By Jeff Cleverley, Alibaba Cloud Tech Share Author
Welcome to the third tutorial in this series about installing WordPress upon a highly performant server stack on an Alibaba ECS Cloud Instance.
In the previous two tutorials, we provisioned and secured our Ubuntu 16.04 server installation, then completed the LEMP stack with NGINX, MariaDB and PHP7. Today we are going to configure a Domain to work with our server, and secure everything with an SSL certificate so our final WordPress site can only be accessed via HTTPS. In the next tutorial, we will complete the series by installing WordPress, and configuring transactional emails, before moving on to more advanced topics.
In addition to presuming you have completed the previous tutorials, this tutorial also assumes that you have purchased a domain from a registrar such as Alibaba Cloud, or one of the other many domain registrars.
If not, then you will need to go ahead and finish those tutorials and/or purchase a domain before you proceed. I will be using a domain I own specifically for testing purposes, an-example-domain.com.
Part One – Configuring your Domain
Step 1. Add a Domain to Alibaba Cloud DNS
Visit your Alibaba ECS console and make your way to the Alibaba Cloud DNS section. Then click the blue button in the top left to add a Domain Name:
<Add a domain in the Alibaba Cloud DNS>
A pop up box will appear with a text entry field, enter your domain name here and confirm:
<Enter your domain name and confirm>
Your domain will now appear in the list of Domain Names in the Alibaba Cloud DNS settings page.
Now we need to configure some DNS records to get everything working properly. Click the configure link that is highlighted in the screenshot below:
<Click the link to configure domain DNS records>
The link will take you to a configurations page where you can add your DNS records:
<Alibaba provides Nameserver redirection instructions for third party domains>
If you purchased your domain from Alibaba Cloud, then all of your nameservers should already be configured correctly. If like me, however, you are using a third party domain registrar, then the Alibaba DNS settings page will detect that. It will let you know that your domain registrars name servers are not correctly configured, and give you instructions to change them with the correct Alibaba Cloud nameservers.
Step 1a. Change Nameservers at your domain registrar
Skip this step if your domain is registered with Alibaba Cloud.
If you are using a third party domain registrar, sign into your account with them. Once there, locate the setting for DNS or nameservers. Somewhere within those settings, there will be an option for 'Change Nameservers' or 'Use Custom Nameservers', or something similar.
My domain is registered with Namecheap, their nameservers setting can be found in a dropdown under Nameservers > Custom DNS, as illustrated below:
<Change your domain nameservers with your domain registrar>
All you need to do is enter the nameservers provided by Alibaba Cloud, and click save.
Step 2. Enter DNS records
Now return to the Alibaba Cloud DNS settings page, and add the DNS records for your domain.
For this tutorial we are only adding two A records. An A record maps a name to your server's IPv4 address. If this were a production site you would also need matching AAAA records for its IPv6 address, and several other records, such as an MX record for your email server.
Add one type A record for the Host @, and another for the Host www. The shortest TTL (Time To Live) setting allowed by Alibaba's DNS system is 10 minutes, which means these changes will take at least that long to take effect on their end. Having said that, changes can take up to 24 hours or more to propagate across the entire internet.
Your settings should look something like this:
<Configure your domain's DNS A records>
You can check whether your DNS changes have propagated with a service like whatsmydns.com, or by using the dig (Domain Information Groper) terminal command.
Step 3. Test your domain
Once these changes have propagated you should be able to visit your site by using the domain, with or without the www subdomain:
<Domain being served without www >
<Domain being served with www >
Now that our domain is configured properly, we can reach our server by its URL. With that done, we can begin installing our SSL certificate.
Part Two – Securing NGINX with Let's Encrypt SSL certificates
The web is moving towards a more secure future. SSL certificates protect visitors of your site by enabling HTTPS encryption on web servers. In the past, SSL certificates were a moderately expensive addition to your hosting deemed only necessary for eCommerce sites or other sites that transmitted sensitive information.
Things have changed since those days, now it is considered best practice in web development to secure all sites with an SSL certificate. This has additional benefits to just increasing security, the latest generation of the HTTP protocol, HTTP/2, requires an SSL certificate to be installed before it can be used.
HTTP/2 can dramatically increase the speed of a well configured site due to a range of improvements such as Single Connection Loads, Multiplexing, Header Compression, and more. You can find out more about HTTP/2 here.
There is also the not inconsequential matter that sites without SSL certificates are now being penalized by search engines such as Google, with Chrome even beginning to throw warnings for unsecured sites.
Let's Encrypt is a free, automated, and open certificate authority (CA) provided by the Internet Security Research Group. It has almost single-handedly accelerated the widespread adoption of SSL certificates in recent years, and we should all be very grateful.
We will be using the Let's Encrypt Certbot to obtain a free SSL certificate. Certbot is an awesome package that will automatically make most of the necessary NGINX configuration changes.
Step 4. Configuring Ubuntu to enable access to external repositories
We will be installing the certbot software from Let's Encrypt's separate external package repository. That means we will need to add a new repository to our apt package manager.
Unfortunately our Instance's Ubuntu installation doesn't yet have the package installed that will allow us to add external repositories.
Not to worry, that's a quick fix, just enter the following command to install this necessary package:
$ sudo apt-get install -y software-properties-common
Step 5. Installing Certbot
With that additional package installed we can now install certbot with the following commands.
To add the repository:
$ sudo add-apt-repository ppa:certbot/certbot
Then update the package list to pick up the new repository's package information:
$ sudo apt-get update
And finally, install certbot with apt-get :
$ sudo apt-get install python-certbot-nginx
Now Certbot is ready to use, but before we can proceed we need to add some additional parameters to our NGINX configuration.
Step 6. Setting up NGINX to serve domains
Yes I know, I did say Certbot can automatically configure the SSL certificate for NGINX and add the necessary settings in the NGINX configuration file server block.
But before it can do that NGINX needs to be configured for your domain name, at present it is only configured for an IP address.
Let's update the config file:
$ sudo nano /etc/nginx/sites-available/default
Now replace the server's IPv4 address on the server_name line with your domain name, remembering to add the domain both with and without www:
server_name an-example-domain.com www.an-example-domain.com;
Your NGINX default config file server block should look something like the following:
<Configure NGINX for your domain>
Since the NGINX config file has been changed, it should be checked for syntax errors again:
$ sudo nginx -t
All being well, reload it to load in the new configuration:
$ sudo systemctl reload nginx
With these changes made, Certbot will now be able to locate the correct server block and update it automatically.
Next we'll update the UFW firewall to allow HTTPS traffic.
Step 7. Updating the UFW Firewall
The UFW firewall we configured previously in the series has only been configured for HTTP connections, this now needs adjusting to allow HTTPS traffic.
To do this we will allow 'Nginx Full' first:
$ sudo ufw allow 'Nginx Full'
And then delete the redundant 'Nginx HTTP' profile that we previously allowed:
$ sudo ufw delete allow 'Nginx HTTP'
Finally, check the firewall status with:
$ sudo ufw status
Your terminal should output the following:
<Ubuntu UFW configured for NGINX https connections>
With our firewall configured properly, we are nearly ready to obtain our SSL certificate, but we still need to configure our Security Group for connections on port 443.
Step 8. Configure Alibaba Cloud Security Group for HTTPS connections
Remember in the first tutorial, when we first provisioned the ECS instance, we added it to a Security Group? That is Alibaba Cloud nomenclature for their server firewall, so that's where we need to go now.
In the Alibaba Cloud Security Groups, you will see the default security group you attached. Click the link to configure its rules:
<Click the link to configure security group rules>
For HTTPS connections with an SSL, we need our server to be listening on Port 443. Currently the security group has no rule configured to allow inbound connections to the server on this port.
Add a rule for Port 443 as follows:
<Add an inbound security rule to open Port 443>
<Security group with connections via port 443 enabled>
Now we're ready to run Certbot to obtain and configure our SSL certificates, and configure server settings.
Step 9. Obtaining a Let's Encrypt SSL Certificate
We will use Certbot's NGINX plugin to obtain an SSL certificate for our domain, it will automagically take care of configuring NGINX and reloading the config when necessary.
Enter the following command, replacing my domain name with your own domain:
$ sudo certbot --nginx -d an-example-domain.com -d www.an-example-domain.com
This command runs certbot with the aforementioned --nginx plugin, and uses -d to specify the domain names for which the certificate will be valid.
If everything was successful certbot will check to verify you control your domain, and upon verification will issue your certificate and ask you how you would like to configure your HTTPS settings:
<configure HTTPS requests>
I recommend to configure the redirects so that all traffic is served via HTTPS.
At this point you will be able to access your site using https:// , and you will get the reassuring green lock and security indicator.
Step 10. Increase SSL security – Update Diffie-Hellman Parameters
Even though your site is secured with an SSL certificate, NGINX is still using its default Diffie-Hellman parameters, which are weaker than we would like, so the initial key exchange is more vulnerable than it needs to be.
To fix this, generate a new dhparam.pem file and reference it in the server block.
Create the file using openssl :
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This may take some time, and will look like this:
<Update diffie-helman parameters>
When this process is complete, open up the default site's NGINX config file again:
$ sudo nano /etc/nginx/sites-available/default
And paste in the following code, this can be anywhere inside the server block:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
The entire server block should look like the following, notice the SSL configuration settings that have also been added by certbot :
<Fully configured server block>
Save the file and close the editor. And since we have altered the NGINX configuration again, we will need to check the syntax again:
$ sudo nginx -t
If there are no errors, reload NGINX:
$ sudo systemctl reload nginx
The site is now a lot more secure. You can test it using the SSL Labs Server Test, and it should get an A rating.
Step 11. Setting up Certificate Auto Renewal with a Cron job
Let's Encrypt certificates are currently only valid for 90 days, to encourage users to automate their certificate renewal process, which is exactly what we are going to do.
To do this we will use a cron job. This is the system Linux uses for running periodic system jobs. To add a cron job we must edit a file called a crontab :
$ sudo crontab -e
The text editor will open the default crontab , paste the following code at the end of the file, then save it and close it:
0 0 * * * /usr/bin/certbot renew --quiet
This line means: run the /usr/bin/certbot renew --quiet command at the time given by the five schedule fields 0 0 * * *.
0 0 * * * translates to every day at midnight (minute 0, hour 0, every day of the month, every month, every day of the week). To find out more about cron timings you can visit CronTab.Guru.
The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days.
The --quiet flag tells Certbot not to wait for user input or output any information.
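The following script is an added example, not part of the original tutorial or of Certbot, for checking the three things set up in Steps 9 to 11: the HTTP to HTTPS redirect, the certificate's remaining validity, and the crontab renewal line. It assumes the certificate lives at the path Certbot uses by default (/etc/letsencrypt/live/<domain>/fullchain.pem) and that curl and openssl are installed; the domain is a placeholder.

```shell
#!/bin/sh
# Post-setup HTTPS checks for the server built in this tutorial (added example).

# Validate one crontab line: five schedule fields (digits, *, ',', '/', '-')
# followed by a "certbot renew" command using the ASCII "--quiet" flag.
# A typographic dash pasted from a web page would silently break renewal.
cron_line_ok() {
  line="$1"
  set -f; set -- $line; set +f        # split into words without glob expansion
  for f in "$1" "$2" "$3" "$4" "$5"; do
    case "$f" in ""|*[!0-9*,/-]*) return 1 ;; esac
  done
  case "$line" in
    *"certbot renew"*"--quiet"*) return 0 ;;
  esac
  return 1
}

# Given the status line and headers of a plain-HTTP response (as curl -sI
# prints them), succeed only for a 301/302 whose Location is https://<host>.
redirects_to_https() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r'); host="$2"
  printf '%s\n' "$hdrs" | head -n 1 | grep -Eq ' 30[12] ' || return 1
  printf '%s\n' "$hdrs" | grep -Eiq "^location: https://$host(/|$)"
}

# Succeed if the certificate in file $1 stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Live checks against the running server:  sh check_https.sh --live an-example-domain.com
run_live_checks() {
  d="$1"; rc=0
  redirects_to_https "$(curl -sI "http://$d/")" "$d" \
    && echo "ok: http://$d redirects to https" \
    || { echo "FAIL: http://$d does not redirect to https"; rc=1; }
  cert_valid_for_days "/etc/letsencrypt/live/$d/fullchain.pem" 30 \
    && echo "ok: certificate valid for 30+ days" \
    || { echo "FAIL: certificate expires within 30 days; check renewal"; rc=1; }
  sudo crontab -l 2>/dev/null | grep certbot | while read -r l; do
    cron_line_ok "$l" && echo "ok: cron line: $l" || echo "FAIL: bad cron line: $l"
  done
  return $rc
}

if [ "${1:-}" = "--live" ]; then run_live_checks "${2:-an-example-domain.com}"; fi
```

The cron check reports a bad line but does not change the exit status, because the while loop runs in a pipeline subshell.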
Your SSL certificate is now installed, has an A rating, and is configured to renew automatically.
Time to test things out.
Step 12. Test your server for HTTPS connection
You should now be able to visit your website by visiting your domain over HTTPS, with or without www:
https://an-example-domain.com
or
https://www.an-example-domain.com
<Visit your site using https://>
And that's it, this tutorial is complete.
Your ECS instance should now have a secure and highly performant LEMP stack installed, with a domain configured and an SSL certificate protecting your visitors' information.
In the next tutorial we will move on to installing WordPress, see you then.