Below is my guide on setting up a Vultr VM and configuring it with a static IP, NGINX, MySQL, PHP and an SSL certificate.
I have blogged about setting up Centos and Ubuntu server on Digital Ocean before. Digital Ocean does not have data centers in Australia and this kills scalability. AWS is good but 4x the price of Vultr. I have also blogged about setting up and AWS server here. I tried to check out Alibaba Cloud but the verification process was broken so I decided to check our Vultr.
Advertisement:
Update (June 2018): I don’t use Vultr anymore, I moved my domain to UpCloud (they are that awesome). Use this link to signup and get $25 free credit. Read the steps I took to move my domain to UpCloud here.
UpCloud is way faster.
Buy a domain name from Namecheap here.
Setting up a Vultr Server
1) Go to http://www.vultr.com/?ref=7192231 and create your own server today.
2) Create an account at Vultr.
3) Add a Credit Card
4) Verify your email address, Check https://my.vultr.com/promo/ for promos.
5) Create your first instance (for me it was an Ubuntu 16.04 x64 Server, 2 CPU, 4Gb RAM, 60Gb SSD, 3,000MB Transfer server in Sydney for $20 a month). I enabled IPV6, Private Networking, and Sydney as the server location. Digital Ocean would only have offered 2GB ram and 40GB SSD at this price. AWS would have charged $80/w.
2 Cores and 4GB ram is what I am after (I will use it for NGINX, MySQL, PHP, MongoDB, OpCache and Redis etc).
6) I followed this guide and generated an SSH key and added it to Vultr. I generated a local SSH key and added it to Vultr
snip
1 2 3 4 5 6 7 8 9 10 11 | cd ~/.ssh ls-al ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/Users/username/.ssh/id_rsa): vultr_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in vultr_rsa. Your public key has been saved in vultr_rsa.pub. cat vultr_rsa.pub ssh-rsa AAAAremovedoutput |
7) I was a bit confused if the UI adding the SSH key to the in progress deploy server screen (the SSH key was added but was not highlighted so I recreated the server to deploy and the SSH key now appears).
Now time to deploy the server.
Deploying now.
My Vultr server is now deployed.
I connected to it with my SSH program on my Mac.
Now it is time to redirect my domain (purchased through Namecheap) to the new Vultr server IP.
DNS: @ A Name record at Namecheap
Update: I forgot to add an A Name for www.
DNS: Vultr (added the Same @ and www A Name records (fyi “@” was replaced with “”)).
I waited 60 minutes and DNS propagation happened. I used the site https://www.whatsmydns.net to see where the DNS replication was and I was receiving an error.
Setting the Serves Time, and Timezone (Ubuntu)
I checked the time on zone server but it was wrong (20 hours behind)
1 2 | sudo hwclock --show Tue 25 Jul 2017 01:29:58 PM UTC .420323 seconds |
I manually set the timezone to Sydney Australia.
1 | dpkg-reconfigure tzdata |
I installed the NTP time syncing service
1 | sudo apt-get install ntp |
I configured the NTP service to use Australian servers (read this guide).
1 2 3 4 5 6 | sudo nano /etc/ntp.conf # added server 0.au.pool.ntp.org server 1.au.pool.ntp.org server 2.au.pool.ntp.org |
I checked the time after restarting NTP.
1 2 | sudo service ntp restart sudo hwclock --show |
The time is correct 🙂
Installing NGINX Web Server Webserver (Ubuntu)
1 | More on the differences between <a href="https://www.digitalocean.com/community/tutorials/apache-vs-nginx-practical-considerations?utm_medium=social&utm_source=twitter&utm_campaign=apache_vs_nginx_tut&utm_content=image">Apache and nginx web servers</a>. |
1 2 3 4 5 | sudo add-apt-repository ppa:chris-lea/nginx-devel sudo apt-get update sudo apt-get install nginx sudo service nginx start nginx -v |
Installing NodeJS (Ubuntu)
1 2 3 | curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash - sudo apt-get install -y nodejs nodejs -v |
Installing MySQL (Ubuntu)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | sudo apt-get install mysql-common sudo apt-get install mysql-server mysql --version >mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper sudo mysql_secure_installation >Y (Valitate plugin) >2 (Strong passwords) >N (Don't chnage root password) >Y (Remove anon accounts) >Y (No remote root login) >Y (Remove test DB) >Y (Reload) service mysql status > mysql.service - MySQL Community Serve |
Install PHP 7.x and PHP7.0-FPM (Ubuntu)
1 2 3 4 5 6 | sudo apt-get install -y language-pack-en-base sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php sudo apt-get update sudo apt-get install php7.0 sudo apt-get install php7.0-mysql sudo apt-get install php7.0-fpm |
php.ini
1 2 3 4 5 6 7 | sudo nano /etc/php/7.0/fpm/php.ini > edit: cgi.fix_pathinfo=0 > edit: upload_max_filesize = 8M > edit: max_input_vars = 1000 > edit: memory_limit = 128M # medium server: memory_limit = 256M # large server: memory_limit = 512M |
Restart PHP
1 2 | sudo service php7.0-fpm restart service php7.0-fpm status |
Now install misc helper modules into php 7 (thanks to this guide)
1 2 3 4 5 6 7 8 9 | sudo apt-get install php-xdebug sudo apt-get install php7.0-phpdbg php7.0-mbstring php7.0-gd php7.0-imap sudo apt-get install php7.0-ldap php7.0-pgsql php7.0-pspell php7.0-recode sudo apt-get install php7.0-snmp php7.0-tidy php7.0-dev php7.0-intl sudo apt-get install php7.0-gd php7.0-curl php7.0-zip php7.0-xml sudo nginx –s reload sudo /etc/init.d/nginx restart sudo service php7.0-fpm restart php -v |
Initial NGINX Configuring – Pre SSL and Security (Ubuntu)
Here is a good guide on setting up NGINX for performance.
1 | mkdir /www |
Edit the NGINX configuration
1 | sudo nano /etc/nginx/nginx.conf |
File Contents: /etc/nginx/nginx.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 | # https://github.com/denji/nginx-tuning user www-data; worker_processes auto; worker_cpu_affinity auto; pid /run/nginx.pid; worker_rlimit_nofile 100000; error_log /var/log/nginx/nginxcriterror.log crit; events { worker_connections 4000; use epoll; multi_accept on; } http { limit_conn conn_limit_per_ip 10; limit_req zone=req_limit_per_ip burst=10 nodelay; # copies data between one FD and other from within the kernel faster then read() + write() sendfile on; # send headers in one peace, its better then sending them one by one tcp_nopush on; # don't buffer data sent, good for small data bursts in real time tcp_nodelay on; # reduce the data that needs to be sent over network -- for testing environment gzip on; gzip_min_length 10240; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml; gzip_disable msie6; # allow the server to close connection on non responding client, this will free up memory reset_timedout_connection on; # if client stop responding, free up memory -- default 60 send_timeout 2; # server will close connection after this time -- default 75 keepalive_timeout 30; # number of requests client can make over keep-alive -- for testing environment keepalive_requests 100000; # Security server_tokens off; # limit the number of connections per single IP limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m; # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file client_body_buffer_size 128k; # headerbuffer size for the request header from client -- for testing environment client_header_buffer_size 3m; # to boost I/O on HDD we can disable access logs access_log off; # cache informations about FDs, frequently accessed files # can boost performance, but you need to test those values open_file_cache max=200000 inactive=20s; open_file_cache_valid 30s; open_file_cache_min_uses 2; open_file_cache_errors on; # maximum number and size of buffers for large headers to read from client request large_client_header_buffers 4 256k; # read timeout for the request body from client -- for testing environment client_body_timeout 3m; # how long to wait for the client to send a request header -- for testing environment client_header_timeout 3m; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } |
File Contents: /etc/nginx/sites-available/default
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 | proxy_cache_path /tmp/nginx-cache keys_zone=one:10m; server { # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 access_log /var/log/nginx/myservername.com.log; root /usr/share/nginx/www; index index.php index.html index.htm; server_name www.myservername.com myservername.com localhost; # ssl on; # ssl_certificate /etc/nginx/ssl/cert_chain.crt; # ssl_certificate_key /etc/nginx/ssl/myservername.key; # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # disable some old ciphers # ssl_prefer_server_ciphers on; # ssl_dhparam /etc/nginx/ssl/dhparams.pem; # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # server_tokens off; # ssl_session_cache shared:SSL:40m; # More info: http://nginx.com/blog/improve-seo-https-nginx/ # Set SSL caching and storage/timeout values: # ssl_session_timeout 4h; # ssl_session_tickets off; # Requires nginx >= 1.5.9 # OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked # ssl_stapling on; # Requires nginx >= 1.3.7 # ssl_stapling_verify on; # Requires nginx => 1.3.7 # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; # add_header X-Frame-Options DENY; # Prevent Clickjacking # Prevent MIME Sniffing # add_header X-Content-Type-Options nosniff; # Use Google DNS # resolver 8.8.8.8 8.8.4.4 valid=300s; # resolver_timeout 1m; # This is handled with the header above. # rewrite ^/(.*) https://myservername.com/$1 permanent; location / { try_files $uri $uri/ =404; index index.php index.html index.htm; proxy_set_header Proxy ""; } fastcgi_param PHP_VALUE "memory_limit = 512M"; # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 location ~ \.php$ { try_files $uri =404; # include snippets/fastcgi-php.conf; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini # With php5-cgi alone: # fastcgi_pass 127.0.0.1:9000; } # deny access to .htaccess files, if Apache's document root #location ~ /\.ht { # deny all; #} } |
I talked to Dmitriy Kovtun (SSL CS) on the Namecheap Chat to resolve a privacy error (I stuffed up and I am getting the error “Your connection is not private” and “NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN”).
SSL checker says everything is fine.
I checked the certificate strength with SSL Labs (OK).
Test and Reload NGINX (Ubuntu)
1 2 3 | sudo nginx -t sudo nginx -s reload sudo /etc/init.d/nginx restart |
Create a test PHP file
1 2 3 | <?php phpinfo() ?> |
It Works.
Install Utils (Ubuntu)
Install an interactive folder size program
1 2 | sudo apt-get install ncdu sudo ncdu / |
Install a better disk check utility
1 2 | sudo apt-get install pydf pydf |
Display startup processes
1 2 | sudo apt-get install rcconf sudo rcconf |
Install JSON helper
1 2 3 | sudo apt-get install jq # Download and display a json file with jq curl 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq . |
Increase the console history
1 2 | HISTSIZE=10000 HISTCONTROL=ignoredups |
I rebooted to see if PHP started up.
1 | sudo reboot |
OpenSSL Info (Ubuntu)
Read about updating OpenSSL here.
Update Ubuntu
1 2 | sudo apt-get update sudo apt-get dist-upgrade |
Vultr Firewall
I configured the server firewall at Vultr and ensured it was setup by clicking my server, then settings then firewall.
I then checked open ports with https://mxtoolbox.com/SuperTool.aspx
Assign a Domain (Vultr)
I assigned a domain with my VM at https://my.vultr.com/dns/add/
Charts
I reviewed the server information at Vultr (nice).
Static IP’s
You should also setup a static IP in /etc/network/interfaces as mentioned in the settings for your server https://my.vultr.com/subs/netconfig/?SUBID=XXXXXX
1 2 3 4 5 6 7 8 9 10 11 12 | Hello, Thank you for contacting us. Please try setting your OS's network interface configuration for static IP assignments in this case. The blue "network configuration examples" link on the "Settings" tab includes the necessary file paths and configurations. This configuration change can be made via the provided web console. Setting your instance's IP to static will prevent any issues that your chosen OS might have with DHCP lease failure. Any instance with additional IPs or private networking enabled will require static addresses on all interfaces as well. -- xxxxx xxxxxx Systems Administrator Vultr LLC |
Backup your existing Ubuntu 16.04 DHCP Network Configuratiion
1 | cp /etc/network/interfaces /interfaces.bak |
I would recommend you log a Vultr support ticket and get the right IPV4/IPV6 details to paste into /etc/network/interfaces while you can access your IP.
It is near impossible to configure the static IP when the server is refusing a DHCP IP address (happened top me after 2 months).
If you don’t have time to setup a static IP you can roll with Auto DHCP IP assignment and when your server fails to get and IP you can manually run the following command (changing the network adapter too your network adapter) from the web root console.
1 | dhclient -1 -v ens3 |
I logged a ticket for each of my other servers to get thew contents or /etc/network/interfaces
Support Ticket Contents:
1 2 3 4 5 6 | What should the contents of /etc/network/interfaces be for xx.xx.xx.xx (Ubuntu: 16.04, Static) Q1) What do I need to add to the /etc/network/interfaces file to set a static IP for server www.myservername.com/xx.xx.xx.xx/SUBID=XXXXXX The server's IPV4 IP is: XX.XX.XX.XX The server's IPV6 IP is: xx:xx:xx:xx:xx:xx:xx:xx (Network: xx:xx:xx:xx::, CIRD: 64, Recursive DNS: None) |
Install an FTP Server (Ubuntu)
I decided on pureftp-d based on this advice. I did try vsftpd but it failed. I used this guide to setup FTP and a user.
I used this guide to setup an FTP and a user. I was able to login via FTP but decided to setup C9 instead. I stopped the FTP service.
1 | sudo nano authorized_keys |
I opened the site with C9 and it setup my environment.
I do love C9.io
Add an SSL certificate (Reissue existing SSL cert at NameCheap)
I had a chat with Konstantin Detinich (SSL CS) on Namecheap’s chat and he helped me through reissuing my certificate.
I have a three-year certificate so I reissued it. I will follow the Namecheap reissue guide here.
I recreated certificates
1 2 3 4 5 | cd /etc/nginx/ mkdir ssl cd ssl sudo openssl req -newkey rsa:2048 -nodes -keyout mydomain_com.key -out mydomain_com.csr cat mydomain_com.csr |
I posted the CSR into Name Cheap Reissue Certificate Form.
Tip: Make sure your certificate is using the same name and the old certificate.
I continued the Namecheap prompts and specified HTTP domain control verification.
Namecheap Output: When you submit your info for this step, the activation process will begin and your SSL certificate will be available from your Domain List. To finalize the activation, you’ll need to complete the Domain Control Validation process. Please follow the instructions below.
Now I will wait for the verification instructions.
Update: I waited a few hours and the instructions never came so I logged in to the NameCheap portal and downloaded the HTTP domain verification file. and uploaded it to my domain.
I forgot to add the text file to the NGINX allowed files in files list.
I added the following file: /etc/nginx/sites-available/default
1 | index index.php index.html index.htm 53guidremovedE5.txt; |
I reloaded and restarted NGINX
1 2 3 | sudo nginx -t nginx -s reload sudo /etc/init.d/nginx restart |
The file now loaded over port 80. I then checked Namecheap chat (Alexandra Belyaninova) to speed up the HTTP Domain verification and they said the text file needs to be placed in /.well-known/pki-validation/ folder (not specified in the earlier steps).
1 | http://mydomain.com/.well-known/pki-validation/53gudremovedE5.txt and http://www.mydoamin.com/.well-known/pki-validation/53guidremovedE5.txt |
The certificate reissue was all approved and available for download.
I uploaded all files related to the ssl cert to /etc/nginx/ssl/ and read my guide here to refresh myself on what is next.
I ran this command in the folder /etc/nginx/ssl/ to generate a DH prime rather than downloading a nice new one from here.
1 | openssl dhparam -out dhparams4096.pem 4096 |
This namecheap guide will tell you how to activate a new certificate and how to generate a CSR file. Note: The guide to the left will generate a 2048 bit key and this will cap you SSL certificates security to a B at http://www.sslabs.com/ssltest so I recommend you generate an 4096 bit csr key and 4096 bit Diffie Hellmann key.
I used https://certificatechain.io/ to generate a valid certificate chain.
My SSL /etc/nginx/ssl/sites-available/default config
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 | proxy_cache_path /tmp/nginx-cache keys_zone=one:10m; server { listen 80 default_server; listen [::]:80 default_server; error_log /www-error-log.txt; access_log /www-access-log.txt; listen 443 ssl; limit_conn conn_limit_per_ip 10; limit_req zone=req_limit_per_ip burst=10 nodelay; root /www; index index.php index.html index.htm; server_name www.thedomain.com thedomain.com localhost; # ssl on This causes to manuy http redirects ssl_certificate /etc/nginx/ssl/trust-chain.crt; ssl_certificate_key /etc/nginx/ssl/thedomain_com.key; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # disable some old ciphers ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/ssl/dhparams4096.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; server_tokens off; ssl_session_cache shared:SSL:40m; # More info: http://nginx.com/blog/improve-seo-https-nginx/ # Set SSL caching and storage/timeout values: ssl_session_timeout 4h; ssl_session_tickets off; # Requires nginx >= 1.5.9 # OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options DENY; # Prevent Clickjacking # Prevent MIME Sniffing add_header X-Content-Type-Options nosniff; # Use Google DNS resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 1m; # This is handled with the header above. # rewrite ^/(.*) https://thedomain.com/$1 permanent; location / { try_files $uri $uri/ =404; index index.php index.html index.htm; proxy_set_header Proxy ""; } fastcgi_param PHP_VALUE "memory_limit = 1024M"; # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 location ~ \.php$ { try_files $uri =404; # include snippets/fastcgi-php.conf; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini # With php5-cgi alone: # fastcgi_pass 127.0.0.1:9000; } # deny access to .htaccess files, if Apache's document root location ~ /\.ht { deny all; } } |
My /etc/nginx/nginx.conf Config
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 | # https://github.com/denji/nginx-tuning user www-data; worker_processes auto; worker_cpu_affinity auto; pid /run/nginx.pid; worker_rlimit_nofile 100000; error_log /var/log/nginx/nginxcriterror.log crit; events { worker_connections 4000; use epoll; multi_accept on; } http { limit_conn conn_limit_per_ip 10; limit_req zone=req_limit_per_ip burst=10 nodelay; # copies data between one FD and other from within the kernel faster then read() + write() sendfile on; # send headers in one peace, its better then sending them one by one tcp_nopush on; # don't buffer data sent, good for small data bursts in real time tcp_nodelay on; # reduce the data that needs to be sent over network -- for testing environment gzip on; gzip_min_length 10240; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml; gzip_disable msie6; # allow the server to close connection on non responding client, this will free up memory reset_timedout_connection on; # if client stop responding, free up memory -- default 60 send_timeout 2; # server will close connection after this time -- default 75 keepalive_timeout 30; # number of requests client can make over keep-alive -- for testing environment keepalive_requests 100000; # Security server_tokens off; # limit the number of connections per single IP limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m; # limit the number of requests for a given session limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s; # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file client_body_buffer_size 128k; # headerbuffer size for the request header from client -- for testing environment client_header_buffer_size 3m; # to boost I/O on HDD we can disable access logs access_log off; # cache informations about FDs, frequently accessed files # can boost performance, but you need to test those values open_file_cache max=200000 inactive=20s; open_file_cache_valid 30s; open_file_cache_min_uses 2; open_file_cache_errors on; # maximum number and size of buffers for large headers to read from client request large_client_header_buffers 4 256k; # read timeout for the request body from client -- for testing environment client_body_timeout 3m; # how long to wait for the client to send a request header -- for testing environment client_header_timeout 3m; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # server { # listen localhost:110; # protocol pop3; # proxy on; # } # # server { # listen localhost:143; # protocol imap; # proxy on; # } #} |
Namecheap support checked my certificate with https://decoder.link/sslchecker/ (no errors). Other SSL checkers are https://certlogik.com/ssl-checker/ and https://sslanalyzer.comodoca.com/
I was given a new certificate to try by Namecheap.
Namecheap Chat (Dmitriy) also recommended I clear my google cache as they did not see errors on their side (this worked).
SSL Security
Read my past guide on adding SSL to a Digital Ocean server.
I am checking my site with https://www.ssllabs.com/ssltest/ (OK).
My site came up clean with shodan.io
Securing Ubuntu in the Cloud
Read my guide here.
OpenSSL Version
I checked the OpenSLL version to see if it was up to date
1 2 | openssl version OpenSSL 1.1.0f 25 May 2017 |
Yep, all up to date https://www.openssl.org/
I will check often.
Install MySQL GUI
Installed the Adminer MySQL GUI tool (uploaded)
Don’t forget to check your servers IP with www.shodan.io to ensure there are no back doors.
I had to increase PHP’supload_max_filesize file size temporarily to allow me to restore a database backup. I edited the php file in /etc/php/7.0/fmp/php.ini and then reload php
1 | sudo service php7.0-fpm restart |
I used Adminer to restore a database.
Support
I found the email support to Vultr was great, I had an email reply in minutes. The Namecheap chat was awesome too. I did have an unplanned reboot on a Vultr node that one of my servers were on (let’s hope the server survives).
View the Vultr service status page is located here.
Conclusion
I now have a secure server with MySQL and other web resources ready to go. I will not add some remote monitoring and restore a website along with NodeJS and MongoDB.
Definitely, give Vulrt go (they even have data centers in Sydney). Signup with this link http://www.vultr.com/?ref=7192231
Namecheap is great for certificates and support.
Vultr API
Vultr has a great API that you can use to automate status pages or obtain information about your VM instances.
API Location: https://www.vultr.com/api/
First, you will need to activate API access and allow your IP addresses (IPV4 and IPV6) in Vultr. At first, I only allowed IPV4 addresses but it looks as if Vultr use IPV6 internally so add your IPV6 IP (if you are hitting the IP form, a Vultr server). Beware that the return JSON from the https://api.vultr.com/v1/server/list API has URLs (and tokens) to your virtual console and root passwords so ensure your API key is secured.
Here is some working PHP code to query the API
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | <?php $ch = curl_init(); $headers = [ 'API-Key: removed' ]; curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/list'); $server_output = curl_exec ($ch); curl_close ($ch); print $server_output ; curl_close($ch); echo json_decode($server_output); ?> |
Your server will need to curl installed and you will need to enable URL opening in your php.ini file.
1 | allow_url_fopen = On |
Once you have curl (and the API) working via PHP, this code will return data from the API for a nominated server (replace ‘123456’ with the id from your server at https://my.vultr.com/).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | $ch = curl_init(); $headers = [ 'API-Key: removed' ]; curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/list'); $server_output = curl_exec ($ch); curl_close ($ch); //print $server_output ; curl_close($ch); $array = json_decode($server_output, true); // # Replace 1234546 with the ID from your server at https://my.vultr.com/ //Get Server Location $vultr_location = $array['123456']['location']; echo "Location: $vultr_location <br/>"; //Get Server CPU Count $vultr_cpu = $array['123456']['vcpu_count']; echo "CPUs: $vultr_cpu <br/>"; //Get Server OS $vultr_os = $array['123456']['os']; echo "OS: $vultr_os<br />"; //Get Server RAM $vultr_ram = $array['123456']['ram']; echo "Ram: $vultr_ram<br />"; //Get Server Disk $vultr_disk = $array['123456']['disk']; echo "Disk: $vultr_disk<br />"; //Get Server Allowed Bnadwidth $vultr_bandwidth_allowed = $array['123456']['allowed_bandwidth_gb']; //Get Server Used Bnadwidth $vultr_bandwidth_used = $array['123456']['current_bandwidth_gb']; echo "Bandwidth: $vultr_bandwidth_used MB of $vultr_bandwidth_allowed MB<br />"; //Get Server Power Stataus $vultr_power = $array['123456']['power_status']; echo "Power State: $vultr_power<br />"; //Get Server State $vultr_state = $array['123456']['server_state']; echo "Server State: $vultr_state<br />"; |
A raw packet looks like this from https://api.vultr.com/v1/server/list
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | HTTP/1.1 200 OK Server: nginx Date: Sun, 30 Jul 2017 12:02:34 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close X-User: user@email.com Expires: Sun, 30 Jul 2017 12:02:33 GMT Cache-Control: no-cache X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff {"123456":{"SUBID":"123456","os":"Ubuntu 16.04 x64","ram":"4096 MB","disk":"Virtual 60 GB","main_ip":"###.###.###.###","vcpu_count":"2","location":"Sydney","DCID":"##","default_password":"removed","date_created":"2017-01-01 09:00:00","pending_charges":"0.01","status":"active","cost_per_month":"20.00","current_bandwidth_gb":0.001,"allowed_bandwidth_gb":"3000","netmask_v4":"255.255.254.0","gateway_v4":"###.###.###.#,"power_status":"running","server_state":"ok","VPSPLANID":"###","v6_main_ip":"####:####:####:###:####:####:####:####","v6_network_size":"##","v6_network":"####:####:####:###:","v6_networks":[{"v6_main_ip":"####:####:####:###:####:####::####","v6_network_size":"##","v6_network":"####:####:####:###::"}],"label":"####","internal_ip":"###.###.###.##","kvm_url":"removed","auto_backups":"no","tag":"Server01","OSID":"###","APPID":"#","FIREWALLGROUPID":"########"}} |
I recommend the Paw software for any API testing locally on OSX.
Bonus: Converting Vultr Network totals from the Vultr API with PHP
Add the following as a global PHP function in your PHP file. Found the number formatting solution here.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | <?php // Found at https://stackoverflow.com/questions/2510434/format-bytes-to-kilobytes-megabytes-gigabytes function swissConverter($value, $format = true, $precision = 2) { // Below converts value into bytes depending on input (specify mb, for // example) $bytes = preg_replace_callback('/^\s*(\d+)\s*(?:([kmgt]?)b?)?\s*$/i', function ($m) { switch (strtolower($m[2])) { case 't': $m[1] *= 1024; case 'g': $m[1] *= 1024; case 'm': $m[1] *= 1024; case 'k': $m[1] *= 1024; } return $m[1]; }, $value); if(is_numeric($bytes)) { if($format === true) { //Below converts bytes into proper formatting (human readable //basically) $base = log($bytes, 1024); $suffixes = array('', 'KB', 'MB', 'GB', 'TB'); return round(pow(1024, $base - floor($base)), $precision) .' '. $suffixes[floor($base)]; } else { return $bytes; } } else { return NULL; //Change to prefered response } } ?> |
Now you can query the https://api.vultr.com/v1/server/bandwidth?SUBID=123456 API and get bandwidth information related to your server (replace 123456 with your servers ID).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 | <h4>Network Stats:</h4><br /> <?php $ch = curl_init(); $headers = [ 'API-Key: removed' ]; curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Change 123456 to your server ID curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/bandwidth?SUBID=123456'); $server_output = curl_exec ($ch); curl_close ($ch); //print $server_output ; curl_close($ch); $array = json_decode($server_output, true); //Get 123456 Incoming Bytes Yesterday $vultr123456_imcoming00ib = $array['incoming_bytes'][0][1]; echo " Incoming Data Total Day Before Yesterday: <strong>" . swissConverter($vultr123456_imcoming00ib, true) . "</strong><br/>"; //Get 123456 Incoming Bytes Yesterday $vultr123456_imcoming00ib = $array['incoming_bytes'][1][1]; echo " Incoming Data Total Yesterday: <strong>" . swissConverter($vultr123456_imcoming00ib, true) . "</strong><br/>"; //Get 123456 Incoming Bytes Today $vultr123456_imcoming00ib = $array['incoming_bytes'][2][1]; echo " Incoming Data Total Today: <strong>" . swissConverter($vultr123456_imcoming00ib, true) . "</strong><br/><br/>"; //Get 123456 Outgoing Bytes Day Before Yesterday $vultr123456_imcoming10ob = $array['outgoing_bytes'][0][1]; echo " Outgoing Data Total Yesterday: <strong>" . swissConverter($vultr123456_imcoming10ob, true) . "</strong><br/>"; //Get 123456 Outgoing Bytes Yesterday $vultr123456_imcoming10ob = $array['outgoing_bytes'][1][1]; echo " Outgoing Data Total Yesterday: <strong>" . swissConverter($vultr123456_imcoming10ob, true) . "</strong><br/>"; //Get 123456 Outgoing Bytes Today $vultr123456_imcoming00ob = $array['outgoing_bytes'][2][1]; echo " Outgoing Data Total Today: <strong>" . swissConverter($vultr123456_imcoming00ob, true) . "</strong><br/>"; echo "<br />"; ?> |
Bonus: Pinging a Vultr server from the Vultr API with PHP’s fsockopen function
Paste the ping function globally
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | <?php function pingfsockopen($host,$port=443,$timeout=3) { $fsock = fsockopen($host, $port, $errno, $errstr, $timeout); if ( ! $fsock ) { return FALSE; } else { return TRUE; } } ?> |
Now you can grab the servers IP from https://api.vultr.com/v1/server/list and then ping it (on SSL port 443).
1 2 3 4 5 6 7 8 9 | //Get Server 123456 IP $vultr_mainip = $array['123456']['main_ip']; $up = pingfsockopen($vultr_mainip); if( $up ) { echo " Server is UP.<br />"; } else { echo " Server is DOWN<br />"; } |
Setup Google DNS
1 | sudo nano /etc/network/interfaces |
Add line
1 | dns-nameservers 8.8.8.8 8.8.4.4 |
What have I missed?
Read my blog post on Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute.
Read my blog post on securing your Ubuntu server in the cloud.
Read my blog post on running an Ubuntu system scan with Lynis.
Donate and make this blog better
Ask a question or recommend an article
v1.993 added log info