfer Protocol. Choose Interactive from the Logon Type dropdown list. Clear the User textbox. Close the Site Manager window.
  13. Select Settings on the Edit menu. Select SFTP in the Select Page frame. Click the Add Key File button. Select the private key .ppk file you created in step 1.a.ii.2.b above. Click OK to close the Settings window.
  14. Select Site Manager on the File menu. Select the new site you created in step 1 of this section above. Click the Connect button. In the Enter Username window enter root and click OK. In the Enter Password window enter the passphrase you used when creating the private key in step 1.a.ii.2.b above, turn on the Remember Password Until FileZilla Is Closed checkbox, and click OK. vii. # sudo nano /etc/nginx/sites-available/default ### this line from the tutorial is wrong, should edit the file “digitalocean” instead of “default” using the following command: # sudo nano /etc/nginx/sites-available/digitalocean viii. Scroll down (or use Ctrl-w) to find the server_name entry and replace the _ (or the name “localhost”) with your domain name (or names) all in lowercase, like this: server_name hotlinetestxx.tk www.hotlinetestxx.tk; server_name hotlinetestkm.tk www.hotlinetestkm.tk; The domain names must all be lowercase! ix. Press Ctrl-x, y, Enter to save your changes. x. # sudo nginx -t xi. Confirm you get a “Syntax is OK” and “test is successful” message. xii. # sudo systemctl reload nginx xiii. # sudo ufw status xiv. # sudo ufw allow 'Nginx Full' xv. # sudo ufw delete allow 'Nginx HTTP' #### This doesn’t seem to be necessary at this point, you get a “could not delete non-existent rule” message. HTTP was allowed in https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04 after installing Nginx, but we skipped that step by installing a LEMP droplet. xvi. # sudo ufw status xvii. You should see Nginx Full/Allow/Anywhere and Nginx Full (v6)/Allow/Anywhere in the list. xviii. # sudo certbot --nginx -d hotlineTestXX.tk -d www.hotlineTestXX.tk

sudo certbot --nginx -d hotlineTestKM.tk -d www.hotlineTestKM.tk

xix. Type your email address and press Enter. Type a to agree to terms and press Enter. Type n to reject sharing your email address and press Enter. Press 2 and Enter to redirect requests to HTTPS. xx. # sudo certbot renew --dry-run f. Take a snapshot: i. This is a good spot to check your work and make sure you can return here before messing with it further. If you want, you can edit the file /var/www/html/index.html, change the text from “Please log into your droplet via SSH to configure your LEMP installation.” to “My hotline page” or whatever. Open a new browser window and browse to your domain name. You should see your new text. Also browse to www.hotlinetestXX.tk if you set that up, you should see the same message. Close the browser window. ii. If everything is working OK, take a snapshot (a “snapshot” is a manual backup, whereas “backups” are created automatically on a schedule.) To take a snapshot, click your droplet in the Droplets page on DigitalOcean. Click the Snapshots link on the left. Click the Power Down link, then click the Turn Off button. Type a name in the Enter A Name textbox, and click the Take Snapshot button. (If the button says Take Live Snapshot, you haven’t turned off your droplet.) The backup process will take a minute or two. iii. After the snapshot is complete click the Power link on the left, then click the Power On button.

g. Secure the server with an SSL certificate: i. # sudo apt-get install letsencrypt ii. # sudo hostname hotlinetestxx.tk (not sure if all lowercase matters here)

sudo hostname hotlinetestkm.tk

iii. # sudo echo 'hotlinetestxx.tk' > /etc/hostname ### I get a permission denied error here, and have to edit the file: # nano /etc/hostname (and replace the contents with “hotlinetestxx.tk”) Not sure if lowercase matters here. iv. # sudo nano /etc/nginx/sites-available/digitalocean ### Alex, note that this is ‘sites-available’, not ‘sites-enabled’ as specified in your Hotline Server Setup doc. After the first “location” block, add a second “location” block, as follows: # Let's Encrypt renewal directory location ~ /.well-known { allow all; } Exit and save the file. v. # sudo apt-get install letsencrypt vi. # sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d hotlinetestxx.tk

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d hotlinetestkm.tk

(not sure if lowercase is important here). vii. # sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 viii. Take a snapshot. ix. # sudo nano /etc/nginx/sites-available/digitalocean ### Alex, again note that this is ‘sites-available’, not ‘sites-enabled’ as specified in your Hotline Server Setup doc. The final file should look like this (all commented lines deleted and new blocks highlighted in blue): server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name hotlinetestxx.tk www.hotlinetestxx.tk;

location / {
    return 301 https://$server_name$request_uri;
}

location /.well-known {
    default_type "text/plain";
    alias /var/www/html/.well-known; # have this as the webroot
}

}

server { # SSL configuration listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;

root /var/www/html;
index index.php index.html index.htm;

server_name hotlinetestxx.tk www.hotlinetestxx.tk;

location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
    }

# Let's Encrypt renewal directory
location ~ /.well-known {
    allow all;
}

# Audio files directory
location ~ /audio {
    allow all;
}

error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root /usr/share/nginx/html;
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

} x. # sudo service nginx reload

h. Secure the server with HTTP basic authentication: For explanation and details see https://www.digitalocean.com/community/tutorials/how-to-set-up-basic-http-authentication-with-nginx-on-ubuntu-14-04 i. # sudo apt-get install apache2-utils ii. Press y, Enter. iii. # sudo htpasswd -c /etc/nginx/.htpasswd nginx iv. Enter and re-enter a password for the “nginx” user v. # cat /etc/nginx/.htpasswd (to confirm a hashed username and password) vi. Edit /etc/nginx/sites-available/digitalocean ### Alex, again note that this is ‘sites-available’, not ‘sites-enabled’ as specified in your Hotline Server Setup doc. The final file should look like this (new blocks highlighted in blue): server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name hotlinetestxx.tk www.hotlinetestxx.tk;

location / {
    return 301 https://$server_name$request_uri;
}

location /.well-known {
    default_type "text/plain";
    alias /var/www/html/.well-known; # have this as the webroot
}

}

server { # SSL configuration listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;

root /var/www/html;
index index.php index.html index.htm;

server_name hotlinetestxx.tk www.hotlinetestxx.tk;

auth_basic "Sanctuary hotline admin";

auth_basic_user_file /home/sanctuary/misc/htpasswd;

location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
    }

# Let's Encrypt renewal directory
location ~ /.well-known {
    allow all;
    auth_basic off;
}

# Audio files directory
location ~ /audio {
    allow all;
    auth_basic off;
}

error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root /usr/share/nginx/html;
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

} vii. # sudo service nginx reload viii. 3. Take a snapshot of the server Info about your server: File locations: Content • /var/www/html: The actual web content, which by default only consists of the default Nginx page you saw earlier, is served out of the /var/www/html directory. This can be changed by altering Nginx configuration files. Server Configuration • /etc/nginx: The Nginx configuration directory. All of the Nginx configuration files reside here. • /etc/nginx/nginx.conf: The main Nginx configuration file. This can be modified to make changes to the Nginx global configuration. • /etc/nginx/sites-available/: The directory where per-site "server blocks" can be stored. Nginx will not use the configuration files found in this directory unless they are linked to the sites-enabled directory (see below). Typically, all server block configuration is done in this directory, and then enabled by linking to the other directory. • /etc/nginx/sites-enabled/: The directory where enabled per-site "server blocks" are stored. Typically, these are created by linking to configuration files found in the sites-available directory. • /etc/nginx/snippets: This directory contains configuration fragments that can be included elsewhere in the Nginx configuration. Potentially repeatable configuration segments are good candidates for refactoring into snippets. Server Logs • /var/log/nginx/access.log: Every request to your web server is recorded in this log file unless Nginx is configured to do otherwise. • /var/log/nginx/error.log: Any Nginx errors will be recorded in this log. CertBot: In step 2.g.6, Your certificate and chain have been saved at: /etc/letsencrypt/live/hotlinetestkm.tk-0001/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/hotlinetestkm.tk-0001/privkey.pem