Building a blog system with EC2 and VPC, detailed Step 3

2. Launch the EC2 instance and select a suitable AMI.

Conceptually EC2 is similar to VMware ESXi: a pool of hypervisor hosts on which you run virtual machines. Its full name is Amazon Elastic Compute Cloud, usually shortened to Amazon EC2. It was one of the first IaaS offerings; Google Compute Engine and Microsoft Azure are the comparable products from Google and Microsoft. EC2 instances have traditionally run on the Xen hypervisor (newer instance families run on the Nitro hypervisor). Each virtual machine, called an "instance", is offered in a range of sizes (small, large, xlarge and so on). Amazon originally expressed the CPU capacity of an instance in EC2 Compute Units (ECU), a relative measure rather than a count of physical cores.

3. Install a LAMP web server on Amazon Linux 2

3.1 Connect remotely (with SecureCRT or a similar SSH client and the instance's key file)

The SecureCRT connection steps are omitted here. After connecting, update the installed packages:

 sudo yum update -y

3.2 Install PHP from Amazon Linux Extras

Install the lamp-mariadb10.2-php7.2 and php7.2 topics from the Amazon Linux Extras repository. Checking the installation (packages and their dependencies are updated together) shows that these builds are tuned for Amazon Linux 2.

 sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2

sudo yum reinstall yum --noplugins

 

3.3 Install the Apache web server and MariaDB

 sudo yum install -y httpd mariadb-server

3.4 Start Apache, enable it at boot, and test it.

3.4.1 Test Apache

[ec2-user@ip-172-15-1-131 ~]$ sudo -s
[root@ip-172-15-1-131 ec2-user]# mkdir /var/www/html/a
[root@ip-172-15-1-131 ec2-user]# wget -P /var/www/html/a/ https://raw.githubusercontent.com/AWSinAction/code/master/chapter3/a/index.html
[root@ip-172-15-1-131 ec2-user]# cat /var/www/html/a/index.html
<html>
<head>
<title>djf</title>
</head>
<body>
<h1>Hello A!</h1>
</body>
</html>

Then define a virtual host for the new directory, check the configuration syntax, and restart Apache:

[ec2-user@ip-172-15-1-131 ~]$ sudo vim /etc/httpd/conf.d/a.conf
[ec2-user@ip-172-15-1-131 ~]$ cat /etc/httpd/conf.d/a.conf
<VirtualHost 172.15.1.131:80>
   DocumentRoot /var/www/html/a
</VirtualHost>
[ec2-user@ip-172-15-1-131 ~]$ sudo apachectl configtest
[ec2-user@ip-172-15-1-131 ~]$ sudo systemctl restart httpd

Alternatively, add a /var/www/html/phpinfo.php test page containing a phpinfo() call and open it in a browser to confirm that PHP is working. Delete it as soon as the test is done, because it discloses the server's configuration to anyone who can reach it:

 rm /var/www/html/phpinfo.php

Verify that the required packages are installed:

 sudo yum list installed httpd mariadb-server php-mysqlnd

3.5 Set file permissions

Add ec2-user to the apache group (log out and back in for the new group membership to take effect):

 sudo usermod -a -G apache ec2-user

Change the group ownership of /var/www and its contents to the apache group:

 sudo chown -R ec2-user:apache /var/www

Add group write permission and set the setgid bit on /var/www and every subdirectory, so that files created there in future inherit the apache group:

 sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;

Add group write permission to every file under /var/www (no execute bit: PHP is run by the web server module, not as CGI):

 find /var/www -type f -exec sudo chmod 0664 {} \;
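The permission scheme above, packaged as an apply step plus an audit that reports anything deviating from it, as an added example that is not part of the original post. It takes only a directory path, so it can be tried on a scratch directory before being pointed at /var/www; the ownership commands (usermod, chown) stay as the page gives them and are not repeated here.

```shell
#!/bin/sh
# Added example, not code from the original post: the mode scheme of step 3.5
# as two functions, one that applies it and one that audits a tree for
# deviations. Ownership (usermod -a -G apache ec2-user and
# chown -R ec2-user:apache /var/www) is left to the page's own commands since
# it needs root and the real users; modes alone can be exercised on any
# scratch directory, so the audit can be rehearsed before touching /var/www.

# Directories get 2775: rwx for owner and group, r-x for others, plus the
# setgid bit so files created inside inherit the directory's group (apache)
# instead of the creating user's primary group. Files get 0664: no execute
# bit, which is fine for PHP served through the Apache module and keeps a
# stray upload from ever being executable.
apply_webroot_modes() {
    root="$1"
    chmod 2775 "$root" || return 1
    find "$root" -type d -exec chmod 2775 {} \; || return 1
    find "$root" -type f -exec chmod 0664 {} \; || return 1
}

# Print one line per deviation; return 1 if there were any, 0 if the tree is
# clean. "-perm 2775" with a bare octal mode is an exact match (setgid bit
# included); "-perm -002" matches anything with the world-write bit set,
# whatever the other bits are.
audit_webroot() {
    root="$1"
    findings=$( {
        find "$root" -perm -002 -print | sed 's/^/world-writable: /'
        find "$root" -type d ! -perm 2775 -print | sed 's/^/directory not 2775: /'
        find "$root" -type f ! -perm 0664 -print | sed 's/^/file not 0664: /'
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage on the instance, after the ownership commands from step 3.5:
#   apply_webroot_modes /var/www && audit_webroot /var/www
```

Run the audit periodically (or from a cron job) rather than once: an upload handler or a careless `chmod -R 777` from a tutorial is how a web root drifts back to world-writable.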

3.6 Obtain a certificate and enable SSL/TLS

Install the Apache mod_ssl module:

sudo yum install -y mod_ssl   

Three files are involved. If they are not present, create a certificate manually.

To create a certificate manually with openssl, first install openssl:

 sudo yum install openssl openssl-devel

/etc/httpd/conf.d/ssl.conf

The mod_ssl configuration file. It contains the directives that tell Apache where to find the encryption key and certificate, which SSL/TLS protocol versions to allow, and which cipher suites to accept.

/etc/pki/tls/private/localhost.key

A 2048-bit RSA private key generated automatically for the Amazon EC2 host when mod_ssl is installed. During installation OpenSSL used this key to generate a self-signed host certificate; you can also use it to generate a certificate signing request (CSR) to submit to a certificate authority (CA).

Note: if you do not see this file in the directory listing, that is because access to the directory is restricted. Try running sudo ls -al in the directory.

/etc/pki/tls/certs/localhost.crt

A self-signed X.509 certificate generated automatically for the server host. It is useful for testing whether Apache has been correctly configured to use SSL/TLS, but browsers will not trust it.

3.6.1 Create a key

Generate a 2048-bit private key with the RSA asymmetric algorithm:

sudo openssl genrsa -out localhost.key 2048

This writes an unencrypted 2048-bit RSA key to localhost.key. Because the key has no passphrase, a server such as Apache can start without prompting for one; the trade-off is that anyone who can read the file has the key, so the file permissions (step 3.6.2) are its only protection.

Alternatively, sudo openssl genrsa -out custom.key 4096 creates a stronger RSA key with a larger modulus. RSA keys of 1024 bits or less are no longer considered secure and most CAs will not sign a CSR for one; 2048 bits is the current minimum, and 3072 or 4096 bits gives more margin at the cost of slower handshakes.

 

A private key can instead be encrypted with a passphrase using a symmetric cipher (the classic example is -des3). The passphrase must then be entered every time the key is used; if the key belongs to an Apache server, that means every time the server starts, which is why unattended servers usually keep the key unencrypted and rely on file permissions.

 

Generate a 4096-bit RSA private key and encrypt it with AES-128 under a passphrase (note that a passphrase given on the command line, as here, ends up in the shell history and is visible to other users in the process list; prefer -passout file:... or the interactive prompt):

sudo openssl genrsa -aes128 -passout pass:abc12345 -out custom.key 4096  


Create an ordinary elliptic-curve key instead:

sudo openssl ecparam -name prime256v1 -out putong.key -genkey      

The output is a 256-bit elliptic-curve private key on prime256v1 (one of the "named curves" OpenSSL supports). According to NIST, its strength is slightly higher than that of a 2048-bit RSA key, with much smaller keys and faster handshakes.

3.6.2 Restrict the key permissions

Make sure the new private key has tightly restricted ownership and permissions: owner root, group root, read/write for the owner only.

3.6.3 Generate a certificate signing request (CSR). You will be prompted for the subject fields; set the Common Name to the site's hostname, and remember that modern browsers match the hostname against the subjectAltName extension, not the CN.

sudo openssl req -new -key localhost.key -out localhost.csr

3.6.4 Sign the request to produce the certificate (third-party CA or self-signed), then restrict the key permissions.

Normally you hand localhost.csr to a third-party CA (Certificate Authority), which signs it and returns the certificate. For testing, you can sign the request yourself with the same key:

openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt

Or produce a self-signed certificate directly from the request in one step: sudo openssl req -x509 -days 365 -in localhost.csr -key localhost.key -out localhost.crt
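The key, permission, CSR and signing steps of 3.6.1 to 3.6.4 chained together, as an added example that is not code from the original post or from AWS. It uses the page's prime256v1 curve, adds the subjectAltName the page's commands omit, and ends with the checks a practitioner runs before pointing ssl.conf at the files. The hostname blog.example.com and the file names are placeholders; self-signing stands in for the third-party CA.

```shell
#!/bin/sh
# Added example, not part of the original post: the key -> CSR -> certificate
# sequence of steps 3.6.1-3.6.4 with two things the page's commands leave out,
# a subjectAltName (browsers ignore the CN; a certificate without a SAN is
# rejected) and the lock-down of the key file from step 3.6.2. Extensions come
# from a config file rather than the newer -addext flag so this works on the
# OpenSSL 1.0.2 shipped with Amazon Linux 2 as well as on 1.1.1/3.x.
# blog.example.com is a placeholder hostname.

# The same [v3_server] section is used for the CSR and for the certificate,
# so the SAN is present in both.
write_req_config() {
    cfg="$1"; host="$2"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_server
x509_extensions = v3_server
prompt = no
[dn]
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:www.$host
EOF
}

# 3.6.1: P-256 key. -noout keeps the EC PARAMETERS block out of the file.
make_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# 3.6.2: owner read/write only. chown to root is only possible as root.
lock_key() {
    key="$1"
    chmod 600 "$key" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$key"; fi
    find "$key" -perm 600 | grep -q .
}

# 3.6.3: the subject and SAN come from the config file, so no prompts.
make_csr() {
    key="$1"; cfg="$2"; csr="$3"
    openssl req -new -sha256 -key "$key" -config "$cfg" -out "$csr"
}

# 3.6.4: "openssl x509 -req" does not carry the CSR's extensions into the
# certificate unless told where to find them (-extfile/-extensions); without
# that the SAN is silently lost. OpenSSL 3 also offers -copy_extensions.
self_sign() {
    key="$1"; cfg="$2"; csr="$3"; crt="$4"
    openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" \
        -extfile "$cfg" -extensions v3_server -out "$crt" 2>/dev/null
}

# Checks: the certificate's public key matches the private key, the SAN is
# there, and the certificate is currently valid.
cert_matches_key() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# End to end: build server.key/server.csr/server.crt under DIR for HOST and
# return 0 only if every check passes.
make_selfsigned_bundle() {
    d="$1"; h="$2"
    write_req_config "$d/req.cnf" "$h" &&
    make_key "$d/server.key" && lock_key "$d/server.key" &&
    make_csr "$d/server.key" "$d/req.cnf" "$d/server.csr" &&
    self_sign "$d/server.key" "$d/req.cnf" "$d/server.csr" "$d/server.crt" &&
    cert_matches_key "$d/server.key" "$d/server.crt" &&
    cert_has_san "$d/server.crt" "$h" &&
    cert_not_expired "$d/server.crt"
}

# Usage: make_selfsigned_bundle /etc/pki/tls blog.example.com
```

For a real deployment, send server.csr to the CA instead of calling self_sign, and run cert_matches_key on the certificate that comes back: a mismatched key is the most common reason Apache refuses to start after a certificate renewal.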

 

3.6.5 Configure ssl.conf

For a self-signed certificate, configure as follows:

vi /etc/httpd/conf.d/ssl.conf

 

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Note: if the certificate file named by SSLCertificateFile already contains the matching private key, the SSLCertificateKeyFile line can be commented out, although keeping the key in a separate root-only file is the better practice.

 

For a certificate signed by a third-party CA, configure as follows (the ssl-cert-snakeoil names are Debian's placeholder certificate; substitute the paths of your own files, which on Amazon Linux 2 live under /etc/pki/tls/). On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: append the intermediate certificates to the file named by SSLCertificateFile instead.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateChainFile /etc/ssl/certs/server-ca.crt

Meaning of each directive:

SSLEngine: enables or disables the SSL/TLS protocol engine.

SSLCertificateFile: the server's X.509 certificate (PEM encoded). The file may also contain the matching RSA or DSA private key; if that key is passphrase-encrypted, Apache prompts for the passphrase at startup.

SSLCertificateKeyFile: the location of the server's private key file (PEM encoded). It is required unless the certificate file named by SSLCertificateFile already contains the private key.

SSLCertificateChainFile: an all-in-one file of CA certificates that explicitly builds the server's certificate chain. The chain is sent to the client together with the server certificate: it starts with the CA that directly issued the server certificate and walks up the chain towards the root CA. The CA certificates (PEM format) listed in this order make up the server's chain. Keeping them in a separate file avoids confusion or conflicts between CA certificates when client authentication is also in use.

3.6.6 Harden the configuration

RC4, a fast stream cipher once widely used for SSL/TLS traffic, has several serious weaknesses; the fix is to disable RC4 entirely.
Disable SSL versions 2 and 3 and TLS versions 1.0 and 1.1. The server then refuses encrypted connections from any client that does not speak a supported TLS version.

#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLProxyProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
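A small audit of the SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder directives, run over two constructed ssl.conf fragments, the stock settings the page comments out and the hardened ones it puts in their place. This is an added example, not code from the original post or from AWS, and it is a heuristic over the directive text rather than a live handshake test. Besides the page's own rules (no SSLv2/SSLv3/TLS 1.0/1.1, RC4 and MD5 excluded) it applies two a reviewer would add: the server, not the client, should choose the cipher suite, and every positively selected cipher token should be a forward-secret (ECDHE/DHE) one. That second rule flags the bare AES token in the page's cipher string, which admits RSA-key-exchange AES suites. SSLHonorCipherOrder on, which the page's fragment does not set, is an assumption added to the hardened sample.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the TLS directives of
# an Apache ssl.conf. audit_ssl_conf FILE prints one line per finding and
# returns the number of findings (0 = clean). write_sample_configs DIR writes
# two constructed fragments to audit: the stock Amazon Linux 2 mod_ssl lines
# (the ones the page comments out) and the page's hardened lines with
# SSLHonorCipherOrder on added (an assumption, not on the page).

write_sample_configs() {
    d="$1"
    cat > "$d/ssl-default.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
EOF
    cat > "$d/ssl-hardened.conf" <<'EOF'
SSLEngine on
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLProxyProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
EOF
}

audit_ssl_conf() {
    awk '
    /^[[:space:]]*#/ { next }                      # commented-out directives do not count
    $1 == "SSLProtocol" {
        seen_proto = 1; proto = ""
        for (i = 2; i <= NF; i++) proto = proto " " $i
    }
    $1 == "SSLCipherSuite"      { seen_ciphers = 1; ciphers = $2 }
    $1 == "SSLHonorCipherOrder" { honor = tolower($2) }
    END {
        findings = 0
        # Resolve the token list (all, +X, -X, X) into the set of enabled versions.
        nv = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", vers, " ")
        n = split(proto, tok, " ")
        for (i = 1; i <= n; i++) {
            t = tok[i]; op = substr(t, 1, 1)
            if (op == "+" || op == "-") t = substr(t, 2); else op = "+"
            if (tolower(t) == "all") { for (j = 1; j <= nv; j++) on[vers[j]] = (op == "+") }
            else on[t] = (op == "+")
        }
        if (!seen_proto) { print "SSLProtocol not set: the default leaves TLS 1.0 and 1.1 enabled"; findings++ }
        for (v in on)
            if (on[v] && (v == "SSLv2" || v == "SSLv3" || v == "TLSv1" || v == "TLSv1.1")) {
                print "weak protocol enabled: " v; findings++
            }
        # Cipher string: positive tokens must be forward-secret; RC4, MD5 and
        # anonymous suites must be excluded explicitly.
        if (!seen_ciphers) { print "SSLCipherSuite not set"; findings++ }
        m = split(ciphers, ct, ":")
        for (i = 1; i <= m; i++) {
            c = ct[i]
            if (substr(c, 1, 1) == "!") banned[substr(c, 2)] = 1
            else if (substr(c, 1, 1) != "-" && c !~ /^(ECDHE|DHE|EECDH|EDH|kEECDH|kEDH)(-|$)/) {
                print "token admits non-forward-secret suites: " c; findings++
            }
        }
        nr = split("RC4 MD5 aNULL", req, " ")
        for (j = 1; j <= nr; j++)
            if (seen_ciphers && !(req[j] in banned)) { print "cipher string does not exclude " req[j]; findings++ }
        if (honor != "on") { print "SSLHonorCipherOrder is not on: the client chooses the suite"; findings++ }
        exit findings
    }' "$1"
}

# Usage: audit_ssl_conf /etc/httpd/conf.d/ssl.conf
```

The stock fragment produces six findings (TLS 1.0 and 1.1 enabled, RC4 not excluded, HIGH and MEDIUM admitting non-forward-secret suites, no cipher-order preference); the hardened one produces a single finding, the AES token. To see exactly which suites a string admits on the installed OpenSSL, expand it with openssl ciphers -v 'STRING' and look at the Kx column.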

Tutorial:

https://docs.aws.amazon.com/zh_cn/AWSEC2/latest/UserGuide/SSL-on-an-instance.html

 

3.7 Secure the database server

sudo systemctl start mariadb

sudo mysql_secure_installation

When prompted, type the password for the root account.

Type the current root password. By default the root account has no password, so press Enter.

Type Y to set a password, then type a strong password twice.

Note

Setting the MariaDB root password is only the most basic protection for the database. When building or installing a database-driven application, create a dedicated database user for that application and avoid using the root account for anything other than database administration.

Type Y to remove the anonymous user accounts.

Type Y to disable remote root login.

Type Y to remove the test database.

Type Y to reload the privilege tables and save your changes.

sudo systemctl enable mariadb

3.8 Install phpMyAdmin

phpMyAdmin is a web front end to the database and a frequent target of automated scanning. Do not leave it reachable from the whole internet: restrict access by security group or source IP, or remove the directory once you have finished with it. Verify the downloaded archive against the checksum or signature published on phpmyadmin.net before unpacking it.

sudo yum install php-mbstring -y

sudo systemctl restart httpd

 sudo systemctl restart php-fpm 

 cd /var/www/html   

wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.tar.gz

mkdir phpMyAdmin && tar -xvzf phpMyAdmin-latest-all-languages.tar.gz -C phpMyAdmin --strip-components 1

 rm phpMyAdmin-latest-all-languages.tar.gz      

 sudo systemctl start mariadb 

Set the cookie encryption secret (the blowfish_secret setting) so that cookies are not confused when several phpMyAdmin installations or other programs share them. (Note: the value between the quotes is an arbitrary random string.)

vim phpMyAdmin/libraries/config.default.php 

vim phpMyAdmin/config.sample.inc.php  


 


Origin www.cnblogs.com/gunxiaoshi/p/11735975.html