Alibaba Cloud in 7 Days

Day #3 - Domains - DNS - Hosting - SSL

Date Created: May 10, 2018
Last Update: May 30, 2018

Today, I have a lot that I would like to do.

  • Purchase a domain name with Alibaba.
  • Create an ECS instance.
  • Setup DNS.
  • Setup SSL using Let's Encrypt.
  • The completed server will be www.neoprime.xyz

Purchase a New Domain Name

Step 1. Verify the email address that you will be using to purchase a domain name from Alibaba. Go to Verify Email Address. Alibaba will then send you a confirmation email with a link. Click on that link to confirm your email address.

Step 2. Go to Alibaba Cloud Domain and purchase your domain. In my case I purchase "neoprime.xyz". This domain purchase was priced at $0.99 which makes for an inexpensive purchase for testing purposes.

Step 3. Wait a few minutes after the purchase completes. You will then receive two emails:

  • Notification of successful domain name registration.
  • Notification of "Domain Name Proxy Service" being enabled.

The second email introduces us to a new Alibaba service - Domain Name Proxy Service.

Domain name proxy service is a value-added domain name service that protects the identity and personal information of registrants, administrators, technical contacts, and payers by making the registration information unavailable in the WHOIS database.

Enabling this service reduces the amount of spam you receive, minimizes the amount of personal information that is available, and does not affect using your domain name.

Step 4. Go to the Alibaba Cloud Console - Domains & Websites. You should now see your new domain name. If not wait a few more minutes. For me this all happened very quickly - one or two minutes. Now click on your domain name. This will take you to a new page that displays your registration information. Verify everything. Make note of the two DNS servers.

Create an ECS Instance

Step 1. Go to the Alibaba ECS Console.

  • Under Elastic Compute Service click on "Instances".
  • Click on the blue "Create Instance" button located in the top right of the console.
  • Select the Billing Method. I chose Pay-As-You-Go.
  • Select the Region. I chose US West 1 (Silicon Valley).
  • Select the Zone. I chose US West 1 Zone A.
  • Select the Instance Type. I chose x86-Architecture, then Entry-Level (Shared), then Compact Type xn4 (ecs.xn4.small) which is 1 vCPU and 1 GiB.
  • Select the Image. I chose Public Image, then Ubuntu, then version 16.04 64bit.
  • Select the Storage. I chose Ultra Cloud Disk, then 40 GiB for the size.
  • Click the orange "Next: Networking" button.

  • This takes us to a new screen to configure Networking.
  • Select the Network. I chose the Default VPC and the Default VSwitch.
  • Select the Network Billing Method. I chose Assign Public IP and 5 Mbps for bandwidth.
  • Select the Security Group. I chose one that I created for Linux servers.
  • Click the orange "Next: System Configuration" button.

  • This takes us to a new screen to configure the system parameters.
  • Select the Key Pair. I selected "Create Key Pair". Then I selected that one.
  • Enter the Instance Name. I entered "neoprime.xyz" which is the domain name.
  • Enter the Description. Enter a string that helps you remember what this system is for.
  • Enter the Host. I entered "neoprime.xyz"
  • Click the orange "Next: Grouping" button.

  • This takes us to a new screen to configure tags.
  • Press Add Tag. Create a tag such as "Name" with a value such as "Web Server".
  • Click the orange "Next: Preview" button.

  • This takes us to a new screen to review everything.
  • Double check all the entered values. Make note of the Instance cost. In my case it is $0.019 per hour plus $0.077 per GB for Public traffic fee.
  • Confirm the Terms of Service checkbox.
  • Click the orange "Create Instance" button.

A confirmation box will appear. Click on the blue "Console" button which will take you back to the list of ECS instances. In a minute or so, click on the refresh button. Once the instance is running, make note of the public IP. We will enter the public IP in the DNS server.

Setup DNS for the new ECS instance

Step 1. Go to the Alibaba Domain Console. This is located under Domains & Websites.

Step 2. To the right side of the page on the same line as your domain name is the link "Resolve". Click this link. This takes us to a new tab where we can add DNS records for our new domain name. For now, I will point this domain to neoprime.io and www.neoprime.io.

Step 3. Create the naked domain entry.

  • Click "Add Record".
  • For the Host field, enter "@"
  • For the Value field enter the IP address.
  • For the TTL: pick the shortest time - "10 minutes".

Step 4. Create the www domain entry.

  • Click "Add Record".
  • For the Host field, enter "www"
  • For the Value field enter the IP address.
  • For the TTL: pick the shortest time - "10 minutes".

Step 5. Create the cdn domain entry.

  • Click "Add Record".
  • For the Host field, enter "cdn"
  • For the Value field enter the IP address.
  • For the TTL: pick the shortest time - "10 minutes".

Note: We selected the shortest TTL value so that we can quickly make changes to our DNS entries. Later once we have a real server, change this value to a typical value of "1 hour" or "1 day". Later we will want to minimize DNS hits and allow for normal DNS caching on the Internet.

We also created the cdn.neoprime.io record. We will use this later when we work with Alibaba Cloud CDN.

We now have a new domain name, an ECS instance and DNS resolving the domain name. Next let's configure the ECS instance as an Apache/PHP stack and publish a home page.

Connect to the ECS Instance

I use Bitvise SSH Client to manage my Linux instances that use Key Pairs. This program has several nice features including a terminal console and an SFTP window for file transfers. The Client Key Manager makes keeping track of my various Key Pairs much easier.

Launch Bitvise. Click on "Client key manager". Click on the Import button to import the Key Pair used for the creating of the ECS instance. Give it a description. Then enter the IP address for the ECS instance into the Host field. Enter "root" for the Username field. Select the Client key that you just imported. Connect to the server.

Two windows will now open. The first is an SFTP file transfer window. Your machine will be in the left panel and the ECS instance in the right panel. The second window is the SSH terminal window. You are now logged in as root. Let's configure Apache / PHP using the SSH terminal window.

In the following, when you see a light gray box, this means commands that you will enter in the terminal window (shell). If the line starts with the pound sign character #, this means that the command is run as root. If you are logged in as a normal user, add sudo before the command.

Update the list of available packages and their versions:
# apt-get update

Update and patch the system:
# apt-get upgrade

Set Timezone

Now we need to set the timezone for the ECS instance. Your system will most likely be set to: Asia/Shanghai (CST, +0800).

# timedatectl

My local time is Tue 2018-05-15 15:05:15 PST. My new system displays (which is not correct):

Local time: Tue 2018-05-15 05:05:15 CST
Universal time: Mon 2018-05-14 21:05:15 UTC
RTC time: Tue 2018-05-15 05:05:13
Time zone: Asia/Shanghai (CST, +0800)
Network time on: yes
NTP synchronized: yes
RTC in local TZ: yes

Now we need to set the timezone. Modify the following command for your timezone. Link to timezone table.

Execute the following command:

# timedatectl set-timezone America/Los_Angeles

Now we need to correct the warning about the RTC time.

Execute the following command:
# timedatectl set-local-rtc 0

Create a User

Later when we setup SSL for the Apache web server, we will need to do this logged in as a normal user as Let's Encrypt does not support using the root user. You can use any user name that you want. I will use "webserver" for the user name.

Create the user:
# adduser webserver

You will be prompted for the user's password and several other items.

Add the user to the "sudo" group so that the user has root privileges when required to administer the system. Once this user is logged in, all that is required is using the sudo command in front of each command to obtain administrator privileges.
# usermod -aG sudo webserver

Install Apache Web Server

# apt-get install apache2

Configure Apache Web Server

Now we need to tell Apache what our domain names are. Since we will be serving both HTTP and HTTPS we need virtual host entries for both protocols. We also need entries for both neoprime.xyz and www.neoprime.xyz. We are also including cdn.neoprime.xyz so that the SSL certificate has all the domain names that we need present.

Normally you will want HTTP to redirect to HTTPS, but for our work we do not want redirection as we will later be setting up auto scaling and load balancing. Redirection from HTTP to HTTPS will be managed by the load balancer.

Edit /etc/apache2/apache2.conf:
# vi /etc/apache2/apache2.conf

Add the following to the bottom of the file:
ServerName neoprime.xyz
<VirtualHost *:80>
ServerName neoprime.xyz
ServerAlias www.neoprime.xyz
ServerAlias cdn.neoprime.xyz
<VirtualHost *:443>
ServerName neoprime.xyz
ServerAlias www.neoprime.xyz
ServerAlias cdn.neoprime.xyz

Verify changes and make sure that there are no errors:
# apache2ctl configtest

Restart Apache:
# systemctl restart apache2

Enable SSL module:
# a2enmod ssl

Restart Apache:
# systemctl restart apache2

Install PHP

PHP is a script processor that produces dynamic web page content. Usually files that are written in PHP end with the file suffix .php. We need to install both PHP and the module for Apache2.

# apt-get install php libapache2-mod-php

Verify that PHP is working from the command line:
# php -version

The output from the PHP interpreter will look something like this:
PHP 7.0.28-0ubuntu0.16.04.1 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
with Zend OPcache v7.0.28-0ubuntu0.16.04.1, Copyright (c) 1999-2017, by Zend Technologies

Next, we need to determine the order that Apache serves a default file when a directory is requested. The file /etc/apache2/mods-enabled/dir.conf needs to be edited.

# vi /etc/apache2/mods-enabled/dir.conf

The default will look something like this:

<IfModule mod_dir.c>
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm

If our primary page type is PHP then we need to modify to look like this by moving index.php to be the first item after DirectoryIndex.

<IfModule mod_dir.c>
DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm

Once you have completed the changes to /etc/apache2/mods-enabled/dir.conf restart apache

# systemctl restart apache2

Check apache and make sure everything is OK.

# systemctl status apache2

Configure Ubuntu to enable access to an external repository

Software vendors and open source packages can maintain their own software repositories. Let's Encrypt has their own repository. The next step will make the Let's Encrypt repository known to Ubuntu.

Install additional software so that we can add the Let's Encrypt repository:
# apt install software-properties-common

Install SSL

There was a time that purchasing and installing an SSL certificate was expensive and time consuming. It could take more than a thousand dollars and a week or two just to verify your company's identity. Today, we can setup and install an SSL certificate in just minutes.

We will use Let's Encrypt to install a client on our ECS instance. Once we have verified that we can connect to our ECS instance from our desktop, we will begin the SSL process.

Open a web browser on your desktop and verify that you can see the default Apache web server page for each of your domain names. Once this is working we are ready for the next steps.

  • http://neoprime.xyz
  • http://www.neoprime.xyz
  • http://cdn.neoprime.xyz

Install the Let's Encrypt Client:
# add-apt-repository ppa:certbot/certbot

Update the system
# apt-get update

Install Certbot from the new repository:
# apt-get install python-certbot-apache

Run the Certbot client to request and install our SSL certificate:
# certbot --apache -d neoprime.xyz -d www.neoprime.xyz -d cdn.neoprime.xyz

Important: When prompted to redirect all requests to https select No.

Notice that we specified three domain names. Our root domain (neoprime.xyz) and the normal website domain (www.neoprime.xyz) plus the one we will use for the CDN (cdn.neoprime.xyz). We want all three domain names in the SSL certificate that we will obtain from Let's Encrypt.

Provided that there were no errors, we have been issued an SSL certificate. This certificate is installed on our ECS instance. Let's locate this certificate and copy back to our desktop. We will need this later for our work with load balancing and CDN.

Change directories to where Let's Encrypt is located:
# cd /etc/letsencrypt/live

List the contents of this directory. Notice the name of our domain is a directory. Change to that directory.

Change directories to where Let's Encrypt is located:
# ls -l
# cd neoprime.xyz

You will notice 4 files in this directory. These four files make up our SSL certificate. We are interested in two of them:
  • privkey2.pem - This is the Private Key for our SSL certificate. Protect this file.
  • fullchain2.pem - This is public key for our SSL certificate and the chain back to the authority. This file includes cert.pem and chain.pem.
# cd /etc/letsencrypt/live
lrwxrwxrwx 1 root root  36 May 11 11:57 cert.pem -> ../../archive/neoprime.xyz/cert2.pem
lrwxrwxrwx 1 root root  37 May 11 11:57 chain.pem -> ../../archive/neoprime.xyz/chain2.pem
lrwxrwxrwx 1 root root  41 May 11 11:57 fullchain.pem -> ../../archive/neoprime.xyz/fullchain2.pem
lrwxrwxrwx 1 root root  39 May 11 11:57 privkey.pem -> ../../archive/neoprime.xyz/privkey2.pem
-rw-r--r-- 1 root root 543 May 11 10:46 README

Copy all the files to your desktop in a safe location. We will need them for the load balancer and CDN.

Verify that the Certbot renewal process will work by performing a dry run:

sudo certbot renew --dry-run

Check apache and make sure everything is OK.
# systemctl status apache2

Next Steps

Now that we have a configured an ECS instance with DNS setup and SSL installed and configured, let's backup this system. In Day #4 we will be digging deeper into security and a mistake configuring the firewall, etc. could prevent you from accessing the instance which would force you to start over.

Step 1. Shut down the ECS instance. Step 2. Create an AMI of the ECS Instance.

Later, we will learn more about AMIs and Snapshots and how to use them.

15220 Main Street, Bellevue, WA 98007
T: 425-528-8500 - F: 425-528-8550 - E: neoprime@neoprime.io

Copyright 2018 NeoPrime LLC