2. Launch an EC2 instance, selecting the appropriate AMI and so on.
In some respects it resembles VMware ESXi. Its full name is Amazon Elastic Compute Cloud, abbreviated Amazon EC2. It is the first IaaS service; Google's Google Compute Engine and Microsoft's Microsoft Azure are the comparable offerings. EC2 uses the Xen virtualization technology. Each virtual machine, known as an "instance", can run as a small, large or extra-large virtual private server. Amazon.com uses EC2 Compute Units (ECUs) to allocate hardware resources (one ECU is equivalent to a Sandy Bridge-class Xeon).
3.1 Remote connection (with CRT or similar tools, using *.pub and other key files)
Example: after connecting remotely with CRT, run an update:
sudo yum update -y
3.2 Install Amazon Linux Extras and PHP
Install lamp-mariadb10.2-php7.2 and php7.2 from the Amazon Linux Extras repository. When you check the installation (the installed, dependent and updated packages) you will see that these are Amazon Linux optimized builds, well suited to optimized applications.
sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
sudo yum reinstall yum --noplugins
3.3 Installing Apache Web, MariaDB
sudo yum install -y httpd mariadb-server
3.4 Start Apache, enable it at boot, and so on. Then test it.
3.4.1 Test apache
[ec2-user@ip-172-15-1-131 ~]$ sudo -s
[root@ip-172-15-1-131 ec2-user]# mkdir /var/www/html/a
wget -P /var/www/html/a/ https://raw.githubusercontent.com/AWSinAction/code/master/chapter3/a/index.html
[root@ip-172-15-1-131 ec2-user]# cat /var/www/html/a/index.html
<html>
<head>
<title>djf</title>
</head>
<body>
<h1>Hello A!</h1>
</body>
</html>
[ec2-user@ip-172-15-1-131 ~]$ cat /etc/httpd/conf.d/a.conf
<VirtualHost 172.15.1.131:80>
DocumentRoot /var/www/html/a
</VirtualHost>
[ec2-user@ip-172-15-1-131 ~]$ sudo vim /etc/httpd/conf.d/a.conf
[ec2-user@ip-172-15-1-131 ~]$ sudo systemctl restart httpd
Or add a /var/www/html/phpinfo.php file.
After testing, delete it:
rm /var/www/html/phpinfo.php
Verify that the required packages are installed:
sudo yum list installed httpd mariadb-server php-mysqlnd
3.5 Set file permissions
Add the user to the apache group: sudo usermod -a -G apache ec2-user
Change the group ownership of /var/www and its contents to the apache group: sudo chown -R ec2-user:apache /var/www
Add group write permission and set the group ID on subdirectories created in the future by changing the directory permissions of /var/www and its subdirectories: sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;
Add group write permission by recursively changing the file permissions of /var/www and its subdirectories: find /var/www -type f -exec sudo chmod 0664 {} \;
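The permission scheme above (setgid 2775 on directories so new files inherit the apache group, 0664 on files), applied to a scratch tree and then verified, as an added example that is not part of the original tutorial. It assumes a temporary directory in place of /var/www and skips the chown step so it runs without root.

```shell
# Added example, not the tutorial's own commands. Assumption: a scratch
# directory stands in for /var/www and ownership (chown) is left unchanged,
# so no root privileges are needed.

# Apply the scheme: setgid 2775 on every directory, 0664 on every file.
apply_www_perms() {
    root="$1"
    chmod 2775 "$root" || return 1
    find "$root" -type d -exec chmod 2775 {} + || return 1
    find "$root" -type f -exec chmod 0664 {} + || return 1
}

# Check: succeed only if no directory lacks 2775 and no file lacks 0664.
# This is the audit you would run after the chmod steps on a real web root.
check_www_perms() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm 2775 | wc -l | tr -d ' ')
    bad_files=$(find "$root" -type f ! -perm 0664 | wc -l | tr -d ' ')
    [ "$bad_dirs" -eq 0 ] && [ "$bad_files" -eq 0 ]
}

# Build a constructed sample tree shaped like /var/www/html/a with deliberately
# wrong modes, apply the scheme, and verify; returns 0 on success.
demo_www_perms() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/a"
    printf '<h1>Hello A!</h1>\n' > "$tmp/html/a/index.html"
    chmod 0755 "$tmp/html/a"
    chmod 0600 "$tmp/html/a/index.html"
    apply_www_perms "$tmp" && check_www_perms "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```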
3.6 Obtain a CA certificate and enable SSL/TLS
Get the Apache mod_ssl module:
sudo yum install -y mod_ssl
You need the following three files; if they do not exist, create a certificate manually.
Create a certificate manually using openssl:
Install openssl: sudo yum install openssl openssl-devel
/etc/httpd/conf.d/ssl.conf
The mod_ssl configuration file. It contains the directives that tell Apache where to find the encryption keys and certificates, which SSL/TLS protocol versions to allow, and which ciphers to accept.
/etc/pki/tls/private/localhost.key
A 2048-bit RSA private key generated automatically for the Amazon EC2 host. During installation, OpenSSL already used this key to generate a self-signed host certificate; you can also use it to generate a certificate signing request (CSR) to submit to a certificate authority (CA).
Note: If you do not see this file in the directory listing, it may be because of its restricted access permissions. Try running sudo ls -al in the directory.
/etc/pki/tls/certs/localhost.crt
A self-signed X.509 certificate automatically generated for the server host. It is useful for testing whether Apache has been correctly set up to use SSL/TLS.
3.6.1 Creating a key
Generate a 2048-bit RSA private key using the asymmetric RSA algorithm:
sudo openssl genrsa -out localhost.key 2048
This uses the RSA algorithm to generate the 2048-bit key file localhost.key. No password is required, so the Apache server starts without prompting, and the private key is not encrypted.
Alternatively, sudo openssl genrsa -out custom.key 4096 (creates an RSA key with a larger modulus and tighter security). Under normal circumstances, no personal application needs more than 768 bits, companies need 1024 bits, and the most important uses require 2048 bits.
If you use the symmetric DES3 algorithm with a password to encrypt a newly created 1024-bit RSA private key file test.key, you must enter that password every time you use the private key. If the certificate is used by an Apache server or similar, you have to enter the password each time the server starts.
Encrypt a 4096-bit RSA private key with the symmetric algorithm AES-128 and a password:
sudo openssl genrsa -aes128 -passout pass:abc12345 -out custom.key 4096
Create an ordinary elliptic-curve key (one based on elliptic-curve math):
sudo openssl ecparam -name prime256v1 -out putong.key -genkey
The output is a 256-bit elliptic curve private key using prime256v1 (one of the "named curves" OpenSSL supports). According to NIST, its cryptographic strength is slightly higher than that of a 2048-bit RSA key.
Usually you just hand this localhost.csr file to a third-party CA (Certificate Authority) to sign and produce the certificate.
To sign the CSR with your own key instead:
openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
Self-signed certificate: sudo openssl req -x509 -days 365 -in localhost.csr -key localhost.key -out localhost.crt
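The key, CSR and self-signed certificate flow from this section carried through end to end, with the checks a practitioner runs before pointing ssl.conf at the files, as an added example that is not part of the original tutorial. It assumes openssl is on PATH, writes to a scratch directory instead of /etc/pki/tls, and uses a made-up subject "/CN=localhost".

```shell
# Added example, not the tutorial's own commands. Assumptions: openssl is
# installed; files go to a scratch directory rather than /etc/pki/tls; the
# subject "/CN=localhost" is made up for the CSR.

# Generate an unencrypted 2048-bit key, a CSR and a self-signed cert in $1.
make_self_signed() {
    dir="$1"
    openssl genrsa -out "$dir/localhost.key" 2048 2>/dev/null || return 1
    # This CSR is what you would normally hand to a CA; here we sign it ourselves.
    openssl req -new -key "$dir/localhost.key" -subj "/CN=localhost" \
        -out "$dir/localhost.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/localhost.csr" \
        -signkey "$dir/localhost.key" -out "$dir/localhost.crt" 2>/dev/null
}

# A certificate only works with the key that shares its RSA modulus; comparing
# the two catches a cert/key mix-up before Apache refuses to start.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Report the key size so a short key is caught before deployment.
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Reject an encrypted key so Apache is not held up by a passphrase prompt at
# start-up; an unencrypted PEM key has no ENCRYPTED marker and no Proc-Type.
key_is_unencrypted() {
    ! grep -qE 'ENCRYPTED|Proc-Type' "$1"
}

# Run the whole flow in a temp directory; return 0 only if every check passes.
demo_self_signed() {
    tmp=$(mktemp -d)
    make_self_signed "$tmp" \
        && key_matches_cert "$tmp/localhost.key" "$tmp/localhost.crt" \
        && key_is_unencrypted "$tmp/localhost.key" \
        && [ "$(key_bits "$tmp/localhost.key")" = 2048 ]
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```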
3.6.5 Configure ssl.conf
RC4, the fast cipher once used to encrypt SSL/TLS data streams, has several serious weaknesses. The fix is to disable RC4 support entirely.
Disable SSL versions 2 and 3, as well as TLS versions 1.0 and 1.1. The server will then refuse encrypted connections from any client that does not use a supported TLS version.
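The weak and the hardened SSLProtocol / SSLCipherSuite settings side by side, plus a small audit that flags an ssl.conf still allowing RC4 or the old protocol versions, as an added example that is not part of the original tutorial. Both configuration snippets are constructed here, not copied from any real host's /etc/httpd/conf.d/ssl.conf.

```shell
# Added example, not from the original tutorial. Both snippets below are
# constructed for illustration and not copied from a real ssl.conf; the
# certificate paths are the ones the tutorial lists.

# Weak: only SSLv2 removed (SSLv3, TLS 1.0 and 1.1 stay on) and RC4 listed.
WEAK_SSL_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:RC4-SHA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key'

# Hardened: everything off except TLS 1.2/1.3, RC4 explicitly excluded,
# server cipher preference enforced.
HARDENED_SSL_CONF='SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key'

# audit_ssl_conf CONFIG_TEXT: print one FINDING per problem; return 0 if clean.
# Only the last active SSLProtocol/SSLCipherSuite line counts (later wins).
audit_ssl_conf() {
    conf="$1"; findings=0
    proto=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*SSLProtocol[[:space:]]' \
        | tail -n 1 | sed 's/^[[:space:]]*SSLProtocol[[:space:]]*//')
    set -- $proto
    # The safe shape is "-all" followed only by the versions to re-enable.
    [ "${1:-}" = "-all" ] || { echo "FINDING: SSLProtocol missing or not starting with -all: '$proto'"; findings=1; }
    [ $# -eq 0 ] || shift
    for tok in "$@"; do
        case "$tok" in
            +TLSv1.2|+TLSv1.3) ;;
            *) echo "FINDING: SSLProtocol token '$tok' is not +TLSv1.2/+TLSv1.3"; findings=1 ;;
        esac
    done
    ciphers=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' \
        | tail -n 1 | sed 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//')
    rc4_excluded=0
    for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$tok" in
            '!'*RC4*) rc4_excluded=1 ;;          # !RC4 or !RC4-SHA: excluded
            *RC4*) echo "FINDING: cipher list enables $tok"; findings=1 ;;
        esac
    done
    [ "$rc4_excluded" = 1 ] || { echo "FINDING: RC4 not explicitly excluded (!RC4)"; findings=1; }
    return $findings
}
```

Run it as audit_ssl_conf "$(cat /etc/httpd/conf.d/ssl.conf)" on a host to list what still needs changing; a clean file returns 0.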