ColcolMail

Installing Debian 10, OpenLiteSpeed, MariaDB and PHP 7.4 on AWS Lightsail.

Rough notes from an IT amateur so he does not forget. Follow at your peril.


AWS

Create Lightsail server, link to static IP and set firewall rules

(Assistance: AWS (Create instance, SSH, Static IPs))

Create Instance

Location: Ireland
Select a platform: OS Only –> Debian 10.5

Change SSH Key pair –> Create new –> Create –> Enter awskeypairname –> Generate key pair –> Download file to Desktop

Identify your instance: servername

Click Create instance

Networking tab
Create static IP –> Enter servernameIP –> attach to servername
Make a note of the IP: 11.22.33.44

Instances tab
Click on instance

Networking tab
IPV4 firewall

Add two rules:

Application: HTTPS
Protocol: TCP
Port: 443
Create

Application: Custom
Protocol: TCP
Port: 7080
Select Restrict to IP address and add your IP address (what is my IP?)
Create

Edit existing SSH rule:

Select Restrict to IP address and add your IP address (what is my IP?)
Save

DNS

Amend DNS records to point yourdomain.co.uk to the new server

Create/amend two DNS records:

Name: yourdomain.co.uk
Type: A
TTL: 300
Content: 11.22.33.44

Name: www.yourdomain.co.uk
Type: CNAME
TTL: 300
Content: yourdomain.co.uk

SSH and Update Debian

Set up initial SSH configuration using Lightsail key pair to allow remote root user login via password:

In terminal:

chmod 400 ~/Desktop/awskeypairname.pem

ssh -i ~/Desktop/awskeypairname.pem admin@11.22.33.44

$ sudo -i
(switches to root user)

# nano /etc/ssh/sshd_config

Within the file, scroll through and:

1) Change #PermitRootLogin prohibit-password to PermitRootLogin yes (Note: removing the leading # ‘uncomments’ the line so sshd applies it)

2) Change PasswordAuthentication no to PasswordAuthentication yes

CTRL+O, Enter, CTRL+X to return to the command line.

# service sshd reload

# passwd

(enter new password for root user twice)

# exit
$ exit

ssh root@11.22.33.44

(enter earlier password)

Should be able to log in.

# exit
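The two sshd_config edits above are done by hand in nano. As an added example (not from the original notes), here is a small shell helper that sets a directive whether it is currently commented out, already live or absent, so the same command can flip the two directives back to their hardened values once key-based login (next section) is working. Assumes GNU sed and the Debian stock sshd_config, which has no active Match block.

```shell
#!/bin/sh
# Added example, not part of the original notes: set an sshd_config directive
# in place whether it is currently commented out (#Key value), already live,
# or absent, so the edit is repeatable and can later be reversed. Assumes GNU
# sed and the Debian stock file, which has no active Match block (a directive
# appended after a Match block would apply only inside that block).
set -eu

# sshd_set KEY VALUE [FILE]: KEY and VALUE are plain sshd keywords, no regex metacharacters
sshd_set() {
    key=$1 value=$2 file=${3:-/etc/ssh/sshd_config}
    pat="^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$).*"
    if grep -Eq "$pat" "$file"; then
        # rewrite only the first commented or live occurrence (sshd honours the first live one)
        sed -i -E "0,/$pat/s//$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_get KEY [FILE]: the effective value, i.e. the first uncommented occurrence
sshd_get() {
    awk -v k="$1" '$1 == k { print $2; exit }' "${2:-/etc/ssh/sshd_config}"
}

# Once key-based login has been confirmed, the same calls put the two
# directives from the steps above back to their hardened values:
#   sshd_set PermitRootLogin prohibit-password
#   sshd_set PasswordAuthentication no
#   sshd -t && service sshd reload
```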

Set up ssh configuration for automatic remote root user login

Assistance: (LearnLinuxTV from 9m50s to 45m50s)

In terminal:

ssh-keygen

Enter file name: /Users/username/.ssh/id_rsa_servernamekeypairname
Enter passphrase (empty for no passphrase): [Enter]
Enter same passphrase again: [Enter]

(Above generates a second ssh key pair for root user and subsequent standard users)

cat .ssh/id_rsa_servernamekeypairname.pub

Displays a long key similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWe6bYxUz5nXp7A5zBdsB+6jdO8mmEWowTHHLsQ/9iixrTvKeygMpFQRPmludJeqlR9mMP5lp2LSrva80Flt/L5VxSNMGF1hixPqLyEW+UlsoPmludJeqlR9mMP5lp2LSrva8049I/GrROoLlmB1qgIYeic1swQhMapO1uvKCrrsyKSV9HT0dx+nPRk+0jgbnQIAlIEcW4Da50x5NCKGU0PiCTbPuWFnb4crZ6Z3yviPmludJeqlR9mMP5lp2LSrva8046PDEmuPMVDfaFQMEQCPpoQ8r83kllrGm9aNiPmludJeqlR9llrGm9aSrva80yC4LHmt2LZB7In3yA1 you@yourcomputer.lan

Copy the key onto your clipboard.

Now to ‘paste’ the key onto the server:

ssh root@11.22.33.44
(enter password)

# nano .ssh/authorized_keys

File will already contain some text and a key relating to the awskeypairname.

On the line below the existing text/key, paste the copied key from the clipboard.

CTRL+O, Enter, CTRL+X to return to the command line.

# exit

nano .ssh/config

Within the file add the following lines:

Host servername-root
Hostname 11.22.33.44
Port 22
User root
IdentityFile ~/.ssh/id_rsa_servernamekeypairname


CTRL+O, Enter, CTRL+X to return to the command line.

ssh servername-root

(should log straight in)

Update Debian packages

While logged in as root, a good opportunity to update Debian packages:

# apt update

# apt upgrade (answer Y to prompts)

# exit

Email

Set up SMTP email for server to send email notifications

(Assistance: Sylvain Durand, Debian (here and here))
(Permission errors within Debian 10: Alternative logfile path requires further adjustments. AskUbuntu)
(Errors within cron: Stackoverflow)

In terminal:

ssh servername-root

Ensure server packages are up to date:

# apt update

Install necessary email packages:

# apt install msmtp-mta (answer Y to prompts)
# apt install bsd-mailx (answer Y to prompts)

Create a system-wide SMTP config file:

# nano /etc/msmtprc

Insert the following lines:

defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
account aws-system
host email-smtp.eu-west-1.amazonaws.com
port 587
from servername-system@yourdomain.co.uk
user L0NGUSERNAMEL1KETHIS
password VeryLOnGPASw0RDAb!tlikeTHiS
account default : aws-system


(host, user and password can be retrieved from AWS SES. Ensure SMTP credentials are created in the SES region matching the host endpoint)

CTRL+O, Enter, CTRL+X to return to the command line.

# echo "message" | mail -s "title" youremail@yourdomain.co.uk

(Sends a test email. Check your inbox)

# cat .msmtp.log

(Shows the email log, example below. exitcode=EX_OK means it works)

Jan 01 01:23:45 host=email-smtp.eu-west-1.amazonaws.com tls=on auth=on user=L0NGUSERNAMEL1KETHIS from=servername-system@yourdomain.co.uk recipients=youremail@yourdomain.co.uk mailsize=228 smtpstatus=250 smtpmsg='250 Ok 01020176e1cf4f13-b774792c-8714-4dd5-b28a-621d3ff63f3a-000000' exitcode=EX_OK

# exit
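Rather than eyeballing .msmtp.log for exitcode=EX_OK, an added check (not from the original notes) that parses the key=value fields of a msmtp log line and passes only when the SMTP status is 2xx and the exit code is EX_OK. The two log lines embedded are constructed in the format shown above, not real deliveries; the log path is the one set in /etc/msmtprc.

```shell
#!/bin/sh
# Added example, not part of the original notes: judge the most recent msmtp
# delivery from the log file configured above. msmtp writes one line per
# attempt with key=value fields; a delivery is good only when smtpstatus is
# 2xx and exitcode is EX_OK.
set -eu

# Constructed sample lines in the format shown above (not real deliveries).
SAMPLE_LOG="Jan 01 01:23:45 host=email-smtp.eu-west-1.amazonaws.com tls=on auth=on user=L0NGUSERNAMEL1KETHIS from=servername-system@yourdomain.co.uk recipients=youremail@yourdomain.co.uk mailsize=228 smtpstatus=250 smtpmsg='250 Ok' exitcode=EX_OK
Jan 01 01:24:10 host=email-smtp.eu-west-1.amazonaws.com tls=on auth=on user=L0NGUSERNAMEL1KETHIS from=servername-system@yourdomain.co.uk recipients=youremail@yourdomain.co.uk smtpstatus=535 smtpmsg='535 Authentication Credentials Invalid' errormsg='authentication failed' exitcode=EX_NOPERM"

# msmtp_field NAME LINE: value of the NAME=... field (up to the next space) in one log line
msmtp_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# msmtp_line_ok LINE: return 0 when the attempt was accepted, 1 otherwise, and print a verdict
msmtp_line_ok() {
    status=$(msmtp_field smtpstatus "$1")
    exitcode=$(msmtp_field exitcode "$1")
    case "$status:$exitcode" in
        2??:EX_OK)
            echo "ok: smtpstatus=$status exitcode=$exitcode"
            return 0 ;;
        *)
            echo "FAIL: smtpstatus=${status:-none} exitcode=${exitcode:-none} host=$(msmtp_field host "$1")"
            return 1 ;;
    esac
}

# msmtp_last_ok FILE: check the last attempt in a log file, e.g. ~/.msmtp.log
msmtp_last_ok() {
    msmtp_line_ok "$(tail -n 1 "$1")"
}
```

Run `msmtp_last_ok ~/.msmtp.log` right after the test mail; a non-zero exit makes it usable from cron or a monitoring check.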

Install OpenLiteSpeed and Certbot

Install OpenLiteSpeed, create initial website and create Let’s Encrypt certificate

(Assistance: OpenLiteSpeed (here and here and here), Certbot and Snapcraft)

Within terminal:

ssh servername-root

Ensure server packages are up to date:

# apt update

Install OpenLiteSpeed packages:

# wget -O - http://rpms.litespeedtech.com/debian/enable_lst_debian_repo.sh | bash

# apt install openlitespeed (answer Y to prompts)

# apt install lsphp74 lsphp74-common lsphp74-curl lsphp74-dev lsphp74-imap lsphp74-intl lsphp74-json lsphp74-ldap lsphp74-mysql lsphp74-opcache lsphp74-pspell lsphp74-memcached lsphp74-redis lsphp74-sqlite3 lsphp74-tidy (answer Y to prompts)

Create files for initial user/website with appropriate permissions:

# groupadd yourdomaincouk

# useradd -M -g yourdomaincouk yourdomaincouk

# mkdir /home/yourdomain.co.uk

# mkdir /home/yourdomain.co.uk/public_html

# chown yourdomaincouk:yourdomaincouk /home/yourdomain.co.uk

# chmod 711 /home/yourdomain.co.uk

# chown yourdomaincouk:nogroup /home/yourdomain.co.uk/public_html

# chmod 750 /home/yourdomain.co.uk/public_html

# touch /home/yourdomain.co.uk/public_html/.htaccess

# chown -R yourdomaincouk:yourdomaincouk /home/yourdomain.co.uk/public_html/.htaccess

# echo "<?php phpinfo();" > /home/yourdomain.co.uk/public_html/info.php

# echo "hello world" > /home/yourdomain.co.uk/public_html/index.php

# chown -R yourdomaincouk:yourdomaincouk /home/yourdomain.co.uk/public_html/*

Create log directory for OpenLiteSpeed:

# mkdir /home/yourdomain.co.uk/logs

# chown :nogroup /home/yourdomain.co.uk/logs

# chmod 750 /home/yourdomain.co.uk/logs

Start OpenLiteSpeed and create your WebAdmin login details:

# /usr/local/lsws/bin/lswsctrl start

# /usr/local/lsws/admin/misc/admpass.sh

(Enter administrator username and password)

In a browser: OpenLiteSpeed WebAdmin

Visit:

yourdomain.co.uk:7080

(proceed through SSL warnings and log into OpenLiteSpeed WebAdmin)

(if yourdomain.co.uk:7080 does not work but 11.22.33.44:7080 does, then your DNS changes have yet to propagate).

SERVER CONFIGURATION

Within the Server Configuration left-hand menu option:

General tab
General settings

Edit (top-right corner)
Server Name: A name for your server
Administrator Email: A contact email

VIRTUAL HOSTS

Within the Virtual Hosts left-hand menu option:
Delete the Example Virtual Host

Add (a new Virtual Host, top-right corner)

Virtual Host Name: yourdomaincouk
Virtual Host Root: /home/yourdomain.co.uk
Config File: /usr/local/lsws/conf/vhosts/yourdomaincouk.conf
Enable Scripts/ExtApps: Yes
Restrained: Yes


Save (top-right corner)
CLICK TO CREATE the conf file
Save (top-right corner)

Within the Virtual Host list, click yourdomaincouk.

Within the General tab

Edit (top-right corner)

Document Root: /home/yourdomain.co.uk/public_html
Domain Name: yourdomain.co.uk
Domain Aliases: www.yourdomain.co.uk


Save (top-right corner)

Within the Log tab

Edit (Virtual Host Log, top-right corner)

Use Server’s Log: NO
File Name: $VH_ROOT/logs/virtualhost.log
Log Level: INFO
Rolling Size (bytes): 10M
Keep Days: 90


Save (top-right corner)

Add (Access Log, top-right corner)

Log Control: Own Log File
File Name: $VH_ROOT/logs/access.log
Rolling Size (bytes): 10M
Keep Days: 90
Compress Archive: Yes


Save (top-right corner)

Within the External App tab

Add (top-right corner)

Type: LiteSpeed SAPI App

Next (top-right corner)

Name: yourdomaincouk
Address: uds://tmp/lshttpd/yourdomaincouk.sock
Max Connections: 10
Environment: PHP_LSAPI_CHILDREN=10
Initial Request Timeout (secs): 60
Retry Timeout (secs): 0
Persistent Connection: Yes
Command: /usr/local/lsws/lsphp74/bin/lsphp
Run as User: yourdomaincouk
Run as Group: yourdomaincouk


Save (top-right corner)

Within the Script Handler tab

Add (top-right corner)

Suffixes: php
Handler Type: LiteSpeed SAPI
Handler name: [VHost Level]: yourdomaincouk


Save (top-right corner)

Within the Rewrite tab

Edit (top-right corner)

Enable Rewrite: Yes
Auto Load from .htaccess: Yes

Save (top-right corner)

LISTENERS (http)

Select the Listeners left-hand menu option
Delete the Default Listener

Add (a new Listener, top-right corner)

Listener name: http
IP Address: ANY IPv4
Port: 80
Secure: No


Save (top-right corner)

To map the domain to the Listener:

Within Listener Summary, View http Listener (magnifying glass icon)

Within Virtual Host Mappings, Add:

Virtual Host: yourdomaincouk
Domains: yourdomain.co.uk, www.yourdomain.co.uk, * , 11.22.33.44


Save

Restart OpenLiteSpeed (LSWS PID green button, top-right corner)

Within another browser window:

Visit yourdomain.co.uk (should see ‘hello world’)

Visit yourdomain.co.uk/info.php (should see php details)

Within terminal:

CERTBOT

# apt install snapd (answer Y to prompts)

# snap install core

(Test snap)
# snap install hello-world

(Note: On occasion this error may appear:
Warning: /snap/bin was not found in your $PATH. If you've not restarted your
session since you installed snapd, try doing that. Please see
https://forum.snapcraft.io/t/9469 for more details.

If so then:
i) Exit the OpenLiteSpeed WebAdmin browser;
ii) reboot the server by # reboot, then wait a minute;
iii) return to the server by ssh servername-root;
iv) return to the OpenLiteSpeed WebAdmin at yourdomain.co.uk:7080)

# hello-world
(‘Hello World!’ should appear)

# snap refresh core

(Install certbot)
# snap install --classic certbot

(Try a dry-run first to check if everything is working):

# certbot certonly --webroot -w /home/yourdomain.co.uk/public_html -d yourdomain.co.uk -d www.yourdomain.co.uk --dry-run

(Then create a certificate):

# certbot certonly --webroot -w /home/yourdomain.co.uk/public_html -d yourdomain.co.uk -d www.yourdomain.co.uk

(Enter email for urgent renewal and security notices (recommended), agree to the T&Cs [Y] and accept/decline campaign updates)

This message should eventually appear:

Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourdomain.co.uk/privkey.pem

Within OpenLiteSpeed WebAdmin

LISTENERS (https)

Within the Listeners left-hand menu option:

Add (a new Listener, top-right corner):

Listener name: https
IP Address: ANY IPv4
Port: 443
Secure: Yes


Save (top-right corner).

Within Listener Summary, View https Listener (magnifying glass icon) to set its certificate and map the domain to it.

Within the SSL tab

Edit (top-right corner).

Private Key File: /etc/letsencrypt/live/yourdomain.co.uk/privkey.pem
Certificate File: /etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem
Chained Certificate: Yes


Save (top-right corner).

Within the General tab

Within Virtual Host Mappings, Add:

Virtual Host: yourdomaincouk
Domains: yourdomain.co.uk, www.yourdomain.co.uk, * , 11.22.33.44

VIRTUAL HOSTS

Within the Virtual Hosts left-hand menu option:

Click on the yourdomaincouk Virtual Host in the table.

Within the SSL tab

Edit (top-right corner).

Private Key File: /etc/letsencrypt/live/yourdomain.co.uk/privkey.pem
Certificate File: /etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem
Chained Certificate: Yes


Save (top-right corner).

WEBADMIN SETTINGS

Within the WebAdmin Settings left-hand menu option:

Select Listeners:

Click on adminListener in the table.

Within the SSL tab

Edit (top-right corner).

Private Key File: /etc/letsencrypt/live/yourdomain.co.uk/privkey.pem
Certificate File: /etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem
Chained Certificate: Yes


Save (top-right corner).

Restart OpenLiteSpeed (LSWS PID green button, top-right corner).

Within terminal:

# nano /home/yourdomain.co.uk/public_html/.htaccess

Insert the following text:

RewriteEngine On
# Redirect to https://yourdomain.co.uk/ unless the request is already for exactly that host over HTTPS
# (the host check is anchored so that www.yourdomain.co.uk is also redirected to the bare domain)
RewriteCond %{HTTP_HOST} !^yourdomain\.co\.uk$ [NC,OR]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://yourdomain.co.uk/$1 [R=301,L]


CTRL+O, Enter, CTRL+X to return to the command line.

Restart OpenLiteSpeed for the .htaccess change to take effect:

# /usr/local/lsws/bin/lswsctrl restart

Within another browser window:

Visit yourdomain.co.uk (should see ‘hello world’ and the secure browser padlock)

Visit yourdomain.co.uk/info.php (should see php details and the secure browser padlock)

MariaDB

Install MariaDB, secure installation, create initial database

(Assistance: Digital Ocean)

Within terminal:

ssh servername-root

Ensure server packages are up to date:

# apt update

Install and secure MariaDB:

# apt install mariadb-server (answer Y to prompts)

# mysql_secure_installation


Answer the prompts as below:

Enter current password for root (enter for none): [Enter]
Set root password? [Y/n] n
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Create an administrator MariaDB user (example used: adminroot):

# mysql

MariaDB [(none)]> GRANT ALL ON *.* TO 'adminroot'@'localhost' IDENTIFIED BY 'yourpassword' WITH GRANT OPTION; 

MariaDB [(none)]> FLUSH PRIVILEGES;

MariaDB [(none)]> exit;

Check MariaDB is running:

# systemctl status mariadb

Output
mariadb.service - MariaDB 10.3.27 database serve
 Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: 
Active: active (running) since Mon 2020-12-28 11:14:00 UTC; 7min ago
Docs: man:mysqld(8)

Create a database for yourdomaincouk:

# mysql -u adminroot -p

(enter password)

MariaDB [(none)]> CREATE DATABASE yourdomaincouk;

MariaDB [(none)]> GRANT ALL ON yourdomaincouk.* TO 'yourdomaincouk'@'localhost' IDENTIFIED BY 'yourpassword';

MariaDB [(none)]> FLUSH PRIVILEGES;

MariaDB [(none)]> exit;


# exit

Miscellaneous

Set standard user password, home directory and automatic SSH login

Within terminal: (needs to be changed)

ssh servername-root

# passwd yourdomaincouk

(enter password and confirm password)

# usermod --home /home/yourdomain.co.uk yourdomaincouk

# exit

cat .ssh/id_rsa_servernamekeypairname.pub

Displays a long key similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWe6bYxUz5nXp7A5zBdsB+6jdO8mmEWowTHHLsQ/9iixrTvKeygMpFQRPmludJeqlR9mMP5lp2LSrva80Flt/L5VxSNMGF1hixPqLyEW+UlsoPmludJeqlR9mMP5lp2LSrva8049I/GrROoLlmB1qgIYeic1swQhMapO1uvKCrrsyKSV9HT0dx+nPRk+0jgbnQIAlIEcW4Da50x5NCKGU0PiCTbPuWFnb4crZ6Z3yviPmludJeqlR9mMP5lp2LSrva8046PDEmuPMVDfaFQMEQCPpoQ8r83kllrGm9aNiPmludJeqlR9llrGm9aSrva80yC4LHmt2LZB7In3yA1 you@yourcomputer.lan

Copy the key onto your clipboard.

Now to ‘paste’ the key onto the server:

ssh yourdomaincouk@11.22.33.44

(enter password)

$ mkdir .ssh

$ nano .ssh/authorized_keys

Paste the copied key from the clipboard into the file.

CTRL+O, Enter, CTRL+X to return to the command line.

$ exit

nano .ssh/config

Within the file add the following lines:

Host servername-yourdomaincouk
Hostname 11.22.33.44
Port 22
User yourdomaincouk
IdentityFile ~/.ssh/id_rsa_servernamekeypairname


CTRL+O, Enter, CTRL+X to return to the command line.

Test automatic login:

ssh servername-yourdomaincouk

$ exit

Certbot Renewal Test

Within terminal:

ssh servername-root

# certbot renew --dry-run

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-----------------------------------------------------------
Processing /etc/letsencrypt/renewal/yourdomain.co.uk.conf
-----------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Account registered.
Simulating renewal of an existing certificate for yourdomain.co.uk and www.yourdomain.co.uk
Performing the following challenges:
http-01 challenge for yourdomain.co.uk
http-01 challenge for www.yourdomain.co.uk
Using the webroot path /home/yourdomain.co.uk/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
-----------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem

-----------------------------------------------------------
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/yourdomain.co.uk/fullchain.pem (success)
-----------------------------------------------------------


# exit

WordPress CLI Installation

(Assistance: WordPress, OpenLiteSpeed Forum)

Within terminal:

ssh servername-root

# curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar

Check if WP-CLI works using OpenLiteSpeed php:

# /usr/local/lsws/lsphp74/bin/php wp-cli.phar --info

Should see output similar to this:

Output
OS: Linux 4.19.0-13-cloud-amd64 #1 SMP Debian 4.19.160-2(2020-11-28) x86_64
Shell: /bin/sh
PHP binary: /usr/local/lsws/lsphp74/bin/php
PHP version: 7.4.13
php.ini used: /usr/local/lsws/lsphp74/etc/php/7.4/litespeed/php.ini


# chmod +x wp-cli.phar
# mv wp-cli.phar /usr/local/bin/wp


Amend user profile to automatically use OpenLiteSpeed php with WP-CLI during every SSH session:

# nano /home/yourdomain.co.uk/.profile

Insert the following line:

export PATH=/usr/local/lsws/lsphp74/bin:$PATH

CTRL+O, Enter, CTRL+X to return to the command line.

# exit

Check the automatic profile works:

ssh servername-yourdomaincouk

$ wp --info

Output should show OpenLiteSpeed php:

Output
OS: Linux 4.19.0-13-cloud-amd64 #1 SMP Debian 4.19.160-2(2020-11-28) x86_64
Shell: /bin/sh
PHP binary: /usr/local/lsws/lsphp74/bin/php
PHP version: 7.4.13
php.ini used: /usr/local/lsws/lsphp74/etc/php/7.4/litespeed/php.ini


$ exit

Amend WordPress PHP configurations

ssh servername-root

Create a WordPress PHP config file to allow larger plugins, images etc. to be uploaded through the dashboard:

# nano /usr/local/lsws/lsphp74/etc/php/7.4/mods-available/wordpress.ini

Insert the following lines:

post_max_size = 128M
upload_max_filesize = 128M


CTRL+O, Enter, CTRL+X to return to the command line.

Restart OpenLiteSpeed for the PHP change to take effect:

# /usr/local/lsws/bin/lswsctrl restart

Visit yourdomain.co.uk/info.php to ensure post_max_size and upload_max_filesize both show 128M

# exit

Create Sendy Cronjobs

ssh servername-root

# crontab -u yourdomaincouk -e

Insert the following lines below the comments:

* * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/yourdomain.co.uk/public_html/autoresponders.php > /dev/null 2>&1
* * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/yourdomain.co.uk/public_html/import-csv.php > /dev/null 2>&1
*/5 * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/yourdomain.co.uk/public_html/scheduled.php > /dev/null 2>&1
*/15 * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/yourdomain.co.uk/public_html/update-segments.php > /dev/null 2>&1


CTRL+O, Enter, CTRL+X to return to the command line.

Wait a minute, then check whether the cronjobs are running (there should be at least two a minute):

# systemctl status cron

Output
Jan 09 18:37:01 ip-172-26-5-155 CRON[22067]: pam_unix(cron:session): session ope
Jan 09 18:37:01 ip-172-26-5-155 CRON[22065]: pam_unix(cron:session): session ope
Jan 09 18:37:01 ip-172-26-5-155 CRON[22069]: (yourdomaincouk) CMD (/
Jan 09 18:37:01 ip-172-26-5-155 CRON[22070]: (yourdomaincouk) CMD (/

Then q to exit.

# exit