
Webserver Configuration and Installation

Firewall Configuration

Inbound Rules

Type       | Protocol | Port Range | Sources
SSH        | TCP      | 22         | 143.58.215.147, 152.89.76.109/32, 152.89.76.111/32, 185.22.208.0/25, 185.22.211.0/24, 2a00:67a0:a:1::/64, 2a03:2800:0300::/64, 86.14.230.138, Bastion (tag)
HTTP       | TCP      | 80         | mg-ub-lb-001
HTTPS      | TCP      | 443        | mg-ub-lb-001
Custom     | TCP      | 2049       | mg-ub-nfs-001
Custom     | TCP      | 6379       | ProductionWebserver (tag)

Outbound Rules

Type       | Protocol | Port Range | Destinations
ICMP       | ICMP     | -          | All IPv4, All IPv6
All TCP    | TCP      | All ports  | RabbitMQ (tag)
HTTP       | TCP      | 80         | All IPv4, All IPv6
Custom     | TCP      | 123        | mg-ub-web-001
HTTPS      | TCP      | 443        | All IPv4, All IPv6
Custom     | TCP      | 587        | All IPv4, All IPv6
Custom     | TCP      | 2049       | mg-ub-nfs-001
MySQL      | TCP      | 3306       | Database (tag)
Custom     | TCP      | 6379       | All IPv4, All IPv6
Custom     | TCP      | 8080       | All IPv4, All IPv6
Custom     | TCP      | 8081       | ProductionWebsocket (tag)
Custom     | TCP      | 27017      | Mongo (tag)
All UDP    | UDP      | All ports  | All IPv4, All IPv6
DNS (UDP)  | UDP      | 53         | All IPv4, All IPv6
Custom     | UDP      | 123        | All IPv4, All IPv6
Custom     | UDP      | 323        | All IPv4, All IPv6

Webserver Installation

Initial Setup

  1. Spin up a new droplet in Digital Ocean
  2. Specify London as the region to deploy to
  3. Select Ubuntu 24.04 (LTS) as the OS
  4. Select 'Regular' → '4GB/2 CPUs' (this may change, depending on the scenario which requires a new server)
  5. For SSH keys, 'Select all'
  6. Select 'Add improved metrics monitoring and alerting (free)'
  7. Set the hostname to the new number in the naming standard 'mg-ub-web-00x'
  8. Update the OS

SSH into the bastion and from there into the new server by IP as root (you may need to tweak ~/.ssh/known_hosts first).

apt update && apt upgrade -y

If you receive a screen mentioning versions of openssh server, select 'keep existing version'.

Add Relevant Users

useradd -m -d /home/marc.north -s /bin/bash marc.north
useradd -m -d /home/eudald.rossell -s /bin/bash eudald.rossell
useradd -m -d /home/andrew.cruickshank -s /bin/bash andrew.cruickshank
useradd -m -d /home/deployhq -s /bin/bash deployhq
sh -c "echo 'marc.north ALL=NOPASSWD: ALL' >> /etc/sudoers"
sh -c "echo 'eudald.rossell ALL=NOPASSWD: ALL' >> /etc/sudoers"
sh -c "echo 'andrew.cruickshank ALL=NOPASSWD: ALL' >> /etc/sudoers"
sh -c "echo 'deployhq ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2' >> /etc/sudoers.d/deployhq"

Configure Users' SSH Keys

Create each user's .ssh folder and authorized_keys file with the permissions sshd requires:

mkdir /home/marc.north/.ssh
chmod 700 /home/marc.north/.ssh
touch /home/marc.north/.ssh/authorized_keys
chmod 600 /home/marc.north/.ssh/authorized_keys
chown -R marc.north:marc.north /home/marc.north

mkdir /home/eudald.rossell/.ssh
chmod 700 /home/eudald.rossell/.ssh
touch /home/eudald.rossell/.ssh/authorized_keys
chmod 600 /home/eudald.rossell/.ssh/authorized_keys
chown -R eudald.rossell:eudald.rossell /home/eudald.rossell

mkdir /home/andrew.cruickshank/.ssh
chmod 700 /home/andrew.cruickshank/.ssh
touch /home/andrew.cruickshank/.ssh/authorized_keys
chmod 600 /home/andrew.cruickshank/.ssh/authorized_keys
chown -R andrew.cruickshank:andrew.cruickshank /home/andrew.cruickshank

Copy the public ssh keys from /root/.ssh/authorized_keys into each of the authorized_keys files:

vim /home/marc.north/.ssh/authorized_keys
vim /home/eudald.rossell/.ssh/authorized_keys
vim /home/andrew.cruickshank/.ssh/authorized_keys

Install Apache, PHP8.4 and Certbot/Let's Encrypt

apt install apache2 -y
add-apt-repository ppa:ondrej/php
apt install libapache2-mod-php8.4 php8.4-redis php8.4-imagick php8.4-mongodb php8.4-mysql php8.4-zip php8.4-xml php8.4-xmlrpc php8.4-gd php8.4-curl php8.4-dev php8.4-mcrypt php8.4-mbstring php8.4-amqp -y
a2enmod headers && a2enmod ssl && a2enmod rewrite && a2enmod proxy_http && systemctl restart apache2

Use the linked guide for installing and auto-renewing SSL certificates: Configuring Certbot for auto-renew

Get Updates and Install Necessary Apps

apt update && apt upgrade -y
apt install net-tools vim nfs-common postfix mailutils ntp -y

Select 'Internet site' on the screen displayed (the Postfix configuration prompt) and accept the proposed name.

Configure PHP

Open /etc/php/8.4/apache2/php.ini:

  1. Locate session.save_handler and comment out the line
  2. Add the following below that line, after replacing {redis-server-private-ip} with the private IP of mg-web-001 (not mg-ub-web-001):

session.save_handler = redis
session.save_path = "tcp://{redis-server-private-ip}:6379?auth=905q6v930nMNHEl"

  3. Change the directive max_execution_time to 300:

max_execution_time = 300

  4. Change the directive max_input_vars to 10000:

max_input_vars = 10000

  5. Change the directive memory_limit to 1024M:

memory_limit = 1024M

  6. Change the directive post_max_size to 50M:

post_max_size = 50M

  7. Change the directive upload_max_filesize to 50M:

upload_max_filesize = 50M

  8. Change the directive max_file_uploads to 50:

max_file_uploads = 50

  9. In the opcache section, add the following:

; Determines if Zend OPCache is enabled
opcache.enable=1

; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=1

; The OPcache shared memory storage size.
opcache.memory_consumption=512

opcache.save_comments=1
opcache.jit_buffer_size=256M
opcache.jit=tracing

  10. Create a new file /etc/php/8.4/apache2/conf.d/90-upload_max_filesize.ini with contents:

upload_max_filesize = 50M
post_max_size = 51M
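As an added example (not part of the runbook), the php.ini edits above can be applied from a script rather than by hand in vim, which makes the result reviewable and repeatable across mg-ub-web-00x servers. The helper replaces a directive whether it is currently active or commented out with ';', prefers an active line over a commented example in the explanatory comment blocks that real php.ini files contain, and appends the directive if it is absent. The sample ini, the private IP and the {redis-password} placeholder are constructed for the example; the real value is the one in the runbook.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: idempotent php.ini directive editing.
set -euo pipefail

# Set "key = value" in an ini file. An active line is replaced first; if none
# exists, the first commented-out occurrence is replaced; otherwise the
# directive is appended. The file is rewritten in place to keep owner and mode.
php_set_directive() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    BEGIN {
      re = key; gsub(/\./, "\\.", re)                 # literal dots in the key
      active    = "^[ \t]*" re "[ \t]*="
      commented = "^[ \t]*;[ \t]*" re "[ \t]*="
      have_active = 0; done = 0
    }
    NR == FNR { if ($0 ~ active) have_active = 1; next }   # pass 1: scan
    !done && $0 ~ active { print key " = " value; done = 1; next }
    !done && !have_active && $0 ~ commented { print key " = " value; done = 1; next }
    { print }
    END { if (!done) print key " = " value }
  ' "$file" "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Print the active (uncommented) value of a directive, or nothing if unset.
php_get_directive() {
  local file="$1" key="$2"
  awk -v key="$key" '
    BEGIN { re = key; gsub(/\./, "\\.", re); re = "^[ \t]*" re "[ \t]*=" }
    $0 ~ re { sub(re, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
  ' "$file"
}

# The runbook's directive changes, with a placeholder for the Redis password.
apply_runbook_settings() {
  local file="$1" redis_ip="$2"
  php_set_directive "$file" session.save_handler redis
  php_set_directive "$file" session.save_path "\"tcp://$redis_ip:6379?auth={redis-password}\""
  php_set_directive "$file" max_execution_time 300
  php_set_directive "$file" max_input_vars 10000
  php_set_directive "$file" memory_limit 1024M
  php_set_directive "$file" post_max_size 50M
  php_set_directive "$file" upload_max_filesize 50M
  php_set_directive "$file" max_file_uploads 50
}

# A constructed php.ini fragment (not a real one) mimicking the commented
# examples that precede the real directives in the shipped file.
make_sample_ini() {
  cat > "$1" <<'EOF'
; Constructed sample, not a real php.ini
[Session]
; Examples:
;     session.save_path = "N;/path"
session.save_handler = files
;session.save_path = "/var/lib/php/sessions"
max_execution_time = 30
memory_limit = 128M
EOF
}

# Usage on the server: apply_runbook_settings /etc/php/8.4/apache2/php.ini 10.0.0.5
```

Values set in /etc/php/8.4/apache2/conf.d/*.ini are parsed after php.ini, which is why the runbook's 90-upload_max_filesize.ini drop-in (post_max_size 51M) takes precedence over the 50M written into php.ini itself; php_get_directive only reads one file, so check the drop-in too when verifying the effective value.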

Firewall Rules

Add the new droplet to the mg-ub-webserver firewall:

  - Go to Digital Ocean Firewall Rules
  - For TCP port 6379, add the name of the webserver

FYI, firewalls here: Firewall configuration

Most rules will be applied automatically; this is more of a sanity check to ensure they are. It will all be simpler once the DO tags have been updated.

Required firewall rules:

  - New webserver needs to allow outgoing connections on all TCP ports to RabbitMQ
  - RabbitMQ needs to accept incoming connections on all TCP ports from the new webserver
  - New webserver needs to allow outgoing connections on TCP port 123 to mg-ub-web-001
  - mg-ub-web-001 needs to accept incoming connections on TCP port 123 from the new webserver
  - New webserver needs to allow outgoing connections on TCP port 2049 to mg-ub-nfs-001
  - mg-ub-nfs-001 needs to accept incoming connections on TCP port 2049 from the new webserver
  - New webserver needs to allow outgoing connections on TCP port 3306 to Database (tag)
  - Database (tag) needs to accept incoming connections on TCP port 3306 from the new webserver
  - New webserver needs to allow outgoing connections on TCP ports 8080 and 8081 to ProductionWebsocket (tag)
  - ProductionWebsocket (tag) needs to accept incoming connections on TCP ports 8080 and 8081 from the new webserver
  - New webserver needs to allow outgoing connections on TCP port 27017 to Mongo (tag)
  - Mongo (tag) needs to accept incoming connections on TCP port 27017 from the new webserver
  - Add mg-ub-web-00x to the mg-websocket firewall, allowing inbound connections on ports 8080-8081
  - Add mg-ub-web-00x to the mg-mongo firewall, allowing inbound connections on port 27017
  - Add mg-ub-web-00x to the mg-rabbitmq firewall, allowing inbound connections on all TCP ports
  - Attach the tag 'Webserver' to the new webserver
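An added check, not part of the runbook, for the required-rules list above: run on the new webserver it attempts a TCP connection to each required destination, so a missing egress rule (or a missing inbound rule on the peer) is reported before the first deployment instead of during it. The host names are placeholders to fill in with the private IPs from the DO console, and 5672 is assumed as the RabbitMQ port (the rule itself allows all TCP ports). It uses only coreutils' timeout and bash's /dev/tcp, so nothing extra needs installing.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: verify required egress from the new
# webserver. Exit status is the number of destinations that could not be reached.
set -uo pipefail

# One "label host port" per line. Hosts are placeholders; 5672 is an assumed
# RabbitMQ port since the firewall rule covers all TCP ports.
REQUIRED_EGRESS='
rabbitmq   {rabbitmq-private-ip}      5672
ntp-web001 {mg-ub-web-001-private-ip} 123
nfs        {mg-ub-nfs-001-private-ip} 2049
mysql      {database-private-ip}      3306
websocket  {websocket-private-ip}     8080
websocket  {websocket-private-ip}     8081
mongo      {mongo-private-ip}         27017
smtp       smtp.office365.com         587
'

# TCP connect test with a timeout (default 3 s); succeeds only if the
# three-way handshake completes, so a firewall drop shows up as a failure.
check_tcp() {
  local host="$1" port="$2" timeout_s="${3:-3}"
  timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Run every line of a checklist (defaults to REQUIRED_EGRESS), print one
# PASS/FAIL line each, and return the failure count.
run_egress_checks() {
  local failures=0 label host port
  while read -r label host port; do
    [ -n "$label" ] || continue
    if check_tcp "$host" "$port"; then
      printf 'PASS %-10s %s:%s\n' "$label" "$host" "$port"
    else
      printf 'FAIL %-10s %s:%s\n' "$label" "$host" "$port"
      failures=$((failures + 1))
    fi
  done <<< "${1-$REQUIRED_EGRESS}"
  return "$failures"
}

# Usage on the new webserver after the firewall rules are in place:
#   run_egress_checks; echo "unreachable destinations: $?"
```

A PASS here proves both halves of each rule pair at once: the webserver's outbound rule and the peer's inbound rule. A FAIL on a destination that is known to be up points at one of the two, which narrows the search in the DO console.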

Configure NFS Mount

Paste the following at the end of /etc/fstab, after replacing {nfs-server-private-ip} with the private IP of mg-ub-nfs-001:

vim /etc/fstab

Add:

{nfs-server-private-ip}:/mnt/volume_lon1_07 /mnt/mg-ub-nfs-001/volume_lon1_07 nfs defaults 0 0

SSH into mg-ub-nfs-001:

vim /etc/exports

Add the below, replacing {new-webserver-private-ip} with the private IP of the new webserver:

/mnt/volume_lon1_07 {new-webserver-private-ip}(rw,sync,no_subtree_check)

Save the file and run:

exportfs -ra

Exit back to new webserver.

Create mount directory and reboot:

mkdir /mnt/mg-ub-nfs-001
reboot

Once back up, SSH into the webserver and verify the directory exists:

cd /mnt/mg-ub-nfs-001/volume_lon1_07/storage
ls -al

Verify the following subdirectories exist:

  - customise
  - documents
  - grid-exports
  - keys
  - profile-images
  - tmp

Configure Webserver Details

Create necessary directories:

mkdir -p /var/www/vhosts/app.methodgrid.com/httpdocs
chown deployhq: /var/www/vhosts/app.methodgrid.com/httpdocs

DeployHQ Configuration

In DigitalOcean, modify the webserver's firewall rules to allow SSH access from DeployHQ.

Current IP ranges are as follows:

  - 185.22.211.30-185.22.211.31
  - 185.22.211.97-185.22.211.100

These are liable to change, so check the rules when setting up DeployHQ.

Configure a new webserver in DeployHQ for the Grid project using mg-ub-web-004:

  - Select 'No Server Group' in the 'Group (optional)' dropdown
  - Select SSH as the method to deploy
  - Set the 'Hostname' as the external IP of the server
  - Set the 'Username' as deployhq
  - Select 'Use an SSH key rather than password authentication'
  - Set the deployment path to /var/www/vhosts/app.methodgrid.com/httpdocs
  - Under 'deployment options', set 'Subdirectory to deploy from' to /httpdocs/miab

Add the deployhq ssh key to new webserver:

mkdir -p /home/deployhq/.ssh
chmod 700 /home/deployhq/.ssh
touch /home/deployhq/.ssh/authorized_keys
chmod 600 /home/deployhq/.ssh/authorized_keys
chown -R deployhq: /home/deployhq/.ssh

Add deployhq public key to /home/deployhq/.ssh/authorized_keys.

Save the server in DeployHQ.

Postfix Configuration

Back to the webserver:

cd /etc/postfix

Backup the main.cf file:

cp -p ./main.cf ./main.cf.bck

Open main.cf, empty the file, and enter the contents from postfix.txt (see Confluence for template).

In main.cf, change any reference to 'ubuntu-s-1vcpu-1gb-amd-lon1-01' to the hostname of the new server.

Create a new file called sasl_passwd_ms. Enter the following:

[smtp.office365.com]:587 noreply@methodgrid.com:{get password from one of the other servers}

Exit, and then run:

postmap /etc/postfix/sasl_passwd_ms
systemctl restart postfix
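An added example, not part of the runbook, for the sasl_passwd_ms step above. The Postfix SASL documentation asks for the client password file, and the lookup table postmap builds from it, to be mode 0600 so the relay password is not readable by other local accounts; the runbook's steps create both with the default umask. This script writes the file with the right mode from the start, builds the map when postmap is installed, and looks the entry back up. POSTFIX_DIR and RELAY_PASSWORD are assumed names for the example; the password is taken from the environment rather than the command line so it does not end up in shell history or ps output.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: create the Postfix relay credential file
# with restrictive permissions and build its lookup table.
set -euo pipefail

POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"   # assumed override for dry runs

# Write "[relayhost]:port user:password" to sasl_passwd_ms as mode 0600 and
# print the path. RELAY_PASSWORD must be set in the environment.
write_sasl_passwd() {
  local relay="$1" user="$2" file="$POSTFIX_DIR/sasl_passwd_ms"
  : "${RELAY_PASSWORD:?set RELAY_PASSWORD in the environment}"
  ( umask 077; printf '%s %s:%s\n' "$relay" "$user" "$RELAY_PASSWORD" > "$file" )
  chmod 0600 "$file"
  printf '%s\n' "$file"
}

# Build the lookup table if Postfix is installed (postmap uses the configured
# default_database_type, so the output may be .db or .lmdb) and lock it down,
# since postmap creates it with the process umask, not the source file's mode.
build_sasl_map() {
  local file="$1" db
  if command -v postmap >/dev/null 2>&1; then
    postmap "$file"
    for db in "$file.db" "$file.lmdb"; do
      if [ -e "$db" ]; then chmod 0600 "$db"; fi
    done
  fi
}

# Print the credential line whose first field equals the relay key; fail if
# the key is absent, which is the usual cause of "SASL authentication failed".
lookup_relay() {
  local file="$1" relay="$2"
  awk -v k="$relay" '$1 == k { print; found = 1; exit } END { exit !found }' "$file"
}

# Usage on the webserver (root), password taken from another server's file:
#   RELAY_PASSWORD='...' write_sasl_passwd '[smtp.office365.com]:587' noreply@methodgrid.com
#   build_sasl_map /etc/postfix/sasl_passwd_ms && systemctl restart postfix
```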

Apache Configuration

cd /etc/apache2/sites-available
nano production.conf

Enter the contents from production.conf (see Confluence for template).

Edit the file to set the specific letsencrypt folder (it's different for some servers).

Exit and create symlink:

ln -s ../sites-available/production.conf /etc/apache2/sites-enabled/production.conf

ClamAV Installation

Install ClamAV:

apt install clamav clamav-daemon -y
systemctl enable clamav-daemon
systemctl start clamav-daemon

Open /etc/systemd/system/sockets.target.wants/clamav-daemon.socket:

Comment out the line ListenStream=/run/clamav/clamd.ctl and uncomment the line below, changing the port to 3310.

The [Socket] section should now look like this:

[Socket]
#ListenStream=/run/clamav/clamd.ctl
ListenStream=3310
SocketUser=clamav
SocketGroup=clamav
RemoveOnStop=True

Reload ClamAV:

systemctl daemon-reload
systemctl restart clamav-daemon
systemctl restart clamav-daemon.socket

Run systemctl status clamav-daemon.socket and verify that it shows Listen: [::]:3310 (Stream).

Run netstat -peanut | grep 3310 and verify that it shows port 3310 being listened on.

Allow ClamAV (through its AppArmor profile) to read the files on the NFS storage volume:

echo '/mnt/mg-ub-nfs-001/volume_lon1_07/storage/** r,' >> /etc/apparmor.d/local/usr.sbin.clamd
apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
systemctl restart clamav-daemon
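An added example, not part of the runbook, for the ClamAV socket change above. It puts the TCP listener in a systemd drop-in under /etc/systemd/system/clamav-daemon.socket.d/ instead of editing the unit that sockets.target.wants points at (that entry is a symlink to the packaged unit file, so a later clamav-daemon package upgrade can put the Unix socket back), and it checks from `ss -ltn` output that port 3310 is actually bound. The listener value is the runbook's ListenStream=3310; SYSTEMD_DIR is an assumed override so the drop-in can be written to a scratch directory for review, and the ss sample in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: clamd TCP socket as a systemd drop-in,
# plus a listener check that parses `ss -ltn` output.
set -euo pipefail

SYSTEMD_DIR="${SYSTEMD_DIR:-/etc/systemd/system}"   # assumed override

# Write the drop-in and print its path. The empty ListenStream= resets the
# packaged /run/clamav/clamd.ctl entry; without it clamd would listen on both.
write_clamd_socket_override() {
  local dir="$SYSTEMD_DIR/clamav-daemon.socket.d" file
  file="$dir/override.conf"
  mkdir -p "$dir"
  cat > "$file" <<'EOF'
[Socket]
ListenStream=
ListenStream=3310
EOF
  printf '%s\n' "$file"
}

# Reload unit definitions and restart the socket and daemon (root only).
apply_clamd_socket_override() {
  systemctl daemon-reload
  systemctl restart clamav-daemon.socket
  systemctl restart clamav-daemon
}

# Read `ss -ltn` output on stdin; succeed if any listener's local address
# (column 4, e.g. [::]:3310 or 0.0.0.0:3310) ends in the given port.
listening_on_port() {
  local port="$1"
  awk -v port="$port" 'NR > 1 && $4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# Usage on the webserver (root):
#   write_clamd_socket_override && apply_clamd_socket_override
#   ss -ltn | listening_on_port 3310 && echo "clamd listening on 3310"
```

Because ListenStream=3310 binds every address, the inbound firewall table at the top of this page (which has no rule for 3310) is what keeps the scanner reachable only from the webserver itself; listening_on_port confirms the bind, not the exposure.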

Clean Up

systemctl reload postfix
systemctl enable postfix
systemctl enable apache2
reboot

Configure DeployHQ Commands

Go into DeployHQ, select 'Grid' project → Select 'SSH Commands'.

Add the new webserver to:

  - Delete folders for domain customisation and profile images (mg-ub-web-*)
  - Restart apache
  - Delete cache files

Pre Full Deployment (Webserver)

On new webserver:

cd /var/www/vhosts/app.methodgrid.com/httpdocs/app
mkdir logs cache
chown deployhq: cache
chmod 777 cache
chown deployhq: logs
chmod 777 logs

Full Deployment (DeployHQ)

  1. Select the 'Grid' project
  2. Click 'Deploy project'
  3. Select the new webserver in the dropdown
  4. Click the purple icon in the 'Start Revision' area
  5. Select 'Deploy the entire repository'
  6. Deploy
  7. Verify the deployment completes

Clean Users

  1. Ensure you can log in as your own user on the new webserver
  2. Remove SSH keys from /root/.ssh/authorized_keys

Stop Here For Testing Purposes

After testing the new webserver:

  1. Do a normal deployment of the new webserver
  2. Go into DeployHQ, and in the Grid project, update the server group for the new server to 'MG - Production'
  3. Add the new webserver to the Load Balancer in Digital Ocean
