Configure HTTPS, Mariadb Linux 2023 – Amazon EC2 AWS
Configure httpd, ssl, mariadb, phpMyAdmin – for a paid SSL certificate (Let’s Encrypt certbot is a separate article)
Again, you will have logged into a terminal shell as root. My examples use the vi editor.
When I do a terminal shell login, I type:
$ sudo su
# set -o vi
# export EXINIT='set noautoindent'   [I don't like the editor indenting code on my behalf.]
When I refer to "vi" you may have another preferred editor. Do not cut and paste my comments in square brackets. Replace "Australia/Brisbane" with your own country/city. If a few things are not working, look at the error messages and make use of forums, but also reboot the instance at least once. (This is especially so if Let's Encrypt is having issues.)
[We do not start httpd at this point, as the SSL certificate is not yet installed. Check with "systemctl stop httpd"]

vi /etc/httpd/conf/httpd.conf

[after Listen 80 add:]
KeepAlive On
MaxKeepAliveRequests 50
KeepAliveTimeout 5

[in the <Directory "/var/www/html"> section:]
AllowOverride All

[in the <IfModule dir_module> section after it:]
DirectoryIndex index.php index.html

[fix the ServerName to your domain:]
#ServerName www.example.com:80
ServerName mydomain.au

[save and exit]

vi /etc/httpd/conf.modules.d/00-mpm.conf

[We do not use http/2 on our smaller instances]
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

[append the following lines for performance:]
<IfModule mpm_prefork_module>
StartServers 2
MinSpareServers 2
MaxSpareServers 5
MaxRequestWorkers 125
ServerLimit 125
MaxConnectionsPerChild 0
</IfModule>

[save and exit]

[comment out "heartbeat" to stop constant error logging:]
vi /etc/httpd/conf.modules.d/00-proxy.conf
# LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so

[save and exit]

[Add a new file, /etc/httpd/conf.d/phpMyAdmin.conf. Use your own static IP address (otherwise you will edit it every time you use phpMyAdmin from a dynamic address). Replace xxx.xxx.xxx.xxx with your IP address. This lets you access the phpMyAdmin database GUI/interface from https://mydomain.au/phpMyAdmin.
(It is possible to configure a generic login with no set IP address, but it is not recommended.)]

vi /etc/httpd/conf.d/phpMyAdmin.conf

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip xxx.xxx.xxx.xxx
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from xxx.xxx.xxx.xxx
Allow from ::1
</IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip xxx.xxx.xxx.xxx
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from xxx.xxx.xxx.xxx
Allow from ::1
</IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/frames/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

[save and exit]

[Configure /etc/httpd/conf.d/ssl.conf. You should not log into phpMyAdmin or create WordPress until SSL is configured, or else use an EC2 Security Group restricted to your own IP address, which is very slow. If using a Sectigo or other paid certificate, you have to learn how it works, and then reference the .crt and .key files in the ssl.conf file. A typical certificate is domain_au.crt and domain_au.key. The .crt in that case would contain the chaining content, assembled with your own editor. I use the Cleantalk website to generate the .csr and .key files for Comodo/Sectigo. You can re-use your .key file when renewing certificates. Remember, the DNS CAA records must be correct before purchasing the SSL certificate (else a call to a help desk), and you have to have admin@domain.au verified and working in SES and an associated S3 Bucket, or with your email service. If using SES, the domain and email records must be verified and working. This is complex.
While Route53 cannot make a .au registration for a citizen, you can still create a hosted zone without issue, having the .au domain somewhere else, like Ventraip, and the name servers on Amazon Route53. You can see how the complexities add up. Keep in mind too that if you point a domain name to Amazon name servers and they do not fully propagate around the world, your registrar may have set up DNSSEC, which blocks the records, so unset any DNSSEC.]

[Below, at the top of the file, use your own domain name. I will already have a CNAME record in the DNS configs for www.mydomain.au pointing to mydomain.au. Upload your completed certificates to /home/ec2-user. Then:]

cd /home/ec2-user
cp -p domain_au.crt /etc/pki/tls/certs
cp -p domain_au.key /etc/pki/tls/private
vi /etc/httpd/conf.d/ssl.conf

<VirtualHost *:80>
ServerName mydomain.au
Redirect permanent / https://mydomain.au/
RewriteEngine on
RewriteCond %{SERVER_NAME} =mydomain.au
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#ServerName www.example.com:443
ServerName mydomain.au:443
SSLEngine on
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLProxyProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
# Note: the next two long lines must have no carriage return line feeds. Please check to make sure.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCompression off
SSLInsecureRenegotiation Off
SSLSessionTickets Off
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain_au.key
SSLCertificateChainFile /etc/pki/tls/certs/domain_au.crt

[save and exit]

[The .key file can be used every year, and the .crt is the original .crt appended with the other "bundled" entries except the root certificate. It is easy to create these files with an editor. Sometimes the provider gives a bundled file, but it may still need editing. SSLLABS can test your certificate after installation. You want an A rating, never an A+ rating. It will indicate if the chained (bundled) content is in the incorrect order.]

[NOTE: If you are using certbot, you want to comment out the SSLCertificateKeyFile and SSLCertificateChainFile entries above, and end up with these lines instead at the end of the file, before the last </VirtualHost> line. (I don't use the options-ssl-apache.conf file. These entries should not be pasted in until after certbot has installed the certificate. Details are not given in this article, but I mention it.)

ServerAlias mydomain.au
ServerAlias www.mydomain.au
SSLCertificateFile /etc/letsencrypt/live/mydomain.au/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.au/privkey.pem
# Include /etc/letsencrypt/options-ssl-apache.conf
]
These are generic settings that let anyone reach the database login page (the IP-restricted version above is the recommended one):

cd /etc/httpd/conf.d
vi phpMyAdmin.conf

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8
Require local
Require all granted
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
Require local
Require all granted
</Directory>

<Directory /usr/share/phpMyAdmin/setup/frames/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

[save and exit]
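As an added check (example code written for this article, not the author's own tooling or anything shipped with Apache), the following Python audits an Apache config fragment for the settings edited in ssl.conf and phpMyAdmin.conf above: an SSLProtocol that still enables SSLv3/TLSv1/TLSv1.1, an SSLCipherSuite set more than once in the same scope (ssl.conf above sets an explicit list and then PROFILE=SYSTEM, and Apache applies only the last one), and a phpMyAdmin <Directory> left as "Require all granted". The SAMPLE text is constructed to mirror those fragments, with the cipher list shortened.

```python
import re
# Constructed sample shaped like this article's ssl.conf and "generic" phpMyAdmin.conf.
SAMPLE = """SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite PROFILE=SYSTEM
<Directory /usr/share/phpMyAdmin/>
    Require local
    Require all granted
</Directory>
"""

OPEN, CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</\w+>$")
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}   # protocol versions the article disables

def parse(text):
    """Return (scope, directive, value) triples; comments and blanks are skipped."""
    scope, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):            # <Directory ...>, <VirtualHost ...>
            scope.append((m.group(1) + " " + m.group(2)).strip())
        elif CLOSE.match(line):
            scope.pop()
        else:
            name, _, value = line.partition(" ")
            out.append((" > ".join(scope), name, value.strip()))
    return out

def audit(text):
    """Flag weak SSLProtocol, repeated SSLCipherSuite, and world-reachable phpMyAdmin."""
    findings, suites = [], {}
    for scope, name, value in parse(text):
        if name == "SSLProtocol":
            on = {t.lstrip("+") for t in value.split() if not t.startswith("-")}
            off = {t[1:] for t in value.split() if t.startswith("-")}
            weak = (WEAK - off) if "all" in on else (on & WEAK)
            if weak:
                findings.append(f"SSLProtocol still enables {sorted(weak)}")
        elif name == "SSLCipherSuite":
            suites.setdefault(scope, []).append(value)
        elif name == "Require" and "phpMyAdmin" in scope and value == "all granted":
            findings.append(f"{scope}: phpMyAdmin reachable from any address")
    for vals in suites.values():
        if len(vals) > 1:   # Apache keeps only the last SSLCipherSuite in a scope
            findings.append(f"SSLCipherSuite set {len(vals)} times; effective value: {vals[-1]}")
    return findings
```

Run audit() over the real /etc/httpd/conf.d/*.conf text before "systemctl start httpd"; an empty list means none of the three conditions was found.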
We now configure mariadb:

systemctl start mariadb
mysql_secure_installation

["Enter current password for root" (enter for none): OK, successfully used password, moving on...
"Switch to unix_socket authentication [Y/n]" n
"Change the root password?" [Y/n] Y (nominate your database password)
Y for the remaining questions]

[Note that we now start and enable all our services. If httpd is not loading SSL correctly, you need to problem solve.]

systemctl stop mariadb
systemctl start mariadb
systemctl enable mariadb
systemctl enable httpd
systemctl enable php-fpm
php -v
[This will show version 8.2 or above]

[Configuring phpMyAdmin:]
cd /usr/share
wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.tar.gz
ls
tar xvf .....
[where ..... is the downloaded file. Then delete the tar.gz file, then use the Unix command to move the directory to phpMyAdmin, e.g.: mv yourfile phpMyAdmin]
cd phpMyAdmin
mkdir tmp
chmod 777 tmp
cp -p config.sample.inc.php config.inc.php
vi config.inc.php

[Search for the blowfish line. Do a Google search on "blowfish phpmyadmin generator". I use: https://phpsolved.com/phpmyadmin-blowfish-secret-generator/?g=[insert_php]echo%20$code;[/insert_php] from https://phpsolved.com. Paste the generated value into the blowfish value. Then after SaveDir, as shown below, add TEMPDir:]
$cfg['SaveDir'] = '';
$cfg['TEMPDir'] = '/tmp';

[Restart httpd. Recall that we may not have SSL running, so you should not really log into phpMyAdmin at this stage. You can check that the interface is ready with http://mydomain.au/phpMyAdmin. As a note, you can view your PHP settings with http://mydomain.au/phpinfo.php. If I have a separate article on phpMyAdmin, see that content for using it.]

dnf update

[I like to reboot:]
sync;sync;reboot