How to set up a webserver
Step 1. Spin up a new server in DigitalOcean
A droplet needs to be created. To create a droplet running CentOS, you must first generate an ssh public/private rsa key pair using the program ssh-keygen. After generating the pair, add the public key to the droplet. Proceed with creating the droplet. Allowing DigitalOcean to create backups is recommended because if any mistakes are made while updating CentOS in the future or if you somehow lock yourself out of your server, you will be able to recover a backup and start anew. Once the server is up and running, you can run the following command to access the server:
ssh -i /path/to/privatekey root@ip-address
Step 2. Create a new user
Run
adduser username
to create a new user called “username” or whatever you like. Set a password for the user by running
passwd username
Add the user to the wheel group, which will allow them to use the sudo command. After setting up a firewall, which should be done as soon as possible after starting up the server, you can test logging into the server via ssh using the user credentials.
Step 3. Set up a firewall
Set up a basic firewall by running
dnf install firewalld
Activate the firewall using
systemctl start firewalld
The ssh connection will not be dropped since the firewall does not block the ssh service as you can see when you run
firewall-cmd --permanent --list-all
To allow traffic to reach the upcoming website, make sure HTTP traffic is not blocked by running
firewall-cmd --permanent --add-service=http
Don’t forget to reload the firewall rules by running
firewall-cmd --reload
Step 4. Logging into the server with a non-root user
Since the root user already has the public rsa key that was generated before the server was up and running, the non-root user can use the same public key. To do that, copy the root user’s ~/.ssh directory, which holds the authorized public key, into the non-root user’s home directory, with ownership set to that user, by running
rsync --archive --chown=username:username ~/.ssh /home/username
Then verify you can sign in to the server as the non-root user.
To further harden the server, remove the ability to ssh into the server as the root user.
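One way to confirm that root login is really off after editing the SSH daemon configuration, as an added example that is not part of the original tutorial: the script reads an sshd_config the way sshd treats global keywords (the first value wins) and reports whether PermitRootLogin is explicitly no. The helper names and the three sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): check whether an sshd_config
# really disables root login. Helper names and sample configs are constructed.

# Print the global value sshd would use for keyword $2 in file $1.
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# case-insensitively; Match blocks are conditional, so parsing stops there.
sshd_value() {
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }              # drop leading indentation
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeed only when root login is explicitly "no". An unset keyword falls back
# to the OpenSSH default (prohibit-password), which still allows key-based
# root login, the exact method used earlier in this setup.
root_login_disabled() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the later "no" is ignored because "yes" comes first.
cat > "$tmp/weak.conf" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF

# Constructed sample 2: explicit global setting, different keyword case.
printf '  permitrootlogin no\n' > "$tmp/hard.conf"

# Constructed sample 3: only set inside a Match block, so not global.
printf 'Port 22\nMatch User username\n    PermitRootLogin no\n' > "$tmp/unset.conf"

for f in weak hard unset; do
    if root_login_disabled "$tmp/$f.conf"; then
        echo "$f.conf: root SSH login disabled"
    else
        echo "$f.conf: root SSH login NOT disabled (value: '$(sshd_value "$tmp/$f.conf" PermitRootLogin)')"
    fi
done
```

On the live server, running sshd -T as root prints the configuration the daemon actually resolved, which is the authoritative check. Keep a second session open as the non-root user while restarting sshd so a mistake does not lock you out.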
Step 5. Install HTTP server
Install the Apache HTTP server.
dnf install httpd
Allow HTTPS traffic through the firewall.
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo systemctl start httpd
The default Apache HTTP server index page should now be publicly available (via HTTP and not HTTPS). Retrieve the IP address of your server by running
hostname -I
then type that address into your browser and you should see the index page.
Step 6. Some HTTP Server Hardening
For security reasons, I like to manually restart the HTTP server when the server is restarted, because if it ever goes down, it will become obvious to me by simply visiting the website. Also, if the HTTP server is down, there isn't much else to attack. Run the following so that httpd does not start automatically at boot:
sudo systemctl disable httpd
Modify the following file to prevent the default Apache HTTP server splash page from being available to the public.
/etc/httpd/conf.d/welcome.conf
Step 7. Upload a website
Get a simple website from http://www.oswd.org or wherever else and paste the website’s content in the /var/www/html/ directory.
And that’s all that’s really needed to get a website live. There are still some things we can do to perfect it and make the website more accessible.
Step 8. Assigning Domain Name
If you are using Namecheap, follow the instructions below. If you are using another DNS provider, please refer to resource 4 below.
- Create domain name using a DNS provider.
- Give the DigitalOcean nameservers to the DNS provider.
Reference Material
- Initial Server Setup with CentOS 8
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-8
- How to Install the Apache Web Server on CentOS 8
https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-centos-8
- W3C HTML validator
https://validator.w3.org/nu/
- How To Point to DigitalOcean Nameservers From Common Domain Registrars
https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars