Today, I have a lot that I would like to do.
Step 1. Verify the email address that you will be using to purchase a domain name from Alibaba. Go to Verify Email Address. Alibaba will then send you a confirmation email with a link. Click on that link to confirm your email address.
Step 2. Go to Alibaba Cloud Domain and purchase your domain. In my case I purchased "neoprime.xyz". This domain purchase was priced at $0.99, which makes for an inexpensive purchase for testing purposes.
Step 3. Wait a few minutes after the purchase completes. You will then receive two emails:
The second email introduces us to a new Alibaba service - Domain Name Proxy Service.
Domain name proxy service is a value-added domain name service that protects the identity and
personal information of registrants, administrators, technical contacts, and payers by making
the registration information unavailable in the WHOIS database.
Enabling this service reduces the amount of spam you receive, minimizes the amount of personal information that is available, and does not affect using your domain name.
Step 4. Go to the Alibaba Cloud Console - Domains & Websites. You should now see your new domain name. If not, wait a few more minutes. For me this all happened very quickly - one or two minutes. Now click on your domain name. This will take you to a new page that displays your registration information. Verify everything. Make note of the two DNS servers.
Step 1. Go to the Alibaba ECS Console.
A confirmation box will appear. Click on the blue "Console" button which will take you back to the list of ECS instances. In a minute or so, click on the refresh button. Once the instance is running, make note of the public IP. We will enter the public IP in the DNS server.
Step 1. Go to the Alibaba Domain Console. This is located under Domains & Websites.
Step 2. To the right side of the page on the same line as your domain name is the link "Resolve". Click this link. This takes us to a new tab where we can add DNS records for our new domain name. For now, I will point this domain to neoprime.io and www.neoprime.io.
Step 3. Create the naked domain entry.
Step 4. Create the www domain entry.
Step 5. Create the cdn domain entry.
Note: We selected the shortest TTL value so that we can quickly make changes to our DNS entries. Later once we have a real server, change this value to a typical value of "1 hour" or "1 day". Later we will want to minimize DNS hits and allow for normal DNS caching on the Internet.
We also created the cdn.neoprime.io record. We will use this later when we work with Alibaba Cloud CDN.
We now have a new domain name, an ECS instance and DNS resolving the domain name. Next let's configure the ECS instance as an Apache/PHP stack and publish a home page.
I use Bitvise SSH Client to manage my Linux instances that use Key Pairs. This program has several nice features including a terminal console and an SFTP window for file transfers. The Client Key Manager makes keeping track of my various Key Pairs much easier.
Launch Bitvise. Click on "Client key manager". Click on the Import button to import the Key Pair used to create the ECS instance. Give it a description. Then enter the IP address for the ECS instance into the Host field. Enter "root" for the Username field. Select the Client key that you just imported. Connect to the server.
Two windows will now open. The first is an SFTP file transfer window. Your machine will be in the left panel and the ECS instance in the right panel. The second window is the SSH terminal window. You are now logged in as root. Let's configure Apache / PHP using the SSH terminal window.
In the following, a light gray box contains commands that you will enter in the terminal window (shell). If the line starts with the pound sign character #, this means that the command is run as root. If you are logged in as a normal user, add sudo before the command.
Update the list of available packages and their versions:
Now we need to set the timezone for the ECS instance. Your system will most likely be set to: Asia/Shanghai (CST, +0800).
My local time is Tue 2018-05-15 15:05:15 PST. My new system displays (which is not correct):
Now we need to set the timezone. Modify the following command for your timezone. Link to
Execute the following command:
Later when we set up SSL for the Apache web server, we will need to do this logged in as a normal user as Let's Encrypt does not support using the root user. You can use any user name that you want. I will use "webserver" for the user name.
Create the user:
You will be prompted for the user's password and several other items.
Add the user to the "sudo" group so that the user has root privileges when required to administer the system. Once this user is logged in, all that is required is using the sudo command in front of each command to obtain administrator privileges.
Now we need to tell Apache what our domain names are. Since we will be serving both HTTP and HTTPS we need virtual host entries for both protocols. We also need entries for both neoprime.xyz and www.neoprime.xyz. We are also including cdn.neoprime.xyz so that the SSL certificate has all the domain names that we need present.
Normally you will want HTTP to redirect to HTTPS, but for our work we do not want redirection as we will later be setting up auto scaling and load balancing. Redirection from HTTP to HTTPS will be managed by the load balancer.
Edit /etc/apache2/apache2.conf:
PHP is a script processor that produces dynamic web page content. Usually files that are written in PHP end with the file suffix .php. We need to install both PHP and the module for Apache2.
Next, we need to determine the order that Apache serves a default file when a directory is requested. The file /etc/apache2/mods-enabled/dir.conf needs to be edited.
If our primary page type is PHP, then we need to modify the file by moving index.php to be the first item after DirectoryIndex, so that it looks like this.
Once you have completed the changes to /etc/apache2/mods-enabled/dir.conf, restart Apache.
Check apache and make sure everything is OK.
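The DirectoryIndex edit described above can also be scripted. This is an added example, not code from the original page; the function name prefer_index_php is hypothetical, and the file it is given is assumed to contain a single DirectoryIndex line, as Ubuntu's stock dir.conf does.

```shell
# Added example: move index.php to the front of the DirectoryIndex list.
# Usage (as root): prefer_index_php /etc/apache2/mods-enabled/dir.conf
# Safe to run twice: an already-correct file is written back unchanged.
prefer_index_php() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        $1 == "DirectoryIndex" {
            indent = $0
            sub(/DirectoryIndex.*/, "", indent)      # keep the leading whitespace
            line = indent "DirectoryIndex index.php"
            for (i = 2; i <= NF; i++)                # re-append every other entry in order
                if ($i != "index.php") line = line " " $i
            print line
            next
        }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"       # cat keeps the owner and mode of conf
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Apache only picks up the change after the restart described above.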
Software vendors and open source packages can maintain their own software repositories. Let's Encrypt has their own repository. The next step will make the Let's Encrypt repository known to Ubuntu.
Install additional software so that we can add the Let's Encrypt repository:
There was a time that purchasing and installing an SSL certificate was expensive and time consuming. It could take more than a thousand dollars and a week or two just to verify your company's identity. Today, we can set up and install an SSL certificate in just minutes.
We will use Let's Encrypt to install a client on our ECS instance. Once we have verified that we can connect to our ECS instance from our desktop, we will begin the SSL process.
Open a web browser on your desktop and verify that you can see the default Apache web server page for each of your domain names. Once this is working we are ready for the next steps.
Important: When prompted to redirect all requests to https select No.
Notice that we specified three domain names. Our root domain (neoprime.xyz) and the normal website domain (www.neoprime.xyz) plus the one we will use for the CDN (cdn.neoprime.xyz). We want all three domain names in the SSL certificate that we will obtain from Let's Encrypt.
Provided that there were no errors, we have been issued an SSL certificate. This certificate is installed on our ECS instance. Let's locate this certificate and copy it back to our desktop. We will need this later for our work with load balancing and CDN.
Change directories to where Let's Encrypt is located:
List the contents of this directory. Notice the name of our domain is a directory. Change to that directory.
Change directories to where Let's Encrypt is located:
# cd /etc/letsencrypt/live
lrwxrwxrwx 1 root root 36 May 11 11:57 cert.pem -> ../../archive/neoprime.xyz/cert2.pem
lrwxrwxrwx 1 root root 37 May 11 11:57 chain.pem -> ../../archive/neoprime.xyz/chain2.pem
lrwxrwxrwx 1 root root 41 May 11 11:57 fullchain.pem -> ../../archive/neoprime.xyz/fullchain2.pem
lrwxrwxrwx 1 root root 39 May 11 11:57 privkey.pem -> ../../archive/neoprime.xyz/privkey2.pem
-rw-r--r-- 1 root root 543 May 11 10:46 README
Copy all the files to your desktop in a safe location. We will need them for the load balancer and CDN.
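The listing above shows that the four .pem entries are symlinks into the archive directory, and privkey.pem is the certificate's private key. The following added example (not from the original page) stages real copies for download with owner-only permissions; the function name export_le_cert and the staging directory are assumptions.

```shell
# Added example: stage a Let's Encrypt "live" directory for SFTP download.
# Usage (as root): export_le_cert /etc/letsencrypt/live/neoprime.xyz /root/cert-export
# The body runs in a subshell so the umask change does not leak to the caller.
export_le_cert() (
    live_dir=$1
    dest=$2
    umask 077                                  # anything created here is owner-only
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        # -e follows the symlink, so a dangling link is caught here
        if [ ! -e "$live_dir/$f" ]; then
            echo "missing or dangling: $live_dir/$f" >&2
            return 1
        fi
        # -L copies the file the link points to, not the link itself
        cp -L "$live_dir/$f" "$dest/$f" || return 1
        chmod 600 "$dest/$f" || return 1
    done
)
```

Delete the staging directory from the instance once the files have been transferred.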
Verify that the Certbot renewal process will work by performing a dry run:
Now that we have configured an ECS instance with DNS set up and SSL installed and configured, let's back up this system. In Day #4 we will be digging deeper into security, and a mistake configuring the firewall, etc. could prevent you from accessing the instance, which would force you to start over.
Later, we will learn more about AMIs and Snapshots and how to use them.
Copyright 2018 NeoPrime LLC