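# Add a new administrative user and give it root rights through the wheel group.
# {root-user} is a placeholder; substitute the real account name.
sudo su
useradd {root-user}
passwd {root-user}
# [input password for root-user]
visudo
# [check to make sure that the %wheel line has been activated by deleting the hash (#) sign preceding it]
# "%wheel ALL=(ALL) NOPASSWD: ALL" allows a non-root wheel member to run "sudo -u root" and become root
# without knowing the root password. Note that it also removes the password prompt between a
# compromised shell of that user and root; "%wheel ALL=(ALL) ALL" keeps the prompt and is the
# safer choice unless unattended sudo is actually needed.
usermod -aG wheel {root-user}
# Check to verify that the new account is indeed root:
# Switch to the new user (login shell, so the new group membership is picked up; "-" is a
# plain hyphen, not the en-dash the original rendering showed):
su - {root-user}
# Verify that the new user is in the wheel group:
groups
# Finally, verify that sudo is configured to identify this new user as "root":
sudo whoami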
----- this banner displays -----
[root-user@ip-555-55-55-555 /]$ sudo whoami
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for root-user:
root
Install the LAMP stack:
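# Update the OS
sudo yum -y update
# Install Apache, mod_ssl, MariaDB, PHP, etc.
sudo yum -y install httpd mod_ssl openssl mariadb-server mariadb php php-mysql php-gd php-mbstring php-common vim
# Configure services to load HTTPD and MariaDB at startup
sudo systemctl enable httpd.service
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
sudo systemctl start httpd.service
# Install firewalld
sudo yum -y install firewalld
# Unmask, enable, and start the firewall (these need root like every other systemctl call here)
sudo systemctl unmask firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld
# Pinhole the firewall for HTTP and HTTPS only (long options take "--", not an en-dash)
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
# Add PHP support with Apache
# Back up the original httpd.conf before the in-place edits below
sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup
# Strip leading whitespace so the anchored patterns that follow match
sudo sed -i -e 's/^[ \t]*//' /etc/httpd/conf/httpd.conf
# Comment out the IncludeOptional line (conf.d/*.conf).
# NOTE(review): on this distro conf.d also carries ssl.conf and php.conf, so the mod_ssl
# listener and the packaged PHP handler are no longer loaded from there - confirm before relying on 443.
sudo sed -i 's|IncludeOptional|#IncludeOptional|' /etc/httpd/conf/httpd.conf
sudo sed -i 's|#ServerName www.example.com:80|ServerName localhost|' /etc/httpd/conf/httpd.conf
sudo sed -i 's|DirectoryIndex index.html|DirectoryIndex index.html index.php|' /etc/httpd/conf/httpd.conf
# Integrate PHP into Apache
echo 'AddType application/x-httpd-php .php' | sudo tee -a /etc/httpd/conf/httpd.conf
# Secure MySQL
sudo systemctl start mariadb.service
sudo /usr/bin/mysql_secure_installation
# At this step, set a password for the SQL root account (not the same as the OS root).
# The remaining prompts (remove anonymous users, disallow remote root login, drop the test
# database, reload privileges) default to the secure answer, so pressing [Enter] accepts them.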
// Optional: create a test index page (phpinfo() discloses the server configuration, so remove it once testing is done)
sudo vim /var/www/html/index.php
// Input this content
<?php phpinfo(); ?>
// Exit and save file
[Esc] :wq!
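# Setup multi-site
# Configure firewall (same rule set as in the LAMP section; repeated so this part stands alone)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# Create directories for the sites
sudo mkdir -p /var/www/kimconnect.com/public_html
sudo mkdir -p /var/www/dragoncoin.com/public_html
# Set permissions for folders and files.
# "chmod -R 755" would also mark every file executable; directories get 755, files 644.
sudo find /var/www -type d -exec chmod 755 -- {} +
sudo find /var/www -type f -exec chmod 644 -- {} +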
// Create default index files
sudo vim /var/www/kimconnect.com/public_html/index.html
—
<html>
<head>
<title>Welcome to KimConnect.com!</title>
</head>
<body>
<h1>Success! The KimConnect.com virtual host is working!</h1>
</body>
</html>
—
sudo vim /var/www/dragoncoin.com/public_html/index.html
—
<html>
<head>
<title>Welcome to DragonCoin.com!</title>
</head>
<body>
<h1>Success! The DragonCoin.com virtual host is working!</h1>
</body>
</html>
—
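# Create 2 directories, one to store the configs and the other to store symlinks to those configs
# (-p so re-running this step does not fail when they already exist)
sudo mkdir -p /etc/httpd/sites-available
sudo mkdir -p /etc/httpd/sites-enabled
sudo vim /etc/httpd/sites-available/kimconnect.com.conf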
—
<VirtualHost *:80>
ServerName kimconnect.com
ServerAlias www.kimconnect.com
DocumentRoot /var/www/kimconnect.com/public_html
ErrorLog /var/www/kimconnect.com/error.log
CustomLog /var/www/kimconnect.com/requests.log combined
</VirtualHost>
—
sudo vim /etc/httpd/sites-available/dragoncoin.com.conf
<VirtualHost *:80>
ServerName dragoncoin.com
ServerAlias www.dragoncoin.com
DocumentRoot /var/www/dragoncoin.com/public_html
ErrorLog /var/www/dragoncoin.com/error.log
CustomLog /var/www/dragoncoin.com/requests.log combined
</VirtualHost>
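# Enable the available sites by making symlinks (-f so a re-run replaces a stale link instead of failing)
sudo ln -sf /etc/httpd/sites-available/kimconnect.com.conf /etc/httpd/sites-enabled/kimconnect.com.conf
sudo ln -sf /etc/httpd/sites-available/dragoncoin.com.conf /etc/httpd/sites-enabled/dragoncoin.com.conf
sudo vim /etc/httpd/conf/httpd.conf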
— Add these lines to the end —
IncludeOptional /etc/httpd/sites-enabled/*.conf
—
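# Restart Apache, but only after the configuration parses: a typo in a vhost file would
# otherwise take the running server down instead of being reported.
sudo apachectl configtest && sudo apachectl restart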
// Modify hosts file (optional)
— Add these lines —
server_ip_address kimconnect.com
server_ip_address dragoncoin.com
—
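# Change the SELinux security context so httpd may serve from /var/www while enforcing mode stays on.
# NOTE(review): semanage is provided by the policycoreutils-python package on this distro - confirm it is installed.
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?"
sudo restorecon -R -v /var/www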
// Untested portion
<Directory “/var/www/kimconnect.com”>
AllowOverride None
Require all granted
</Directory>
<Directory “/var/www/dragoncoin.com”>
AllowOverride None
Require all granted
</Directory>
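# Restart httpd so the <Directory> rules above take effect (needs root like the other service commands)
sudo systemctl restart httpd.service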
# Test the result: each request should return the "Success!" page of its own virtual host
# (the scheme is spelled out; curl assumes http:// when it is omitted)
curl http://kimconnect.com/
curl http://dragoncoin.com/
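# Setup multi-site configuration by first setting SELinux to permissive.
# NOTE(review): permissive mode stops enforcing policy for the whole host (denials are only logged).
# The semanage/restorecon labelling above is the targeted fix; if the sites work after labelling,
# keep enforcing mode and skip this step.
sudo cp /etc/selinux/config /etc/selinux/config.backup
sudo sed -i '/^#/d' /etc/selinux/config
sudo sed -i '/^$/d' /etc/selinux/config
# Read the mode from the SELINUX= line only; the anchor keeps SELINUXTYPE= out of the match
SELinuxStatus=$(sed -n 's/^SELINUX=//p' /etc/selinux/config)
printf 'Current Status: %s\n' "$SELinuxStatus"
sudo sed -i "s|^SELINUX=${SELinuxStatus}|SELINUX=permissive|" /etc/selinux/config
SELinuxStatus=$(sed -n 's/^SELINUX=//p' /etc/selinux/config)
printf 'New Status: %s\n' "$SELinuxStatus"
# The mode in /etc/selinux/config is applied at boot
sudo shutdown -r now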
To be able to view the new index.php on a browser, one must enable inbound port 80/443 access on the AWS security group associated with the instance.
--- work in progress
Obtain free SSL Cert from https://www.sslforfree.com/
Example: kimconnect.com blog.kimconnect.com forum.kimconnect.com remote.kimconnect.com ftp.kimconnect.com support.kimconnect.com help.kimconnect.com work.kimconnect.com remote.kimconnect.com rdp.kimconnect.com cloud.kimconnect.com
You may need to whitelist 66.133.109.36 if the site is behind a firewall
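# Put the cert and key inside a dedicated directory
sudo mkdir -p /etc/httpd/ssl
sudo vim /etc/httpd/ssl/kimconnect.crt
sudo vim /etc/httpd/ssl/kimconnect.key
# Files created this way are world-readable by default; the private key must be root-only.
# httpd reads it as root at startup, so no wider permission is needed.
sudo chmod 600 /etc/httpd/ssl/kimconnect.key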
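# Create the site list for the first website.
# Columns: domain,http_port,https_port,ssl_crt,ssl_key. The first line is a header: the
# loop further down skips line 1 with "sed 1d", so without a header the only entry would be
# dropped. No spaces after the commas - they would otherwise end up inside the port values.
printf '%s\n' \
  'domain,http_port,https_port,ssl_crt,ssl_key' \
  'blog.kimconnect.com,80,443,/etc/httpd/ssl/kimconnect.crt,/etc/httpd/ssl/kimconnect.key' \
  | sudo tee /var/www/websites.csv
# Check the result
sudo vim /var/www/websites.csv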
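# Configure Apache to handle multiple sites
sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.singlesite
sudo mkdir -p /etc/httpd/sites-available
sudo mkdir -p /etc/httpd/sites-enabled
sudo sed -i -e 's/^[ \t]*//' /etc/httpd/conf/httpd.conf
# This comments out every IncludeOptional line, including a sites-enabled include added earlier,
# which is why the include is appended again below.
sudo sed -i 's|IncludeOptional|#IncludeOptional|' /etc/httpd/conf/httpd.conf
sudo sed -i 's|#ServerName www.example.com:80|ServerName localhost|' /etc/httpd/conf/httpd.conf
sudo sed -i 's|DirectoryIndex index.html|DirectoryIndex index.html index.php|' /etc/httpd/conf/httpd.conf
# NOTE(review): including sites-available loads every file there, so the sites-enabled symlinks
# made later are not what controls which hosts are live; include sites-enabled if that is intended.
echo 'IncludeOptional /etc/httpd/sites-available/*.conf' | sudo tee -a /etc/httpd/conf/httpd.conf
grep IncludeOptional /etc/httpd/conf/httpd.conf
grep DirectoryIndex /etc/httpd/conf/httpd.conf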
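# Set Apache to read the previously defined CSV file
# --- start: read websites.csv and create a virtual host for each site ---
# Columns: domain,http_port,https_port,ssl_crt,ssl_key. Line 1 is a header and is skipped;
# blank lines are ignored; whitespace around a field is trimmed so ", 80" cannot become
# "<VirtualHost *: 80>". The address written to /etc/hosts comes from $ip, which must be set first.
: "${ip:?set ip to the server address before running this loop}"

# Print $1 without leading/trailing whitespace.
trim() {
  local s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

# Write one virtual host file.
# $1 output path, $2 listen port, $3 domain, $4 certificate file, $5 key file
# ($4/$5 empty for a plain-HTTP host). The <VirtualHost>/<Directory> wrappers follow the
# hand-written vhost files earlier on this page.
write_vhost() {
  local conf=$1 port=$2 domain=$3 crt=$4 key=$5
  {
    printf '<VirtualHost *:%s>\n' "$port"
    printf '    ServerName %s\n' "$domain"
    printf '    DocumentRoot /var/www/%s\n' "$domain"
    printf '    ErrorLog /var/www/%s/error.log\n' "$domain"
    printf '    CustomLog /var/www/%s/requests.log combined\n' "$domain"
    printf '    <Directory /var/www/%s>\n' "$domain"
    # "Options All" would also switch on Indexes, Includes and ExecCGI for the whole
    # document root; a PHP site only needs symlink following.
    printf '        Options -Indexes +FollowSymLinks\n'
    printf '        AllowOverride All\n'
    printf '        Require all granted\n'
    printf '    </Directory>\n'
    if [[ -n "$crt" ]]; then
      printf '    SSLEngine on\n'
      printf '    SSLCertificateFile %s\n' "$crt"
      printf '    SSLCertificateKeyFile %s\n' "$key"
    fi
    printf '</VirtualHost>\n'
  } | sudo tee "$conf" >/dev/null
}

sed 1d /var/www/websites.csv | while IFS=, read -r -a site; do
  domain=$(trim "${site[0]-}")
  http_port=$(trim "${site[1]-}")
  https_port=$(trim "${site[2]-}")
  crt=$(trim "${site[3]-}")
  key=$(trim "${site[4]-}")
  [[ -n "$domain" ]] || continue
  echo "Reading CSV File"
  echo "Domain Name: $domain"
  echo "HTTP Port: $http_port"
  echo "HTTPS Port: $https_port"
  echo "SSL CRT File: $crt"
  echo "SSL Key File: $key"
  if [[ -n "$http_port" ]]; then
    echo "Configuring HTTP for $domain"
    write_vhost "/etc/httpd/sites-available/${domain}.conf" "$http_port" "$domain" '' ''
    sudo ln -sf "/etc/httpd/sites-available/${domain}.conf" "/etc/httpd/sites-enabled/${domain}.conf"
  fi
  if [[ -n "$https_port" ]]; then
    if [[ -z "$crt" || -z "$key" ]]; then
      # An "exit 0" here ended the whole loop silently and with success; skip only this site
      echo "HTTPS requested for $domain but SSL parameters are not filled" >&2
      continue
    fi
    echo "Configuring HTTPS for $domain"
    write_vhost "/etc/httpd/sites-available/${domain}_secure.conf" "$https_port" "$domain" "$crt" "$key"
    # The secure vhost was never symlinked before, so it was only live when sites-available itself was included
    sudo ln -sf "/etc/httpd/sites-available/${domain}_secure.conf" "/etc/httpd/sites-enabled/${domain}_secure.conf"
  fi
  sudo mkdir -p "/var/www/${domain}"
  # Add the hosts entry once, so a re-run does not duplicate it
  grep -qwF -- "$domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts >/dev/null
  # Test index.php; phpinfo() discloses the server configuration, remove it once testing is done
  echo '<?PHP phpinfo(); ?>' | sudo tee "/var/www/${domain}/index.php" >/dev/null
done
# --- stop ---
# The new vhosts are served only after Apache re-reads its configuration; check syntax first.
sudo apachectl configtest && sudo apachectl graceful
# TLS check for every HTTPS site, done after the loop with stdin closed: inside the loop,
# s_client would read the remaining CSV lines from the pipe as its own input.
sed 1d /var/www/websites.csv | while IFS=, read -r domain _ https_port _; do
  domain=$(trim "$domain")
  https_port=$(trim "$https_port")
  [[ -n "$domain" && -n "$https_port" ]] || continue
  openssl s_client -connect "${domain}:${https_port}" </dev/null
done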
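# Keep a copy, then strip comment and blank lines from httpd.conf (cosmetic; the .bk copy is
# the only place the original comments survive, so do not delete it)
sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bk
sudo sed -i -e '/^#/d' -e '/^$/d' /etc/httpd/conf/httpd.conf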