Welcome

Deploying a Secured Apache Server on Amazon AWS EC2

In this post I am going to guide you how to enable a secured communication between an Apache server and its clients using Transport Layer Security (TLS) which is a necessary requirement for basic cyber security.

Requirements

  1. Windows 10 development machine
  2. This guide assumes that you already have your own domain name (your-domain-name.com) hosted by some domain registrar. We will use a subdomain of this domain (app.your-domain-name.com) for our new server.
  3. We will install the Apache server on EC2 which is the Amazon’s service for running virtual machines. If you don’t have one, you will need to open an account in AWS (Amazon Web Services) in https://aws.amazon.com.

Before starting, here are the main steps

  1. Creating a virtual machine in AWS
  2. Connecting to the virtual machine using SSH
  3. Installing Apache server on the virtual machine
  4. Directing the sub domain to your AWS account
  5. Installing the security certificate

So, let’s begin!

Step 1 – Creating a virtual machine in AWS

  1. Open AWS Console (https://console.aws.amazon.com/) and select EC2 Service. You can find this service by typing “EC2” in the find services search box.
  2. Click on “Launch instance” button.
  3. From “Step 1: Choose an Amazon Machine Image (AMI)” screen, choose “Amazon Linux 2…” by clicking the “Select” button which is next to it.
  4. From “Step 2: Choose an Instance Type” screen, choose the hardware specification for your machine. You can choose the General purpose t2.micro marked as “Free tier eligible” and click on “Next: Configure Instance Details” button.
  5. Skip “Step 3: Configure Instance Details” by clicking “Next: Add Storage”.
  6. Skip “Step 4: Add Storage” by clicking “Next: Add Tags”.
  7. Skip “Step 5: Add Tags” by clicking “Next: Configure Security Group”.
  8. From “Step 6: Configure Security Group” screen, open ports 443 for HTTPS communication and port 80 for HTTP communication by doing as following:
    1. Click “Add Rule” button.
    2. In the new row that has just been added to the table:
      1. Select “HTTPS” in the type field.
      2. Select “Anywhere” in the Source field.
    3. Click “Add Rule” button
    4. In the new row that has just been added to the table:
      1. Select “HTTP” in the type field.
      2. Select “Anywhere” in the Source field.
  9. Click “Review and Launch” button.
  10. Click “Launch” button.
  11. In “Select an existing key pair or create a new key pair” dialog that will appear at this stage you have two options: using an existing key pair or creating a new key pair.
    If you don’t already have a key pair file, do as following:
    1. Select “Create a new key pair” in the upper drop-down box
    2. Fill the “key pair name” text box with the name “app”
    3. Click on “Download Key Pair” – a file named “app.pem” will be downloaded into your Downloads folder.
    4. Click “Launch Instances” button.
  12. Click “View Instances” button.
  13. At this point you will see a table of all the EC2 machines (instances) running on your AWS account.
  14. Give your new machine a name by clicking on the empty area under “Name” column and typing “app” as a name.
  15. Wait while the machine is initialized until its “Instance State” is “running”

At this point you have a running virtual machine on AWS

Step 2 – Connecting to the virtual machine using SSH

  1. Install a Linux sub system for Windows 10 (if it is not installed yet) according the following steps:
    • Enable the “Windows Subsystm for Linux” optional by opening a Power-Shell window as Administrator and executing the following command:
      dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
    • Open “Microsoft Store”
    • Type “Ubuntu 20” in the search box
    • Click on one of the Ubuntu distributions, for example “Ubuntu 20.04 LTS”
    • Click on “Get” button.
  2. Start Ubuntu application – a Linux command line console window will appear.
  3. Copy the key pair file you created while creating the virtual machine according the following steps:
    • Find the full path of your Downloads folder by opening it using Windows Explorer and copying it from the path box.
    • Type a Linux copy command of the key-pair file from “Downloads” folder into your Linux local folder while converting the Windows path into a Linux path by replacing “c:” with “/mnt/c” and replacing all backslashes with slashes. The following example will make it clearer.
      • Assuming the Windows path of your Downloads folder is:
      • C:\Users\97252\Downloads
      • The copy command should be:
        cp /mnt/c/Users/97252/Downloads/app.pem .
      • (don’t miss the dot at the end)
  4. Limit the access permission of the key file using the command:
    chmod 400 app.pem

  5. Open the “Connect to your instances” dialog box by doing as following:
    1. Select your “app” machine from the list of instances
    2. Click on “Connect” button
  6. Copy the ssh command appears in the dialog box under “Example:”.It should be something like this:
    ssh -i "app.pem" ec2-user@ec2-72-201-999-155.compute-1.amazonaws.com

  7. Paste the command you copied in the previous step into your Ubuntu command line window

There are other options of connecting to your Linux instance in the following link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html

At this point you are connected to your running virtual machine using SSH.

Step 3 – Installing Apache server on the virtual machine

Execute the following steps using the SSH connection which was established in Step 2.

  1. To ensure that all of your software packages are up to date, type:
    sudo yum update -y
  2. Install the Apache web server by typing:
    sudo yum install -y httpd
  3. Start the service by typing:
    sudo service httpd start

At this point you should have an empty unsecured website.

For testing your website do as following:

  1. Find the IP address of your virtual machine:
    1. Select the machine from the Instances table
    2. You can find the IP address in the lower part of the screen, in the “Description” tab, beside the text “IPv4 Public IP”
    3. Select the IP address and copy it
  2. Paste the IP address in the address bar of your browser. The following page should be displayed in the browser:

Step 4 – Directing the sub domain to your AWS account

  1. Log in into the website of your domain registrar and open the Domain Setting table of your domain name (your-domain-name.com)
  2. Add two new records into the table according the following example. Put the IP address of the virtual machine (which was found in step 3) instead of 11.11.11.11.
TypeNameValueTTL
Aapp11.11.11.111/2 Hour
Awww.app11.11.11.111/2 Hour

For testing it, try browsing the URL (app.your-domain-name.com). You should see the same Apache’s test page as in Step 3.

Step 5 – Installing the security certificate

Execute the following steps using the SSH connection which was established in Step 2:

  • Edit the main Apache configuration file, 
    /etc/httpd/conf/httpd.conf
    (you can do it using “nano” editor by typing
    sudo nano /etc/httpd/conf/httpd.conf
    ). Locate the ”
    Listen 80
    ” directive and add the following lines after it:

<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "app.your-domain-name.com"
    ServerAlias "www.app.your-domain-name.com"
</VirtualHost>
  • Exit “nano” editor by typing 
    CTRL+X
    , then 
    Y
     and 
    ENTER
     to confirm.
  • Save the file and restart Apache:

sudo systemctl restart httpd
  • Install and enable EPEL

cd /tmp
wget -O epel.rpm –nv \
https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y ./epel.rpm
  • Install certbot, the Let’s Encrypt client to be used to obtain an SSL/TLS certificate and install it into Apache

sudo yum install python2-certbot-apache.noarch

Respond “Y” to all requests for approval to install the software.

  • Use the following command to install certbot (replace your-domain-name with your domain name):

sudo certbot -i apache -a manual \
--preferred-challenges dns -d app.your-domain-name.com

You are prompted for the following information:

  1. E-mail address for renewals? Enter an email address for certificate renewals.
  2. Accept the terms of services? Respond as appropriate.
  3. Send your e-mail address to the EFF? Respond as appropriate.
  4. Log your current IP address? Respond as appropriate.

You will be asked to insert a challenge string into your domain registrar for validating that you are the owner of the domain name.

Don’t click Enter before completing setting the challenge as following:

  1. Log in into the website of your domain registrar and open the Domain Setting table of your domain name (your-domain-name.com)
  2. Add a new record into the table with the following values:
    1. Type: TXT
    2. Name: _acme-challenge.app
    3. Value: BMDCv9tpB9FKnDNz6tHMivBMDCv9tpB9FKnDNz6tHMiv (replace with the challenge string you got in the console window)
  3. Open an additional SSH connection window (as done in Step 2)
  4. Type
    nslookup
    in the other SSH window
  5. Type
    set ty=txt
    in the other SSH window
  6. Type
    _acme-challenge.app.your-domain-name.com
    in the other SSH window
  7. It can take several seconds or minutes until setting the challenge takes effect. Repeat step 6 until the challenge string is displayed in the other SSH window
  8. Now you can click Enter in the first SSH window.

Validate the installation:

Browse to the http://app.your-domain-name.com site. You are redirected to the SSL/TLS page https://app.your-domain-name.com.

You can read more details about this step here https://aws.amazon.com/blogs/compute/extending-amazon-linux-2-with-epel-and-lets-encrypt/

I hope that this tutorial did help. Please let me know if you find any mistake.

Leave a Reply

Your email address will not be published. Required fields are marked *

Close Bitnami banner
Bitnami