How to configures a Linux server to run web applications in a secure environment.
This configuration uses the Catalog Item project to create a Python WSGI application
- Public IP 35.199.122.175
- Catalog item web app
The app is hosted on a Google Cloud, and may be unavailable after the trial period
The third party sign Google and Facebook not work, because the Google need valid domain name not an IP address number and the Facebook require HTTPS protocol. Only works in a localhost environment.
- Use cloud service to create an instance of the Ubuntu Linux server.
- I am using the Google Cloud service
- Follow the Linux SSH configuration instructions.
- Update all installed packages
- Change the default port SSH 22 to 2200 add the firewall rule.
- add the firewall rule in VPN NETWORK option on Google AppEngine
- Configure Uncomplicated Firewall (UFW) to only allow connections:
- SSH 2200
- HTTP 80
- NPT 123
- Create a grader user account
- Give sudo permission to user grader
- Create SSH keys to grader using the ssh-keygen tool
- Set the local time zone for UTC
- Install the apache server to serve mod_wsgi Python application
- Install PostgreSQL and create user catalog with limited permissions to the application database.
- Installing Git
- Cloning and Configuring the Project Item Catalog
- Configure the server so that it works correctly by visiting the ip address of your server in a browser. And do not allow the git directory to be publicly accessible through a browser
- Update package information
sudo apt-get update
- Install package updates
sudo apt-get upgrade
- Create user grader
sudo adduser grader
- Give sudo permission to user grader
sudo cp /etc/sudoers.d/google_sudoers /etc/sudoers.d/gradersudo nano /etc/sudoers.d/graderrename google_sudoers to grader
- Log in with user grader
su grader
- In the user's directory grader, create an .ssh folder to store the public key.
mkdir .ssh
- Generate SSH keys for the grader in your local environment
ssh-keygen graderwith the name grader
- Create the authorized_key file in the .ssh folder save the public key
sudo nano .ssh/authorized_keysand paste content the file grader.pub
- Change permissions .ssh
sudo chmod 744 .ssh
- Change permissions for authorized_keys
sudo chmod 644 .ssh/autthorized_keys
- Close the Google Cloud Shell and log in to your local environment with a previously generated key
ssh grader@35.199.122.175 -i gradergrader is the private key
ATTENTION: In the Google compute engine, change the default default-allow-ssh port to 2200 - If you do not do this, you will not be able to communicate through ssh
- Configure o Uncomplicated Firewall (UFW)
sudo ufw default deny incoming
sudo ufw default allow incoming
sudo ufw allow 2200/tcp
sudo ufw allow web
sudo ufw allow 123/tcp
- Activate the firewall
sudo ufw enable
- Change the ssh port to 2200 in the configuration file and disable SSH Root Login
sudo nano /etc/ssh/sshd_config
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2200
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
...
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
...
- Restart the SSH service
sudo service ssh restart
- Set the time for UTC,
sudo dpkg-reconfigure tzdataselect none of above and UTC.
- Install apache and wsgi
sudo apt-get install apache2sudo apt-get install libapache2-mod-wsgi
- Install postgresql
sudo apt-get install postgresql
- Install the Postgresql
sudo -u postgres psql postgres
- Create the database and user catalog
create database catalog;create user catalog with password 'somePass'
- Install git
sudo apt-get install git
- create CatalogApp folder
sudo mkdir\var\www\ CatalogApp
- Enter the folder
cd \var\www\CatalogApp
- Cloning the Project Catalog Item
sudo git clone https://github.com/denmarksdev/catalog.git
- Install Virtual Python Environment
sudo virtualenv venv --always-copy
- Activate the virtual environment
source venv/bin/activate
- Install the application packages
sudo pip install -r catalog/requirements.txt
- Installing the PostgreSQL Provider
pip install psycopg2-binary
- Move the app folder to /var/www/CatalogApp
sudo mv /catalog/app ./
- Move the config.py folder to /var/www/CatalogApp
sudo mv /catalog/config.py ./
- In the configuration file change the provider of the bank and the public address
SQLALCHEMY_DATABASE_URI = 'postgresql://catalog:somePass@localhost/catalog'
PUBLIC_URL = "http://35.199.122.175"
- Changing static Image folder permissions
sudo ssh chmod 747 app\static\images
- Create the application's WSGI file
sudo nano catalogapp.wsgi
#!/usr/bin/python
import sys
import logging
import os
logging.basicConfig(stream=sys.stderr)
sys.path.insert(0,"/var/www/CatalogApp/")
from app import app as application
from app.sample_data import create as create_sample_data
create_sample_data()
- Configure the virtual host
sudo nano /etc/apache2/sites-available/CatalogApp.conf
<VirtualHost *:80>
ServerName 35.199.122.175
ServerAdmin grader@test.com
WSGIScriptAlias / /var/www/CatalogApp/catalogapp.wsgi
<Directory /var/www/CatalogApp/app/>
Order allow,deny
Allow from all
</Directory>
Alias /static /var/www/CatalogApp/app/static
<Directory /var/www/CatalogApp/app/static/>
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
- And finally restart the apache server
sudo service apache2 restart
- Google Cloud
- git the version control system
- Flask with Apache
- How To Deploy a Flask Application on an Ubuntu VPS