4.5 KiB
Linux 201: Web Server Setup
Introduction
-
Goals
- Understand the process of setting up a web server
- Understand why security is important when setting a web server.
- Setup a basic web server to serve static files
-
Non-goals - links to useful tutorials will be provided at the end of this lab sheet
- Setting up HTTPS - This requires a domain name
Things to mention in the slide deck
- Apache vs Nginx
- Thread-based vs event-based servers
Basic Security
- Creating a non-root account
adduser
"yourusername"sudo
permissions- The Linux security model: Knowing why you're typing your password
- SSH
- Disable root login
- SSH Keys
- Firewall
Setting up a firewall
Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called ufw
, the 'uncomplicated firewall' is already present. It acts as a nice front-end to iptables
, which I find to be difficult to understand and use. We will be using that as our firewall. If for some reason it is not installed already, install it like so:
sudo apt install ufw
Activation
Ufw, by default, allows all outgoing connections and denies all incoming connections. This means that if you are using ssh to connect to your server, you will need to open the appropriate ports first before enabling ufw. Do that like this:
sudo ufw allow 22/tcp
ufw will automatically configure iptables
to allow incoming connections on port 22 that use tcp
. I will talk more about allowing and denying different connections later.
Just in case ufw blocks your ssh connection and you are unable to get back in, you can use another program called at
to schedule the disabling of the ufw so that you can get back in again. If you don't have it installed, you can install it with sudo apt install at
.
sudo at -vM now +10 minutes
ufw disable
^D
Where ^D
stands for CTRL + D
. Now that you have it set such that ufw will disable itself in 10 minutes time, we go ahead and turn ufw on:
sudo ufw enable
It will warn you that this may disrupt any existing ssh connections you have open. Reply yes
to this. Once it have been enabled successfully, you should check that you can still ssh into your server (if that is the method that you are using to control it). If yes, great! If not, ufw will disable itself in 10 minutes and then you can try again.
Now that we have ufw enabled, we can cancel the at
job we created to disable ufw. Type sudo atq
to list the jobs you have schedules, and sudo atrm <number>
to remove it, where <number>
is the number of the jobs that you want to delete.
You may also want to check the status of ufw to make sure that it is enabled, or to get a list of the rules that are currently in force. You can do that like this:
sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere
Allowing connections
Since we're going to be setting up a web server, we'll need to allow ti through ur new firewall. Doing so is easy. Simply do this:
sudo ufw allow 80/tcp
Ufw will automatically configure iptables, in this example, to allow all connections on port 80 that use TCP. It will also configure it appropriately for both ipv4 and ipv6.
If you ever want to incoming connections on another port in the future, replace 80
with the port number you want to allow and tcp
with udp
if needed.
Ufw also understands several protocol names, and can configure itself accordingly:
sudo ufw allow http
sudo ufw allow imap
Installing a Web Server
With our server secured, we can now install our web server. In this tutorial, we'll be using Nginx.
- systemd services
- Nginx is a service
- Installing Nginx
sudo apt install nginx
Configuration
/etc/nginx/nginx.conf
/etc/nginx/sites-available/*
/etc/nginx/sites-enabled/*