Linux Server Configuration - Blacksmith Item Catalog
Server Info:
Server IP : 3.219.35.196
Server URL: http://3.219.35.196.xip.io
GitHub Repository : https://github.com/Scifideity/BlacksmithCatalog.git
Software Utilized:
Ubuntu 16.04
Python
Flask
SQLAlchemy
Git
Nginx
Gunicorn
Supervisor
Server Configuration Steps
Prep on your LOCAL machine
- Create keys for grader
ssh-keygen
Call it grader_key
Amazon Lightsail
Browse to Create Instance
Sign up for the plan you want; the lowest tier, currently $3.50/mo, is sufficient for this project.
Instance Type: OS Only
OS : Ubuntu 16.04
Create Instance (May take a few min)
Configure your Server
Connect via SSH w/ default key (found in Accounts section) for your region
- Update and Upgrade the Server
sudo apt-get update
sudo apt-get upgrade
- Configure Server for Unattended Upgrades
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
(interactive, answer Yes)
- Create user grader (pw = graderpw) and install key from Local Machine
ubuntu@ip-x.x.x.x:~$ sudo adduser grader
ubuntu@ip-x.x.x.x:~$ su grader
grader@ip:/home/ubuntu$ cd /home/grader
grader@ip-x.x.x.x:~$ mkdir .ssh
grader@ip-x.x.x.x:~$ touch .ssh/authorized_keys
grader@ip-x.x.x.x:~$ vi .ssh/authorized_keys
grader@ip-x.x.x.x:~$ chmod 700 .ssh
grader@ip-x.x.x.x:~$ chmod 644 .ssh/authorized_keys
grader@ip-x.x.x.x:~$ ls -la
total 28
drwxr-xr-x 3 grader grader 4096 Jun 25 20:45 .
drwxr-xr-x 4 root root 4096 Jun 25 20:42 ..
-rw-r--r-- 1 grader grader 220 Jun 25 20:42 .bash_logout
-rw-r--r-- 1 grader grader 3771 Jun 25 20:42 .bashrc
-rw-r--r-- 1 grader grader 655 Jun 25 20:42 .profile
drwx------ 2 grader grader 4096 Jun 25 20:45 .ssh
-rw------- 1 grader grader 644 Jun 25 20:45 .viminfo
grader@ip-x.x.x.x:~$
- Using vim or nano edit .ssh/authorized_keys (I prefer vi/vim)
- vi .ssh/authorized_keys
- Paste contents of grader_key.pub from your LOCAL Machine
- Save and Exit.
vim : :wq
nano : CTRL-X, Y, <ENTER>
- Grant ‘grader’ sudo access
~$ sudo ls /etc/sudoers.d <-- Find existing username to copy
90-cloud-init-users README
~$ sudo cp /etc/sudoers.d/90-cloud-init-users /etc/sudoers.d/grader <-- Copy to grader
~$ sudo ls /etc/sudoers.d
90-cloud-init-users grader README
~$ sudo vi /etc/sudoers.d/grader
change user name to grader
save and quit :wq!
- Test grader ssh access using key
ssh -i grader_key grader@<server-ip>
- Test grader sudo permissions
Last login: Tue Jun 25 20:51:48 2019 from x.x.x.x
grader@ip-x.x.x.x:~$ ls /etc/sudoers.d
ls: cannot open directory '/etc/sudoers.d': Permission denied
grader@ip-x.x.x.x:~$ sudo ls /etc/sudoers.d
90-cloud-init-users grader README
grader@ip-x.x.x.x:~$
- Change ssh to listen on port 2200 and prohibit root login
grader@ip-x.x.x.x:~$ sudo vi /etc/ssh/sshd_config
Add ‘Port 2200’ below ‘Port 22’
Confirm PasswordAuthentication is no (default)
Confirm PermitRootLogin is no or prohibit-password (new default)
:wq
grader@ip-x.x.x.x:~$
- Restart sshd
grader@ip-x.x.x.x:~$ sudo service sshd restart
- Close SSH session and reconnect on port 2200
  - If successful
    - Edit /etc/ssh/sshd_config
    - Remove or Comment out ‘Port 22’
    - Save and restart sshd again
  - If unsuccessful
    - Go back a few steps and retrace looking for what went wrong
- Configure UFW (Uncomplicated FireWall)
sudo ufw status <— check current status
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 2200/tcp
sudo ufw allow www
sudo ufw allow ntp
sudo ufw enable <— activates FW - BE CERTAIN BEFORE YOU ENABLE
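A check for the sshd settings the steps above ask for, as an added example that is not part of the original README. The function names `sshd_values` and `audit_sshd` are made up for illustration, and the sample config is constructed.

```shell
#!/usr/bin/env bash
# Audit an sshd_config for the settings this guide sets (illustrative helper).
# Usage: audit_sshd /etc/ssh/sshd_config    -> exit status 0 if every check passes

# Print the global value(s) of one keyword, lowercased. Keywords are
# case-insensitive; parsing stops at the first Match block (conditional overrides).
sshd_values() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

audit_sshd() {  # $1 = config file
    file="$1"; fail=0
    ports=$(sshd_values "$file" Port | sort -n | xargs)   # Port may repeat
    pw=$(sshd_values "$file" PasswordAuthentication | head -n 1)  # first value wins
    root=$(sshd_values "$file" PermitRootLogin | head -n 1)

    # With no Port line at all, sshd listens on 22.
    if [ "$ports" != "2200" ]; then
        echo "FAIL: Port is '${ports:-unset (defaults to 22)}', expected only 2200"; fail=1
    fi
    # An unset PasswordAuthentication means yes in OpenSSH.
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset (defaults to yes)}'"; fail=1
    fi
    # Require an explicit value rather than relying on the version's default.
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin is '${root:-unset}'"; fail=1 ;;
    esac
    [ "$fail" -eq 0 ] && echo "OK: $file matches the guide"
    return "$fail"
}

# Constructed sample: the mid-procedure state, before 'Port 22' is removed.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'Port 2200' 'PermitRootLogin prohibit-password' \
    'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" || echo "(expected at this stage: Port 22 is still configured)"
rm -f "$sample"
```

On the server itself, `sudo sshd -T` prints the effective configuration including defaults, which is a useful cross-check against the file.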
Configure your Application
- Get Application onto the server (git shown but you can FTP, SCP, or SFTP if you wish)
- Install git
sudo apt-get install git
- Configure git
- Configure Git : Source
- Set git global 'user.name' and 'user.email'
git config --global user.name "Your_Name"
git config --global user.email "email_address@domain.com"
- Create project directory (I just made it a subdirectory of $HOME)
cd $HOME
mkdir blacksmithcatalog
- Clone the project to the blacksmithcatalog directory using the GitHub repository URL
git clone https://github.com/Scifideity/BlacksmithCatalog.git blacksmithcatalog
- Create the Virtual Environment
- Install Python3 and Virtual Environment
sudo apt install python3-pip
sudo apt install python3-venv
- Create the Virtual Environment
python3 -m venv blacksmithcatalog/venv
- Activate the Virtual Environment (venv)
cd blacksmithcatalog
source venv/bin/activate
NOTE: ENSURE YOU ARE IN THE (venv) FROM THIS POINT ON
Prompt will be prefaced with (venv)
- Install Flask Application dependencies
pip install -r requirements.txt
- Install Nginx (webserver to serve static files)
cd $HOME
sudo apt install nginx
- Install Gunicorn (WSGI to handle python code)
pip install gunicorn
- Configure Nginx
- Remove the default configuration file
sudo rm /etc/nginx/sites-enabled/default
- Create a new configuration file for your application
sudo vi /etc/nginx/sites-enabled/blacksmithcatalog
- Add the following:
server {
    listen 80;
    server_name 3.219.35.196;

    location /static {
        alias /home/ubuntu/blacksmithcatalog/static;
    }

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }
}
- Save and Exit
:wq
- Restart Nginx server
sudo systemctl restart nginx
- OPTIONAL TEST : Run gunicorn from command line and test site
gunicorn -w 3 application:app
Browse to http://3.219.35.196.xip.io
CTRL-C to exit
- Install Supervisor (Monitors and restarts app)
sudo apt install supervisor
- Configure Supervisor
sudo vi /etc/supervisor/conf.d/blacksmithing.conf
- Add the following:
[program:blacksmithcatalog]
directory=/home/ubuntu/blacksmithcatalog
command=/home/ubuntu/blacksmithcatalog/venv/bin/gunicorn -w 3 application:app
user=ubuntu
autostart=true
autorestart=true
stopasgroup=true
killasgroup=true
stderr_logfile=/var/log/blacksmithcatalog/blacksmithcatalog.err.log
stdout_logfile=/var/log/blacksmithcatalog/blacksmithcatalog.out.log
- Save and Exit
:wq
- Make the log directory and files
sudo mkdir -p /var/log/blacksmithcatalog
sudo touch /var/log/blacksmithcatalog/blacksmithcatalog.err.log
sudo touch /var/log/blacksmithcatalog/blacksmithcatalog.out.log
- Restart Supervisor
sudo supervisorctl reload
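Once everything is running, the only TCP ports reachable from outside should be 80 (Nginx) and 2200 (sshd), with gunicorn staying on its loopback default behind the `proxy_pass http://localhost:8000` line. The following is an added example, not part of the original README; the names `unexpected_listeners` and `sample_listeners` are made up for illustration and the `ss -ltn` output is constructed.

```shell
#!/usr/bin/env bash
# List TCP ports that listen on a non-loopback address but are not expected.
# Usage on the server:  ss -ltn | unexpected_listeners "80 2200"

unexpected_listeners() {  # $1 = allowed ports (space-separated); ss output on stdin
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }              # also skips the header line
        {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)        # address = text before the last colon
            sub(/^.*:/, "", port)            # port    = text after the last colon
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            if (!(port in ok)) print port
        }
    ' | sort -nu
}

# Constructed ss -ltn output: sshd still on 22 as well as 2200, and gunicorn
# started with a hypothetical "-b 0.0.0.0:8000" instead of its loopback default.
sample_listeners() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:2200        0.0.0.0:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       3       0.0.0.0:8000        0.0.0.0:*
LISTEN  0       128     [::]:2200           [::]:*
EOF
}

sample_listeners | unexpected_listeners "80 2200"
```

An empty result means no unexpected listener; any port printed is either a service bound too widely or one that the UFW rules should not be allowing.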