This is the final project for Udacity's Full Stack Web Developer Nanodegree.
This page explains how to secure and set up a Linux distribution on a virtual machine, install and configure a web and database server to host a web application.
- The Linux distribution is Ubuntu 16.04 LTS.
- The virtual private server is Amazon.
- The web application is my Item Catalog created earlier in this Nanodegree program.
- The database server is PostgreSQL.
You can visit http://204.236.208.97.xip.io/ or http://ec2-204-236-208-97.compute-1.amazonaws.com/ for the website deployed.
- Login to aws.amazon.com and login to default user (ubuntu)
- Choose EC2 and Launch Instance with appropriate settings.
- Check for instance IPv4 public IP - 204.236.208.97
- we can download a .pem file and connect with following command
ssh -i Malik.pem ubuntu@204.236.208.97
- 22 is Port by Default,Later we need to change it to 2200 as per the udacity-linux-server-configuration rubrics.
sudo apt-get update
sudo apt-get upgrade
- Edit the
/etc/ssh/sshd_config
file:sudo vi /etc/ssh/sshd_config
. - Change the port number on line 5 from
22
to2200
. - Save and exit using esc and confirm with :wq.
- Restart SSH:
sudo service ssh restart
. - Change inbound rules in Amazon EC2 --> Type : Custom TCP Rule as 2200
- To check port 2200 wether working or not by
ssh -i Malik.pem -p 2200 ubuntu@204.236.208.97
-
Configure the default firewall for Ubuntu to only allow incoming connections for SSH (port 2200), HTTP (port 80), and NTP (port 123).
sudo ufw status # The UFW should be inactive. sudo ufw default deny incoming # Deny any incoming traffic. sudo ufw default allow outgoing # Enable outgoing traffic. sudo ufw allow 2200/tcp # Allow incoming tcp packets on port 2200. sudo ufw allow www # Allow HTTP traffic in. sudo ufw allow 123/udp # Allow incoming udp packets on port 123. sudo ufw deny 22 # Deny tcp and udp packets on port 53.
-
Turn UFW on:
sudo ufw enable
. The output should be like this:Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
-
Check the status of UFW to list current roles:
sudo ufw status
. The output should be like this:Status: active To Action From -- ------ ---- 2200/tcp ALLOW Anywhere 80/tcp ALLOW Anywhere 123/udp ALLOW Anywhere 22 DENY Anywhere 2200/tcp (v6) ALLOW Anywhere (v6) 80/tcp (v6) ALLOW Anywhere (v6) 123/udp (v6) ALLOW Anywhere (v6) 22 (v6) DENY Anywhere (v6)
- While logged in as
ubuntu
user, add user:sudo adduser grader
. - Enter a password (two times) and fill out information for this new user.
-
Edits the sudoers file:
sudo visudo
. -
Search for the line that looks like this:
root ALL=(ALL:ALL) ALL
-
Below this line, add a new line to give sudo privileges to
grader
user.root ALL=(ALL:ALL) ALL. grader ALL=(ALL:ALL) ALL.
-
Save and exit using CTRL+X and confirm with Y.
-
Verify that
grader
has sudo permissions. Runsu - grader
, enter the password.
-Configure key-based authentication for grader user
- create .ssh folder by
mkdir /home/grader/.ssh
- Run this command
sudo cp /home/ubuntu/.ssh/authorized_keys /home/grader/.ssh/authorized_keys
- change ownership
chown grader.grader /home/grader/.ssh
- add 'grader' to sudo group
sudo usermod -aG sudo grader
- change permissions for .ssh folder
sudo chmod 0700 /home/grader/.ssh/
, for authorized_keyssudo chmod 644 /home/grader/.ssh/authorized_keys
- Check in
vi /etc/ssh/sshd_config
file ifPermitRootLogin
is set tono
- Restart SSH:
sudo service ssh restart
- On the local machine, cheking if the grader account working or not by running this command :
ssh -i Malik.pem -p 2200 grader@204.236.208.97
.
- While logged in as
grader
, configure the time zone:sudo dpkg-reconfigure tzdata
. Choose time zone UTC.
- While logged in as
grader
, install Apache:sudo apt-get install apache2
. - Enter public IP of the Amazon EC2 instance into browser. Check Apache is working or not by executing public IP.
- My project is built with Python 3. So, I need to install the Python 3 mod_wsgi package:
sudo apt-get install libapache2-mod-wsgi-py3
. - Enable
mod_wsgi
using:sudo a2enmod wsgi
.
sudo apt-get install libpq-dev python-dev
sudo apt-get install postgresql postgresql-contrib
sudo su - postgres
psql
CREATE USER catalog WITH PASSWORD 'catalog';
ALTER USER catalog CREATEDB;
CREATE DATABASE catalog WITH OWNER catalog;
\c catalog
REVOKE ALL ON SCHEMA public FROM public;
GRANT ALL ON SCHEMA public TO catalog;
\q
exit
- Switch back to the
grader
user:exit
.
- While logged in as
grader
, installgit
:sudo apt-get install git
.
- While logged in as
grader
, - From the
/var/www
directory, Clone the catalog project:
sudo git clone https://github.com/BabaMalik/catalog.git
. - Change the ownership of the
catalog
directory tograder
using:sudo chown -R grader:grader catalog/
. - Change to the
/var/www/catalog/catalog
directory. - Rename the
main.py
file to__init__.py
using:mv shoestore.py __init__.py
. - We need to change sqlite to postgresql create_engine in
__init__.py
,Shoes_Setup.py
andShoeDB_init.py
,# engine = create_engine("sqlite:///catalog.db") engine = create_engine('postgresql://catalog:catalog@localhost/catalog')
- Go to Google Cloud Plateform.
- Click
APIs & services
on left menu. - Click
Credentials
. - Create an OAuth Client ID (under the Credentials tab), and add http://204.236.208.97.xip.io/ and http://ec2-204-236-208-97.compute-1.amazonaws.com/ as authorized JavaScript origins.
- Add http://204.236.208.97.xip.io/#, http://204.236.208.97.xip.io/gconnect, http://204.236.208.97.xip.io/callback as authorized redirect URI.
- Download the corresponding JSON file, open it and copy the contents.
- Open
/var/www/catalog/catalog/client_secrets.json
and paste the previous contents into the this file. - Replace the client ID
templates/#.html
file in the project directory.
- While logged in as
grader
, install pip:sudo apt-get install python3-pip
. - Install the virtual environment:
sudo apt-get install python-virtualenv
- Change to the
/var/www/catalog/catalog/
directory. - Create the virtual environment:
sudo virtualenv -p python3 venv3
. - Change the ownership to
grader
with:sudo chown -R grader:grader venv3/
. - Activate the new environment:
. venv3/bin/activate
. - Install the following dependencies:
pip install httplib2 pip install requests pip install --upgrade oauth2client pip install sqlalchemy pip install flask sudo apt-get install libpq-dev pip install psycopg2-binary
Configure and enable a new virtual host
- Run this:
sudo vi /etc/apache2/sites-available/catalog.conf
- Paste this code:
<VirtualHost *:80>
ServerName 204.236.208.97.xip.io
ServerAlias ec2-204-236-208-97.compute-1.amazonaws.com
ServerAdmin ubuntu@204.236.208.97
WSGIDaemonProcess catalog python-path=/var/www/catalog:/var/www/catalog/catalog/venv3/lib/python3.5/site-packages
WSGIProcessGroup catalog
WSGIScriptAlias / /var/www/catalog/catalog.wsgi
<Directory /var/www/catalog/catalog/>
Order allow,deny
Allow from all
</Directory>
Alias /static /var/www/catalog/catalog/static
<Directory /var/www/catalog/catalog/static/>
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
- Enable the virtual host
sudo a2ensite catalog
Enabling site catalog. To activate the new configuration, you need to run: service apache2 reload
- Reload Apache:
sudo service apache2 reload
.
-
Create
/var/www/catalog/catalog.wsgi
file add the following lines:import sys import logging logging.basicConfig(stream=sys.stderr) sys.path.insert(0, "/var/www/catalog/") from catalog import app as application application.secret_key = 'supersecretkey'
-
Restart Apache:
sudo service apache2 restart
. -
From the
/var/www/catalog/catalog/
directory, activate the virtual environment:. venv3/bin/activate
. -
Run:
python Shoes_Setup.py
. -
Deactivate the virtual environment:
deactivate
.
-
Disable the default Apache site:
sudo a2dissite 000-default.conf
. The following prompt will be returned:Site 000-default disabled. To activate the new configuration, you need to run: service apache2 reload
-
Reload Apache:
sudo service apache2 reload
.
- Restart Apache again:
sudo service apache2 restart
. - Open your browser to http://204.236.208.97.xip.io/ or http://ec2-204-236-208-97.compute-1.amazonaws.com.
Special Thanks to Alain Boisvert for a very helpful README in Linux Server Configuration Project-Udacity*