Automate NGINX Hosts with EasyEngine

Automate NGINX Hosts With EasyEngine. The Perfect WordPress and ownCloud server on a DigitalOcean Ubuntu 14.04 Droplet

Sure, you could totally install and configure NGINX (pronounced Engine X) manually… But WHY on earth would you?? EasyEngine (ee) is a Python utility that automates the tasks of installing the framework for WordPress and non-WordPress sites, PHP, MySQL, etc., and configures the NGINX host file AUTOMATICALLY and EFFICIENTLY. I would need to learn several new languages to find enough words to describe the time and headaches this will save you!

Things to remember if you’re new to Linux: nano is a simple text editor that you can invoke from the command line to edit files. You will be using these shortcuts a lot when you’re editing files.

  • CTRL+O to Save
  • ENTER to Confirm
  • CTRL+X to Close the active file.

Create a DigitalOcean Droplet:

Log in to your DigitalOcean account. If you don’t have one, you can click here to create one – they’ll give you a $10 credit to get started and I’ll earn a few bucks too. 🙂 Give your Droplet a hostname, choose a size, select a region and an image (Ubuntu 14.04 x64). EasyEngine requires Debian or Ubuntu. This tutorial is based on Ubuntu 14.04 x64 LTS, but the steps are generally the same for Debian Wheezy. I should mention that I’ve performed all of the steps logged in as root, which isn’t recommended. For info on creating a new user with elevated sudo privileges, click here.

If you already have a key pair, you can upload your public key to your droplet in the final step before provisioning it. If not, we need to create one and attach it to the droplet. You can do this later, but it’s way easier to do right now, before creating your droplet. If you’re on Windows, download PuTTY and PuTTYgen and follow this tutorial to create your SSH key pair. On OS X or Linux, you can follow this guide to create your key pair in your terminal. When your SSH keys are generated, add your public key to your droplet. You’ll use your private key to authenticate your session and connect to your Droplet with your SSH client.

Map your domain(s) to your new Droplet:

If you already have a domain name, let’s configure DNS while your Droplet is spinning up. There are several ways to achieve this. The cleanest way is to point your domain’s name servers to the DigitalOcean name servers and set up new DNS records. Here’s how. If you already have records like MX, TXT and SRV set up in your existing DNS manager, make sure you accurately document the settings so you can replicate them in the DigitalOcean DNS, or you could break things like email.

If your domain is registered with GoDaddy, you can easily export the current DNS records from the classic DNS manager. Just click the Import/Export icon and choose Windows or Linux. You can open the file in your favorite text editor (like Sublime Text) to grab your records.

If you don’t have a domain yet, I recommend namecheap. As the name implies, you can pick up a domain for less money than most registrars.

Bring server up-to-date:

Configure UFW firewall:

UFW is the Ubuntu Uncomplicated FireWall wrapper for iptables, so you don’t have to learn complicated syntax for locking down your server. It should already be installed by default in your Droplet. Use it. More info about UFW can be found here.
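A rule set in the spirit of this step, as an added example rather than the tutorial's original commands: it opens the web ports to everyone and limits the admin ports to one trusted address. Ports 22222 (ee admin tools) and 10000 (Webmin) come from later in this page; the open web ports, the rate-limited SSH rule, the sample address and the `ufw_rules`/`valid_ipv4` helper names are assumptions.

```sh
#!/bin/sh
# Added example, not the tutorial's original commands.
# ufw_rules ADMIN_IP prints the ufw commands in the order they must run.
# Review the output first, then apply it with:  ufw_rules 203.0.113.10 | sudo sh

ADMIN_PORTS="22222 10000"  # ee admin tools and Webmin (ports named on this page)
PUBLIC_PORTS="80 443"      # assumption: HTTP/HTTPS stay open to everyone

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
# The output is meant to be piped to a shell, so anything else is refused.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

ufw_rules() {
    admin_ip=$1
    if ! valid_ipv4 "$admin_ip"; then
        echo "refusing invalid admin IP: $admin_ip" >&2
        return 1
    fi
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH is allowed before 'enable' so the current session is not cut off;
    # 'limit' rate-limits repeated connection attempts.
    echo "ufw limit 22/tcp"
    for port in $PUBLIC_PORTS; do echo "ufw allow $port/tcp"; done
    for port in $ADMIN_PORTS; do
        echo "ufw allow from $admin_ip to any port $port proto tcp"
    done
    echo "ufw --force enable"
}
```

After applying the rules, `ufw status verbose` shows what is actually loaded; 203.0.113.10 is a constructed documentation address, so substitute your own public IP.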

Install EasyEngine:

Execute the following to finish the install:

By default, EasyEngine generates random SQL DB NAME/USER NAME and WordPress DB prefix. I like to have a little more control here, so the names make sense to me at a glance, but this is totally optional.

Setting “prefix = true” in the [wordpress] section of ee.conf makes ee prompt you for a WP database prefix during site creation. This adds an extra layer of security, because the default wp_ prefix makes it easier for hackers to find and exploit your database with SQL injection attacks.

Let’s edit the ee.conf file so it will prompt you for these details during site creation:

In the [MySQL] section, enter the following (optional):
db-name = true
db-user = true

Set the following in the [wordpress] section (recommended):
prefix = true

Save and exit nano.

Can we talk about security for a moment? If it were possible to define the password strength policy in the ee.conf file, we could just skip all of this. But since WordPress is powering the majority of websites on the planet and is aggressively hacked, we need to take extra precautions. The password strength ee applies to SQL databases is great. I’m not sure why they aren’t applying the same policy to root/http passwords. In my opinion, the root passwords that ee generates for MySQL just aren’t strong enough, so we’re taking matters into our own hands in a moment. But first…

Let’s create our first site:

We would’ve already installed phpMyAdmin manually, but MySQL isn’t configured until we create our first site, so let’s skip ahead and get your first site set up. Come back here when that’s done: Choose Site Type

NOTE: If you changed “prefix = true” in the [wordpress] section of ee.conf in the previous step, you will be prompted to specify a WP prefix manually during site creation. I recommend a random alpha-numeric string, like: R7sj4Y_ (make it unique and don’t forget the trailing underscore).

Welcome back, ee just installed your specified site type and created your NGINX host file. Now we’re ready to install phpMyAdmin manually. You can use the command below to install phpMyAdmin automatically with the following caveat: if you issue mysql_secure_installation and change the password ee generated, you may get storage and blowfish security errors in phpMyAdmin later. Skip this step for manual phpMyAdmin installation. To let ee install phpMyAdmin automatically (keeping the default root MySQL password), issue the following:

Manually install phpMyAdmin:

In order to install phpMyAdmin manually, we need to know the root password ee generated for MySQL, so issue the following and make a note of it:

Update and install:

  1. When it asks for web server to reconfigure automatically, tab to “OK” to skip the web server options.
  2. Choose “YES” when it asks if you want dbconfig-common to configure a database for phpmyadmin.
  3. Enter the root MySQL password, from the step above, when prompted.
  4. Create a strong phpmyadmin password and enter it twice to confirm. I like this password generator. Set it for 16 characters and check all the boxes – just make sure you copy all your secure passwords somewhere safe so you don’t get locked out of MySQL/phpMyAdmin!
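Both secrets this tutorial asks you to invent, the WordPress table prefix from the site-creation note and the 16-character password above, can be generated on the server itself instead of in a web page. This is an added example, not part of the original tutorial; the helper names, the symbol set and the letter-first prefix rule are assumptions.

```sh
#!/bin/sh
# Added example: draw the WordPress table prefix and the 16-character
# passwords from the kernel CSPRNG so they never pass through a web page.

# rand_chars SET LEN -> LEN random characters from SET (a tr character set).
rand_chars() {
    LC_ALL=C tr -dc "$1" < /dev/urandom | head -c "$2"
}

# wp_prefix [LEN] -> LEN alphanumerics plus the trailing underscore,
# e.g. the shape of "R7sj4Y_". The first character is forced to a letter
# (conservative assumption: avoids identifiers that start with digits).
wp_prefix() {
    printf '%s%s_\n' "$(rand_chars 'A-Za-z' 1)" \
        "$(rand_chars 'A-Za-z0-9' $(( ${1:-6} - 1 )))"
}

# strong_password [LEN] -> password containing at least one upper-case
# letter, lower-case letter, digit and symbol ("check all the boxes").
# '#' is left out of the symbol set because it starts a comment in MySQL
# option files, where the root password may end up being stored.
strong_password() (
    LC_ALL=C; export LC_ALL          # make [A-Z] / [a-z] mean ASCII only
    while :; do
        pw=$(rand_chars 'A-Za-z0-9!@%^*_+=-' "${1:-16}")
        case $pw in *[A-Z]*) ;; *) continue ;; esac
        case $pw in *[a-z]*) ;; *) continue ;; esac
        case $pw in *[0-9]*) ;; *) continue ;; esac
        case $pw in *[!A-Za-z0-9]*) ;; *) continue ;; esac
        printf '%s\n' "$pw"
        exit 0
    done
)

# Print samples only when asked to:  sh gen-secrets.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "prefix:   $(wp_prefix)"
    echo "password: $(strong_password)"
fi
```

Candidates missing a character class are discarded and redrawn rather than patched, so every accepted password is still uniformly random within the allowed set.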

We can place a symbolic link to phpMyAdmin in the utilities webroot, so you can access it directly from the ee admin page – https://example.com:22222

Now, secure that shit!

  1. At the prompt, enter the default root MySQL password.
  2. Change your password to something more secure.
  3. Confirm the NEW password
  4. Remove anonymous users: Enter Y for YES
  5. Disallow root login remotely? Depends: it’s definitely more convenient, but less secure to be able to login as root. You decide.
  6. Remove test database: Enter Y for YES
  7. Reload privilege tables now: Enter Y for YES

If you changed the root MySQL password, don’t forget to also change it in the following file, or ee won’t be able to create new databases.

While we’re locking things down, I recommend creating your own username and a more secure password for the EasyEngine admin tools. To change the default HTTP USERNAME and PASSWORD, issue the following:

Enter desired username and password.

Optional: install Webmin

Add the following 3 lines to sources.list:

Save and close nano, then add the webmin key, update the sources and install webmin:

You can access Webmin by replacing example.com with your actual domain and going to — https://example.com:10000
Enter your Linux username and password.
Since we’ve already locked down the ports to your IP, you can safely log in as root, but you may need to create a password for root if you haven’t already done so.

  1. Enter your current user password
  2. Create secure root password (I’m not playing here, this should be the most secure password on your whole system)
  3. Enter again to confirm

Optional: install ownCloud

NOTE: This tutorial is based on ownCloud 8.0.2. The next point release (8.0.3) was released May 1, 2015, but has a known issue with MySQL/MariaDB that may cause your installation to fail. There are two potential solutions, but I’d rather skip 8.0.3 and wait for a proper fix in the next point or major release.

To be able to accommodate large file uploads, we need to tune PHP for ownCloud. ownCloud will throw errors if the default_charset isn’t set to utf-8. If it isn’t already defined in php.ini, just add it to the bottom of the [PHP] section. Open up php.ini and change the values to match the ones below:

upload_max_filesize = 10G
post_max_size = 10G
output_buffering = 0
max_input_time = 54000
memory_limit = 128M
default_charset = "utf-8"
always_populate_raw_post_data = -1

We need to replace the default ee host file that EasyEngine created for ownCloud to get everything working with NGINX. Open the host file for your ownCloud install:

CTRL+K to delete every line in there. Then, copy and paste the contents of the config below and don’t forget to replace “cloud.example.com” with your actual domain.

We need to know the MySQL DB user, DB name and password that ee generated. Execute the following to find it:

Now, point your browser to cloud.example.com (obviously, replace with your actual domain) so we can finish installing ownCloud from the web front-end.

  1. Create an admin account: Choose a username and give it a strong password
  2. Keep the default data folder
  3. Enter Database user from previous step
  4. Enter DB password from previous step
  5. Enter DB name from previous step
  6. Keep default localhost
  7. Click “Finish setup” button

Voila! You should be staring at the First Run Wizard in your ownCloud Admin page. That’s it! Just repeat the steps below for each domain/site you’d like to host on your Droplet and adjust the DNS records for each domain. Details on securing your site with SSL and concatenating the certs for NGINX and adding Amazon S3 remote storage to your ownCloud coming soon!

Decide what type of website you’re building:

Just replace “example.com” with your actual domain and execute the appropriate command below, for the type of site you’re installing:

Standard WordPress Sites

WordPress Multisite with subdirectory

WordPress Multisite with subdomain

Non-WordPress Sites

WordPress with HHVM Site

WordPress with Pagespeed Site