Deploying a Secured Apache Server on Amazon AWS EC2

Image for post
Image for post
Photo by Tony Webster from Minneapolis, Minnesota, United States

In this post I am going to guide you how to enable a secured communication between an Apache server and its clients using Transport Layer Security (TLS) which is a necessary requirement for basic cyber security.

Requirements

  1. Windows 10 development machine
  2. This guide assumes that you already have your own domain name (your-domain-name.com) hosted by some domain registrar. We will use a subdomain of this domain (app.your-domain-name.com) for our new server.
  3. We will install the Apache server on EC2 which is the Amazon’s service for running virtual machines. If you don’t have one, you will need to open an account in AWS (Amazon Web Services) in https://aws.amazon.com.

Before starting, here are the main steps

  1. Creating a virtual machine in AWS
  2. Connecting to the virtual machine using SSH
  3. Installing Apache server on the virtual machine
  4. Directing the sub domain to your AWS account
  5. Installing the security certificate

So, let’s begin!

Step 1 — Creating a virtual machine in AWS

  1. Open AWS Console (https://console.aws.amazon.com/) and select EC2 Service. You can find this service by typing “EC2” in the find services search box.
Image for post
Image for post

2. Click on “Launch instance” button.

Image for post
Image for post

3. From “Step 1: Choose an Amazon Machine Image (AMI)” screen, choose “Amazon Linux 2…” by clicking the “Select” button which is next to it.

Image for post
Image for post

4. From “Step 2: Choose an Instance Type” screen, choose the hardware specification for your machine. You can choose the General purpose t2.micro marked as “Free tier eligible” and click on “Next: Configure Instance Details” button.

Image for post
Image for post

5. Skip “Step 3: Configure Instance Details” by clicking “Next: Add Storage”.

Image for post
Image for post

6. Skip “Step 4: Add Storage” by clicking “Next: Add Tags”.

Image for post
Image for post

7. Skip “Step 5: Add Tags” by clicking “Next: Configure Security Group”.

Image for post
Image for post

8. From “Step 6: Configure Security Group” screen, open ports 443 for HTTPS communication and port 80 for HTTP communication by doing as following:

8.1. Click “Add Rule” button.

Image for post
Image for post

8.2. In the new row that has just been added to the table:

8.2.1. Select “HTTPS” in the type field.

8.2.2. Select “Anywhere” in the Source field.

Image for post
Image for post

8.3. Click “Add Rule” button

8.4. In the new row that has just been added to the table:

8.4.1. Select “HTTP” in the type field.

8.4.2. Select “Anywhere” in the Source field.

Image for post
Image for post

9. Click “Review and Launch” button.

Image for post
Image for post

10. Click “Launch” button.

Image for post
Image for post

11. In “Select an existing key pair or create a new key pair” dialog that will appear at this stage you have two options: using an existing key pair or creating a new key pair.

Image for post
Image for post

If you don’t already have a key pair file, do as following:

11.1. Select “Create a new key pair” in the upper drop-down box

11.2. Fill the “key pair name” text box with the name “app”

11.3. Click on “Download Key Pair” — a file named “app.pem” will be downloaded into your Downloads folder.

Image for post
Image for post

11.4. Click “Launch Instances” button.

Image for post
Image for post

12. Click “View Instances” button.

Image for post
Image for post

13. At this point you will see a table of all the EC2 machines (instances) running on your AWS account.

Image for post
Image for post

14. Give your new machine a name by clicking on the empty area under “Name” column and typing “app” as a name.

Image for post
Image for post

15. Wait while the machine is initialized until its “Instance State” is “running”

At this point you have a running virtual machine on AWS

Step 2 — Connecting to the virtual machine using SSH

  1. Install a Linux sub system for Windows 10 (if it is not installed yet) according the following steps:

1.1. Enable the “Windows Subsystm for Linux” optional by opening a Power-Shell window as Administrator and executing the following command:
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart

1.2. Open “Microsoft Store”

1.3. Type “Ubuntu 20” in the search box

1.4. Click on one of the Ubuntu distributions, for example “Ubuntu 20.04 LTS”

1.5. Click on “Get” button.

Image for post
Image for post

2. Start Ubuntu application — a Linux command line console window will appear.

Image for post
Image for post

3. Copy the key pair file you created while creating the virtual machine according the following steps:

3.1. Find the full path of your Downloads folder by opening it using Windows Explorer and copying it from the path box.

3.2. Type a Linux copy command of the key-pair file from “Downloads” folder into your Linux local folder while converting the Windows path into a Linux path by replacing “c:” with “/mnt/c” and replacing all backslashes with slashes. The following example will make it clearer.

3.2.1. Assuming the Windows path of your Downloads folder is:

C:\Users\97252\Downloads

3.2.2. The copy command should be:
cp /mnt/c/Users/97252/Downloads/app.pem .

(don’t miss the dot at the end)

Image for post
Image for post

4. Limit the access permission of the key file using the command:
chmod 400 app.pem

Image for post
Image for post

5. Open the “Connect to your instances” dialog box by doing as following:

5.1. Select your “app” machine from the list of instances

5.2. Click on “Connect” button

Image for post
Image for post

6. Copy the ssh command appears in the dialog box under “Example:”.It should be something like this:
ssh -i "app.pem" ec2-user@ec2-72-201-999-155.compute-1.amazonaws.com

Image for post
Image for post

7. Paste the command you copied in the previous step into your Ubuntu command line window

Image for post
Image for post

There are other options of connecting to your Linux instance in the following link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html

At this point you are connected to your running virtual machine using SSH.

Step 3 — Installing Apache server on the virtual machine

Execute the following steps using the SSH connection which was established in Step 2.

  1. To ensure that all of your software packages are up to date, type:
    sudo yum update -y
  2. Install the Apache web server by typing:
    sudo yum install -y httpd
  3. Start the service by typing:
    sudo service httpd start

At this point you should have an empty unsecured website.

For testing your website do as following:

  1. Find the IP address of your virtual machine:

1.1. Select the machine from the Instances table

1.2. You can find the IP address in the lower part of the screen, in the “Description” tab, beside the text “IPv4 Public IP”

Image for post
Image for post

1.3. Select the IP address and copy it

2. Paste the IP address in the address bar of your browser. The following page should be displayed in the browser:

Image for post
Image for post

Step 4 — Directing the sub domain to your AWS account

  1. Log in into the website of your domain registrar and open the Domain Setting table of your domain name (your-domain-name.com)
  2. Add two new records into the table according the following example. Put the IP address of the virtual machine (which was found in step 3) instead of 11.11.11.11.
Image for post
Image for post

It might take several minutes until this setting will take effect.

For testing it, try browsing the URL (app.your-domain-name.com). You should see the same Apache’s test page as in Step 3.

Step 5 — Installing the security certificate

Execute the following steps using the SSH connection which was established in Step 2:

  • Edit the main Apache configuration file, /etc/httpd/conf/httpd.conf (you can do it using “nano” editor by typing sudo nano /etc/httpd/conf/httpd.conf). Locate the “Listen 80” directive and add the following lines after it:
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName "app.your-domain-name.com"
ServerAlias "www.app.your-domain-name.com"
</VirtualHost>
  • Save the file and restart Apache:
sudo systemctl restart httpd
  • Install and enable EPEL
cd /tmp
wget -O epel.rpm –nv \
https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y ./epel.rpm
  • Install certbot, the Let’s Encrypt client to be used to obtain an SSL/TLS certificate and install it into Apache
sudo yum install python2-certbot-apache.noarch

Respond “Y” to all requests for approval to install the software.

  • Use the following command to install certbot (replace your-domain-name with your domain name):
sudo certbot -i apache -a manual \
--preferred-challenges dns -d app.your-domain-name.com

You are prompted for the following information:

  1. E-mail address for renewals? Enter an email address for certificate renewals.
  2. Accept the terms of services? Respond as appropriate.
  3. Send your e-mail address to the EFF? Respond as appropriate.
  4. Log your current IP address? Respond as appropriate.

You will be asked to insert a challenge string into your domain registrar for validating that you are the owner of the domain name.

Image for post
Image for post

Don’t click Enter before completing setting the challenge as following:

  1. Log in into the website of your domain registrar and open the Domain Setting table of your domain name (your-domain-name.com)

2. Add a new record into the table with the following values:

2.1. Type: TXT

2.2. Name: _acme-challenge.app

2.3. Value: BMDCv9tpB9FKnDNz6tHMivBMDCv9tpB9FKnDNz6tHMiv (replace with the challenge string you got in the console window)

3. Open an additional SSH connection window (as done in Step 2)

4. Type nslookup in the other SSH window

5. Type set ty=txt in the other SSH window

6. Type _acme-challenge.app.your-domain-name.com in the other SSH window

7. It can take several seconds or minutes until setting the challenge takes effect. Repeat step 6 until the challenge string is displayed in the other SSH window

8. Now you can click Enter in the first SSH window.

Validate the installation:

Browse to the http://app.your-domain-name.com site. You are redirected to the SSL/TLS page https://app.your-domain-name.com.

Image for post
Image for post

You can read more details about this step here https://aws.amazon.com/blogs/compute/extending-amazon-linux-2-with-epel-and-lets-encrypt/

I hope that this tutorial did help. Please let me know if you find any mistake.

Originally published at https://www.orensifri.meddevsoft.com.

Written by

Software developer & architect. CTO at MedDev Soft