NodeJS

Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

April 10, 2018 by Simon

This guide will help you install and setup the pm2 NodejJS process monitor PM2 from Keymetrics.io for free and manage your node apps performance and exceptions.

What is PM2?

PM2 is a production process manager for Node.js applications with a built-in load balancer. It allows you to keep applications alive forever, to reload them without downtime and to facilitate common system admin tasks. This is the steps I used on Ubuntu 16.04. This is NOT a paid endorsement (just self-documenting).

Key Features of PM2

PM2 offers web-based monitoring dashboard, exception reporting, load balancer, CPU and memory monitoring, transaction tracer and much more for NodeJS apps.

What is PM2?

Official page: http://pm2.keymetrics.io/

More info https://www.npmjs.com/package/pm2

Install PM2

npm install pm2 -g

1	npm install pm2 -g

Install Output

npm install pm2 -g
/usr/bin/pm2 -> /usr/lib/node_modules/pm2/bin/pm2
/usr/bin/pm2-dev -> /usr/lib/node_modules/pm2/bin/pm2-dev
/usr/bin/pm2-docker -> /usr/lib/node_modules/pm2/bin/pm2-docker
/usr/bin/pm2-runtime -> /usr/lib/node_modules/pm2/bin/pm2-runtime
/usr/lib
└─┬ pm2@2.10.2
  ├─┬ async@2.6.0
  │ └── lodash@4.17.5
  ├── blessed@0.1.81
  ├─┬ chalk@1.1.3
  │ ├── ansi-styles@2.2.1
  │ ├── escape-string-regexp@1.0.5
  │ ├─┬ has-ansi@2.0.0
  │ │ └── ansi-regex@2.1.1
  │ ├── strip-ansi@3.0.1
  │ └── supports-color@2.0.0
  ├─┬ chokidar@2.0.3
  │ ├─┬ anymatch@2.0.0
  │ │ └─┬ micromatch@3.1.10
  │ │   ├── arr-diff@4.0.0
  │ │   ├─┬ define-property@2.0.2
  │ │   │ └─┬ is-descriptor@1.0.2
  │ │   │   ├── is-accessor-descriptor@1.0.0
  │ │   │   └── is-data-descriptor@1.0.0
  │ │   ├─┬ extend-shallow@3.0.2
  │ │   │ ├── assign-symbols@1.0.0
  │ │   │ └─┬ is-extendable@1.0.1
  │ │   │   └── is-plain-object@2.0.4
  │ │   ├─┬ extglob@2.0.4
  │ │   │ ├─┬ define-property@1.0.0
  │ │   │ │ └─┬ is-descriptor@1.0.2
  │ │   │ │   ├── is-accessor-descriptor@1.0.0
  │ │   │ │   └── is-data-descriptor@1.0.0
  │ │   │ ├─┬ expand-brackets@2.1.4
  │ │   │ │ ├── debug@2.6.9
  │ │   │ │ ├── define-property@0.2.5
  │ │   │ │ ├── extend-shallow@2.0.1
  │ │   │ │ └── posix-character-classes@0.1.1
  │ │   │ └── extend-shallow@2.0.1
  │ │   ├── fragment-cache@0.2.1
  │ │   ├── kind-of@6.0.2
  │ │   ├─┬ nanomatch@1.2.9
  │ │   │ ├─┬ is-odd@2.0.0
  │ │   │ │ └── is-number@4.0.0
  │ │   │ └── is-windows@1.0.2
  │ │   ├── object.pick@1.3.0
  │ │   └── regex-not@1.0.2
  │ ├── async-each@1.0.1
  │ ├─┬ braces@2.3.2
  │ │ ├── arr-flatten@1.1.0
  │ │ ├── array-unique@0.3.2
  │ │ ├─┬ extend-shallow@2.0.1
  │ │ │ └── is-extendable@0.1.1
  │ │ ├─┬ fill-range@4.0.0
  │ │ │ ├── extend-shallow@2.0.1
  │ │ │ ├─┬ is-number@3.0.0
  │ │ │ │ └─┬ kind-of@3.2.2
  │ │ │ │   └── is-buffer@1.1.6
  │ │ │ ├── repeat-string@1.6.1
  │ │ │ └── to-regex-range@2.1.1
  │ │ ├── isobject@3.0.1
  │ │ ├── repeat-element@1.1.2
  │ │ ├─┬ snapdragon@0.8.2
  │ │ │ ├─┬ base@0.11.2
  │ │ │ │ ├─┬ cache-base@1.0.1
  │ │ │ │ │ ├─┬ collection-visit@1.0.0
  │ │ │ │ │ │ ├── map-visit@1.0.0
  │ │ │ │ │ │ └── object-visit@1.0.1
  │ │ │ │ │ ├── get-value@2.0.6
  │ │ │ │ │ ├─┬ has-value@1.0.0
  │ │ │ │ │ │ └─┬ has-values@1.0.0
  │ │ │ │ │ │   └── kind-of@4.0.0
  │ │ │ │ │ ├─┬ set-value@2.0.0
  │ │ │ │ │ │ └── extend-shallow@2.0.1
  │ │ │ │ │ ├─┬ to-object-path@0.3.0
  │ │ │ │ │ │ └── kind-of@3.2.2
  │ │ │ │ │ ├─┬ union-value@1.0.0
  │ │ │ │ │ │ └─┬ set-value@0.4.3
  │ │ │ │ │ │   └── extend-shallow@2.0.1
  │ │ │ │ │ └─┬ unset-value@1.0.0
  │ │ │ │ │   └─┬ has-value@0.3.1
  │ │ │ │ │     ├── has-values@0.1.4
  │ │ │ │ │     └── isobject@2.1.0
  │ │ │ │ ├─┬ class-utils@0.3.6
  │ │ │ │ │ ├── arr-union@3.1.0
  │ │ │ │ │ ├── define-property@0.2.5
  │ │ │ │ │ └─┬ static-extend@0.1.2
  │ │ │ │ │   ├── define-property@0.2.5
  │ │ │ │ │   └─┬ object-copy@0.1.0
  │ │ │ │ │     ├── copy-descriptor@0.1.1
  │ │ │ │ │     ├── define-property@0.2.5
  │ │ │ │ │     └── kind-of@3.2.2
  │ │ │ │ ├── component-emitter@1.2.1
  │ │ │ │ ├─┬ define-property@1.0.0
  │ │ │ │ │ └─┬ is-descriptor@1.0.2
  │ │ │ │ │   ├── is-accessor-descriptor@1.0.0
  │ │ │ │ │   └── is-data-descriptor@1.0.0
  │ │ │ │ ├─┬ mixin-deep@1.3.1
  │ │ │ │ │ ├── for-in@1.0.2
  │ │ │ │ │ └── is-extendable@1.0.1
  │ │ │ │ └── pascalcase@0.1.1
  │ │ │ ├── debug@2.6.9
  │ │ │ ├─┬ define-property@0.2.5
  │ │ │ │ └─┬ is-descriptor@0.1.6
  │ │ │ │   ├─┬ is-accessor-descriptor@0.1.6
  │ │ │ │   │ └── kind-of@3.2.2
  │ │ │ │   ├─┬ is-data-descriptor@0.1.4
  │ │ │ │   │ └── kind-of@3.2.2
  │ │ │ │   └── kind-of@5.1.0
  │ │ │ ├── extend-shallow@2.0.1
  │ │ │ ├── map-cache@0.2.2
  │ │ │ ├── source-map@0.5.7
  │ │ │ ├─┬ source-map-resolve@0.5.1
  │ │ │ │ ├── atob@2.1.0
  │ │ │ │ ├── decode-uri-component@0.2.0
  │ │ │ │ ├── resolve-url@0.2.1
  │ │ │ │ ├── source-map-url@0.4.0
  │ │ │ │ └── urix@0.1.0
  │ │ │ └── use@3.1.0
  │ │ ├─┬ snapdragon-node@2.1.1
  │ │ │ ├─┬ define-property@1.0.0
  │ │ │ │ └─┬ is-descriptor@1.0.2
  │ │ │ │   ├── is-accessor-descriptor@1.0.0
  │ │ │ │   └── is-data-descriptor@1.0.0
  │ │ │ └─┬ snapdragon-util@3.0.1
  │ │ │   └── kind-of@3.2.2
  │ │ ├── split-string@3.1.0
  │ │ └─┬ to-regex@3.0.2
  │ │   └─┬ safe-regex@1.1.0
  │ │     └── ret@0.1.15
  │ ├─┬ glob-parent@3.1.0
  │ │ ├── is-glob@3.1.0
  │ │ └── path-dirname@1.0.2
  │ ├── inherits@2.0.3
  │ ├─┬ is-binary-path@1.0.1
  │ │ └── binary-extensions@1.11.0
  │ ├─┬ is-glob@4.0.0
  │ │ └── is-extglob@2.1.1
  │ ├─┬ normalize-path@2.1.1
  │ │ └── remove-trailing-separator@1.1.0
  │ ├── path-is-absolute@1.0.1
  │ ├─┬ readdirp@2.1.0
  │ │ ├── graceful-fs@4.1.11
  │ │ ├─┬ minimatch@3.0.4
  │ │ │ └─┬ brace-expansion@1.1.11
  │ │ │   ├── balanced-match@1.0.0
  │ │ │   └── concat-map@0.0.1
  │ │ ├─┬ readable-stream@2.3.6
  │ │ │ ├── core-util-is@1.0.2
  │ │ │ ├── isarray@1.0.0
  │ │ │ ├── process-nextick-args@2.0.0
  │ │ │ ├── safe-buffer@5.1.1
  │ │ │ ├── string_decoder@1.1.1
  │ │ │ └── util-deprecate@1.0.2
  │ │ └── set-immediate-shim@1.0.1
  │ └── upath@1.0.4
  ├── cli-table-redemption@1.0.1
  ├── commander@2.13.0
  ├─┬ cron@1.3.0
  │ └── moment-timezone@0.5.14
  ├─┬ debug@3.1.0
  │ └── ms@2.0.0
  ├── eventemitter2@1.0.5
  ├── fclone@1.0.11
  ├── gkt@1.0.0
  ├─┬ mkdirp@0.5.1
  │ └── minimist@0.0.8
  ├── moment@2.22.0
  ├─┬ needle@2.2.0
  │ ├── debug@2.6.9
  │ ├─┬ iconv-lite@0.4.21
  │ │ └── safer-buffer@2.1.2
  │ └── sax@1.2.4
  ├─┬ nssocket@0.6.0
  │ ├── eventemitter2@0.4.14
  │ └── lazy@1.0.11
  ├── pidusage@1.2.0
  ├─┬ pm2-axon@3.1.0
  │ ├── amp@0.3.1
  │ ├── amp-message@0.1.2
  │ └── escape-regexp@0.0.1
  ├── pm2-axon-rpc@0.5.0
  ├─┬ pm2-deploy@0.3.9
  │ ├── async@1.5.2
  │ └── tv4@1.3.0
  ├─┬ pm2-multimeter@0.1.2
  │ └── charm@0.1.2
  ├─┬ pmx@1.6.4
  │ ├── deep-metrics@0.0.1
  │ ├── json-stringify-safe@5.0.1
  │ └─┬ vxx@1.2.2
  │   ├─┬ continuation-local-storage@3.2.1
  │   │ ├── async-listener@0.6.9
  │   │ └── emitter-listener@1.1.1
  │   ├── debug@2.6.9
  │   ├── extend@3.0.1
  │   ├── is@3.2.1
  │   ├── lodash.findindex@4.6.0
  │   ├── lodash.isequal@4.5.0
  │   ├── lodash.merge@4.6.1
  │   ├── methods@1.1.2
  │   ├── shimmer@1.2.0
  │   └── uuid@3.2.1
  ├─┬ promptly@2.2.0
  │ └─┬ read@1.0.7
  │   └── mute-stream@0.0.7
  ├── semver@5.5.0
  ├─┬ shelljs@0.7.8
  │ ├─┬ glob@7.1.2
  │ │ ├── fs.realpath@1.0.0
  │ │ ├─┬ inflight@1.0.6
  │ │ │ └── wrappy@1.0.2
  │ │ └── once@1.4.0
  │ ├── interpret@1.1.0
  │ └─┬ rechoir@0.6.2
  │   └─┬ resolve@1.7.0
  │     └── path-parse@1.0.5
  ├─┬ source-map-support@0.5.4
  │ └── source-map@0.6.1
  ├── sprintf-js@1.1.1
  ├── v8-compile-cache@1.1.2
  ├─┬ vizion@0.2.13
  │ └── async@1.5.2
  └─┬ yamljs@0.3.0
    └─┬ argparse@1.0.10
      └── sprintf-js@1.0.3

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

npm install pm2 -g

/usr/bin/pm2 -> /usr/lib/node_modules/pm2/bin/pm2

/usr/bin/pm2-dev -> /usr/lib/node_modules/pm2/bin/pm2-dev

/usr/bin/pm2-docker -> /usr/lib/node_modules/pm2/bin/pm2-docker

/usr/bin/pm2-runtime -> /usr/lib/node_modules/pm2/bin/pm2-runtime

/usr/lib

└─┬ pm2@2.10.2

├─┬ async@2.6.0

│ └── lodash@4.17.5

├── blessed@0.1.81

├─┬ chalk@1.1.3

│ ├── ansi-styles@2.2.1

│ ├── escape-string-regexp@1.0.5

│ ├─┬ has-ansi@2.0.0

│ │ └── ansi-regex@2.1.1

│ ├── strip-ansi@3.0.1

│ └── supports-color@2.0.0

├─┬ chokidar@2.0.3

│ ├─┬ anymatch@2.0.0

│ │ └─┬ micromatch@3.1.10

│ │ ├── arr-diff@4.0.0

│ │ ├─┬ define-property@2.0.2

│ │ │ └─┬ is-descriptor@1.0.2

│ │ │ ├── is-accessor-descriptor@1.0.0

│ │ │ └── is-data-descriptor@1.0.0

│ │ ├─┬ extend-shallow@3.0.2

│ │ │ ├── assign-symbols@1.0.0

│ │ │ └─┬ is-extendable@1.0.1

│ │ │ └── is-plain-object@2.0.4

│ │ ├─┬ extglob@2.0.4

│ │ │ ├─┬ define-property@1.0.0

│ │ │ │ └─┬ is-descriptor@1.0.2

│ │ │ │ ├── is-accessor-descriptor@1.0.0

│ │ │ │ └── is-data-descriptor@1.0.0

│ │ │ ├─┬ expand-brackets@2.1.4

│ │ │ │ ├── debug@2.6.9

│ │ │ │ ├── define-property@0.2.5

│ │ │ │ ├── extend-shallow@2.0.1

│ │ │ │ └── posix-character-classes@0.1.1

│ │ │ └── extend-shallow@2.0.1

│ │ ├── fragment-cache@0.2.1

│ │ ├── kind-of@6.0.2

│ │ ├─┬ nanomatch@1.2.9

│ │ │ ├─┬ is-odd@2.0.0

│ │ │ │ └── is-number@4.0.0

│ │ │ └── is-windows@1.0.2

│ │ ├── object.pick@1.3.0

│ │ └── regex-not@1.0.2

│ ├── async-each@1.0.1

│ ├─┬ braces@2.3.2

│ │ ├── arr-flatten@1.1.0

│ │ ├── array-unique@0.3.2

│ │ ├─┬ extend-shallow@2.0.1

│ │ │ └── is-extendable@0.1.1

│ │ ├─┬ fill-range@4.0.0

│ │ │ ├── extend-shallow@2.0.1

│ │ │ ├─┬ is-number@3.0.0

│ │ │ │ └─┬ kind-of@3.2.2

│ │ │ │ └── is-buffer@1.1.6

│ │ │ ├── repeat-string@1.6.1

│ │ │ └── to-regex-range@2.1.1

│ │ ├── isobject@3.0.1

│ │ ├── repeat-element@1.1.2

│ │ ├─┬ snapdragon@0.8.2

│ │ │ ├─┬ base@0.11.2

│ │ │ │ ├─┬ cache-base@1.0.1

│ │ │ │ │ ├─┬ collection-visit@1.0.0

│ │ │ │ │ │ ├── map-visit@1.0.0

│ │ │ │ │ │ └── object-visit@1.0.1

│ │ │ │ │ ├── get-value@2.0.6

│ │ │ │ │ ├─┬ has-value@1.0.0

│ │ │ │ │ │ └─┬ has-values@1.0.0

│ │ │ │ │ │ └── kind-of@4.0.0

│ │ │ │ │ ├─┬ set-value@2.0.0

│ │ │ │ │ │ └── extend-shallow@2.0.1

│ │ │ │ │ ├─┬ to-object-path@0.3.0

│ │ │ │ │ │ └── kind-of@3.2.2

│ │ │ │ │ ├─┬ union-value@1.0.0

│ │ │ │ │ │ └─┬ set-value@0.4.3

│ │ │ │ │ │ └── extend-shallow@2.0.1

│ │ │ │ │ └─┬ unset-value@1.0.0

│ │ │ │ │ └─┬ has-value@0.3.1

│ │ │ │ │ ├── has-values@0.1.4

│ │ │ │ │ └── isobject@2.1.0

│ │ │ │ ├─┬ class-utils@0.3.6

│ │ │ │ │ ├── arr-union@3.1.0

│ │ │ │ │ ├── define-property@0.2.5

│ │ │ │ │ └─┬ static-extend@0.1.2

│ │ │ │ │ ├── define-property@0.2.5

│ │ │ │ │ └─┬ object-copy@0.1.0

│ │ │ │ │ ├── copy-descriptor@0.1.1

│ │ │ │ │ ├── define-property@0.2.5

│ │ │ │ │ └── kind-of@3.2.2

│ │ │ │ ├── component-emitter@1.2.1

│ │ │ │ ├─┬ define-property@1.0.0

│ │ │ │ │ └─┬ is-descriptor@1.0.2

│ │ │ │ │ ├── is-accessor-descriptor@1.0.0

│ │ │ │ │ └── is-data-descriptor@1.0.0

│ │ │ │ ├─┬ mixin-deep@1.3.1

│ │ │ │ │ ├── for-in@1.0.2

│ │ │ │ │ └── is-extendable@1.0.1

│ │ │ │ └── pascalcase@0.1.1

│ │ │ ├── debug@2.6.9

│ │ │ ├─┬ define-property@0.2.5

│ │ │ │ └─┬ is-descriptor@0.1.6

│ │ │ │ ├─┬ is-accessor-descriptor@0.1.6

│ │ │ │ │ └── kind-of@3.2.2

│ │ │ │ ├─┬ is-data-descriptor@0.1.4

│ │ │ │ │ └── kind-of@3.2.2

│ │ │ │ └── kind-of@5.1.0

│ │ │ ├── extend-shallow@2.0.1

│ │ │ ├── map-cache@0.2.2

│ │ │ ├── source-map@0.5.7

│ │ │ ├─┬ source-map-resolve@0.5.1

│ │ │ │ ├── atob@2.1.0

│ │ │ │ ├── decode-uri-component@0.2.0

│ │ │ │ ├── resolve-url@0.2.1

│ │ │ │ ├── source-map-url@0.4.0

│ │ │ │ └── urix@0.1.0

│ │ │ └── use@3.1.0

│ │ ├─┬ snapdragon-node@2.1.1

│ │ │ ├─┬ define-property@1.0.0

│ │ │ │ └─┬ is-descriptor@1.0.2

│ │ │ │ ├── is-accessor-descriptor@1.0.0

│ │ │ │ └── is-data-descriptor@1.0.0

│ │ │ └─┬ snapdragon-util@3.0.1

│ │ │ └── kind-of@3.2.2

│ │ ├── split-string@3.1.0

│ │ └─┬ to-regex@3.0.2

│ │ └─┬ safe-regex@1.1.0

│ │ └── ret@0.1.15

│ ├─┬ glob-parent@3.1.0

│ │ ├── is-glob@3.1.0

│ │ └── path-dirname@1.0.2

│ ├── inherits@2.0.3

│ ├─┬ is-binary-path@1.0.1

│ │ └── binary-extensions@1.11.0

│ ├─┬ is-glob@4.0.0

│ │ └── is-extglob@2.1.1

│ ├─┬ normalize-path@2.1.1

│ │ └── remove-trailing-separator@1.1.0

│ ├── path-is-absolute@1.0.1

│ ├─┬ readdirp@2.1.0

│ │ ├── graceful-fs@4.1.11

│ │ ├─┬ minimatch@3.0.4

│ │ │ └─┬ brace-expansion@1.1.11

│ │ │ ├── balanced-match@1.0.0

│ │ │ └── concat-map@0.0.1

│ │ ├─┬ readable-stream@2.3.6

│ │ │ ├── core-util-is@1.0.2

│ │ │ ├── isarray@1.0.0

│ │ │ ├── process-nextick-args@2.0.0

│ │ │ ├── safe-buffer@5.1.1

│ │ │ ├── string_decoder@1.1.1

│ │ │ └── util-deprecate@1.0.2

│ │ └── set-immediate-shim@1.0.1

│ └── upath@1.0.4

├── cli-table-redemption@1.0.1

├── commander@2.13.0

├─┬ cron@1.3.0

│ └── moment-timezone@0.5.14

├─┬ debug@3.1.0

│ └── ms@2.0.0

├── eventemitter2@1.0.5

├── fclone@1.0.11

├── gkt@1.0.0

├─┬ mkdirp@0.5.1

│ └── minimist@0.0.8

├── moment@2.22.0

├─┬ needle@2.2.0

│ ├── debug@2.6.9

│ ├─┬ iconv-lite@0.4.21

│ │ └── safer-buffer@2.1.2

│ └── sax@1.2.4

├─┬ nssocket@0.6.0

│ ├── eventemitter2@0.4.14

│ └── lazy@1.0.11

├── pidusage@1.2.0

├─┬ pm2-axon@3.1.0

│ ├── amp@0.3.1

│ ├── amp-message@0.1.2

│ └── escape-regexp@0.0.1

├── pm2-axon-rpc@0.5.0

├─┬ pm2-deploy@0.3.9

│ ├── async@1.5.2

│ └── tv4@1.3.0

├─┬ pm2-multimeter@0.1.2

│ └── charm@0.1.2

├─┬ pmx@1.6.4

│ ├── deep-metrics@0.0.1

│ ├── json-stringify-safe@5.0.1

│ └─┬ vxx@1.2.2

│ ├─┬ continuation-local-storage@3.2.1

│ │ ├── async-listener@0.6.9

│ │ └── emitter-listener@1.1.1

│ ├── debug@2.6.9

│ ├── extend@3.0.1

│ ├── is@3.2.1

│ ├── lodash.findindex@4.6.0

│ ├── lodash.isequal@4.5.0

│ ├── lodash.merge@4.6.1

│ ├── methods@1.1.2

│ ├── shimmer@1.2.0

│ └── uuid@3.2.1

├─┬ promptly@2.2.0

│ └─┬ read@1.0.7

│ └── mute-stream@0.0.7

├── semver@5.5.0

├─┬ shelljs@0.7.8

│ ├─┬ glob@7.1.2

│ │ ├── fs.realpath@1.0.0

│ │ ├─┬ inflight@1.0.6

│ │ │ └── wrappy@1.0.2

│ │ └── once@1.4.0

│ ├── interpret@1.1.0

│ └─┬ rechoir@0.6.2

│ └─┬ resolve@1.7.0

│ └── path-parse@1.0.5

├─┬ source-map-support@0.5.4

│ └── source-map@0.6.1

├── sprintf-js@1.1.1

├── v8-compile-cache@1.1.2

├─┬ vizion@0.2.13

│ └── async@1.5.2

└─┬ yamljs@0.3.0

└─┬ argparse@1.0.10

└── sprintf-js@1.0.3

PM2 Pricing

PM2 appears to be for high-end apps but I am only using the free version or PM2 (thanks KeyMetrics)

Create a bucket for your node app

Click Generate New Bucket

Give the bucket a name etc.

You can now link your bucket with your local pm2 installation (keep the keys private (this one no longer exists))

Linking your local pm2 installation with your keymetrics bucket

pm2 link l3brztzboz25him i6kofelsyfo7xrd
[KM] Connecting
[Monitoring Enabled] Dashboard access: https://app.keymetrics.io/#/r/i6kofelsyfo7xrd

pm2 link l3brztzboz25him i6kofelsyfo7xrd

[KM] Connecting

[Monitoring Enabled] Dashboard access: https://app.keymetrics.io/#/r/i6kofelsyfo7xrd

To add an existing node app to PM2 type the following.

cd /your-node-application-path/
pm2 start yourapp.js -i 0 --name "myappname"

1 2	cd /your-node-application-path/ pm2 start yourapp.js -i 0 --name "myappname"

You can view node apps that pm2 is managing by typing

pm2 status

1	pm2 status

I had a two CPU VM and I found that the app I added was added to each of the two CPU (I only needed one) so I needed to delete the second app on my second core

pm2 delete 1

1	pm2 delete 1

Restart the API

pm2 restart myappname

1	pm2 restart myappname

You can add a single node apps one 1, 3 or max available CPU’s

# Start the maximum processes depending on available CPUs
pm2 start app.js -i 0

# Start the maximum processes -1 depending on available CPUs
pm2 start app.js -i -1

# Start 3 processes
pm2 start app.js -i 3

# Start the maximum processes depending on available CPUs

pm2 start app.js -i 0

# Start the maximum processes -1 depending on available CPUs

pm2 start app.js -i -1

# Start 3 processes

pm2 start app.js -i 3

Again, to add an existing node app to PM2 type the following.

cd /your-node-application-path/
pm2 start yourapp.js -i 0 --name "myappname"

1 2	cd /your-node-application-path/ pm2 start yourapp.js -i 0 --name "myappname"

Now you can view node app data online. If you don’t have a node app ready you can use the test app.

You can monitor your node app locally too from the CLI.

You can also view a demo bucket at keymetrix.io

PM2’s one age documentation can be found here.

I hope this guide helps someone.

Ask a question or recommend an article

Revision History

v1.0 Initial post

How to setup a twitter feed API endpoint in NodeJS with NGINX, Ruby and T etc

September 17, 2017 by Simon

This is how I set up a twitter feed API endpoint in NodeJS with NGINX, Ruby and T etc. This can be used to integrate SEO or automate Twitter post analytics or automate posts to twitter.

This guide assumes you have an Ubuntu server, nodejs (nginx) and setup ruby, rails and t twitter command line utility setup. Also, you will need to have an API setup and working

Ensure your API is configured in NGINX /etc/nginx/sites-available/default

server {
...
	location /api/appname/v1 {
		#rewrite ^/api(.*) /$1 break;
		proxy_set_header X-Real-IP $remote_addr;	
		# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_http_version  1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_set_header Proxy "";
		proxy_set_header Host $http_host;
		root /code/nodejs/appname;
		proxy_pass http://appnmaeapi;
	}
	...
}

server {

...

location /api/appname/v1 {

#rewrite ^/api(.*) /$1 break;

proxy_set_header X-Real-IP $remote_addr;

# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $connection_upgrade;

proxy_set_header Proxy "";

proxy_set_header Host $http_host;

root /code/nodejs/appname;

proxy_pass http://appnmaeapi;

}

...

}

I set up a placeholder GET routine in my node process that we will be used to communicate with the Twitter command line utility.

app.get('/api/appname/v1/feed/twitter/',function(req,res){
	var data = { "Feed":"" };
	data["Feed"] = "Working v0.1";
	res.json(data);
});

app.get('/api/appname/v1/feed/twitter/',function(req,res){

var data = { "Feed":"" };

data["Feed"] = "Working v0.1";

res.json(data);

});

I started 1 instance of the API on a server with pm2 linked to https://keymetrics.io/.

sudo pm2 start /noejs/app01/app.js -i 1 --name "appname"

1	sudo pm2 start /noejs/app01/app.js -i 1 --name "appname"

View API Status with PM2

sudo pm2 status
● Agent Online | Dashboard Access: https://app.keymetrics.io/#/r/######### | Server name:appname-######
┌────────────┬────┬─────────┬──────┬────────┬─────────┬────────┬─────┬───────────┬──────┬──────────┐
│ App name   │ id │ mode    │ pid  │ status │ restart │ uptime │ cpu │ mem       │ user │ watching │
├────────────┼────┼─────────┼──────┼────────┼─────────┼────────┼─────┼───────────┼──────┼──────────┤
│appname │ 0  │ cluster │ 5480 │ online │ 0       │ 87s    │ 0%  │ 35.1 MB   │ apiuser │ disabled │

sudo pm2 status

● Agent Online | Dashboard Access: https://app.keymetrics.io/#/r/######### | Server name:appname-######

┌────────────┬────┬─────────┬──────┬────────┬─────────┬────────┬─────┬───────────┬──────┬──────────┐

│ App name │ id │ mode │ pid │ status │ restart │ uptime │ cpu │ mem │ user │ watching │

├────────────┼────┼─────────┼──────┼────────┼─────────┼────────┼─────┼───────────┼──────┼──────────┤

│appname │ 0 │ cluster │ 5480 │ online │ 0 │ 87s │ 0% │ 35.1 MB │ apiuser │ disabled │

You can restart the API manually with PM2 by typing

sudo pm2 restart "appname"

1	sudo pm2 restart "appname"

I like to use https://paw.cloud/ software to test API’s over say Postman, I can easily see the test placeholder API is working.

The browser works for now but as soon as I add authentication the browser will fail, Paw FTW.

A simple way to authenticate the API is for the caller to pass a known token when requesting the page via an HTTP POST packet.

app.post('/api/appname/v1/feed/twitter/',function(req,res){
	var data = { "Status":"" };
	var wwxapi = req.headers['x-access-token'];
	var data = { "Feed":"" };
	var errData = "";
	if (wwxapi == undefined) {
		console.log(" 499 token required");
		errData = {"Status": "499", "Error": "valid token required"};
		res.statusCode = 499;
		res.send(errData);
		res.end();
	} else {
		var xpikeypass = false;
		// Check the API Key against known API Keys
		if (wwxapi == "appname-##############################") { xpikeypass = true;} // Debug API Key
		if (xpikeypass == true) {
			//  app request validated

			data["Feed"] = "Twitter Feed API Working v0.2";
			res.json(data);

		} else {
			console.log("499 token required");
			errData = {"Status": "499", "Error": "valid token required"};
			res.statusCode = 409;
			res.send(errData);	
			res.end();
		}
	}
});

app.post('/api/appname/v1/feed/twitter/',function(req,res){

var data = { "Status":"" };

var wwxapi = req.headers['x-access-token'];

var data = { "Feed":"" };

var errData = "";

if (wwxapi == undefined) {

console.log(" 499 token required");

errData = {"Status": "499", "Error": "valid token required"};

res.statusCode = 499;

res.send(errData);

res.end();

} else {

var xpikeypass = false;

// Check the API Key against known API Keys

if (wwxapi == "appname-##############################") { xpikeypass = true;} // Debug API Key

if (xpikeypass == true) {

// app request validated

data["Feed"] = "Twitter Feed API Working v0.2";

res.json(data);

} else {

console.log("499 token required");

errData = {"Status": "499", "Error": "valid token required"};

res.statusCode = 409;

res.send(errData);

res.end();

}

});

Don’t forget to restart the API after changes

sudo pm2 restart "appname"

1	sudo pm2 restart "appname"

Now we can change the API endpoint to a POST (instead of GET) and paste the code above and test it. If we pass an invalid “x-access-token” value the API will return error 409 as designed.

Passing the right “x-access-token” will return data (200 OK).

Now we can link the Twitter command line utility with the NodeJS API.

app.post('/api/appname/v1/feed/twitter/',function(req,res){
	var data = { "Status":"" };
	var wwxapi = req.headers['x-access-token'];
	var data = { "Feed":"" };
	var errData = "";
	if (wwxapi == undefined) {
		console.log(" 499 token required");
		errData = {"Status": "499", "Error": "valid token required"};
		res.statusCode = 499;
		res.send(errData);
		res.end();
	} else {
		var xpikeypass = false;
		// Check the API Key against known API Keys
		if (wwxapi == "appname-##############################") { xpikeypass = true;} // Debug API Key
		if (xpikeypass == true) {
			//  app request validated

			var result = require('child_process').execSync('/theuserwithrubyinstalled/.rbenv/shims/t search all "lang:en nodejs" --csv').toString();
			data["Feed"] = result;

			res.json(data);

		} else {
			console.log("499 token required");
			errData = {"Status": "499", "Error": "valid token required"};
			res.statusCode = 409;
			res.send(errData);	
			res.end();
		}
	}
});

app.post('/api/appname/v1/feed/twitter/',function(req,res){

var data = { "Status":"" };

var wwxapi = req.headers['x-access-token'];

var data = { "Feed":"" };

var errData = "";

if (wwxapi == undefined) {

console.log(" 499 token required");

errData = {"Status": "499", "Error": "valid token required"};

res.statusCode = 499;

res.send(errData);

res.end();

} else {

var xpikeypass = false;

// Check the API Key against known API Keys

if (wwxapi == "appname-##############################") { xpikeypass = true;} // Debug API Key

if (xpikeypass == true) {

// app request validated

var result = require('child_process').execSync('/theuserwithrubyinstalled/.rbenv/shims/t search all "lang:en nodejs" --csv').toString();

data["Feed"] = result;

res.json(data);

} else {

console.log("499 token required");

errData = {"Status": "499", "Error": "valid token required"};

res.statusCode = 409;

res.send(errData);

res.end();

}

});

Now we can test the NodeJS API and have is spawn a subprocess and hit Twitter. In this case, we are finding the latest posts on Twitter with NodeJS in them.

Works a treat 🙂

Up next

Schedule getting data from the Twitter command line utility in crontab and save to Redis
Process the CSV and save new Twitter changes to Redis
Query Redis and send returned data back to the API.
Change the API to read from Redis in NodeJ.S
Secure.

Donate and make this blog better

Ask a question or recommend an article

v1.2 Works

Securing Ubuntu in the cloud

August 9, 2017 by Simon

It is easy to deploy servers to the cloud within a few minutes, you can have a cloud-based server that you (or others can use). ubuntu has a great guide on setting up basic security issues but what do you need to do.

If you do not secure your server expect it to be hacked into. Below are tips on securing your cloud server.

First, read more on scanning your server with Lynis security scan.

Always use up to date software

Always use update software, malicious users can detect what software you use with sites like shodan.io (or use port scan tools) and then look for weaknesses from well-published lists (e.g WordPress, Windows, MySQL, node, LifeRay, Oracle etc). People can even use Google to search for login pages or sites with passwords in HTML (yes that simple). Once a system is identified by a malicious user they can send automated bots to break into your site (trying millions of passwords a day) or use tools to bypass existing defences (Security researcher Troy Hunt found out it’s child’s play).

Portscan sites like https://mxtoolbox.com/SuperTool.aspx?action=scan are good for knowing what you have exposed.

You can also use local programs like nmap to view open ports

Instal nmap

sudo apt-get install nmap

1	sudo apt-get install nmap

Find open ports

nmap -v -sT localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-08 23:57 AEST
Initiating Connect Scan at 23:57
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9101/tcp on 127.0.0.1
Discovered open port 9102/tcp on 127.0.0.1
Discovered open port 9103/tcp on 127.0.0.1
Completed Connect Scan at 23:57, 0.05s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

nmap -v -sT localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-08 23:57 AEST

Initiating Connect Scan at 23:57

Scanning localhost (127.0.0.1) [1000 ports]

Discovered open port 80/tcp on 127.0.0.1

Discovered open port 3306/tcp on 127.0.0.1

Discovered open port 22/tcp on 127.0.0.1

Discovered open port 9101/tcp on 127.0.0.1

Discovered open port 9102/tcp on 127.0.0.1

Discovered open port 9103/tcp on 127.0.0.1

Completed Connect Scan at 23:57, 0.05s elapsed (1000 total ports)

Nmap scan report for localhost (127.0.0.1)

Host is up (0.00020s latency).

Not shown: 994 closed ports

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

3306/tcp open mysql

9101/tcp open jetdirect

9102/tcp open jetdirect

9103/tcp open jetdirect

Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Limit ssh connections

Setting up a Vultr VM and configuring it

July 29, 2017 by Simon

Below is my guide on setting up a Vultr VM and configuring it with a static IP, NGINX, MySQL, PHP and an SSL certificate.

I have blogged about setting up Centos and Ubuntu server on Digital Ocean before. Digital Ocean does not have data centers in Australia and this kills scalability. AWS is good but 4x the price of Vultr. I have also blogged about setting up and AWS server here. I tried to check out Alibaba Cloud but the verification process was broken so I decided to check our Vultr.

Update (June 2018): I don’t use Vultr anymore, I moved my domain to UpCloud (they are that awesome). Use this link to signup and get $25 free credit. Read the steps I took to move my domain to UpCloud here.

UpCloud is way faster.

Buy a domain name from Namecheap here.

Setting up a Vultr Server

1) Go to http://www.vultr.com/?ref=7192231 and create your own server today.

2) Create an account at Vultr.

3) Add a Credit Card

4) Verify your email address, Check https://my.vultr.com/promo/ for promos.

5) Create your first instance (for me it was an Ubuntu 16.04 x64 Server, 2 CPU, 4Gb RAM, 60Gb SSD, 3,000MB Transfer server in Sydney for $20 a month). I enabled IPV6, Private Networking, and Sydney as the server location. Digital Ocean would only have offered 2GB ram and 40GB SSD at this price. AWS would have charged $80/w.

2 Cores and 4GB ram is what I am after (I will use it for NGINX, MySQL, PHP, MongoDB, OpCache and Redis etc).

6) I followed this guide and generated an SSH key and added it to Vultr. I generated a local SSH key and added it to Vultr

snip

cd ~/.ssh
ls-al
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): vultr_rsa    
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in vultr_rsa.
Your public key has been saved in vultr_rsa.pub.
cat vultr_rsa.pub 
ssh-rsa AAAAremovedoutput

cd ~/.ssh

ls-al

ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/Users/username/.ssh/id_rsa): vultr_rsa

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in vultr_rsa.

Your public key has been saved in vultr_rsa.pub.

cat vultr_rsa.pub

ssh-rsa AAAAremovedoutput

7) I was a bit confused if the UI adding the SSH key to the in progress deploy server screen (the SSH key was added but was not highlighted so I recreated the server to deploy and the SSH key now appears).

Now time to deploy the server.

Deploying now.

My Vultr server is now deployed.

I connected to it with my SSH program on my Mac.

Now it is time to redirect my domain (purchased through Namecheap) to the new Vultr server IP.

DNS: @ A Name record at Namecheap

Update: I forgot to add an A Name for www.

DNS: Vultr (added the Same @ and www A Name records (fyi “@” was replaced with “”)).

I waited 60 minutes and DNS propagation happened. I used the site https://www.whatsmydns.net to see where the DNS replication was and I was receiving an error.

Setting the Serves Time, and Timezone (Ubuntu)

I checked the time on zone server but it was wrong (20 hours behind)

sudo hwclock --show
Tue 25 Jul 2017 01:29:58 PM UTC  .420323 seconds

1 2	sudo hwclock --show Tue 25 Jul 2017 01:29:58 PM UTC .420323 seconds

I manually set the timezone to Sydney Australia.

dpkg-reconfigure tzdata

1	dpkg-reconfigure tzdata

I installed the NTP time syncing service

sudo apt-get install ntp

1	sudo apt-get install ntp

I configured the NTP service to use Australian servers (read this guide).

sudo nano /etc/ntp.conf

# added
server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org

sudo nano /etc/ntp.conf

# added

server 0.au.pool.ntp.org

server 1.au.pool.ntp.org

server 2.au.pool.ntp.org

I checked the time after restarting NTP.

sudo service ntp restart
sudo hwclock --show

1 2	sudo service ntp restart sudo hwclock --show

The time is correct 🙂

Installing NGINX Web Server Webserver (Ubuntu)

More on the differences between <a href="https://www.digitalocean.com/community/tutorials/apache-vs-nginx-practical-considerations?utm_medium=social&utm_source=twitter&utm_campaign=apache_vs_nginx_tut&utm_content=image">Apache and nginx web servers</a>.

1	More on the differences between <a href="https://www.digitalocean.com/community/tutorials/apache-vs-nginx-practical-considerations?utm_medium=social&utm_source=twitter&utm_campaign=apache_vs_nginx_tut&utm_content=image">Apache and nginx web servers</a>.

sudo add-apt-repository ppa:chris-lea/nginx-devel
sudo apt-get update
sudo apt-get install nginx
sudo service nginx start
nginx -v

sudo add-apt-repository ppa:chris-lea/nginx-devel

sudo apt-get update

sudo apt-get install nginx

sudo service nginx start

nginx -v

Installing NodeJS (Ubuntu)

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
sudo apt-get install -y nodejs
nodejs -v

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -

sudo apt-get install -y nodejs

nodejs -v

Installing MySQL (Ubuntu)

sudo apt-get install mysql-common
sudo apt-get install mysql-server
mysql --version
>mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper
sudo mysql_secure_installation
>Y (Valitate plugin)
>2 (Strong passwords)
>N (Don't chnage root password)
>Y (Remove anon accounts)
>Y (No remote root login)
>Y (Remove test DB)
>Y (Reload)
service mysql status
> mysql.service - MySQL Community Serve

sudo apt-get install mysql-common

sudo apt-get install mysql-server

mysql --version

>mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper

sudo mysql_secure_installation

>Y (Valitate plugin)

>2 (Strong passwords)

>N (Don't chnage root password)

>Y (Remove anon accounts)

>Y (No remote root login)

>Y (Remove test DB)

>Y (Reload)

service mysql status

> mysql.service - MySQL Community Serve

Install PHP 7.x and PHP7.0-FPM (Ubuntu)

sudo apt-get install -y language-pack-en-base
sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php7.0
sudo apt-get install php7.0-mysql
sudo apt-get install php7.0-fpm

sudo apt-get install -y language-pack-en-base

sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php

sudo apt-get update

sudo apt-get install php7.0

sudo apt-get install php7.0-mysql

sudo apt-get install php7.0-fpm

php.ini

sudo nano /etc/php/7.0/fpm/php.ini
> edit: cgi.fix_pathinfo=0
> edit: upload_max_filesize = 8M
> edit: max_input_vars = 1000
> edit: memory_limit = 128M
# medium server: memory_limit = 256M
# large server: memory_limit = 512M

sudo nano /etc/php/7.0/fpm/php.ini

> edit: cgi.fix_pathinfo=0

> edit: upload_max_filesize = 8M

> edit: max_input_vars = 1000

> edit: memory_limit = 128M

# medium server: memory_limit = 256M

# large server: memory_limit = 512M

Restart PHP

sudo service php7.0-fpm restart	
service php7.0-fpm status

1 2	sudo service php7.0-fpm restart service php7.0-fpm status

Now install misc helper modules into php 7 (thanks to this guide)

sudo apt-get install php-xdebug
sudo apt-get install php7.0-phpdbg php7.0-mbstring php7.0-gd php7.0-imap 
sudo apt-get install php7.0-ldap php7.0-pgsql php7.0-pspell php7.0-recode 
sudo apt-get install php7.0-snmp php7.0-tidy php7.0-dev php7.0-intl 
sudo apt-get install php7.0-gd php7.0-curl php7.0-zip php7.0-xml
sudo nginx –s reload
sudo /etc/init.d/nginx restart
sudo service php7.0-fpm restart
php -v

sudo apt-get install php-xdebug

sudo apt-get install php7.0-phpdbg php7.0-mbstring php7.0-gd php7.0-imap

sudo apt-get install php7.0-ldap php7.0-pgsql php7.0-pspell php7.0-recode

sudo apt-get install php7.0-snmp php7.0-tidy php7.0-dev php7.0-intl

sudo apt-get install php7.0-gd php7.0-curl php7.0-zip php7.0-xml

sudo nginx –s reload

sudo /etc/init.d/nginx restart

sudo service php7.0-fpm restart

php -v

Initial NGINX Configuring – Pre SSL and Security (Ubuntu)

Here is a good guide on setting up NGINX for performance.

mkdir /www

1	mkdir /www

Edit the NGINX configuration

sudo nano /etc/nginx/nginx.conf

1	sudo nano /etc/nginx/nginx.conf

File Contents: /etc/nginx/nginx.conf

# https://github.com/denji/nginx-tuning
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/nginxcriterror.log crit;

events {
        worker_connections 4000;
        use epoll;
        multi_accept on;
}

http {

        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;

        # copies data between one FD and other from within the kernel faster then read() + write()
        sendfile on;

        # send headers in one peace, its better then sending them one by one
        tcp_nopush on;

        # don't buffer data sent, good for small data bursts in real time
        tcp_nodelay on;

        # reduce the data that needs to be sent over network -- for testing environment
        gzip on;
        gzip_min_length 10240;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
        gzip_disable msie6;

        # allow the server to close connection on non responding client, this will free up memory
        reset_timedout_connection on;


        # if client stop responding, free up memory -- default 60
        send_timeout 2;

        # server will close connection after this time -- default 75
        keepalive_timeout 30;

        # number of requests client can make over keep-alive -- for testing environment
        keepalive_requests 100000;

        # Security
        server_tokens off;

        # limit the number of connections per single IP
        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

       # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file
        client_body_buffer_size  128k;

        # headerbuffer size for the request header from client -- for testing environment
        client_header_buffer_size 3m;


        # to boost I/O on HDD we can disable access logs
        access_log off;

        # cache informations about FDs, frequently accessed files
        # can boost performance, but you need to test those values
        open_file_cache max=200000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        # maximum number and size of buffers for large headers to read from client request
        large_client_header_buffers 4 256k;

        # read timeout for the request body from client -- for testing environment
        client_body_timeout   3m;

       # how long to wait for the client to send a request header -- for testing environment
        client_header_timeout 3m;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;


        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

100

101

102

103

104

105

# https://github.com/denji/nginx-tuning

user www-data;

worker_processes auto;

worker_cpu_affinity auto;

pid /run/nginx.pid;

worker_rlimit_nofile 100000;

error_log /var/log/nginx/nginxcriterror.log crit;

events {

worker_connections 4000;

use epoll;

multi_accept on;

}

http {

limit_conn conn_limit_per_ip 10;

limit_req zone=req_limit_per_ip burst=10 nodelay;

# copies data between one FD and other from within the kernel faster then read() + write()

sendfile on;

# send headers in one peace, its better then sending them one by one

tcp_nopush on;

# don't buffer data sent, good for small data bursts in real time

tcp_nodelay on;

# reduce the data that needs to be sent over network -- for testing environment

gzip on;

gzip_min_length 10240;

gzip_proxied expired no-cache no-store private auth;

gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;

gzip_disable msie6;

# allow the server to close connection on non responding client, this will free up memory

reset_timedout_connection on;

# if client stop responding, free up memory -- default 60

send_timeout 2;

# server will close connection after this time -- default 75

keepalive_timeout 30;

# number of requests client can make over keep-alive -- for testing environment

keepalive_requests 100000;

# Security

server_tokens off;

# limit the number of connections per single IP

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

# if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file

client_body_buffer_size 128k;

# headerbuffer size for the request header from client -- for testing environment

client_header_buffer_size 3m;

# to boost I/O on HDD we can disable access logs

access_log off;

# cache informations about FDs, frequently accessed files

# can boost performance, but you need to test those values

open_file_cache max=200000 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 2;

open_file_cache_errors on;

# maximum number and size of buffers for large headers to read from client request

large_client_header_buffers 4 256k;

# read timeout for the request body from client -- for testing environment

client_body_timeout 3m;

# how long to wait for the client to send a request header -- for testing environment

client_header_timeout 3m;

types_hash_max_size 2048;

# server_tokens off;

# server_names_hash_bucket_size 64;

# server_name_in_redirect off;

include /etc/nginx/mime.types;

default_type application/octet-stream;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

access_log /var/log/nginx/access.log;

error_log /var/log/nginx/error.log;

# gzip_vary on;

# gzip_proxied any;

# gzip_comp_level 6;

# gzip_buffers 16 8k;

# gzip_http_version 1.1;

# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*;

}

File Contents: /etc/nginx/sites-available/default

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;
 
server {
        # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 
        access_log /var/log/nginx/myservername.com.log;
 
        root /usr/share/nginx/www;
        index index.php index.html index.htm;
 
        server_name www.myservername.com myservername.com localhost;
 
        # ssl on;
        # ssl_certificate /etc/nginx/ssl/cert_chain.crt;
        # ssl_certificate_key /etc/nginx/ssl/myservername.key;
        # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";              # disable some old ciphers
        # ssl_prefer_server_ciphers on;
        # ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # server_tokens off;
        # ssl_session_cache shared:SSL:40m;                                           # More info: http://nginx.com/blog/improve-seo-https-nginx/
        # Set SSL caching and storage/timeout values:
        # ssl_session_timeout 4h;
        # ssl_session_tickets off; # Requires nginx >= 1.5.9
        # OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
        # ssl_stapling on; # Requires nginx >= 1.3.7
        # ssl_stapling_verify on; # Requires nginx => 1.3.7
        # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 
        # add_header X-Frame-Options DENY;                                            # Prevent Clickjacking
 
        # Prevent MIME Sniffing
        # add_header X-Content-Type-Options nosniff;
 
 
        # Use Google DNS
        # resolver 8.8.8.8 8.8.4.4 valid=300s;
        # resolver_timeout 1m;
 
        # This is handled with the header above.
        # rewrite ^/(.*) https://myservername.com/$1 permanent;
 
        location / {
                try_files $uri $uri/ =404;
                index index.php index.html index.htm;
                proxy_set_header Proxy "";
        }
 
        fastcgi_param PHP_VALUE "memory_limit = 512M";
 
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                try_files $uri =404;
 
                # include snippets/fastcgi-php.conf;
 
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 
                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                # With php5-cgi alone:
                # fastcgi_pass 127.0.0.1:9000;
        }
 
        # deny access to .htaccess files, if Apache's document root
        #location ~ /\.ht {
        #       deny all;
        #}
}

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {

# listen [::]:80 default_server ipv6only=on; ## listen for ipv6

access_log /var/log/nginx/myservername.com.log;

root /usr/share/nginx/www;

index index.php index.html index.htm;

server_name www.myservername.com myservername.com localhost;

# ssl on;

# ssl_certificate /etc/nginx/ssl/cert_chain.crt;

# ssl_certificate_key /etc/nginx/ssl/myservername.key;

# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # disable some old ciphers

# ssl_prefer_server_ciphers on;

# ssl_dhparam /etc/nginx/ssl/dhparams.pem;

# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# server_tokens off;

# ssl_session_cache shared:SSL:40m; # More info: http://nginx.com/blog/improve-seo-https-nginx/

# Set SSL caching and storage/timeout values:

# ssl_session_timeout 4h;

# ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked

# ssl_stapling on; # Requires nginx >= 1.3.7

# ssl_stapling_verify on; # Requires nginx => 1.3.7

# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# add_header X-Frame-Options DENY; # Prevent Clickjacking

# Prevent MIME Sniffing

# add_header X-Content-Type-Options nosniff;

# Use Google DNS

# resolver 8.8.8.8 8.8.4.4 valid=300s;

# resolver_timeout 1m;

# This is handled with the header above.

# rewrite ^/(.*) https://myservername.com/$1 permanent;

location / {

try_files $uri $uri/ =404;

index index.php index.html index.htm;

proxy_set_header Proxy "";

}

fastcgi_param PHP_VALUE "memory_limit = 512M";

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

location ~ \.php$ {

try_files $uri =404;

# include snippets/fastcgi-php.conf;

fastcgi_split_path_info ^(.+\.php)(/.+)$;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;

# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

# With php5-cgi alone:

# fastcgi_pass 127.0.0.1:9000;

}

# deny access to .htaccess files, if Apache's document root

#location ~ /\.ht {

# deny all;

}

I talked to Dmitriy Kovtun (SSL CS) on the Namecheap Chat to resolve a privacy error (I stuffed up and I am getting the error “Your connection is not private” and “NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN”).

SSL checker says everything is fine.

I checked the certificate strength with SSL Labs (OK).

Test and Reload NGINX (Ubuntu)

sudo nginx -t
sudo nginx -s reload
sudo /etc/init.d/nginx restart

sudo nginx -t

sudo nginx -s reload

sudo /etc/init.d/nginx restart

Create a test PHP file

<?php
phpinfo()
?>

<?php

phpinfo()

It Works.

Install Utils (Ubuntu)

Install an interactive folder size program

sudo apt-get install ncdu
sudo ncdu /

1 2	sudo apt-get install ncdu sudo ncdu /

Install a better disk check utility

sudo apt-get install pydf
pydf

1 2	sudo apt-get install pydf pydf

Display startup processes

sudo apt-get install rcconf
sudo rcconf

1 2	sudo apt-get install rcconf sudo rcconf

Install JSON helper

sudo apt-get install jq
# Download and display a json file with jq
curl 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq .

sudo apt-get install jq

# Download and display a json file with jq

curl 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq .

Increase the console history

HISTSIZE=10000
HISTCONTROL=ignoredups

1 2	HISTSIZE=10000 HISTCONTROL=ignoredups

I rebooted to see if PHP started up.

sudo reboot

1	sudo reboot

OpenSSL Info (Ubuntu)

Read about updating OpenSSL here.

Update Ubuntu

sudo apt-get update
sudo apt-get dist-upgrade

1 2	sudo apt-get update sudo apt-get dist-upgrade

Vultr Firewall

I configured the server firewall at Vultr and ensured it was setup by clicking my server, then settings then firewall.

I then checked open ports with https://mxtoolbox.com/SuperTool.aspx

Assign a Domain (Vultr)

I assigned a domain with my VM at https://my.vultr.com/dns/add/

Charts

I reviewed the server information at Vultr (nice).

Static IP’s

You should also setup a static IP in /etc/network/interfaces as mentioned in the settings for your server https://my.vultr.com/subs/netconfig/?SUBID=XXXXXX

Hello,

Thank you for contacting us.

Please try setting your OS's network interface configuration for static IP assignments in this case. The blue "network configuration examples" link on the "Settings" tab includes the necessary file paths and configurations. This configuration change can be made via the provided web console.

Setting your instance's IP to static will prevent any issues that your chosen OS might have with DHCP lease failure. Any instance with additional IPs or private networking enabled will require static addresses on all interfaces as well. 

--
xxxxx xxxxxx
Systems Administrator
Vultr LLC

Hello,

Thank you for contacting us.

Please try setting your OS's network interface configuration for static IP assignments in this case. The blue "network configuration examples" link on the "Settings" tab includes the necessary file paths and configurations. This configuration change can be made via the provided web console.

Setting your instance's IP to static will prevent any issues that your chosen OS might have with DHCP lease failure. Any instance with additional IPs or private networking enabled will require static addresses on all interfaces as well.

xxxxx xxxxxx

Systems Administrator

Vultr LLC

Backup your existing Ubuntu 16.04 DHCP Network Configuratiion

cp /etc/network/interfaces /interfaces.bak

1	cp /etc/network/interfaces /interfaces.bak

I would recommend you log a Vultr support ticket and get the right IPV4/IPV6 details to paste into /etc/network/interfaces while you can access your IP.

It is near impossible to configure the static IP when the server is refusing a DHCP IP address (happened top me after 2 months).

If you don’t have time to setup a static IP you can roll with Auto DHCP IP assignment and when your server fails to get and IP you can manually run the following command (changing the network adapter too your network adapter) from the web root console.

dhclient -1 -v ens3

1	dhclient -1 -v ens3

I logged a ticket for each of my other servers to get thew contents or /etc/network/interfaces

Support Ticket Contents:

What should the contents of /etc/network/interfaces be for xx.xx.xx.xx (Ubuntu: 16.04, Static)

Q1) What do I need to add to the /etc/network/interfaces file to set a static IP for server www.myservername.com/xx.xx.xx.xx/SUBID=XXXXXX

The server's IPV4 IP is: XX.XX.XX.XX
The server's IPV6 IP is: xx:xx:xx:xx:xx:xx:xx:xx (Network: xx:xx:xx:xx::, CIRD: 64, Recursive DNS: None)

What should the contents of /etc/network/interfaces be for xx.xx.xx.xx (Ubuntu: 16.04, Static)

Q1) What do I need to add to the /etc/network/interfaces file to set a static IP for server www.myservername.com/xx.xx.xx.xx/SUBID=XXXXXX

The server's IPV4 IP is: XX.XX.XX.XX

The server's IPV6 IP is: xx:xx:xx:xx:xx:xx:xx:xx (Network: xx:xx:xx:xx::, CIRD: 64, Recursive DNS: None)

Install an FTP Server (Ubuntu)

I decided on pureftp-d based on this advice. I did try vsftpd but it failed. I used this guide to setup FTP and a user.

I used this guide to setup an FTP and a user. I was able to login via FTP but decided to setup C9 instead. I stopped the FTP service.

Connected to my vultr domain with C9.io

I logged into and created a new remote SSH connection to my Vultr server and copied the ssh key and added to my Vultr authorized keys file

sudo nano authorized_keys

1	sudo nano authorized_keys

I opened the site with C9 and it setup my environment.

I do love C9.io

Add an SSL certificate (Reissue existing SSL cert at NameCheap)

I had a chat with Konstantin Detinich (SSL CS) on Namecheap’s chat and he helped me through reissuing my certificate.

I have a three-year certificate so I reissued it. I will follow the Namecheap reissue guide here.

I recreated certificates

cd /etc/nginx/
mkdir ssl
cd ssl
sudo openssl req -newkey rsa:2048 -nodes -keyout mydomain_com.key -out mydomain_com.csr
cat mydomain_com.csr

cd /etc/nginx/

mkdir ssl

cd ssl

sudo openssl req -newkey rsa:2048 -nodes -keyout mydomain_com.key -out mydomain_com.csr

cat mydomain_com.csr

I posted the CSR into Name Cheap Reissue Certificate Form.

Tip: Make sure your certificate is using the same name and the old certificate.

I continued the Namecheap prompts and specified HTTP domain control verification.

Namecheap Output: When you submit your info for this step, the activation process will begin and your SSL certificate will be available from your Domain List. To finalize the activation, you’ll need to complete the Domain Control Validation process. Please follow the instructions below.

Now I will wait for the verification instructions.

Update: I waited a few hours and the instructions never came so I logged in to the NameCheap portal and downloaded the HTTP domain verification file. and uploaded it to my domain.

I forgot to add the text file to the NGINX allowed files in files list.

I added the following file: /etc/nginx/sites-available/default

index index.php index.html index.htm 53guidremovedE5.txt;

1	index index.php index.html index.htm 53guidremovedE5.txt;

I reloaded and restarted NGINX

sudo nginx -t
nginx -s reload
sudo /etc/init.d/nginx restart

sudo nginx -t

nginx -s reload

sudo /etc/init.d/nginx restart

The file now loaded over port 80. I then checked Namecheap chat (Alexandra Belyaninova) to speed up the HTTP Domain verification and they said the text file needs to be placed in /.well-known/pki-validation/ folder (not specified in the earlier steps).

http://mydomain.com/.well-known/pki-validation/53gudremovedE5.txt and http://www.mydoamin.com/.well-known/pki-validation/53guidremovedE5.txt

1	http://mydomain.com/.well-known/pki-validation/53gudremovedE5.txt and http://www.mydoamin.com/.well-known/pki-validation/53guidremovedE5.txt

The certificate reissue was all approved and available for download.

I uploaded all files related to the ssl cert to /etc/nginx/ssl/ and read my guide here to refresh myself on what is next.

I ran this command in the folder /etc/nginx/ssl/ to generate a DH prime rather than downloading a nice new one from here.

openssl dhparam -out dhparams4096.pem 4096

1	openssl dhparam -out dhparams4096.pem 4096

This namecheap guide will tell you how to activate a new certificate and how to generate a CSR file. Note: The guide to the left will generate a 2048 bit key and this will cap you SSL certificates security to a B at http://www.sslabs.com/ssltest so I recommend you generate an 4096 bit csr key and 4096 bit Diffie Hellmann key.

I used https://certificatechain.io/ to generate a valid certificate chain.

My SSL /etc/nginx/ssl/sites-available/default config

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {
	listen 80 default_server;
	listen [::]:80 default_server;

        error_log /www-error-log.txt;
        access_log /www-access-log.txt;
	
	listen 443 ssl;

	limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;

	root /www;
        index index.php index.html index.htm;

	server_name www.thedomain.com thedomain.com localhost;

        # ssl on This causes to manuy http redirects
        ssl_certificate /etc/nginx/ssl/trust-chain.crt;
        ssl_certificate_key /etc/nginx/ssl/thedomain_com.key;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";              # disable some old ciphers
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/ssl/dhparams4096.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        server_tokens off;
        ssl_session_cache shared:SSL:40m;                                           # More info: http://nginx.com/blog/improve-seo-https-nginx/
        
        # Set SSL caching and storage/timeout values:
        ssl_session_timeout 4h;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        
        # OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

	add_header X-Frame-Options DENY;                                            # Prevent Clickjacking
 
        # Prevent MIME Sniffing
        add_header X-Content-Type-Options nosniff;
  
        # Use Google DNS
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 1m;
 
        # This is handled with the header above.
        # rewrite ^/(.*) https://thedomain.com/$1 permanent;

	location / {
                try_files $uri $uri/ =404;
                index index.php index.html index.htm;
                proxy_set_header Proxy "";
        }
 
        fastcgi_param PHP_VALUE "memory_limit = 1024M";

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                try_files $uri =404;
 
                # include snippets/fastcgi-php.conf;
 
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 
                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                # With php5-cgi alone:
                # fastcgi_pass 127.0.0.1:9000;
        }
 
        # deny access to .htaccess files, if Apache's document root
        location ~ /\.ht {
               deny all;
        }
	
}

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {

listen 80 default_server;

listen [::]:80 default_server;

error_log /www-error-log.txt;

access_log /www-access-log.txt;

listen 443 ssl;

limit_conn conn_limit_per_ip 10;

limit_req zone=req_limit_per_ip burst=10 nodelay;

root /www;

index index.php index.html index.htm;

server_name www.thedomain.com thedomain.com localhost;

# ssl on This causes to manuy http redirects

ssl_certificate /etc/nginx/ssl/trust-chain.crt;

ssl_certificate_key /etc/nginx/ssl/thedomain_com.key;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # disable some old ciphers

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/ssl/dhparams4096.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

server_tokens off;

ssl_session_cache shared:SSL:40m; # More info: http://nginx.com/blog/improve-seo-https-nginx/

# Set SSL caching and storage/timeout values:

ssl_session_timeout 4h;

ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked

ssl_stapling on; # Requires nginx >= 1.3.7

ssl_stapling_verify on; # Requires nginx => 1.3.7

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

add_header X-Frame-Options DENY; # Prevent Clickjacking

# Prevent MIME Sniffing

add_header X-Content-Type-Options nosniff;

# Use Google DNS

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 1m;

# This is handled with the header above.

# rewrite ^/(.*) https://thedomain.com/$1 permanent;

location / {

try_files $uri $uri/ =404;

index index.php index.html index.htm;

proxy_set_header Proxy "";

}

fastcgi_param PHP_VALUE "memory_limit = 1024M";

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

location ~ \.php$ {

try_files $uri =404;

# include snippets/fastcgi-php.conf;

fastcgi_split_path_info ^(.+\.php)(/.+)$;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;

# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

# With php5-cgi alone:

# fastcgi_pass 127.0.0.1:9000;

}

# deny access to .htaccess files, if Apache's document root

location ~ /\.ht {

deny all;

}

My /etc/nginx/nginx.conf Config

# https://github.com/denji/nginx-tuning
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/nginxcriterror.log crit;

events {
	worker_connections 4000;
	use epoll;
	multi_accept on;
}

http {

        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;

        # copies data between one FD and other from within the kernel faster then read() + write()
        sendfile on;

        # send headers in one peace, its better then sending them one by one
        tcp_nopush on;

        # don't buffer data sent, good for small data bursts in real time
        tcp_nodelay on;

        # reduce the data that needs to be sent over network -- for testing environment
        gzip on;
        gzip_min_length 10240;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
        gzip_disable msie6;

        # allow the server to close connection on non responding client, this will free up memory
        reset_timedout_connection on;

        # if client stop responding, free up memory -- default 60
        send_timeout 2;

        # server will close connection after this time -- default 75
        keepalive_timeout 30;

        # number of requests client can make over keep-alive -- for testing environment
        keepalive_requests 100000;

        # Security
        server_tokens off;

        # limit the number of connections per single IP 
        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

        # limit the number of requests for a given session
        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file
        client_body_buffer_size  128k;

        # headerbuffer size for the request header from client -- for testing environment
        client_header_buffer_size 3m;

        # to boost I/O on HDD we can disable access logs
        access_log off;

        # cache informations about FDs, frequently accessed files
        # can boost performance, but you need to test those values
        open_file_cache max=200000 inactive=20s; 
        open_file_cache_valid 30s; 
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        # maximum number and size of buffers for large headers to read from client request
        large_client_header_buffers 4 256k;

        # read timeout for the request body from client -- for testing environment
        client_body_timeout   3m;

        # how long to wait for the client to send a request header -- for testing environment
        client_header_timeout 3m;
	types_hash_max_size 2048;
	# server_tokens off;
	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	
	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

# https://github.com/denji/nginx-tuning

user www-data;

worker_processes auto;

worker_cpu_affinity auto;

pid /run/nginx.pid;

worker_rlimit_nofile 100000;

error_log /var/log/nginx/nginxcriterror.log crit;

events {

worker_connections 4000;

use epoll;

multi_accept on;

}

http {

limit_conn conn_limit_per_ip 10;

limit_req zone=req_limit_per_ip burst=10 nodelay;

# copies data between one FD and other from within the kernel faster then read() + write()

sendfile on;

# send headers in one peace, its better then sending them one by one

tcp_nopush on;

# don't buffer data sent, good for small data bursts in real time

tcp_nodelay on;

# reduce the data that needs to be sent over network -- for testing environment

gzip on;

gzip_min_length 10240;

gzip_proxied expired no-cache no-store private auth;

gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;

gzip_disable msie6;

# allow the server to close connection on non responding client, this will free up memory

reset_timedout_connection on;

# if client stop responding, free up memory -- default 60

send_timeout 2;

# server will close connection after this time -- default 75

keepalive_timeout 30;

# number of requests client can make over keep-alive -- for testing environment

keepalive_requests 100000;

# Security

server_tokens off;

# limit the number of connections per single IP

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

# limit the number of requests for a given session

limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

# if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file

client_body_buffer_size 128k;

# headerbuffer size for the request header from client -- for testing environment

client_header_buffer_size 3m;

# to boost I/O on HDD we can disable access logs

access_log off;

# cache informations about FDs, frequently accessed files

# can boost performance, but you need to test those values

open_file_cache max=200000 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 2;

open_file_cache_errors on;

# maximum number and size of buffers for large headers to read from client request

large_client_header_buffers 4 256k;

# read timeout for the request body from client -- for testing environment

client_body_timeout 3m;

# how long to wait for the client to send a request header -- for testing environment

client_header_timeout 3m;

types_hash_max_size 2048;

# server_tokens off;

# server_names_hash_bucket_size 64;

# server_name_in_redirect off;

include /etc/nginx/mime.types;

default_type application/octet-stream;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

access_log /var/log/nginx/access.log;

error_log /var/log/nginx/error.log;

# gzip_vary on;

# gzip_proxied any;

# gzip_comp_level 6;

# gzip_buffers 16 8k;

# gzip_http_version 1.1;

# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*;

}

#mail {

# # See sample authentication script at:

# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript

# # auth_http localhost/auth.php;

# # pop3_capabilities "TOP" "USER";

# # imap_capabilities "IMAP4rev1" "UIDPLUS";

# server {

# listen localhost:110;

# protocol pop3;

# proxy on;

# }

# server {

# listen localhost:143;

# protocol imap;

# proxy on;

# }

Namecheap support checked my certificate with https://decoder.link/sslchecker/ (no errors). Other SSL checkers are https://certlogik.com/ssl-checker/ and https://sslanalyzer.comodoca.com/

I was given a new certificate to try by Namecheap.

Namecheap Chat (Dmitriy) also recommended I clear my google cache as they did not see errors on their side (this worked).

SSL Security

Read my past guide on adding SSL to a Digital Ocean server.

I am checking my site with https://www.ssllabs.com/ssltest/ (OK).

My site came up clean with shodan.io

Securing Ubuntu in the Cloud

Read my guide here.

OpenSSL Version

I checked the OpenSLL version to see if it was up to date

openssl version
OpenSSL 1.1.0f  25 May 2017

1 2	openssl version OpenSSL 1.1.0f 25 May 2017

Yep, all up to date https://www.openssl.org/

I will check often.

Install MySQL GUI

Installed the Adminer MySQL GUI tool (uploaded)

Don’t forget to check your servers IP with www.shodan.io to ensure there are no back doors.

I had to increase PHP’supload_max_filesize file size temporarily to allow me to restore a database backup. I edited the php file in /etc/php/7.0/fmp/php.ini and then reload php

sudo service php7.0-fpm restart

1	sudo service php7.0-fpm restart

I used Adminer to restore a database.

Support

I found the email support to Vultr was great, I had an email reply in minutes. The Namecheap chat was awesome too. I did have an unplanned reboot on a Vultr node that one of my servers were on (let’s hope the server survives).

View the Vultr service status page is located here.

Conclusion

I now have a secure server with MySQL and other web resources ready to go. I will not add some remote monitoring and restore a website along with NodeJS and MongoDB.

Type	Protocol	Port Range	Source	Comment
HTTP	TCP	80	0.0.0.0/0	Opens a web server port for later
All ICMP	ALL	N/A	0.0.0.0/0	Allows you to ping
All traffic	ALL	All	0.0.0.0/0	Not advisable long term but OK for testing today.
SSH	TCP	22	0.0.0.0/0	Not advisable, try and limit this to known IP’s only.
HTTPS	TCP	443	0.0.0.0/0	Opens a secure web server port for later

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

NodeJS

Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

How to setup a twitter feed API endpoint in NodeJS with NGINX, Ruby and T etc

Setting up a Vultr VM and configuring it