Setting up a web server on AWS

This post will walk you through the process of running a web server on Amazon Web Services.  There are several other cloud-service providers that will also let you do this, along with web-hosting sites.  I’m describing AWS because it is the one I’m familiar with and will be able to help you with if you’re having trouble at Urbana ’15.

Step 1: Get an account

Head over to https://aws.amazon.com and click on the Create an AWS Account button.  Put in an email address to be associated with the new account and click on the I am a new user radio button and then click the Sign in using our secure server button.  Pick a name and a password (and re-type your email address to verify it) and then click the Create account button.  (Put this info into your favorite password vault so you remember it.  Be sure to choose a secure password — if someone gets this info, they can own your server and rack up charges on your credit card).

The next page will ask whether you are creating a company account or a personal account.  If this is to launch your new project for Urbana ’15, you probably want to choose a Company Account to make it easy to hand things off later as needed.  I have found it to be important to make a new account for each new endeavor rather than piling a bunch of domains into my personal account — splitting them out later is more challenging.  It also keeps things cleaner to have a separate account for each endeavor.  You’ll also need to fill in a postal address where they can reach you, as well as a phone number (which they will be calling to complete your registration, so it should be a phone you can answer right away).  Fill in the funky characters for the security check.  Read the AWS customer agreement and make sure you are okay with its terms.  One important term is that you have the legal authority to enter in agreement for the company.  I’m not a lawyer, so can’t advise on contract terms.  If you don’t like their terms, find another provider with better terms.  You’ll need to find one whose terms you can agree with to proceed.

On the next screen, you need to enter credit-card information.  Note: AWS offers lots of services, some of which can cost a lot of money.  Be certain to keep your login information private and take care when activating services to ensure you don’t get billed for something you did not expect.  On the plus side, AWS offers a set of free-tier features that you can try for free for up to a year and they won’t charge your card unless you use services that must be paid for.

Now would be a good time to put a reminder on your calendar for 11 months from now reminding yourself to cancel the account, so that you don’t end up getting charged for services you left running and forgot about.

They will call the phone number you entered above and have you enter a PIN to verify that you are the one creating the account.

Then you choose a support plan.  You’ll probably want the Basic (Free) plan; you can upgrade later if you need to.

Along the way, you will have gotten a few emails from AWS letting you know about your progress signing up with them.

Step 2: Setting up a server

Log on to your AWS Management Console under the My Account pull-down box at http://aws.amazon.com.  Use the login and password you chose above.

Click on the EC2 link under Compute.  Using the pull-down at the upper right, select a region for your services.  To start with, it is fine to keep the default (Oregon).  This is where the server will actually be sitting, but people can connect to it from anywhere in the world.  As your project grows and you want to ensure availability, you may launch servers all around the world, but for now we only need one region.

Click on the Launch Instance button to create a new instance.

  • Choose an Amazon Machine Image to base your server on.  You’ll want to pick one of the Free tier eligible configurations.  The following instructions assume that you choose an Ubuntu 64-bit server.  Do not use the Amazon instance at the top of the list, or the instructions below won’t work.
  • On the next page, you can select the default t2.micro instance, which is eligible for the free tier.  If you need more memory, processor or storage, you can select a different instance type but this will cost money.  For a simple web server or WordPress site, t2.micro is sufficient.  Click Next: Configure Instance Details.
  • On the next page are a bunch of options that should be fine.  Click Next: Add Storage.
  • To avoid monthly charges for SSD disk, you need to pull down the Volume Type and select Magnetic.  Then select Next: Add Tags.
  • You don’t need to have tags, so go ahead and select Next: Configure Security Group.
  • On the next page, click on Edit security groups within the orange information message near the top of the screen.
    • You will want to create a new security group.  Give it a useful name, perhaps web-server.
    • Use the Add Rule button and select HTTP from the pull-down list. Do not replace the existing SSH rule, or you won’t be able to log on to your instance.  You want this rule to accept connections from any host so that people can view your web pages.
    • Use the Add Rule button and select HTTPS from the pull-down list. Do not replace the existing SSH rule, or you won’t be able to log on to your instance.  You want this rule to accept connections from any host so that people can view your web pages securely.
    • You can restrict the Source on your SSH connections to only places where you will be logging in from, but I’d recommend doing that once you are back home from the conference so that you don’t lock yourself out.
    • Click the Review and launch button.
  • You can leave the other options at their default values and press Launch.
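Once the group exists, it is worth checking that it still matches this intent, especially after you narrow the SSH Source as suggested above.  The following is an added example (not from the original post or from AWS) that audits a security group in the shape `aws ec2 describe-security-groups` returns and flags any rule that leaves something other than HTTP/HTTPS open to the whole Internet; the group shown is a constructed sample, and the port set PUBLIC_OK is my assumption about what a public web server needs.

```python
import ipaddress
import json

# Constructed sample, shaped like one entry of the "SecurityGroups" list that
# `aws ec2 describe-security-groups` returns (only the fields read below).
# It reflects the post's group: HTTP and HTTPS from anywhere, SSH not yet narrowed.
SAMPLE_GROUP = json.loads("""
{
  "GroupName": "web-server",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
  ]
}
""")

# Assumption: the only ports a public web server needs to accept from everyone.
PUBLIC_OK = {80, 443}

def is_world_open(cidr):
    """True if a CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_group(group):
    """List rules exposing more than HTTP/HTTPS to everyone; [] means OK."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = ", ".join(r for r in ranges if is_world_open(r))
        if not world:
            continue  # rule is already limited to specific source addresses
        if proto == "-1":  # AWS encodes "all protocols" as -1
            findings.append("all traffic open to %s" % world)
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or lo < 0:  # e.g. ICMP "all types"
            findings.append("all %s open to %s" % (proto, world))
            continue
        exposed = sorted(set(range(lo, hi + 1)) - PUBLIC_OK)
        if exposed:
            ports = ", ".join(str(p) for p in exposed)
            findings.append("%s %s open to %s" % (proto, ports, world))
    return findings
```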

Obtaining a Secure Key: Now we start down the path of providing secure access to your server, which complicates things a bit.  There will be a dialog box talking about key pairs.  This is a public/private key pair that you will use to access your server.  Amazon will keep the public part of the key and you will keep the private part.  There are a couple of important things about this: (A) Anyone who has a copy of the private key can take over and do whatever they want with your server, and (B) If you lose the private key, you will no longer be able to access your server.  This means that you need to keep the key safe but also make sure you can continue to access it.

  • Select Create a new key pair from the first pull-down menu.
  • Give the key pair a name; these instructions will assume you pick the name web-server-key.
  • Press the Download Key Pair button.  This will download a file named web-server-key.pem (or maybe web-server-key.pem.txt), which you will need to log on to your server.  It will begin with the line “-----BEGIN RSA PRIVATE KEY-----” and end with the line “-----END RSA PRIVATE KEY-----”.  I tend to store these keys in my favorite password vault, RoboForm, but you can use the mac keychain or any other tool to keep track of it.
  • Now you can use the Launch Instances button to start your server.  If you go back to your management console (perhaps by clicking on the cube in the upper left) and then to EC2, you will see that you have 1 running instance.  By clicking on the Instances menu item on the left, you will see a table that has your one instance in it.

Configuring SSH: Okay, now we have some more work to do on the security side.  Basically, we’ll be connecting to our server using secure shell (SSH), using public/private key authentication.  This involves moving the private key into the right location and setting its permissions so that only you can read it (reducing the likelihood of it being stolen by someone else).

Find the Public IP address of your server.  This will be a four-component number with dots, like 192.168.0.88 (with different numbers, probably starting with 52).  You do this by looking at the information near the bottom of the web page showing your instances (which was described just before configuring SSH).

We’ll need to get to a command-line interface to do some of it.  The way you do this depends on the operating system you are on.  We’ll go from the easiest to the hardest:

  • Mac/Linux: Launch the Terminal application (which is in the Applications/Utilities folder on the mac and can be found by searching for the application on Linux).  Make sure your .ssh folder exists and has the correct permissions by typing the following into the terminal and pressing return (these are Linux commands whose purpose you should look up and understand after the conference, along with more info on SSH keys, if you’re going to maintain this server going forward):
    • mkdir -p ~/.ssh; chmod 700 ~/.ssh
    • mv ~/Downloads/web-server-key.pem.txt ~/.ssh/web-server-key.pem
    • chmod 600 ~/.ssh/web-server-key.pem
  • Windows: Windows does not come with an SSH client installed, so you will need to get one.  One approach is to install Cygwin.  Another is to get one of many available SSH clients.  These instructions assume that you are using the free version of MobaXterm.  To create a new entry for this server, you do the following:
    • Click on Sessions/New Session.  Click on SSH.
    • Fill in the public IP address from above as the Remote host, and ubuntu as the Specify username.
    • Move the downloaded private key file to a location that has permission set so that only you can read the file, probably outside your Downloads folder.  Remember, if someone gets this file, they can own your server and retarget it to start cracking as part of a botnet or worse.
    • Click on the Advanced SSH settings tab and fill in the Use private key, clicking on the little icon in the right of the key field to select the file you copied the private key to.  Then click OK.

Connecting to the server: Now that you have a terminal running and SSH set up, you can connect to your server.  Replace aa.bb.cc.dd in the command below with the public IP address you found above; the -i option tells ssh to use the private key as your identity:

  • ssh -i ~/.ssh/web-server-key.pem ubuntu@aa.bb.cc.dd

The first time you connect to your host, it will ask you if you want to trust its key fingerprint.  This is a bit tricky, because if the network infrastructure you are communicating on is compromised, you may be subjected to a “man in the middle” attack, where another computer pretends to be your actual host to gain your credentials.  If you are on a trusted network, you can go ahead and accept the fingerprint by typing ‘yes’.
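One way to check that fingerprint out of band before typing ‘yes’: on first boot, cloud-init on the Ubuntu image prints the host key fingerprints to the instance console, which you can read from the EC2 console’s Get System Log action (or `aws ec2 get-console-output`).  The following is an added example (not from the original post) that compares what ssh shows with that log; the console output is a constructed sample in the layout cloud-init uses, and the function names are mine.

```python
import re

# Constructed sample of an Ubuntu instance's console output after first boot
# (EC2 prefixes each cloud-init line with "ec2: "). Not from a real instance.
SAMPLE_CONSOLE_OUTPUT = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:2YxIyBd1lK3bhO8AfqV4p8KvQy6t0SxJ7pQm0Q5bZ1M root@ip-172-31-20-15 (ECDSA)
ec2: 256 SHA256:8nJ9H2Wg0l0Qx4v7GmcQyUQ3gQ5h0m3aQnq7M2Yq9kA root@ip-172-31-20-15 (ED25519)
ec2: 2048 SHA256:Pz0sN8sXv6n3x8n1bLk6mVrmd6Jm6Wk4I1o8Vn0rQnI root@ip-172-31-20-15 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

FP_BLOCK = re.compile(r"-----BEGIN SSH HOST KEY FINGERPRINTS-----\n(.*?)\n"
                      r"[^\n]*-----END SSH HOST KEY FINGERPRINTS-----", re.S)
# The line ssh prints before asking whether to trust the host, e.g.
# "ECDSA key fingerprint is SHA256:...."
SSH_PROMPT = re.compile(r"(\w+) key fingerprint is (\S+?)\.?$", re.M)

def parse_console_fingerprints(console_text):
    """Map key type (e.g. 'ECDSA') -> fingerprint from the console-output block."""
    m = FP_BLOCK.search(console_text)
    fps = {}
    for line in (m.group(1).splitlines() if m else []):
        fields = line.split()  # ssh-keygen -l layout: <bits> <fp> <comment> (<TYPE>)
        if fields and fields[0] == "ec2:":
            fields = fields[1:]
        if len(fields) >= 4 and fields[-1].startswith("("):
            fps[fields[-1].strip("()").upper()] = fields[1]
    return fps

def parse_ssh_prompt(text):
    """Return (type, fingerprint) from ssh's first-connection message, or None."""
    m = SSH_PROMPT.search(text)
    return (m.group(1).upper(), m.group(2)) if m else None

def fingerprint_matches(console_text, ssh_message):
    """True/False when the shown fingerprint can be checked against the log;
    None when it cannot (no block in the log yet, or a key type not listed)."""
    expected = parse_console_fingerprints(console_text)
    shown = parse_ssh_prompt(ssh_message)
    if shown is None or shown[0] not in expected:
        return None
    return expected[shown[0]] == shown[1]
```

If the result is None, wait for the log to finish populating or compare a different key type rather than accepting blindly.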

You will now have a command-line interface on your server, which will tell you the operating system and some information about packages that can be updated and info on where to purchase support.  At the end, you will have a prompt on the machine you connected to (whose IP address will differ from the public IP address, because it is an internal AWS address).

Step 3: Installing and configuring server software

Updates: It is very important to keep the software on your server up to date.  If it is not, hackers can exploit security holes to take over your server and add it to a botnet, or worse.  Doing so requires you to be the administrator on Linux, which is the “super user”.  You obtain this level of access using the sudo (“Super User DO”) command.  You first update the package list for Ubuntu and then apply any required updates:

  • sudo apt-get update; sudo apt-get upgrade

This will provide a list of packages that can be upgraded and then ask if you want to.  You tell it that you do by typing ‘Y’ and then pressing return (or just press return; the capital Y means that this is the default).  During the upgrade process, you may be asked how various configuration files should be handled.  Select keep the local version currently installed for each of these.

Once you have completed the upgrade, reboot the server to make sure that all of them have taken full effect:

  • sudo reboot

This will drop the SSH connection to the remote server while it reboots.  Wait a couple of minutes for it to reboot and then connect to it again using SSH.

Configure automatic updates: You can log in from time to time to update packages as described above, but because it is so important to keep security updates current, you should also enable them to be automatically updated once per day.  See https://help.ubuntu.com/lts/serverguide/automatic-updates.html for a full description of the process, which involves:

  • sudo apt-get install unattended-upgrades nano
  • sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
    • (Make sure that the first block with Allowed-Origins has the entry with -security uncommented (no // on its line).  If it has //, then use the arrow keys and delete key to remove them and then save the file using ctrl-O and pressing enter, then ctrl-X to exit).
    • Uncomment the line with Remove-Unused-Dependencies and change “false” to “true”.
    • Uncomment the line with Automatic-Reboot and change “false” to “true”.
  • sudo nano /etc/apt/apt.conf.d/10periodic
    • (Edit the file to include the following lines:)
      • APT::Periodic::Update-Package-Lists "1";
        APT::Periodic::Download-Upgradeable-Packages "1";
        APT::Periodic::AutocleanInterval "7";
        APT::Periodic::Unattended-Upgrade "1";

Virtual memory: The 1GB of physical memory on your server is very small, even for just serving web pages.  To increase the amount available, you can add swap space (a file on disk used as virtual memory) to keep the server from running out.  This is slower to access than physical memory, but lets you handle spikes in memory usage.  You configure this swap file using:

  • sudo fallocate -l 2G /swapfile
  • sudo chmod 600 /swapfile
  • sudo mkswap /swapfile
  • sudo swapon /swapfile
  • sudo nano /etc/fstab
    • (At the bottom of the file, add the following line:)
      /swapfile   none    swap    sw    0   0
    • Write out the file using ctrl-O Enter, and then quit with ctrl-X.

Installing web server: There are several web servers available, but a very common and powerful one is Apache (currently at version 2, so the Ubuntu package is called apache2).  You can install it on your server using

  • sudo apt-get install apache2

The above command installs the web server and starts it on your host.  Before you connect to it, you should assign a permanent external IP address as described below.

Step 4: Connecting to the outside world

The public IP address associated with an instance can change when that instance is stopped and re-started, so it should not be used as the IP address that people use to connect to your web server — otherwise, it may end up pointing at someone else’s host!  You can always go back to your management console to find out the new address to use to log on to your machine if needed, but a better approach is to assign an Elastic IP Address to your host.

Note: Although it is currently free to have 1 elastic IP address per host in the free tier, there is currently a charge of one penny per GB of data transferred in or out of EC2 (such as data provided to someone visiting your web page!).

  • Click on the Elastic IPs menu item on the left side of the EC2 dashboard.
  • Click on the Allocate New Address button, and (if you are willing to pay the charges associated with data transfer) then Allocate to confirm.
  • Right-click in the Name blank space next to the IP address and select Associate address.  In the Instance selector, select the instance you just launched (it may be the only one there).  Then press Associate.

At this point, you should be able to connect to your web server by typing its Elastic IP address into the address bar of a browser.  There will be a generic message on the page.

This could also be a good time to check out the post on purchasing and redirecting a domain name to your site.

Step 5: Filling in your content

Direct edit: You can use the nano editor to edit the file /var/www/html/index.html directly.  This will let you put in whatever straight HTML you like:

  • sudo nano /var/www/html/index.html

SFTP: You can also use sftp to push files to the server, using the same identity as you used for ssh.

WordPress: You can also take a look at the post on setting up WordPress on a server.

@todo Blog post on pulling from a Github repository

@todo Consider running a cron job to pull automatically