Hello, This guide will help you buying a new domain and SSL certificate from NameCheap, a self-managed Ubuntu 16.04 Server from Digital Ocean and configuring it with NGINX Web server, SSL etc. I have older guides ( The quickest way to setup a scalable development ide and web server, Adding a commercial SSL certificate to a Digital Ocean VM etc ) but this one is updated (November 2016).
Advertisement:
You can use this link to create a digital ocean account and get $10 free credit (enough to have a free ubuntu server for 2 months).
How to Purchasing a domain from NameCheap.
Namecheap is an awesome domain reseller, go to the registration page, search for your desired domain, add it to a cart ( tip: look for coupons ) and go to the checkout.
You will want to purchase the Whois Guard as this protects your private details from the domains public listing whois database. Also it is recommended you secure your site with PositiveSSL Certificate. If you have a good coupon you can pick up a new domain name, SSL certificate, Whois Guard for under $5 for your first year.
When you have purchased your domain you are ready to order your server from digital ocean.
Ordering a server from Digital Ocean
Use this link to create a digital ocean account and get $10 free credit (enough to have a free server for 2 months).
Digital Ocean offer very fast and flexible servers that you are in full control of. Managing your server is a #geeky way to host a web server. You will not be stuck on a slow shared CPanel server with hundreds of others users wiht poor quality web hosts. Digital Ocean do not restrict you and you can do anything you want when you want with your server (as long as it is legal).
Buying a Server Steps
- Create a Digital Ocean account and login (use this referral link to get $10 free credit: https://m.do.co/c/99a5082b6de5 ).
- You will need to create a SSH key to use with your account. Read this guide and learn about how to create an SSH key (required to connect to your domain’ server). Creating and adding your SSH key to your droplet is the hardest part of the whole guide but the SSH key can be used for future servers. I have more tips on creating a SSH key in my old guide.
- Go here and add your SSH key to your Digital Ocean Account. Info here: Initial Server setup guide, How to setup and use SSH Keys
- Click Create new Droplet ($5, Ubuntu 16.4, San Francisco region, SSH Key, Private networking (VLAN), Backups and IPV6).
- Give the server a name and click create.
- You get billed by the month or by the hour if you delete the server if you only need a server for a few weeks.
After a few minutes, your new server will be ready to use. The only issue is the server has no web server installed (we need to install it) so don’t try and connect to the servers IP in a web browser.
Login to Digital Ocean and click on Droplets, then Click on Access then Launch Console. This is the backup/default way into your domain.
Note we don’t have a username or password yet. Close the console and then go back to the access screen for your droplet and click Reset Root Password and this will shut down the server and setup a root password. The new root password will be emailed to you.
Note: Root passwords are generally not a good idea but we can disable this after we setup the server.
You can choose the Digital Ocean web console or a third party SSH terminal app like vSSH for iOS/Windows/OSX etc . I prefer vSSH as the Digital Ocean web console can be a tad slow.
Once you login to your server you will be forced to change your root password (remember it).
Setting the Timezone (housekeeping)
1 | dpkg-reconfigure tzdata |
I don’t like interacting with the server via command line so time to connect our server to the awesome Cloud9 IDE from www.cloud9.io)
Installing NodeJS
The first thing we need to do is install NodeJS on to our new server (as this is required by Cloud 9). The good thing about Digital Ocean is they have a guide for everything ( How To Install Node.js on Ubuntu 16.04 ). I am going to install the latest (non-stable development build of NodeJS).
1 2 3 4 5 6 7 8 | sudo apt-get update sudo apt-get upgrade cd ~ curl -sL https://deb.nodesource.com/setup_6.x -o nodesource_setup.sh sudo bash nodesource_setup.sh sudo apt-get install nodejs sudo apt-get install build-essential sudo apt-get install python |
Now run the following command to see where nodeJS is installed
1 2 | which nodejs > /usr/bin/nodejs |
Signing up to Cloud 9 IDE
Ok, Cloud 9 is highly recommended because you can connect to your site, open multiple files and terminal windows in a nice IDE and close the browser tab go to a new PC and login and everything will follow you (right where you left off). I am locked into a grandfathered $9 a month Cloud 9 plan but $19 a month is well worth it as you can have connections to multiple websites making it an invaluable tool for the developer or website owner.
Signup for Cloud9 Individual plan at http://www.c9.io Getting started guide here: https://docs.c9.io/docs/
Connecting to your server with Cloud9 IDE (c9.io)
Go to the Cloud 9 settings and add your SSH key. This will allow you to connect to any Digital Ocean droplet without the root password (as long as you have added you SSH key to the digital ocean account and any new servers).
Now you can go back to your Cloud 9 dashboard and Create a New Workspace. Click Remote SSH workspace.
Use the following settings (but use your Digital Ocean droplet IP).
That’s it, you should now have a link to your Digital Ocean server saved in Cloud 9. Let’s connect to it.
The Cloud 9 IDE is very powerful. I love it for the files system tree view, drag and drop files and multiple tabs and panes.
Cloud 9 also has collaborative features so you can allow multiple team members or developer in and even share the same terminal.
At this point, you can change the root password or disable the root login.
Read this article on adding alternative non-root users and disabling the root user here (scroll down to step 5).
1 2 | sudo nano /etc/ssh/sshd_config PasswordAuthentication no |
Then..
1 | sudo systemctl reload sshd |
Configuring NGINX Web Server
Now we need to install a web server following this guide. You can run these commands in the C9 IDE instead of the console or SSH application.
1 | sudo apt-get install nginx |
You can then check your web server by loading your digital ocean IP (e.g http://123.123.123.123 ).
I won’t lock down the firewall but will install curl.
1 | sudo apt-get install curl |
I can check my public IP.
1 2 | curl -4 icanhazip.com > 123.123.123.123 |
In the Cloud 9 files system tree view, I located the “/var/www/html” folder and then right clicked on it and set it as a Favourite. This will move the folder to the top of the tree view. I edited the “/var/www/html/index.nginx-debian.html” while I was there.
fyi: The NGINX config file is located at “/etc/nginx/nginx.conf” and the sites file is located at “/etc/nginx/sites-available/default”.
Tip: Add the Nginx folder your Cloud 9 favorites.
Now we can link the Domain name to the digital ocean server IP.
Linking the new domain name to the digital ocean server.
First, we need to login to Namecheap and sent any DNS requests for yournewdomain.com (this is not my domain (just a random name)) to go to Digital Ocean DNS servers. Login to your NameCheap account and open your domain list. Add the following custom DNS entries and save.
Next to your domain Droplet click More then Add a Domain.
Type your domain name then select the droplet then click Create. Then click the domain in the list below.
Make the following A and CNAME record changes. The IPV4 and IPV6 details can be obtained from the Digital Ocean Droplet settings.
Depending on where you are in the world the changes we made at Digital Ocean and Namecheap may take 48 hours but for me, I can see the domain on my mobile phones network but not my ADSL2 network. Here is a good site for tracking DNS replication around the world: https://www.whatsmydns.net/#A/fearby.com
Also, this handy tool can be installed to add whois query abilities to your VM.
1 2 3 | sudo apt-get install whois whois yournewdomainname.com > ... the whois record for your web server will be displayed here. |
Also flushing your DNS records of your laptop can help. As soon as I flushed my DNS I was abe to see my domain.
Flush DNS on macOS Sierra:
1 | sudo killall -HUP mDNSResponder |
Flush DNS on other systems.
Adding SSL
I do have an older guide here on setting up SSL on a digital ocean VM.
Namecheap’s domain and SSL order confirmation mentions this about SSL certificates.
1 2 3 4 5 6 | SSL Certificates: If you've purchased an SSL certificate, you'll want to visit your Account Panel soon to enter your CSR and activate the certificate. Our Knowledgebase( https://www.namecheap.com/support/knowledgebase/category.aspx/14/ ) contains instructions on how to create a CSR and install the certificate on your server. |
This namecheap guide will tell you how to activate a new certificate and how to generate a CSR file. Note: The guide to the left will generate a 2048 bit key and this will cap you SSL certificates security to a B at http://www.sslabs.com/ssltest so I recommend you generate an 4096 bit csr key and 4096 bit Diffie Hellmann key.
Confession: I was an idiot and created a 2048 bit key (below) and re-edited this guide for 4096 bit. If you do this you just reissue the certificate at Namecheap and follow the steps again. Reissuing only takes 15 minutes. There are sites where you can download freshly generated DH primes that can save you time generating stronger DH keys.
This is what a SSLLabs SSL report looks like if you don’t generate a fresh 2048or 4096 DH key.
To generate a stronger 4096 bit DH key login into a terminal on the Digital Ocean server and run these commands.
1 2 3 4 | cd /etc/nginx/ mkdir ssl4096 cd ssl4096 openssl dhparam -out dhparams4096.pem 4096 |
Note: This may take a few hours to generate but it essential to have an A+ rated SSLLabs certificate. If you stick with a weak DH key it is only a matter of time before hackers can exploit it and get into your site. You could generate a 2048 DH key but 4096 is better in the long run.
Creating the SSL Certificate
- Log into the Namecheap dashboard (click on the SSL Product lists page ).
- Click Activate next to Positive SSL (Comodo SSL Certificate).
- I created the CSR files on the Droplet terminal. (IMPORTANT: The Common name is the name of the server, don’t add your name).123456789101112131415161718192021222324252627282930cd ~/mkdir sslcsrmaster4096cd sslcsrmaster4096/openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csrGenerating a 4096 bit RSA private key.............................................................+++......writing new private key to 'server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:AUState or Province Name (full name) [Some-State]:New South WalesLocality Name (eg, city) []:TamworthOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Fearby.com SoftwareOrganizational Unit Name (eg, section) []:DevelopmentCommon Name (e.g. server FQDN or YOUR name) []:www.yournewdomain.comEmail Address []:your@email.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:*********************************An optional company name []:// Completed the wizard questions
This outputted two files.1234drwxr-xr-x 2 root root 4096 Nov 5 10:54 .drwx------ 8 root root 4096 Nov 5 10:53 ..-rw-r--r-- 1 root root 1106 Nov 5 10:54 server.csr-rw-r--r-- 1 root root 1704 Nov 5 10:54 server.key
Output the server.csr file to the terminal1cat server.csr
Paste the contents of the CSR into the Namecheap wizard and click Next
- Click Next if the data from the CSR is displayed.
- To verify you own the domain choose HTTP for the “DCV Method” and click Next
- Enter your contacts details then click next and submit to end the activation.
- In the yellow box click the “go to certificate Details page” next to HTTP validation.
- Click the Edit Methods button and click download file and follow (take note of the filename and location to upload the file to). Simply save the file and drag and drop it into the favorited /var/www/html/ folder in Cloud 9 IDE.
- Go back to the Namecheap, click Domain Lists, Click your domain then Click Products then next to the SSL click Manage. The status should say In Progress. This guide says the verification will take some time and when verified the appropriate files will be emailed to you.
- After 15 minutes the status changed to Issued and I received two emails from Comodo.
- I extracted and uploaded the two files in the zip file to ~/sslcsrmaster4096/ folder on my server.
- Made the following directory /etc/nginx/ssl4096/
- Now we need to combine the certificates. Goto https://certificatechain.io/ and paste in the contents of the crt file that were emailed to your from Comodo. The site will get all public intermediate certificates and combine them. The combined certificate will look like this.12345678910111213-----BEGIN CERTIFICATE-----xXxxXXXXXXXXXXXXXxxxxxxxXXXxXXXxXXxXxxXXXxXXXxxXxxxxXXxXXXXXxxXXXxXxxXXxxxxXXxXXxxxXXxxXXxxxxxxxxX=-----END CERTIFICATE----------BEGIN CERTIFICATE-----xXxxXXXXXXXXXXXXXxxxxxxxXXXxXXXxXXxXxxXXXxXXXxxXxxxxXXxXXXXXxxXXXxXxxXXxxxxXXxXXxxxXXxxXXxxxxxxxxX=-----END CERTIFICATE----------BEGIN CERTIFICATE-----xXxxXXXXXXXxxXXXxXXXxxXxxxxXXxXXXXXxxXXXXXXXXXxxxxxxxXXXxXXXxXXxXxxXXXxXXXxxXxxxxXXxXXXXXxxXXxXxxXXXXXXXXXXXXXxxxxxxxXXXxXXXxXXxXxXxxXXxxxxXXxXXxxxXXxxXXxxxxX=-----END CERTIFICATE-----
- Save the combined certificate to /etc/nginx/ssl4096/yournewdomain.com.chained.crt
- Copy all files from ~/sslcsrmaster4096/*.* to /etc/nginx/ssl4096/
- Now we can configure the NGINX configuration: /etc/nginx/sites-available/default12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455server {listen 80;server_name yournewdomain.com;rewrite ^/(.*) https://yournewdomain.com/$1 permanent;}server {listen 443 ssl default_server;listen [::]:443 ssl default_server;root /var/www/html;index index.php index.html index.htm index.nginx-debian.html;server_name yournewdomain.com www.yournewdomain.com localhost;ssl on;ssl_certificate /etc/nginx/ssl4096/yournewdomain.com.chained.crt;ssl_certificate_key /etc/nginx/ssl4096/server.key;ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";ssl_prefer_server_ciphers on;ssl_dhparam /etc/nginx/ssl4096/dhparams4096.pem;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;server_tokens off;ssl_session_cache shared:SSL:20m;keepalive_timeout 5;ssl_session_timeout 60m;ssl_session_tickets off; # Requires nginx >= 1.5.9ssl_stapling on;ssl_stapling_verify on;gzip off;add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";add_header X-Frame-Options DENY;add_header X-Content-Type-Options nosniff;# Use Google DNSresolver 8.8.8.8 8.8.4.4 valid=60s;resolver_timeout 1m;location / {# First attempt to serve request as file, then as directory, then fall back to displaying a 404.try_files $uri $uri/ =404;}location ~ /\.ht {deny all;}}
- Restart NGINX1sudo service nginx restart
- Use this page to test your SSL Certificate: https://decoder.link/sslchecker/
- Test the SSL certificate for security at SSLLabs.com
- If you want more security, try disabling TLS 1 in your NGINX Configuration.
I’d like to thank Vadim Kovshar on the Namecheap live chat for speeding up the reissue of the SSL cert as it stalled with Comodo because I blocked the HTTP port 80 in NGINX after I got the weaker cert working. Thanks
Installing and configuring MySQL
I will follow this guide to install phpMyAdmin
Installing and configuring MongoDB
todo
Use this link to create a digital ocean account and get $10 free credit (enough to have a free server for 2 months).
Donate and make this blog better
Ask a question or recommend an article