server

Installing Webmin Server Management web GUI on Ubuntu

August 10, 2017 by su Leave a Comment

Setting up Ubuntu in the cloud is great if you are not afraid of using the command line but for those that need it, there are web based server management GUI’s you can install.

Once Ubuntu is installed (I have many guides at www.fearby.com) you can install http://www.webmin.com/ (web based management GUI for Ubuntu). It is similar to https://runcloud.io but it’s free. Read the Webadmin install guide here.

Ubuntu Install Steps

Run this in your root terminal to install Webmin on Ubuntu after you install and configure a web server, MySQL and SSL.

sudo sh -c 'echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list'
wget -qO - http://www.webmin.com/jcameron-key.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install webmin

sudo sh -c 'echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list'

wget -qO - http://www.webmin.com/jcameron-key.asc | sudo apt-key add -

sudo apt-get update

sudo apt-get install webmin

Allow port 1000 on your firewall (in my case I am limiting this to my public IP).

sudo ufw allow from 555.55.555.555/24 to any port 10000

1	sudo ufw allow from 555.55.555.555/24 to any port 10000

I opened port 10,000 on my Digital Ocean firewall screen too.

I installed an SSL certificate on my server (my guide here). I am having issues with Google Chrome and my SSL certificate so I switched ot safari.

I navigated to https://mydomain.com:10000 to log in to the Webmin dashboard

I could now log in to Webmin so I reset the password???

/usr/share/webmin/changepass.pl /etc/webmin username password

1	/usr/share/webmin/changepass.pl /etc/webmin username password

Now I can login to Webmin

Webmin has a load of options available, I zeroed in on viewing log files.

I think I need to ban a few IP’s in my firewall based on the login attempts above. View my guide on securing Ubuntu in the cloud.

Done

sudo ufw deny from 92.87.236.65
Rule added

sudo ufw deny from 106.14.3.252
Rule added

sudo ufw deny from 101.200.52.128
Rule added

sudo ufw deny from 47.94.22.157
Rule added

sudo ufw deny from 92.87.236.65

Rule added

sudo ufw deny from 106.14.3.252

Rule added

sudo ufw deny from 101.200.52.128

Rule added

sudo ufw deny from 47.94.22.157

Rule added

Webmin has a great section on Ubuntu Users

View User Details

Securing Webmin Configuration then IP Access Control and whitelist your IP address to ensure no one else can view your server (I went to http://icanhazip.com to get my IP address).

I then used the Webmin backup screen to backup my system.

This is great, it is backing up my system 🙂

pwd
/
ls -al
total 142372
drwxr-xr-x  27 root root      4096 Aug  9 23:27 .
drwxr-xr-x  27 root root      4096 Aug  9 23:27 ..
-rw-r--r--   1 root root 145670144 Aug  9 23:33 backup.tar

pwd

ls -al

total 142372

drwxr-xr-x 27 root root 4096 Aug 9 23:27 .

drwxr-xr-x 27 root root 4096 Aug 9 23:27 ..

-rw-r--r-- 1 root root 145670144 Aug 9 23:33 backup.tar

I used pydf to see how much storage space I have (I am only using 2.65GB but have 17GB available).

pydf
Filesystem Size  Used Avail Use%                                  Mounted on
/dev/vda1   19G 2658M   17G 13.5 [####..........................] /
/dev/vda15 104M 3425k  101M  3.2 [#.............................] /boot/efi

pydf

Filesystem Size Used Avail Use% Mounted on

/dev/vda1 19G 2658M 17G 13.5 [####..........................] /

/dev/vda15 104M 3425k 101M 3.2 [#.............................] /boot/efi

Gzip is taking a load of time to backup my system.

I did not need to use (htop) to monitor the CPU, Webmin has a CPU monitor built in.

Webmin also allows you to add users

Beware though you need to assign a user to modules or they won’t be able to do/see much when they login.

If you provide your MySQL root password you can create databases in Webmin under Servers then MySQL Database Server

Loads of database options that I would normally use Adminer for 🙂

File Browser

There is a file browser but (I can’t seem to drag and drop).

Official documentation is found here. I’ll add more to this post as I discover it.

Check out my other posts at www.fearby.com.

Donate and make this blog better

Ask a question or recommend an article

v1.0 Initial Post

Moving a CPanel domain with email to a self managed VPS and Gmail

August 6, 2017 by Leave a Comment

I decided to take ownership of my slow domain and setup my own VM and direct web traffic to it and redirect email to GMail

Moving a CPanel domain with email to a self managed VPS and Gmail

August 3, 2017 by su 3 Comments

I have had www.fearby.com since 1999 on three CPanel hosts (superwerbhost in the US, Jumba in Australia, Uber in Australia (NetRegistry have acquired Uber and performance at the time of writing is terrible)). I was never informed by Uber of the sale but my admin portal was moved from one host to another and each time performance degraded. I tried to speed up WordPress by optimizing images, installing cache plugins but nothing worked, pages were loading in around 24 seconds on https://www.webpagetest.org.

I had issues with a CPanel domain on the hosts (Uber/Netregistry) as they were migrating domains and the NetRegstry chat rep said I needed to phone Uber for support. No thanks, I’m going self-managed and saving a dollar.

I decided to take ownership of my slow domain and setup my own VM and direct web traffic to it and redirect email to GMail (I have done this before). I have setup Digital Ocean VM’s (Ubuntu and Centos), Vultr VM’s and AWS VM’s.

I have also had enough of Resource Limit Reached messages with CPanel and I can’t wait to…

not have a slow WordPress.
setup my own server (not a slow hosts server).
spend $5 less (we currently pay $25 for a CPanel website with 20GB storage total)
get a faster website (sub 24 seconds load time).
larger email mailboxes (30GB each).
Generate my own “SSL Labs A+ rated” certificate for $10 a year instead of $150 a year for an “SSL Labs C rated” SSL certificate from my existing hosts.

Backup

I have about 10 email accounts on my CPanel domain (using 14GB) and 2x WordPress sites. I want to backup my emails with (Outlook Export and Thunderbird Profile backup) and backup my domain file(s) a few times before I do anything. Once DNS is set in motion no server waits.

The Plan

Once everything is backed up I intend to setup a $5 a month Vulr VM and redirect all mail to Google G Suite (I have redirected mail before).

I will setup a Vultr web server in Sydney (following my guide here), buy an SSL certificate from Namecheap and move my WordPress sites.

Rough Plan

Reduce email accounts from 10x to 3x
Backup emails (twice with ThunderBird and Outlook).
Setup A Ubuntu V on Vultr.
Signup for Google G Suite Trial.
Transfer my domain to Namecheap.
Link to domain DNS to Vultr
Link to domain MX records to Google Email.
Transfer website.
Setup emails on google.
Restore WordPress.
Go live.
Downgrade to personal G Suite before the trial expires
Close down the old server.

Signing up for Google G Suite

I visited https://gsuite.google.com/ and started creating an account.

Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm

I created a link between G Suite and an existing GMail account.

Now I can create the admin account.

Tip: Don’t use any emails that are linked as secondary emails with any Google services (this won’t be allowed). It’s s a well-known issue that you cannot add users emails who are linked to Google services (even as backup emails for Gmail, detach the email before adding it). Read more here.

Final setup steps.

Now I can add email accounts to G Suite.

Adding email users to G Suite.

The next thing I had to do was upload a file to my domain to verify I own the domain (DNS verification is also an option).

I must say the setup and verify steps are quite easy to follow on G Suite.

Time to backup our existing CPanel site.

Backup Step 1 (hopefully I won’t need this)

I decided to grab a complete copy of my CPanel domain with domains, databases and email accounts. This took 24 hours.

Backup Step 2 (hopefully I won’t need this)

I download all mail via IMAP in Outlook and Mozilla Thunderbird and export it (Outlook Export and Thunderbird Profile backup). Google have IMAP instructions here.

DNS Changes at Namecheap

I obtained my domain EPP code from my CPanel hosts and transferred the domain name to Namecheap.

Namecheap was even nice enough to set my DNS point to my existing domain so I did not have to rush a move before DNS propagation.

P.S The Namecheap Chat Staff and Namecheap Mobile App is awesome.

Having backed up everything I logged into Namecheap and set my DNS to “NameCheap BasicDNS” and then went “Advanced DNS” and set appropriate DNS records for my domain. This assumes you have setup a VM with IPV4 and IPV6 (follow my guide here).

A Record @ IPV4_OF_MY_VULTR_SERVER
A Record www IPV4_OF_MY_VULTR_SERVER
A Record ftp IPV4_OF_MY_VULTR_SERVER
AAAA Record @ IPV6_OF_MY_VULTR_SERVER
AAAA Record www IPV6_OF_MY_VULTR_SERVER
AAAA Record ftp IPV6_OF_MY_VULTR_SERVER
C Name www fearby.com

The Google G Suite also asked me to add these following MX records to the DNS records.

MX Record @ ASPMX.L.GOOGLE.COM. 1
MX Record @ ASPMX1.L.GOOGLE.COM. 5
MX Record @ ASPMX2.L.GOOGLE.COM. 5
MX Record @ ASPMX3.L.GOOGLE.COM. 10
MX Record @ ASPMX4.L.GOOGLE.COM. 10

Then it was a matter of telling Google DNS changes were made (once DNS has replicated across the US).

My advice is to set DNS changes before bed as it can take 12 hours.

Sites like https://www.whatsmydns.net/ are great for keeping track of DNS replication.

Transferring WordPress

I logged into the CPanel and exported my WordPress Database (34MB SQL file).

I had to make the following PHP.ini changes to allow the larger file size restore uploads with the Adminer utility (default is 2mb). I could not get the server side adminer.sls.gz option to restore the database?

post_max_size = 50M
upload_max_filesize = 50M

# do change back to 2MB after you restore the files to prevent DOS attacks.

post_max_size = 50M

upload_max_filesize = 50M

# do change back to 2MB after you restore the files to prevent DOS attacks.

I had to make the following changes to nginx.conf (to prevent 404 errors on the database upload)

client_max_body_size 50M;
# client_max_body_size 2M; Reset when done

1 2	client_max_body_size 50M; # client_max_body_size 2M; Reset when done

I also had to make these changes to NGINX (sites-available/default) to allow WordPress to work

# Add index.php to the list if you are using PHP
	index index.php index.html index.htm;

location / {
        # try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php?q=$uri&$args;
        index index.php index.html index.htm;
        proxy
}

# Add index.php to the list if you are using PHP

index index.php index.html index.htm;

location / {

# try_files $uri $uri/ =404;

try_files $uri $uri/ /index.php?q=$uri&$args;

index index.php index.html index.htm;

proxy

}

I had a working MySQL (I followed my guide here).

Adminer is the best PHP MySQL management utility (beats PhpMyAdmin hands down).

Restart NGINX and PHP

nginx -t
nginx -s reload
sudo /etc/init.d/nginx restart
sudo service php7.0-fpm restart

nginx -t

nginx -s reload

sudo /etc/init.d/nginx restart

sudo service php7.0-fpm restart

I had an error on database import, a non-descript error in script line 1 (error hint here).

A simple search and replace in the SQL fixed it.

Once I had increased PHP uploads to 50M and Nginx I was able to upload my database backup with Adminer (just remember to import to the created database that matches. the wp-config.php. Also, ensure your WordPress content is in place too.

The only other problem I had was WordPress gave an “Error 500” so moved few plugins an all was good.

Importing Old Email

I was able to use the Google G Suite tools to import my old Mail (CPanel IMAP to Google IMAP).

I love root access on my own server now, goodbye CPanel “Usage Limit Exceeded” errors (I only had light traffic on my site).

My self-hosted WordPress is a lot snappier now, my server has plenty of space (and only costs $0.007c and hour for 1x CPU, 1GB ram, 25GB SSD storage and 1000GB data transfer quota). I use the htop command to view system processor and disk space usage.

I can now have more space for content and not be restricted by tight hosts disk quotas or slow shared servers. I use the pydf command to view dis space.

pydf
Filesystem Size  Used <strong>Avail</strong> Use%                                                    Mounted on
/dev/vda1   25G 3289M   <strong>20G</strong> 13.1 [######..........................................] /
/www/wp-content#

pydf

Filesystem Size Used Avail Use% Mounted on

/dev/vda1 25G 3289M 20G 13.1 [######..........................................] /

/www/wp-content#

I use ncdu to view folder usage.

Installing ncdu

sudo apt-get install ncdu
Reading package lists... Done
Building dependency tree
Reading state information... Done
ncdu is already the newest version (1.11-1build1).
0 upgraded, 0 newly installed, 0 to remove and 58 not upgraded.

sudo apt-get install ncdu

Reading package lists... Done

Building dependency tree

Reading state information... Done

ncdu is already the newest version (1.11-1build1).

0 upgraded, 0 newly installed, 0 to remove and 58 not upgraded.

Type ncdu in the folder you want to browse under.

ncdu

ncdu

You can arrow up and down folder structures and view folder/file usage.

SSL Certificate

I am setting up a new multi year SS cert now, I will update this guide later. I had to read my SSL guide with Digital Ocean here.

I generated some certificate on my server

cd ~/
kdir sslcsrmaster4096
cd sslcsrmaster4096/
openssl req -new -newkey rsa:4096 -nodes -keyout domain.key -out domain.csr

cd ~/

kdir sslcsrmaster4096

cd sslcsrmaster4096/

openssl req -new -newkey rsa:4096 -nodes -keyout domain.key -out domain.csr

Sample output for a new certificate

openssl req -new -newkey rsa:4096 -nodes -keyout dummy.key -out dummy.csr
Generating a 4096 bit RSA private key
.................................................................................................++
......++
writing new private key to 'dummy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: AU
State or Province Name (full name) [Some-State]: NSW
Locality Name (eg, city) []:Tamworth
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Dummy Org
Organizational Unit Name (eg, section) []: Dummy Org Dept
Common Name (e.g. server FQDN or YOUR name) []: DummyOrg
Email Address []: me@dummy.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: password
An optional company name []: DummyCO
root@servernamehere:~/sslcsrmaster4096# cat dummy.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIFAjCCAuoCAQAwgYsxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxETAPBgNV
BAcMCFRhbXdvcnRoMRIwEAYDVQQKDAlEdW1teSBPcmcxFzAVBgNVBAsMDkR1bW15
IE9yZyBEZXB0MREwDwYDVQQDDAhEdW1teU9yZzEbMBkGCSqGSIb3DQEJARYMbWVA
ZHVtbXkub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6PUtWkRl
+gL0Hx354YuJ5Sul2Xh+ljILSlFoHAxktKlE+OJDJAtUtVQpo3/F2rGTJWmmtef+
shortenedoutput
swrUzpBv8hjGziPoVdd8qdAA2Gh/Y5LsehQgyXV1zGgjsi2GN4A=
-----END CERTIFICATE REQUEST-----

openssl req -new -newkey rsa:4096 -nodes -keyout dummy.key -out dummy.csr

Generating a 4096 bit RSA private key

.................................................................................................++

......++

writing new private key to 'dummy.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]: AU

State or Province Name (full name) [Some-State]: NSW

Locality Name (eg, city) []:Tamworth

Organization Name (eg, company) [Internet Widgits Pty Ltd]: Dummy Org

Organizational Unit Name (eg, section) []: Dummy Org Dept

Common Name (e.g. server FQDN or YOUR name) []: DummyOrg

Email Address []: me@dummy.org

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: password

An optional company name []: DummyCO

root@servernamehere:~/sslcsrmaster4096# cat dummy.csr

-----BEGIN CERTIFICATE REQUEST-----

MIIFAjCCAuoCAQAwgYsxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxETAPBgNV

BAcMCFRhbXdvcnRoMRIwEAYDVQQKDAlEdW1teSBPcmcxFzAVBgNVBAsMDkR1bW15

IE9yZyBEZXB0MREwDwYDVQQDDAhEdW1teU9yZzEbMBkGCSqGSIb3DQEJARYMbWVA

ZHVtbXkub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6PUtWkRl

+gL0Hx354YuJ5Sul2Xh+ljILSlFoHAxktKlE+OJDJAtUtVQpo3/F2rGTJWmmtef+

shortenedoutput

swrUzpBv8hjGziPoVdd8qdAA2Gh/Y5LsehQgyXV1zGgjsi2GN4A=

-----END CERTIFICATE REQUEST-----

I then uploaded the certificate to Namecheap for an SSL cert registration.

I selected DNS C Name record as a way to verify I own my domain.

I am now waiting for Namecheap to verify my domain

End of the Google G Suite Business Trial

Before the end of the 14-day trial, you will need to add billing details to keep the email working.

At this stage, you can downgrade from a $10/m business account per user to a $5/m per user account if you wish. The only loss would be storage and google app access.

Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm

Before your trial ends, add your payment details and downgrade from $10/user a month business prices to $5/iser a month individual if needed.

G Suite Troubleshooting

I was able to access new G Suite email account via gmail.com but not via Outlook 2015? I reset the password, followed the google troubleshooting guide and used the official incoming and outgoing settings but nothing worked.

Google phone support suggested I enable less secure connection settings as Google firewall may be blocking Outlook. I know the IMAP RFC is many years old but I doubt Microsoft are talking to G Suite in a lazy manner.

Now I can view my messages and I can see one email that said I was blocked by the firewall. Google phone support and faqs don’t say why Outlook 2015 SSL based IMAP was blocked?

Conclusion

Thanks to my wife who put up with my continual updates over the entire domain move. Voicing the progress helped me a lot.

Donate and make this blog better

Ask a question or recommend an article

V1.7 added troubleshooting

Using phpservermonitor.org to check whether your websites and servers are up and running

July 30, 2017 by su Leave a Comment

https://www.phpservermonitor.org/ – PHP Server Monitor is a script that checks whether your websites and servers are up and running. It comes with a web based user interface where you can manage your services and websites, and you can manage users for each server with a mobile number and email address.

Features

Monitor services and websites (see below).
Email, SMS and Pushover notifications.
View history graphs of uptime and latency.
User authentication with 2 levels (administrator and regular user).
Logs of connection errors, outgoing emails and text messages.
Easy cronjob implementation to automatically check your servers.

FYI you can setup an Ubuntu Vutur VM here (my guide here) or a Digital Ocean server here (my guide here) in minutes (and only be charged by the hour). Vultr VMs can be purchased from as low a $2.5 a month (NY location) and Digital Ocean for $5 a month.

Open Source

PHP Server Monitor is an open source project 🙂

https://github.com/phpservermon/phpservermon

Installation

fyi: Installation instructions are located here. More detailed install instructions can be found in the zip file under docs/install.rst.

Go to https://www.phpservermonitor.org/download/ and download the 2.4MB phpservermon-3.2.0.zip then extract it’s 1,0834 items.

Upload the files to your website.

Run the install script https://thesubdomain.thedomain.com/phpservermon-3.2.0/install.php then follow the prompts.

I have already set my time zone so I’ll ignore this warning.

If you want to change the time zone run this command.

sudo hwclock --show
dpkg-reconfigure tzdata
sudo reboot
sudo hwclock --show

sudo hwclock --show

dpkg-reconfigure tzdata

sudo reboot

sudo hwclock --show

Then add the database details. I created the MySQL database and user using the Adminer utility.

I created a config.php as instructed.

<?php
define('PSM_DB_HOST', 'localhost');
define('PSM_DB_PORT', '3306');
define('PSM_DB_NAME', 'thedatabase');
define('PSM_DB_USER', 'thedatabaseuser');
define('PSM_DB_PASS', 'removed');
define('PSM_DB_PREFIX', 'psm_');
define('PSM_BASE_URL', 'https://thesubdomain.thedomain.com/phpservermon-3.2.0');
?>

<?php

define('PSM_DB_HOST', 'localhost');

define('PSM_DB_PORT', '3306');

define('PSM_DB_NAME', 'thedatabase');

define('PSM_DB_USER', 'thedatabaseuser');

define('PSM_DB_PASS', 'removed');

define('PSM_DB_PREFIX', 'psm_');

define('PSM_BASE_URL', 'https://thesubdomain.thedomain.com/phpservermon-3.2.0');

Create an account.

Installation Success.

I logged into the pro server monitor webpage that I just installed.

Configuration

I logged into the PHP Server monitor and configured a website to monitor ( at /phpservermon-3.2.0/?&mod=server&action=edit ).

I added this string to the HTML source of the webpages pages to monitor.

<!-- phpservermoncheckforthis -->

1	<!-- phpservermoncheckforthis -->

I added a few websites to monitor.

Other

Here are the other things you can monitor

Table of objects to monitor

Here is my tale of objects to monitor,

Here is a table of my active servers being monitored (I am monitoring 3x web page content and IP pings).

One is failing because the page does not contain the string I defined 🙂

Integration with custom status pages

todo.

Configure SMS Alerts

The config screen has multiple SMS providers to choose from.

Configure Pushover Alerts

The config screens have links to create a pushover alerts app.

Automation

todo: Review crontab.

Recent Feaures

SSL expiration checks

Conclusion

I am happy with the way PHP Server monitor easily monitors my websites.

Donate and make this blog better

Ask a question or recommend an article

v1.3 added screenshots of SMS and pushover (6:04pm 30th July 2017 AEST)

Using phpservermonitor.org to check whether your websites and servers are up and running

July 30, 2017 by Leave a Comment

Setting up a Vultr VM and configuring it

July 29, 2017 by su 8 Comments

Below is my guide on setting up a Vultr VM and configuring it with NGINX, MySQL, PHP and an SSL certificate.

I have blogged about setting up Centos and Ubuntu server on Digital Ocean before. Digital Ocean does not have data centers in Australia and this kills scalability. AWS is good but 4x the price of Vultr. I have also blogged about setting up and AWS server here. I tried to check out Alibaba Cloud but the verification process was broken so I decided to check our Vultr.

Setting up a Vultr Server

1) Go to http://www.vultr.com/?ref=7192231 and create your own server today.

2) Create an account at Vultr.

3) Add a Credit Card

4) Verify your email address, Check https://my.vultr.com/promo/ for promos.

5) Create your first instance (for me it was an Ubuntu 16.04 x64 Server, 2 CPU, 4Gb RAM, 60Gb SSD, 3,000MB Transfer server in Sydney for $20 a month). I enabled IPV6, Private Networking, and Sydney as the server location. Digital Ocean would only have offered 2GB ram and 40GB SSD at this price. AWS would have charged $80/w.

2 Cores and 4GB ram is what I am after (I will use it for NGINX, MySQL, PHP, MongoDB, OpCache and Redis etc).

6) I followed this guide and generated an SSH key and added it to Vultr. I generated a local SSH key and added it to Vultr

snip

cd ~/.ssh
ls-al
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): vultr_rsa    
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in vultr_rsa.
Your public key has been saved in vultr_rsa.pub.
cat vultr_rsa.pub 
ssh-rsa AAAAremovedoutput

cd ~/.ssh

ls-al

ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/Users/username/.ssh/id_rsa): vultr_rsa

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in vultr_rsa.

Your public key has been saved in vultr_rsa.pub.

cat vultr_rsa.pub

ssh-rsa AAAAremovedoutput

7) I was a bit confused if the UI adding the SSH key to the in progress deploy server screen (the SSH key was added but was not highlighted so I recreated the server to deploy and the SSH key now appears).

Now time to deploy the server.

Deploying now.

My Vultr server is now deployed.

I connected to it with my SSH program on my Mac.

Now it is time to redirect my domain (purchased through Namecheap) to the new Vultr server IP.

DNS: @ A Name record at Namecheap

Update: I forgot to add an A Name for www.

DNS: Vultr (added the Same @ and www A Name records (fyi “@” was replaced with “”)).

I waited 60 minutes and DNS propagation happened. I used the site https://www.whatsmydns.net to see where the DNS replication was and I was receiving an error.

Setting the Serves Time, and Timezone (Ubuntu)

I checked the time on zone server but it was wrong (20 hours behind)

sudo hwclock --show
Tue 25 Jul 2017 01:29:58 PM UTC  .420323 seconds

1 2	sudo hwclock --show Tue 25 Jul 2017 01:29:58 PM UTC .420323 seconds

I manually set the timezone to Sydney Australia.

dpkg-reconfigure tzdata

1	dpkg-reconfigure tzdata

I installed the NTP time syncing service

sudo apt-get install ntp

1	sudo apt-get install ntp

I configured the NTP service to use Australian servers (read this guide).

sudo nano /etc/ntp.conf

# added
server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org

sudo nano /etc/ntp.conf

# added

server 0.au.pool.ntp.org

server 1.au.pool.ntp.org

server 2.au.pool.ntp.org

I checked the time after restarting NTP.

sudo service ntp restart
sudo hwclock --show

1 2	sudo service ntp restart sudo hwclock --show

The time is correct 🙂

Installing NGINX Web Server Webserver (Ubuntu)

More on the differences between <a href="https://www.digitalocean.com/community/tutorials/apache-vs-nginx-practical-considerations?utm_medium=social&utm_source=twitter&utm_campaign=apache_vs_nginx_tut&utm_content=image">Apache and nginx web servers</a>.

1	More on the differences between <a href="https://www.digitalocean.com/community/tutorials/apache-vs-nginx-practical-considerations?utm_medium=social&utm_source=twitter&utm_campaign=apache_vs_nginx_tut&utm_content=image">Apache and nginx web servers</a>.

sudo add-apt-repository ppa:chris-lea/nginx-devel
sudo apt-get update
sudo apt-get install nginx
sudo service nginx start
nginx -v

sudo add-apt-repository ppa:chris-lea/nginx-devel

sudo apt-get update

sudo apt-get install nginx

sudo service nginx start

nginx -v

Installing NodeJS (Ubuntu)

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
sudo apt-get install -y nodejs
nodejs -v

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -

sudo apt-get install -y nodejs

nodejs -v

Installing MySQL (Ubuntu)

sudo apt-get install mysql-common
sudo apt-get install mysql-server
mysql --version
>mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper
sudo mysql_secure_installation
>Y (Valitate plugin)
>2 (Strong passwords)
>N (Don't chnage root password)
>Y (Remove anon accounts)
>Y (No remote root login)
>Y (Remove test DB)
>Y (Reload)
service mysql status
> mysql.service - MySQL Community Serve

sudo apt-get install mysql-common

sudo apt-get install mysql-server

mysql --version

>mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper

sudo mysql_secure_installation

>Y (Valitate plugin)

>2 (Strong passwords)

>N (Don't chnage root password)

>Y (Remove anon accounts)

>Y (No remote root login)

>Y (Remove test DB)

>Y (Reload)

service mysql status

> mysql.service - MySQL Community Serve

Install PHP 7.x and PHP7.0-FPM (Ubuntu)

sudo apt-get install -y language-pack-en-base
sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php7.0
sudo apt-get install php7.0-mysql
sudo apt-get install php7.0-fpm

sudo apt-get install -y language-pack-en-base

sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php

sudo apt-get update

sudo apt-get install php7.0

sudo apt-get install php7.0-mysql

sudo apt-get install php7.0-fpm

php.ini

sudo nano /etc/php/7.0/fpm/php.ini
> edit: cgi.fix_pathinfo=0
> edit: upload_max_filesize = 8M
> edit: max_input_vars = 1000
> edit: memory_limit = 128M
# medium server: memory_limit = 256M
# large server: memory_limit = 512M

sudo nano /etc/php/7.0/fpm/php.ini

> edit: cgi.fix_pathinfo=0

> edit: upload_max_filesize = 8M

> edit: max_input_vars = 1000

> edit: memory_limit = 128M

# medium server: memory_limit = 256M

# large server: memory_limit = 512M

Restart PHP

sudo service php7.0-fpm restart	
service php7.0-fpm status

1 2	sudo service php7.0-fpm restart service php7.0-fpm status

Now install misc helper modules into php 7 (thanks to this guide)

sudo apt-get install php-xdebug
sudo apt-get install php7.0-phpdbg php7.0-mbstring php7.0-gd php7.0-imap 
sudo apt-get install php7.0-ldap php7.0-pgsql php7.0-pspell php7.0-recode 
sudo apt-get install php7.0-snmp php7.0-tidy php7.0-dev php7.0-intl 
sudo apt-get install php7.0-gd php7.0-curl php7.0-zip php7.0-xml
sudo nginx –s reload
sudo /etc/init.d/nginx restart
sudo service php7.0-fpm restart
php -v

sudo apt-get install php-xdebug

sudo apt-get install php7.0-phpdbg php7.0-mbstring php7.0-gd php7.0-imap

sudo apt-get install php7.0-ldap php7.0-pgsql php7.0-pspell php7.0-recode

sudo apt-get install php7.0-snmp php7.0-tidy php7.0-dev php7.0-intl

sudo apt-get install php7.0-gd php7.0-curl php7.0-zip php7.0-xml

sudo nginx –s reload

sudo /etc/init.d/nginx restart

sudo service php7.0-fpm restart

php -v

Initial NGINX Configuring – Pre SSL and Security (Ubuntu)

Here is a good guide on setting up NGINX for performance.

mkdir /www

1	mkdir /www

Edit the NGINX configuration

sudo nano /etc/nginx/nginx.conf

1	sudo nano /etc/nginx/nginx.conf

File Contents: /etc/nginx/nginx.conf

# https://github.com/denji/nginx-tuning
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/nginxcriterror.log crit;

events {
        worker_connections 4000;
        use epoll;
        multi_accept on;
}

http {

        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;

        # copies data between one FD and other from within the kernel faster then read() + write()
        sendfile on;

        # send headers in one peace, its better then sending them one by one
        tcp_nopush on;

        # don't buffer data sent, good for small data bursts in real time
        tcp_nodelay on;

        # reduce the data that needs to be sent over network -- for testing environment
        gzip on;
        gzip_min_length 10240;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
        gzip_disable msie6;

        # allow the server to close connection on non responding client, this will free up memory
        reset_timedout_connection on;


        # if client stop responding, free up memory -- default 60
        send_timeout 2;

        # server will close connection after this time -- default 75
        keepalive_timeout 30;

        # number of requests client can make over keep-alive -- for testing environment
        keepalive_requests 100000;

        # Security
        server_tokens off;

        # limit the number of connections per single IP
        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

       # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file
        client_body_buffer_size  128k;

        # headerbuffer size for the request header from client -- for testing environment
        client_header_buffer_size 3m;


        # to boost I/O on HDD we can disable access logs
        access_log off;

        # cache informations about FDs, frequently accessed files
        # can boost performance, but you need to test those values
        open_file_cache max=200000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        # maximum number and size of buffers for large headers to read from client request
        large_client_header_buffers 4 256k;

        # read timeout for the request body from client -- for testing environment
        client_body_timeout   3m;

       # how long to wait for the client to send a request header -- for testing environment
        client_header_timeout 3m;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;


        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

100

101

102

103

104

105

# https://github.com/denji/nginx-tuning

user www-data;

worker_processes auto;

worker_cpu_affinity auto;

pid /run/nginx.pid;

worker_rlimit_nofile 100000;

error_log /var/log/nginx/nginxcriterror.log crit;

events {

worker_connections 4000;

use epoll;

multi_accept on;

}

http {

limit_conn conn_limit_per_ip 10;

limit_req zone=req_limit_per_ip burst=10 nodelay;

# copies data between one FD and other from within the kernel faster then read() + write()

sendfile on;

# send headers in one peace, its better then sending them one by one

tcp_nopush on;

# don't buffer data sent, good for small data bursts in real time

tcp_nodelay on;

# reduce the data that needs to be sent over network -- for testing environment

gzip on;

gzip_min_length 10240;

gzip_proxied expired no-cache no-store private auth;

gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;

gzip_disable msie6;

# allow the server to close connection on non responding client, this will free up memory

reset_timedout_connection on;

# if client stop responding, free up memory -- default 60

send_timeout 2;

# server will close connection after this time -- default 75

keepalive_timeout 30;

# number of requests client can make over keep-alive -- for testing environment

keepalive_requests 100000;

# Security

server_tokens off;

# limit the number of connections per single IP

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

# if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file

client_body_buffer_size 128k;

# headerbuffer size for the request header from client -- for testing environment

client_header_buffer_size 3m;

# to boost I/O on HDD we can disable access logs

access_log off;

# cache informations about FDs, frequently accessed files

# can boost performance, but you need to test those values

open_file_cache max=200000 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 2;

open_file_cache_errors on;

# maximum number and size of buffers for large headers to read from client request

large_client_header_buffers 4 256k;

# read timeout for the request body from client -- for testing environment

client_body_timeout 3m;

# how long to wait for the client to send a request header -- for testing environment

client_header_timeout 3m;

types_hash_max_size 2048;

# server_tokens off;

# server_names_hash_bucket_size 64;

# server_name_in_redirect off;

include /etc/nginx/mime.types;

default_type application/octet-stream;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

access_log /var/log/nginx/access.log;

error_log /var/log/nginx/error.log;

# gzip_vary on;

# gzip_proxied any;

# gzip_comp_level 6;

# gzip_buffers 16 8k;

# gzip_http_version 1.1;

# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*;

}

File Contents: /etc/nginx/sites-available/default

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;
 
server {
        # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
 
        access_log /var/log/nginx/myservername.com.log;
 
        root /usr/share/nginx/www;
        index index.php index.html index.htm;
 
        server_name www.myservername.com myservername.com localhost;
 
        # ssl on;
        # ssl_certificate /etc/nginx/ssl/cert_chain.crt;
        # ssl_certificate_key /etc/nginx/ssl/myservername.key;
        # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";              # disable some old ciphers
        # ssl_prefer_server_ciphers on;
        # ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # server_tokens off;
        # ssl_session_cache shared:SSL:40m;                                           # More info: http://nginx.com/blog/improve-seo-https-nginx/
        # Set SSL caching and storage/timeout values:
        # ssl_session_timeout 4h;
        # ssl_session_tickets off; # Requires nginx >= 1.5.9
        # OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
        # ssl_stapling on; # Requires nginx >= 1.3.7
        # ssl_stapling_verify on; # Requires nginx => 1.3.7
        # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 
        # add_header X-Frame-Options DENY;                                            # Prevent Clickjacking
 
        # Prevent MIME Sniffing
        # add_header X-Content-Type-Options nosniff;
 
 
        # Use Google DNS
        # resolver 8.8.8.8 8.8.4.4 valid=300s;
        # resolver_timeout 1m;
 
        # This is handled with the header above.
        # rewrite ^/(.*) https://myservername.com/$1 permanent;
 
        location / {
                try_files $uri $uri/ =404;
                index index.php index.html index.htm;
                proxy_set_header Proxy "";
        }
 
        fastcgi_param PHP_VALUE "memory_limit = 512M";
 
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                try_files $uri =404;
 
                # include snippets/fastcgi-php.conf;
 
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 
                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                # With php5-cgi alone:
                # fastcgi_pass 127.0.0.1:9000;
        }
 
        # deny access to .htaccess files, if Apache's document root
        #location ~ /\.ht {
        #       deny all;
        #}
}

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {

# listen [::]:80 default_server ipv6only=on; ## listen for ipv6

access_log /var/log/nginx/myservername.com.log;

root /usr/share/nginx/www;

index index.php index.html index.htm;

server_name www.myservername.com myservername.com localhost;

# ssl on;

# ssl_certificate /etc/nginx/ssl/cert_chain.crt;

# ssl_certificate_key /etc/nginx/ssl/myservername.key;

# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # disable some old ciphers

# ssl_prefer_server_ciphers on;

# ssl_dhparam /etc/nginx/ssl/dhparams.pem;

# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# server_tokens off;

# ssl_session_cache shared:SSL:40m; # More info: http://nginx.com/blog/improve-seo-https-nginx/

# Set SSL caching and storage/timeout values:

# ssl_session_timeout 4h;

# ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked

# ssl_stapling on; # Requires nginx >= 1.3.7

# ssl_stapling_verify on; # Requires nginx => 1.3.7

# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# add_header X-Frame-Options DENY; # Prevent Clickjacking

# Prevent MIME Sniffing

# add_header X-Content-Type-Options nosniff;

# Use Google DNS

# resolver 8.8.8.8 8.8.4.4 valid=300s;

# resolver_timeout 1m;

# This is handled with the header above.

# rewrite ^/(.*) https://myservername.com/$1 permanent;

location / {

try_files $uri $uri/ =404;

index index.php index.html index.htm;

proxy_set_header Proxy "";

}

fastcgi_param PHP_VALUE "memory_limit = 512M";

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

location ~ \.php$ {

try_files $uri =404;

# include snippets/fastcgi-php.conf;

fastcgi_split_path_info ^(.+\.php)(/.+)$;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;

# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

# With php5-cgi alone:

# fastcgi_pass 127.0.0.1:9000;

}

# deny access to .htaccess files, if Apache's document root

#location ~ /\.ht {

# deny all;

}

I talked to Dmitriy Kovtun (SSL CS) on the Namecheap Chat to resolve a privacy error (I stuffed up and I am getting the error “Your connection is not private” and “NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN”).

SSL checker says everything is fine.

I checked the certificate strength with SSL Labs (OK).

Test and Reload NGINX (Ubuntu)

sudo nginx -t
sudo nginx -s reload
sudo /etc/init.d/nginx restart

sudo nginx -t

sudo nginx -s reload

sudo /etc/init.d/nginx restart

Create a test PHP file

<?php
phpinfo()
?>

<?php

phpinfo()

It Works.

Install Utils (Ubuntu)

Install an interactive folder size program

sudo apt-get install ncdu
sudo ncdu /

1 2	sudo apt-get install ncdu sudo ncdu /

Install a better disk check utility

sudo apt-get install pydf
pydf

1 2	sudo apt-get install pydf pydf

Display startup processes

sudo apt-get install rcconf
sudo rcconf

1 2	sudo apt-get install rcconf sudo rcconf

Install JSON helper

sudo apt-get install jq
# Download and display a json file with jq
curl 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq .

sudo apt-get install jq

# Download and display a json file with jq

curl 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq .

Increase the console history

HISTSIZE=10000
HISTCONTROL=ignoredups

1 2	HISTSIZE=10000 HISTCONTROL=ignoredups

I rebooted to see if PHP started up.

sudo reboot

1	sudo reboot

OpenSSL Info (Ubuntu)

Read about updating OpenSSL here.

Update Ubuntu

sudo apt-get update
sudo apt-get dist-upgrade

1 2	sudo apt-get update sudo apt-get dist-upgrade

Vultr Firewall

I configured the server firewall at Vultr and ensured it was setup by clicking my server, then settings then firewall.

I then checked open ports with https://mxtoolbox.com/SuperTool.aspx

Assign a Domain (Vultr)

I assigned a domain with my VM at https://my.vultr.com/dns/add/

Charts

I reviewed the server information at Vultr (nice).

Install an FTP Server (Ubuntu)

I decided on pureftp-d based on this advice. I did try vsftpd but it failed. I used this guide to setup FTP and a user.

I used this guide to setup an FTP and a user. I was able to login via FTP but decided to setup C9 instead. I stopped the FTP service.

Connected to my vultr domain with C9.io

I logged into and created a new remote SSH connection to my Vultr server and copied the ssh key and added to my Vultr authorized keys file

sudo nano authorized_keys

1	sudo nano authorized_keys

I opened the site with C9 and it setup my environment.

I do love C9.io

Add an SSL certificate (Reissue existing SSL cert at NameCheap)

I had a chat with Konstantin Detinich (SSL CS) on Namecheap’s chat and he helped me through reissuing my certificate.

I have a three-year certificate so I reissued it. I will follow the Namecheap reissue guide here.

I recreated certificates

cd /etc/nginx/
mkdir ssl
cd ssl
sudo openssl req -newkey rsa:2048 -nodes -keyout mydomain_com.key -out mydomain_com.csr
cat mydomain_com.csr

cd /etc/nginx/

mkdir ssl

cd ssl

sudo openssl req -newkey rsa:2048 -nodes -keyout mydomain_com.key -out mydomain_com.csr

cat mydomain_com.csr

I posted the CSR into Name Cheap Reissue Certificate Form.

Tip: Make sure your certificate is using the same name and the old certificate.

I continued the Namecheap prompts and specified HTTP domain control verification.

Namecheap Output: When you submit your info for this step, the activation process will begin and your SSL certificate will be available from your Domain List. To finalize the activation, you’ll need to complete the Domain Control Validation process. Please follow the instructions below.

Now I will wait for the verification instructions.

Update: I waited a few hours and the instructions never came so I logged in to the NameCheap portal and downloaded the HTTP domain verification file. and uploaded it to my domain.

I forgot to add the text file to the NGINX allowed files in files list.

I added the following file: /etc/nginx/sites-available/default

index index.php index.html index.htm 53guidremovedE5.txt;

1	index index.php index.html index.htm 53guidremovedE5.txt;

I reloaded and restarted NGINX

sudo nginx -t
nginx -s reload
sudo /etc/init.d/nginx restart

sudo nginx -t

nginx -s reload

sudo /etc/init.d/nginx restart

The file now loaded over port 80. I then checked Namecheap chat (Alexandra Belyaninova) to speed up the HTTP Domain verification and they said the text file needs to be placed in /.well-known/pki-validation/ folder (not specified in the earlier steps).

http://mydomain.com/.well-known/pki-validation/53gudremovedE5.txt and http://www.mydoamin.com/.well-known/pki-validation/53guidremovedE5.txt

1	http://mydomain.com/.well-known/pki-validation/53gudremovedE5.txt and http://www.mydoamin.com/.well-known/pki-validation/53guidremovedE5.txt

The certificate reissue was all approved and available for download.

I uploaded all files related to the ssl cert to /etc/nginx/ssl/ and read my guide here to refresh myself on what is next.

I ran this command in the folder /etc/nginx/ssl/ to generate a DH prime rather than downloading a nice new one from here.

openssl dhparam -out dhparams4096.pem 4096

1	openssl dhparam -out dhparams4096.pem 4096

This namecheap guide will tell you how to activate a new certificate and how to generate a CSR file. Note: The guide to the left will generate a 2048 bit key and this will cap you SSL certificates security to a B at http://www.sslabs.com/ssltest so I recommend you generate an 4096 bit csr key and 4096 bit Diffie Hellmann key.

I used https://certificatechain.io/ to generate a valid certificate chain.

My SSL /etc/nginx/ssl/sites-available/default config

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	
	listen 443 ssl;

	limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;

	root /www;
        index index.php index.html index.htm;

	server_name www.thedomain.com thedomain.com localhost;

        # ssl on This causes to manuy http redirects
        ssl_certificate /etc/nginx/ssl/trust-chain.crt;
        ssl_certificate_key /etc/nginx/ssl/thedomain_com.key;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";              # disable some old ciphers
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/ssl/dhparams4096.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        server_tokens off;
        ssl_session_cache shared:SSL:40m;                                           # More info: http://nginx.com/blog/improve-seo-https-nginx/
        
        # Set SSL caching and storage/timeout values:
        ssl_session_timeout 4h;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        
        # OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

	add_header X-Frame-Options DENY;                                            # Prevent Clickjacking
 
        # Prevent MIME Sniffing
        add_header X-Content-Type-Options nosniff;
  
        # Use Google DNS
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 1m;
 
        # This is handled with the header above.
        # rewrite ^/(.*) https://thedomain.com/$1 permanent;

	location / {
                try_files $uri $uri/ =404;
                index index.php index.html index.htm;
                proxy_set_header Proxy "";
        }
 
        fastcgi_param PHP_VALUE "memory_limit = 1024M";

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                try_files $uri =404;
 
                # include snippets/fastcgi-php.conf;
 
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 
                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                # With php5-cgi alone:
                # fastcgi_pass 127.0.0.1:9000;
        }
 
        # deny access to .htaccess files, if Apache's document root
        location ~ /\.ht {
               deny all;
        }
	
}

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {

listen 80 default_server;

listen [::]:80 default_server;

listen 443 ssl;

limit_conn conn_limit_per_ip 10;

limit_req zone=req_limit_per_ip burst=10 nodelay;

root /www;

index index.php index.html index.htm;

server_name www.thedomain.com thedomain.com localhost;

# ssl on This causes to manuy http redirects

ssl_certificate /etc/nginx/ssl/trust-chain.crt;

ssl_certificate_key /etc/nginx/ssl/thedomain_com.key;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # disable some old ciphers

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/ssl/dhparams4096.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

server_tokens off;

ssl_session_cache shared:SSL:40m; # More info: http://nginx.com/blog/improve-seo-https-nginx/

# Set SSL caching and storage/timeout values:

ssl_session_timeout 4h;

ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked

ssl_stapling on; # Requires nginx >= 1.3.7

ssl_stapling_verify on; # Requires nginx => 1.3.7

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

add_header X-Frame-Options DENY; # Prevent Clickjacking

# Prevent MIME Sniffing

add_header X-Content-Type-Options nosniff;

# Use Google DNS

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 1m;

# This is handled with the header above.

# rewrite ^/(.*) https://thedomain.com/$1 permanent;

location / {

try_files $uri $uri/ =404;

index index.php index.html index.htm;

proxy_set_header Proxy "";

}

fastcgi_param PHP_VALUE "memory_limit = 1024M";

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

location ~ \.php$ {

try_files $uri =404;

# include snippets/fastcgi-php.conf;

fastcgi_split_path_info ^(.+\.php)(/.+)$;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;

# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

# With php5-cgi alone:

# fastcgi_pass 127.0.0.1:9000;

}

# deny access to .htaccess files, if Apache's document root

location ~ /\.ht {

deny all;

}

My /etc/nginx/nginx.conf Config

# https://github.com/denji/nginx-tuning
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/nginxcriterror.log crit;

events {
	worker_connections 4000;
	use epoll;
	multi_accept on;
}

http {

        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;

        # copies data between one FD and other from within the kernel faster then read() + write()
        sendfile on;

        # send headers in one peace, its better then sending them one by one
        tcp_nopush on;

        # don't buffer data sent, good for small data bursts in real time
        tcp_nodelay on;

        # reduce the data that needs to be sent over network -- for testing environment
        gzip on;
        gzip_min_length 10240;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
        gzip_disable msie6;

        # allow the server to close connection on non responding client, this will free up memory
        reset_timedout_connection on;

        # if client stop responding, free up memory -- default 60
        send_timeout 2;

        # server will close connection after this time -- default 75
        keepalive_timeout 30;

        # number of requests client can make over keep-alive -- for testing environment
        keepalive_requests 100000;

        # Security
        server_tokens off;

        # limit the number of connections per single IP 
        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

        # limit the number of requests for a given session
        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file
        client_body_buffer_size  128k;

        # headerbuffer size for the request header from client -- for testing environment
        client_header_buffer_size 3m;

        # to boost I/O on HDD we can disable access logs
        access_log off;

        # cache informations about FDs, frequently accessed files
        # can boost performance, but you need to test those values
        open_file_cache max=200000 inactive=20s; 
        open_file_cache_valid 30s; 
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        # maximum number and size of buffers for large headers to read from client request
        large_client_header_buffers 4 256k;

        # read timeout for the request body from client -- for testing environment
        client_body_timeout   3m;

        # how long to wait for the client to send a request header -- for testing environment
        client_header_timeout 3m;
	types_hash_max_size 2048;
	# server_tokens off;
	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	
	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

# https://github.com/denji/nginx-tuning

user www-data;

worker_processes auto;

worker_cpu_affinity auto;

pid /run/nginx.pid;

worker_rlimit_nofile 100000;

error_log /var/log/nginx/nginxcriterror.log crit;

events {

worker_connections 4000;

use epoll;

multi_accept on;

}

http {

limit_conn conn_limit_per_ip 10;

limit_req zone=req_limit_per_ip burst=10 nodelay;

# copies data between one FD and other from within the kernel faster then read() + write()

sendfile on;

# send headers in one peace, its better then sending them one by one

tcp_nopush on;

# don't buffer data sent, good for small data bursts in real time

tcp_nodelay on;

# reduce the data that needs to be sent over network -- for testing environment

gzip on;

gzip_min_length 10240;

gzip_proxied expired no-cache no-store private auth;

gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;

gzip_disable msie6;

# allow the server to close connection on non responding client, this will free up memory

reset_timedout_connection on;

# if client stop responding, free up memory -- default 60

send_timeout 2;

# server will close connection after this time -- default 75

keepalive_timeout 30;

# number of requests client can make over keep-alive -- for testing environment

keepalive_requests 100000;

# Security

server_tokens off;

# limit the number of connections per single IP

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

# limit the number of requests for a given session

limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

# if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file

client_body_buffer_size 128k;

# headerbuffer size for the request header from client -- for testing environment

client_header_buffer_size 3m;

# to boost I/O on HDD we can disable access logs

access_log off;

# cache informations about FDs, frequently accessed files

# can boost performance, but you need to test those values

open_file_cache max=200000 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 2;

open_file_cache_errors on;

# maximum number and size of buffers for large headers to read from client request

large_client_header_buffers 4 256k;

# read timeout for the request body from client -- for testing environment

client_body_timeout 3m;

# how long to wait for the client to send a request header -- for testing environment

client_header_timeout 3m;

types_hash_max_size 2048;

# server_tokens off;

# server_names_hash_bucket_size 64;

# server_name_in_redirect off;

include /etc/nginx/mime.types;

default_type application/octet-stream;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

access_log /var/log/nginx/access.log;

error_log /var/log/nginx/error.log;

# gzip_vary on;

# gzip_proxied any;

# gzip_comp_level 6;

# gzip_buffers 16 8k;

# gzip_http_version 1.1;

# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*;

}

#mail {

# # See sample authentication script at:

# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript

# # auth_http localhost/auth.php;

# # pop3_capabilities "TOP" "USER";

# # imap_capabilities "IMAP4rev1" "UIDPLUS";

# server {

# listen localhost:110;

# protocol pop3;

# proxy on;

# }

# server {

# listen localhost:143;

# protocol imap;

# proxy on;

# }

Namecheap support checked my certificate with https://decoder.link/sslchecker/ (no errors). Other SSL checkers are https://certlogik.com/ssl-checker/ and https://sslanalyzer.comodoca.com/

I was given a new certificate to try by Namecheap.

Namecheap Chat (Dmitriy) also recommended I clear my google cache as they did not see errors on their side (this worked).

SSL Security

Read my past guide on adding SSL to a Digital Ocean server.

I am checking my site with https://www.ssllabs.com/ssltest/ (OK).

My site came up clean with shodan.io

OpenSSL Version

I checked the OpenSLL version to see if it was up to date

openssl version
OpenSSL 1.1.0f  25 May 2017

1 2	openssl version OpenSSL 1.1.0f 25 May 2017

Yep, all up to date https://www.openssl.org/

I will check often.

Install MySQL GUI

Installed the Adminer MySQL GUI tool (uploaded)

Don’t forget to check your servers IP with www.shodan.io to ensure there are no back doors.

I had to increase PHP’supload_max_filesize file size temporarily to allow me to restore a database backup. I edited the php file in /etc/php/7.0/fmp/php.ini and then reload php

sudo service php7.0-fpm restart

1	sudo service php7.0-fpm restart

I used Adminer to restore a database.

Support

I found the email support to Vultr was great, I had an email reply in minutes. The Namecheap chat was awesome too. I did have an unplanned reboot on a Vultr node that one of my servers were on (let’s hope the server survives).

View the Vultr service status page is located here.

Conclusion

I now have a secure server with MySQL and other web resources ready to go. I will not add some remote monitoring and restore a website along with NodeJS and MongoDB.

Definitely, give Vulrt go (they even have data centers in Sydney). Signup with this link http://www.vultr.com/?ref=7192231

Namecheap is great for certificates and support.

Vultr API

Vultr has a great API that you can use to automate status pages or obtain information about your VM instances.

API Location: https://www.vultr.com/api/

First, you will need to activate API access and allow your IP addresses (IPV4 and IPV6) in Vultr. At first, I only allowed IPV4 addresses but it looks as if Vultr use IPV6 internally so add your IPV6 IP (if you are hitting the IP form, a Vultr server). Beware that the return JSON from the https://api.vultr.com/v1/server/list API has URLs (and tokens) to your virtual console and root passwords so ensure your API key is secured.

Here is some working PHP code to query the API

<?php

$ch = curl_init();
$headers = [
     'API-Key: removed'
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/list');

$server_output = curl_exec ($ch);
curl_close ($ch);
print  $server_output ;
curl_close($ch);
     
echo json_decode($server_output);
?>

<?php

$ch = curl_init();

$headers = [

'API-Key: removed'

];

curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/list');

$server_output = curl_exec ($ch);

curl_close ($ch);

print $server_output ;

curl_close($ch);

echo json_decode($server_output);

Your server will need to curl installed and you will need to enable URL opening in your php.ini file.

allow_url_fopen = On

1	allow_url_fopen = On

Once you have curl (and the API) working via PHP, this code will return data from the API for a nominated server (replace ‘123456’ with the id from your server at https://my.vultr.com/).

$ch = curl_init();
$headers = [
'API-Key: removed'
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/list');

$server_output = curl_exec ($ch);
curl_close ($ch);
//print  $server_output ;
curl_close($ch);

$array = json_decode($server_output, true);

// # Replace 1234546 with the ID from your server at https://my.vultr.com/

//Get Server Location
$vultr_location = $array['123456']['location'];
echo "Location: $vultr_location <br/>";

//Get Server CPU Count
$vultr_cpu = $array['123456']['vcpu_count'];
echo "CPUs: $vultr_cpu <br/>";

//Get Server OS
$vultr_os = $array['123456']['os'];
echo "OS: $vultr_os<br />";

//Get Server RAM
$vultr_ram = $array['123456']['ram'];
echo "Ram: $vultr_ram<br />";

//Get Server Disk
$vultr_disk = $array['123456']['disk'];
echo "Disk: $vultr_disk<br />";

//Get Server Allowed Bnadwidth
$vultr_bandwidth_allowed = $array['123456']['allowed_bandwidth_gb'];

//Get Server Used Bnadwidth
$vultr_bandwidth_used = $array['123456']['current_bandwidth_gb'];

echo "Bandwidth: $vultr_bandwidth_used MB of $vultr_bandwidth_allowed MB<br />";

//Get Server Power Sttaus
$vultr_power = $array['123456']['power_status'];
echo "Power State: $vultr_power<br />";

 //Get Server State
$vultr_state = $array['123456']['server_state'];
echo "Server State: $vultr_state<br />";

$ch = curl_init();

$headers = [

'API-Key: removed'

];

curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/list');

$server_output = curl_exec ($ch);

curl_close ($ch);

//print $server_output ;

curl_close($ch);

$array = json_decode($server_output, true);

// # Replace 1234546 with the ID from your server at https://my.vultr.com/

//Get Server Location

$vultr_location = $array['123456']['location'];

echo "Location: $vultr_location ";

//Get Server CPU Count

$vultr_cpu = $array['123456']['vcpu_count'];

echo "CPUs: $vultr_cpu ";

//Get Server OS

$vultr_os = $array['123456']['os'];

echo "OS: $vultr_os ";

//Get Server RAM

$vultr_ram = $array['123456']['ram'];

echo "Ram: $vultr_ram ";

//Get Server Disk

$vultr_disk = $array['123456']['disk'];

echo "Disk: $vultr_disk ";

//Get Server Allowed Bnadwidth

$vultr_bandwidth_allowed = $array['123456']['allowed_bandwidth_gb'];

//Get Server Used Bnadwidth

$vultr_bandwidth_used = $array['123456']['current_bandwidth_gb'];

echo "Bandwidth: $vultr_bandwidth_used MB of $vultr_bandwidth_allowed MB ";

//Get Server Power Sttaus

$vultr_power = $array['123456']['power_status'];

echo "Power State: $vultr_power ";

//Get Server State

$vultr_state = $array['123456']['server_state'];

echo "Server State: $vultr_state ";

A raw packet looks like this from https://api.vultr.com/v1/server/list

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 30 Jul 2017 12:02:34 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
X-User: user@email.com
Expires: Sun, 30 Jul 2017 12:02:33 GMT
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff

{"123456":{"SUBID":"123456","os":"Ubuntu 16.04 x64","ram":"4096 MB","disk":"Virtual 60 GB","main_ip":"###.###.###.###","vcpu_count":"2","location":"Sydney","DCID":"##","default_password":"removed","date_created":"2017-01-01 09:00:00","pending_charges":"0.01","status":"active","cost_per_month":"20.00","current_bandwidth_gb":0.001,"allowed_bandwidth_gb":"3000","netmask_v4":"255.255.254.0","gateway_v4":"###.###.###.#,"power_status":"running","server_state":"ok","VPSPLANID":"###","v6_main_ip":"####:####:####:###:####:####:####:####","v6_network_size":"##","v6_network":"####:####:####:###:","v6_networks":[{"v6_main_ip":"####:####:####:###:####:####::####","v6_network_size":"##","v6_network":"####:####:####:###::"}],"label":"####","internal_ip":"###.###.###.##","kvm_url":"removed","auto_backups":"no","tag":"Server01","OSID":"###","APPID":"#","FIREWALLGROUPID":"########"}}

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 30 Jul 2017 12:02:34 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: close

X-User: user@email.com

Expires: Sun, 30 Jul 2017 12:02:33 GMT

Cache-Control: no-cache

X-Frame-Options: DENY

Strict-Transport-Security: max-age=31536000

X-Content-Type-Options: nosniff

{"123456":{"SUBID":"123456","os":"Ubuntu 16.04 x64","ram":"4096 MB","disk":"Virtual 60 GB","main_ip":"###.###.###.###","vcpu_count":"2","location":"Sydney","DCID":"##","default_password":"removed","date_created":"2017-01-01 09:00:00","pending_charges":"0.01","status":"active","cost_per_month":"20.00","current_bandwidth_gb":0.001,"allowed_bandwidth_gb":"3000","netmask_v4":"255.255.254.0","gateway_v4":"###.###.###.#,"power_status":"running","server_state":"ok","VPSPLANID":"###","v6_main_ip":"####:####:####:###:####:####:####:####","v6_network_size":"##","v6_network":"####:####:####:###:","v6_networks":[{"v6_main_ip":"####:####:####:###:####:####::####","v6_network_size":"##","v6_network":"####:####:####:###::"}],"label":"####","internal_ip":"###.###.###.##","kvm_url":"removed","auto_backups":"no","tag":"Server01","OSID":"###","APPID":"#","FIREWALLGROUPID":"########"}}

I recommend the Paw software for any API testing locally on OSX.

Bonus: Converting Vultr Network totals from the Vultr API with PHP

Add the following as a global PHP function in your PHP file. Found the number formatting solution here.

<?php
// Found at https://stackoverflow.com/questions/2510434/format-bytes-to-kilobytes-megabytes-gigabytes 

function swissConverter($value, $format = true, $precision = 2) {
    // Below converts value into bytes depending on input (specify mb, for 
    // example)
    $bytes = preg_replace_callback('/^\s*(\d+)\s*(?:([kmgt]?)b?)?\s*$/i', 
    function ($m) {
        switch (strtolower($m[2])) {
          case 't': $m[1] *= 1024;
          case 'g': $m[1] *= 1024;
          case 'm': $m[1] *= 1024;
          case 'k': $m[1] *= 1024;
        }
        return $m[1];
        }, $value);
    if(is_numeric($bytes)) {
        if($format === true) {
            //Below converts bytes into proper formatting (human readable 
            //basically)
            $base = log($bytes, 1024);
            $suffixes = array('', 'KB', 'MB', 'GB', 'TB');   

            return round(pow(1024, $base - floor($base)), $precision) .' '. 
                     $suffixes[floor($base)];
        } else {
            return $bytes;
        }
    } else {
        return NULL; //Change to prefered response
    }
}
?>

<?php

// Found at https://stackoverflow.com/questions/2510434/format-bytes-to-kilobytes-megabytes-gigabytes

function swissConverter($value, $format = true, $precision = 2) {

// Below converts value into bytes depending on input (specify mb, for

// example)

$bytes = preg_replace_callback('/^\s*(\d+)\s*(?:([kmgt]?)b?)?\s*$/i',

function ($m) {

switch (strtolower($m[2])) {

case 't': $m[1] *= 1024;

case 'g': $m[1] *= 1024;

case 'm': $m[1] *= 1024;

case 'k': $m[1] *= 1024;

}

return $m[1];

}, $value);

if(is_numeric($bytes)) {

if($format === true) {

//Below converts bytes into proper formatting (human readable

//basically)

$base = log($bytes, 1024);

$suffixes = array('', 'KB', 'MB', 'GB', 'TB');

return round(pow(1024, $base - floor($base)), $precision) .' '.

$suffixes[floor($base)];

} else {

return $bytes;

}

} else {

return NULL; //Change to prefered response

}

Now you can query the https://api.vultr.com/v1/server/bandwidth?SUBID=123456 API and get bandwidth information related to your server (replace 123456 with your servers ID).

<h4>Network Stats:</h4><br />
<?php

$ch = curl_init();
$headers = [
    'API-Key: removed'
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Change 123456 to your server ID

curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/bandwidth?SUBID=123456');

$server_output = curl_exec ($ch);
curl_close ($ch);
//print  $server_output ;
curl_close($ch);

$array = json_decode($server_output, true);

//Get 123456 Incoming Bytes Yesterday
$vultr123456_imcoming00ib = $array['incoming_bytes'][0][1];
echo " &nbsp; &nbsp; Incoming Data Total Day Before Yesterday: <strong>" . swissConverter($vultr123456_imcoming00ib, true) . "</strong><br/>";

//Get 123456 Incoming Bytes Yesterday
$vultr123456_imcoming00ib = $array['incoming_bytes'][1][1];
echo " &nbsp; &nbsp; Incoming Data Total Yesterday: <strong>" . swissConverter($vultr123456_imcoming00ib, true) . "</strong><br/>";

//Get 123456 Incoming Bytes Today
$vultr123456_imcoming00ib = $array['incoming_bytes'][2][1];
echo " &nbsp; &nbsp; Incoming Data Total Today: <strong>" . swissConverter($vultr123456_imcoming00ib, true) . "</strong><br/><br/>";

//Get 123456 Outgoing Bytes Day Before Yesterday 
$vultr123456_imcoming10ob = $array['outgoing_bytes'][0][1];
echo " &nbsp; &nbsp; Outgoing Data Total Yesterday: <strong>" . swissConverter($vultr123456_imcoming10ob, true) . "</strong><br/>";

//Get 123456 Outgoing Bytes Yesterday 
$vultr123456_imcoming10ob = $array['outgoing_bytes'][1][1];
echo " &nbsp; &nbsp; Outgoing Data Total Yesterday: <strong>" . swissConverter($vultr123456_imcoming10ob, true) . "</strong><br/>";

//Get 123456 Outgoing Bytes Today 
$vultr123456_imcoming00ob = $array['outgoing_bytes'][2][1];
echo " &nbsp; &nbsp; Outgoing Data Total Today: <strong>" . swissConverter($vultr123456_imcoming00ob, true) . "</strong><br/>";

echo "<br />";
?>

<h4>Network Stats:</h4>

<?php

$ch = curl_init();

$headers = [

'API-Key: removed'

];

curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Change 123456 to your server ID

curl_setopt($ch, CURLOPT_URL, 'https://api.vultr.com/v1/server/bandwidth?SUBID=123456');

$server_output = curl_exec ($ch);

curl_close ($ch);

//print $server_output ;

curl_close($ch);

$array = json_decode($server_output, true);

//Get 123456 Incoming Bytes Yesterday

$vultr123456_imcoming00ib = $array['incoming_bytes'][0][1];

echo "     Incoming Data Total Day Before Yesterday: " . swissConverter($vultr123456_imcoming00ib, true) . " ";

//Get 123456 Incoming Bytes Yesterday

$vultr123456_imcoming00ib = $array['incoming_bytes'][1][1];

echo "     Incoming Data Total Yesterday: " . swissConverter($vultr123456_imcoming00ib, true) . " ";

//Get 123456 Incoming Bytes Today

$vultr123456_imcoming00ib = $array['incoming_bytes'][2][1];

echo "     Incoming Data Total Today: " . swissConverter($vultr123456_imcoming00ib, true) . " ";

//Get 123456 Outgoing Bytes Day Before Yesterday

$vultr123456_imcoming10ob = $array['outgoing_bytes'][0][1];

echo "     Outgoing Data Total Yesterday: " . swissConverter($vultr123456_imcoming10ob, true) . " ";

//Get 123456 Outgoing Bytes Yesterday

$vultr123456_imcoming10ob = $array['outgoing_bytes'][1][1];

echo "     Outgoing Data Total Yesterday: " . swissConverter($vultr123456_imcoming10ob, true) . " ";

//Get 123456 Outgoing Bytes Today

$vultr123456_imcoming00ob = $array['outgoing_bytes'][2][1];

echo "     Outgoing Data Total Today: " . swissConverter($vultr123456_imcoming00ob, true) . " ";

echo " ";

Bonus: Pinging a Vultr server from the Vultr API with PHP’s fsockopen function

Paste the ping function globally

<?php
function pingfsockopen($host,$port=443,$timeout=3)
{
        $fsock = fsockopen($host, $port, $errno, $errstr, $timeout);
        if ( ! $fsock )
        {
                return FALSE;
        }
        else
        {
                return TRUE;
        }
}
?>

<?php

function pingfsockopen($host,$port=443,$timeout=3)

{

$fsock = fsockopen($host, $port, $errno, $errstr, $timeout);

if ( ! $fsock )

{

return FALSE;

}

else

{

return TRUE;

}

Now you can grab the servers IP from https://api.vultr.com/v1/server/list and then ping it (on SSL port 443).

//Get Server 123456 IP
$vultr_mainip = $array['123456']['main_ip'];
$up = pingfsockopen($vultr_mainip);
if( $up ) {
        echo " &nbsp; &nbsp; Server is UP.<br />";
}
else {
        echo " &nbsp; &nbsp; Server is DOWN<br />";
}

//Get Server 123456 IP

$vultr_mainip = $array['123456']['main_ip'];

$up = pingfsockopen($vultr_mainip);

if( $up ) {

echo "     Server is UP. ";

}

else {

echo "     Server is DOWN ";

}

What have I missed?

Read my guide on Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute.

Donate and make this blog better

Ask a question or recommend an article

v1.98 added more info on Vultr API and pinging (11:58pm 30th July 2017 AEST)

How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.

November 6, 2016 by Leave a Comment

This guide will help you buy a new domain and SSL certificate from NameCheap, a self-managed Ubuntu 16.04 Server from Digital Ocean and configuring it with NGINX Web server, SSL etc.

Creating an AWS EC2 Ubuntu 14.04 server with NGINX, Node and MySQL and phpMyAdmin

August 16, 2016 by

Creating an AWS EC2 Ubuntu 14.04 server with NGINX, Node and MySQL and phpMyAdmin

August 16, 2016 by Simon Fearby 6 Comments

This blog lists the actions I went through to setup an AWS EC2 Ubuntu Server and add the usual applications. This follows on from my guide to setup a Digital Ocean server server guide and Vultr setup guide.

Variable Pricing

Amazon Web Services give developers 12 months of free access to a range of products. Amazon don’ t have flat rate fees like Digital Ocean instead, AWS grant you a minimum level of CPU credits for each server type. A “t2.micro” (1CPU/1GB ram $0.013c/hour server) gets 6 CPU credits an hour. That is enough for a CPU to run at 10% all the time, you can bank up to 144 CPU credits that you can use when the application spikes. The “t2.micro” is the free tier server (costs nothing for 12 months), but when the trial runs our that’s $9.50 a month. The next server up is a “t2.small” (1 CPU, 2GB ram) and you get 12 CCPUredits and hour and can bank 288, that enough for 20% CPU usage all the time.

The “t2.medium” server (2 CPU’s, 4GB Ram), allows 40% CPU usage credits, 24 CPU credits an hour with 576 bankable. That server costs $0.052c and hour and is $38 a month. Don’t forget to cache content.

I used about 40 CPU credits generating a 4096bit secure prime Diffie-Hellman key for an SSL Certificate on my t2.micro server. More Information on AWS Instance pricing here and here.

Creating an AWS Account (Free Trial)

The signup process is simple.

Create a free AWS account.
Enter your CC details (for any non-free services) and submit your account.

It will take 2 days or more for Amazon to manually approve your account. When you have been approved, navigate to https://console.aws.amazon.com login and set your region in the top right next to your name (in my case I will go with Australia ‘ap-southeast-2‘).

My console home is now: https://ap-southeast-2.console.aws.amazon.com/ec2/v2/home?region=ap-southeast-2#LaunchInstanceWizard

Create a Server

You can follow the prompts to set up a free tier EC2 Ubuntu server here.

1. Choose Ubuntu EC2

2. Choose Instance Type: t2-micro (1x CPU, 1GB Ram)

3. Configure Instance: 1

4. Add Storage: /dev/sda1, 8GB+, 10-3000 IOPS

5. Tag Instance: Your own role specific tags

6. Configure Security Group: Default firewall rules.

7. Review

Tip: Create a 25GB volume (instead of 8GB) or you will need to add an extra volume mount it with the following commands.

sudo nano /etc/fstab
(append the following line)
/dev/xvdf    /mydata    ext4    defaults,nofail    0    2
sudo mkfs -t ext4 /dev/xvdf
sudo mkdir /mydata
mount -a
cd /mydata
ls -al

sudo nano /etc/fstab

(append the following line)

/dev/xvdf /mydata ext4 defaults,nofail 0 2

sudo mkfs -t ext4 /dev/xvdf

sudo mkdir /mydata

mount -a

cd /mydata

ls -al

Part of theEC2 server setup was to save a .PEM file to your SSH folder on your local PC ( ~/.ssh/mysererkeypair.pem).

You will need to secure the file:

chmod 400 ~/.ssh/mysererkeypair.pem

1	chmod 400 ~/.ssh/mysererkeypair.pem

Before we connect to the server we need to configure the firewall here in the Amazon Console.

Type	Protocol	Port Range	Source	Comment
HTTP	TCP	80	0.0.0.0/0	Opens a web server port for later
All ICMP	ALL	N/A	0.0.0.0/0	Allows you to ping
All traffic	ALL	All	0.0.0.0/0	Not advisable long term but OK for testing today.
SSH	TCP	22	0.0.0.0/0	Not advisable, try and limit this to known IP’s only.
HTTPS	TCP	443	0.0.0.0/0	Opens a secure web server port for later

DNS

You will need to assign a status IP to your server (apparently the public IP is not static). Here is a good read on connecting a domain name to the IP and assigning an elastic IP to your server. Once you have assigned an elastic IP you can point your domain to your instance.

Installing the Amazon Command Line Interface utils on your local PC

This is required to see your servers console screen and then connect via SSH.

curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
/usr/local/bin/aws --version

curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"

unzip awscli-bundle.zip

sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws

/usr/local/bin/aws --version

You now need to configure your AWS CLI, first generate Access Keys here. While you are there setup Multi-Factor Authentication with Google Authenticator.

aws configure
> AWS Access Key ID: {You AWS API Key}
> AWS Secret Access Key: {You AWS Secret Accss Key}
> Default region name: ap-southeast-2 
> Default output format: text

aws configure

> AWS Access Key ID: {You AWS API Key}

> AWS Secret Access Key: {You AWS Secret Accss Key}

> Default region name: ap-southeast-2

> Default output format: text

Once you have configured your CLI you can connect and review your Ubuntu console output (the instance ID can be found in your EC2 server list).

aws ec2 get-console-output --instance-id i-123456789

1	aws ec2 get-console-output --instance-id i-123456789

Now you can hopefully connect to your server and accept any certificates to finish the connection.

ssh -i ~/.ssh/myserverpair.pem ubuntu@ec2-xx-xx-xxx-xxx.ap-southeast-2.compute.amazonaws.com

1	ssh -i ~/.ssh/myserverpair.pem ubuntu@ec2-xx-xx-xxx-xxx.ap-southeast-2.compute.amazonaws.com

Success, I can now access my AWS Instance.

Setting the Time and Daylight Savings.

Check your time.

sudo hwclock --show
> Fri 21 Oct 2016 11:58:44 PM AEDT  -0.814403 seconds

1 2	sudo hwclock --show > Fri 21 Oct 2016 11:58:44 PM AEDT -0.814403 seconds

My Daylight savings have not kicked in.

Install ntp service

sudo apt install ntp

1	sudo apt install ntp

Set your Timezone

dpkg-reconfigure tzdata

1	dpkg-reconfigure tzdata

Go to http://www.pool.ntp.org/zone/au and find my NTP server (or go here if you are outside Australia)

server 0.au.pool.ntp.org
server 1.au.pool.ntp.org
server 2.au.pool.ntp.org
server 3.au.pool.ntp.org

server 0.au.pool.ntp.org

server 1.au.pool.ntp.org

server 2.au.pool.ntp.org

server 3.au.pool.ntp.org

Add the NTP servers to “/etc/ntp.conf” and restart he NTP service.

sudo service ntp restart

1	sudo service ntp restart

Now check your time again and you should have the right time.

sudo hwclock --show
> Fri 21 Oct 2016 11:07:38 PM AEDT  -0.966273 seconds

1 2	sudo hwclock --show > Fri 21 Oct 2016 11:07:38 PM AEDT -0.966273 seconds

🙂

Installing NGINX

I am going to be installing the latest v1.11.1 mainline development (non-legacy version). Beware of bugs and breaking changes here.

sudo add-apt-repository ppa:chris-lea/nginx-devel
sudo apt-get update
sudo apt-get install nginx
sudo service nginx start
nginx -v

sudo add-apt-repository ppa:chris-lea/nginx-devel

sudo apt-get update

sudo apt-get install nginx

sudo service nginx start

nginx -v

NGINX is now installed. Try and get to your domain via port 80 (if it fails to load, check your firewall).

Installing NodeJS

Here is how you can install the latest NGINX (development build), beware of bugs and frequent changes. Read the API docs here.

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
sudo apt-get install -y nodejs
nodejs -v

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -

sudo apt-get install -y nodejs

nodejs -v

NodeJS is installed.

Installing MySQL

sudo apt-get install mysql-common
sudo apt-get install mysql-server
mysql --version
sudo mysql_install_db
sudo mysql_secure_installation
service mysql status

sudo apt-get install mysql-common

sudo apt-get install mysql-server

mysql --version

sudo mysql_install_db

sudo mysql_secure_installation

service mysql status

Install PHP 7.x and PHP7.0-FPM

I am going to install PHP 7 due to the speed improvements over 5.x. Below were the commands I entered to install PHP (thanks to this guide)

sudo add-apt-repository ppa:ondrej/php
sudo apt-get install -y language-pack-en-base
sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php7.0
sudo apt-get install php7.0-mysql
sudo apt-get install php7.0-fpm
sudo nano /etc/php/7.0/fpm/php.ini
> edit: cgi.fix_pathinfo=0
sudo service php7.0-fpm restart	
service php7.0-fpm status

sudo add-apt-repository ppa:ondrej/php

sudo apt-get install -y language-pack-en-base

sudo LC_ALL=en_US.UTF-8 add-apt-repository ppa:ondrej/php

sudo apt-get update

sudo apt-get install php7.0

sudo apt-get install php7.0-mysql

sudo apt-get install php7.0-fpm

sudo nano /etc/php/7.0/fpm/php.ini

> edit: cgi.fix_pathinfo=0

sudo service php7.0-fpm restart

service php7.0-fpm status

Now install misc helper modules into php 7 (thanks to this guide)

apt-get install php-xdebug
sudo apt-get install php7.0-phpdbg php7.0-mbstring php7.0-gd php7.0-imap 
sudo apt-get install php7.0-ldap php7.0-pgsql php7.0-pspell php7.0-recode 
sudo apt-get install php7.0-snmp php7.0-tidy php7.0-dev php7.0-intl 
sudo apt-get install php7.0-gd php7.0-curl php7.0-zip php7.0-xml
sudo nginx –s reload
sudo /etc/init.d/nginx restart
sudo service php7.0-fpm restart
php -v

apt-get install php-xdebug

sudo apt-get install php7.0-phpdbg php7.0-mbstring php7.0-gd php7.0-imap

sudo apt-get install php7.0-ldap php7.0-pgsql php7.0-pspell php7.0-recode

sudo apt-get install php7.0-snmp php7.0-tidy php7.0-dev php7.0-intl

sudo apt-get install php7.0-gd php7.0-curl php7.0-zip php7.0-xml

sudo nginx –s reload

sudo /etc/init.d/nginx restart

sudo service php7.0-fpm restart

php -v

NGINX Configuration

NGINX can be a bit tricky to setup for newbies and your configuration will certainly be different but here is mine (so far):

File: /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /var/run/nginx.pid;
events {
        worker_connections 1024;
        multi_accept on;
}
http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
        client_body_buffer_size      128k;
        client_max_body_size         10m;
        client_header_buffer_size    1k;
        large_client_header_buffers  4 4k;
        output_buffers               1 32k;
        postpone_output              1460;

        proxy_headers_hash_max_size 2048;
        proxy_headers_hash_bucket_size 512;

        client_header_timeout  1m;
        client_body_timeout    1m;
        send_timeout           1m;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        # ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;
	gzip_disable "msie6";
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_min_length 256;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

user www-data;

worker_processes auto;

worker_cpu_affinity auto;

pid /var/run/nginx.pid;

events {

worker_connections 1024;

multi_accept on;

}

http {

sendfile on;

tcp_nopush on;

tcp_nodelay on;

keepalive_timeout 65;

types_hash_max_size 2048;

# server_tokens off;

# server_names_hash_bucket_size 64;

# server_name_in_redirect off;

client_body_buffer_size 128k;

client_max_body_size 10m;

client_header_buffer_size 1k;

large_client_header_buffers 4 4k;

output_buffers 1 32k;

postpone_output 1460;

proxy_headers_hash_max_size 2048;

proxy_headers_hash_bucket_size 512;

client_header_timeout 1m;

client_body_timeout 1m;

send_timeout 1m;

include /etc/nginx/mime.types;

default_type application/octet-stream;

# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE

# ssl_prefer_server_ciphers on;

access_log /var/log/nginx/access.log;

error_log /var/log/nginx/error.log;

gzip on;

gzip_disable "msie6";

gzip_vary on;

gzip_proxied any;

gzip_comp_level 6;

gzip_buffers 16 8k;

gzip_http_version 1.1;

gzip_min_length 256;

gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*;

}

File: /etc/nginx/sites-available/default

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {
        # listen [::]:80 default_server ipv6only=on; ## listen for ipv6

        access_log /var/log/nginx/myservername.com.log;

        root /usr/share/nginx/www;
        index index.php index.html index.htm;

        server_name www.myservername.com myservername.com localhost;

        # ssl on;
        # ssl_certificate /etc/nginx/ssl/cert_chain.crt;
        # ssl_certificate_key /etc/nginx/ssl/myservername.key;
        # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";              # disable some old ciphers
        # ssl_prefer_server_ciphers on;
        # ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # server_tokens off;
        # ssl_session_cache shared:SSL:40m;                                           # More info: http://nginx.com/blog/improve-seo-https-nginx/
        # Set SSL caching and storage/timeout values:
        # ssl_session_timeout 4h;
        # ssl_session_tickets off; # Requires nginx >= 1.5.9
        # OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
        # ssl_stapling on; # Requires nginx >= 1.3.7
        # ssl_stapling_verify on; # Requires nginx => 1.3.7
        # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

        # add_header X-Frame-Options DENY;                                            # Prevent Clickjacking

        # Prevent MIME Sniffing
        # add_header X-Content-Type-Options nosniff;


        # Use Google DNS
        # resolver 8.8.8.8 8.8.4.4 valid=300s;
        # resolver_timeout 1m;

        # This is handled with the header above.
        #rewrite ^/(.*) https://myservername.com/$1 permanent;

        location / {
                try_files $uri $uri/ =404;
                index index.php index.html index.htm;
                proxy_set_header Proxy "";
        }

        fastcgi_param PHP_VALUE "memory_limit = 512M";

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                try_files $uri =404;

                # include snippets/fastcgi-php.conf;

                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;

                # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                # With php5-cgi alone:
                # fastcgi_pass 127.0.0.1:9000;
        }

        # deny access to .htaccess files, if Apache's document root
        #location ~ /\.ht {
        #       deny all;
        #}
}

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;

server {

# listen [::]:80 default_server ipv6only=on; ## listen for ipv6

access_log /var/log/nginx/myservername.com.log;

root /usr/share/nginx/www;

index index.php index.html index.htm;

server_name www.myservername.com myservername.com localhost;

# ssl on;

# ssl_certificate /etc/nginx/ssl/cert_chain.crt;

# ssl_certificate_key /etc/nginx/ssl/myservername.key;

# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # disable some old ciphers

# ssl_prefer_server_ciphers on;

# ssl_dhparam /etc/nginx/ssl/dhparams.pem;

# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# server_tokens off;

# ssl_session_cache shared:SSL:40m; # More info: http://nginx.com/blog/improve-seo-https-nginx/

# Set SSL caching and storage/timeout values:

# ssl_session_timeout 4h;

# ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked

# ssl_stapling on; # Requires nginx >= 1.3.7

# ssl_stapling_verify on; # Requires nginx => 1.3.7

# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# add_header X-Frame-Options DENY; # Prevent Clickjacking

# Prevent MIME Sniffing

# add_header X-Content-Type-Options nosniff;

# Use Google DNS

# resolver 8.8.8.8 8.8.4.4 valid=300s;

# resolver_timeout 1m;

# This is handled with the header above.

#rewrite ^/(.*) https://myservername.com/$1 permanent;

location / {

try_files $uri $uri/ =404;

index index.php index.html index.htm;

proxy_set_header Proxy "";

}

fastcgi_param PHP_VALUE "memory_limit = 512M";

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

location ~ \.php$ {

try_files $uri =404;

# include snippets/fastcgi-php.conf;

fastcgi_split_path_info ^(.+\.php)(/.+)$;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;

# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

# With php5-cgi alone:

# fastcgi_pass 127.0.0.1:9000;

}

# deny access to .htaccess files, if Apache's document root

#location ~ /\.ht {

# deny all;

}

Test and Reload NGINX Config

sudo nginx -t
sudo nginx -s reload
sudo /etc/init.d/nginx restart

sudo nginx -t

sudo nginx -s reload

sudo /etc/init.d/nginx restart

Don’t forget to test PHP with a script that calls ‘phpinfo()’.

Install PhpMyAdmin

Here is how you can install the latest branch of phpmyadmin into NGINX (no apache)

cd /usr/share/nginx/www
mkdir my/secure/secure/folder
cd my/secure/secure/folder
sudo apt-get install git
git clone --depth=1 --branch=STABLE https://github.com/phpmyadmin/phpmyadmin.git

cd /usr/share/nginx/www

mkdir my/secure/secure/folder

cd my/secure/secure/folder

sudo apt-get install git

git clone --depth=1 --branch=STABLE https://github.com/phpmyadmin/phpmyadmin.git

If you need to import databases into MySQL you will need to enable file uploads in PHP and set file upload limits. Review this guide to enable uploads in phpMyAdmin. Also if your database is large you may also need to change the “client_max_body_size” settings on nginx.conf ( see guide here ). Don’t forget to disable uploads and reduce size limits in NGINX and PHP when you have uploaded databases.

Note: phpMyAdmin can be a pain to install so don’t be afrait of using an alternative management gui. Here is a good list of MySQL management interfaces. Also check your OS App store for native mysql database management clients.

Install an FTP Server

Follow this guide here then..

sudo nano /etc/vsftpd.conf
write_enable=YES
sudo service vsftpd restart

sudo nano /etc/vsftpd.conf

write_enable=YES

sudo service vsftpd restart

Install: oracle-java8 (using this guide)

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer
cd /usr/lib/jvm/java-8-oracle
ls -al
sudo nano /etc/environment
> append "JAVA_HOME="/usr/lib/jvm/java-8-oracle""
echo $JAVA_HOME
sudo update-alternatives --config java

sudo add-apt-repository ppa:webupd8team/java

sudo apt-get update

sudo apt-get install oracle-java8-installer

cd /usr/lib/jvm/java-8-oracle

ls -al

sudo nano /etc/environment

> append "JAVA_HOME="/usr/lib/jvm/java-8-oracle""

echo $JAVA_HOME

sudo update-alternatives --config java

Install: ncdu – Interactive tree based folder usage utility

sudo apt-get install ncdu
sudo ncdu /

1 2	sudo apt-get install ncdu sudo ncdu /

Install: pydf – better quick disk check tool

sudo apt-get install pydf
sudo pydf

1 2	sudo apt-get install pydf sudo pydf

Install: rcconf – display startup processes (handy when confirming pm2 was running).

sudo apt-get install rcconf
sudo rcconf

1 2	sudo apt-get install rcconf sudo rcconf

I started “php7.0-fpm” as it was not starting on boot.

I had an issue where PM2 was not starting up at server reboot and reporting to https://app.keymetrics.io. I ended up repairing the /etc/init.d/pm2-init.sh as mentioned here.

sudo nano /etc/init.d/pm2-init.sh
# edit start function to look like this
...
start() {
    echo "Starting $NAME"
    export PM2_HOME="/home/ubuntu/.pm2" # <== add this line
    super $PM2 resurrect#
}
...

sudo nano /etc/init.d/pm2-init.sh

# edit start function to look like this

...

start() {

echo "Starting $NAME"

export PM2_HOME="/home/ubuntu/.pm2" # <== add this line

super $PM2 resurrect#

}

...

Install IpTraf – Network Packet Monitor

sudo apt-get install iptraf
sudo iptraf

1 2	sudo apt-get install iptraf sudo iptraf

Install JQ– JSON Command Line Utility

sudo apt-get install jq
# Downlaod and display json file with jq
curl 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq .

sudo apt-get install jq

# Downlaod and display json file with jq

curl 'https://api.github.com/repos/stedolan/jq/commits?per_page=5' | jq .

Install Ruby – Below commands a bit out of order due to some command not working for unknown reasons.

sudo apt-get update
sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev
sudo gem install bundler
sudo git clone git://github.com/sstephenson/rbenv.git ~/.rbenv
sudo git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
sudo git clone https://github.com/sstephenson/rbenv-gem-rehash.git ~/.rbenv/plugins/rbenv-gem-rehash
sudo echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
sudo echo 'eval "$(rbenv init -)"' >> ~/.bashrc
sudo exec $SHELL
sudo rbenv install 2.2.3
sudo rbenv global 2.2.3
sudo rbenv rehash
ruby -y
sudo apt-get install ruby-dev

sudo apt-get update

sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev

sudo gem install bundler

sudo git clone git://github.com/sstephenson/rbenv.git ~/.rbenv

sudo git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build

sudo git clone https://github.com/sstephenson/rbenv-gem-rehash.git ~/.rbenv/plugins/rbenv-gem-rehash

sudo echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc

sudo echo 'eval "$(rbenv init -)"' >> ~/.bashrc

sudo exec $SHELL

sudo rbenv install 2.2.3

sudo rbenv global 2.2.3

sudo rbenv rehash

ruby -y

sudo apt-get install ruby-dev

Install Twitter CLI – https://github.com/sferik/t

sudo gem install t
sudo t authorize# follow the prompts

1 2	sudo gem install t sudo t authorize# follow the prompts

Mutt (send mail by command line utility)

Help site: https://wiki.ubuntu.com/Mutt

sudo nano /etc/hosts
127.0.0.1 localhost localhost.localdomain xxx.xxx.xxx.xxx yourdomain.com yourdomain

1 2	sudo nano /etc/hosts 127.0.0.1 localhost localhost.localdomain xxx.xxx.xxx.xxx yourdomain.com yourdomain

Configuration:

sudo apt-get install mutt
[configuration none]
sudo nano /etc/postfix/main.cf
[setup a]

sudo apt-get install mutt

[configuration none]

sudo nano /etc/postfix/main.cf

[setup a]

Configure postfix guide here

Extend the History commands history

I love the history command and here is how you can expand it’s hsitory and ignore duplicates.

HISTSIZE=10000
HISTCONTROL=ignoredups

1 2	HISTSIZE=10000 HISTCONTROL=ignoredups

Don’t forget to check your servers IP with www.shodan.io to ensure there are no back doors.

Cont…

Next: I will add an SSL cert, lock down the server and setup Node Proxies.

If this guide was helpful please consider donating a few dollars to keep me caffeinated.

Donate and make this blog better

Ask a question or recommend an article

v1.61 added vultr guide link

Application scalability on a budget (my journey)

August 12, 2016 by

Application scalability on a budget (my journey)

Main navigation

server