Tags: aws apache php ssl firewall

AWS AL2 Apache PHP installation | itcore 2021

Preparation, Install Apache and PHP, Start Apache, Allow .htaccess, Firewall, Verify Apache, Verify PHP, Static IP, DNS, SSL, Check logs, Timezone setting

Preparation

Create an AWS EC2 instance running Amazon Linux 2.

Install Apache and PHP

Update the system, list the PHP versions offered by Amazon Linux Extras, enable one of them, then install Apache:

sudo yum update -y
amazon-linux-extras | grep php
42 php7.4 available [ =stable ]
51 php8.0 available [ =stable ]
sudo amazon-linux-extras install -y php7.4
or
sudo amazon-linux-extras install -y php8.0
sudo yum install -y httpd

Start Apache

sudo systemctl start httpd
sudo systemctl enable httpd
sudo systemctl is-enabled httpd

Allow .htaccess

Only needed if the application relies on .htaccess files. With AllowOverride All, anyone who can write a file under /var/www/html can change Apache's configuration for that directory tree, so keep the document root unwritable by the apache user, and leave the setting at None if nothing needs it. Edit the Directory block for the document root:

sudo vi /etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
    AllowOverride All
</Directory>

sudo systemctl restart httpd

Firewall

Open only the web ports in the instance's security group. Instance > Security groups > Inbound rules:
 HTTP TCP 80 0.0.0.0/0
 HTTPS TCP 443 0.0.0.0/0
Leave the SSH rule restricted to your own source address; do not widen it to 0.0.0.0/0.

Verify Apache

Look up the public IPv4 address in the instance details and open it in a browser; the Apache test page should appear.
http://xxx.xxx.xxx.xxx/

Verify PHP

sudo vi /var/www/html/phpinfo.php
<?php phpinfo(); ?>

http://xxx.xxx.xxx.xxx/phpinfo.php

Delete phpinfo.php as soon as the page has rendered: it reports the PHP version, loaded extensions, file paths and environment variables to anyone who requests it.

Static IP

Allocate an Elastic IP so the address survives a stop/start of the instance (the default public IPv4 does not):
AWS > Elastic IP > Allocate Elastic IP address
Allocate
Actions > Associate Elastic IP address
Select the instance
Select its private IP
Associate
Check with the newly assigned static IP:
http://xxx.xxx.xxx.xxx

DNS

Register the Elastic IP as an A record for the server name. Do this before requesting the certificate: Let's Encrypt's http-01 challenge has to reach the instance through this name from the internet.
xxx.itcore.jp. IN A xxx.xxx.xx.xxx
Check by server name:
http://xxx.itcore.jp

SSL

Set up a free certificate from Let's Encrypt.

Preparing the install

Certbot comes from EPEL, so enable that repository first (Amazon Linux Extras also offers an epel topic that enables the same repository):

cd /home/ec2-user
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo yum repolist all

Certbot's Apache plugin needs a VirtualHost whose ServerName is the name you will request. Open httpd.conf, search for the Listen 80 line (/Listen 80 in vi) and add the following below it:

sudo vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "xxx.itcore.jp"
</VirtualHost>

sudo systemctl restart httpd

Install and run Certbot

sudo yum install -y certbot python2-certbot-apache
sudo certbot

Certbot run log

Saving debug log to /var/log/letsencrypt/letsencrypt.log
The following error can be ignored. It comes from the default /etc/httpd/conf.d/ssl.conf shipped with mod_ssl, which points at a self-signed localhost certificate that has not been generated yet; Certbot writes its own SSL vhost in a separate file and does not rely on that one.
Error while running apachectl configtest.
AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

Enter the e-mail address that should receive expiry and security notices.
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxx@itcore.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxx.itcore.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Pressing Enter on an empty line selects every name listed.

Requesting a certificate for xxx.itcore.jp
Performing the following challenges:
http-01 challenge for xxx.itcore.jp
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://xxx.itcore.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: yamada@itcore.jp).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.itcore.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.itcore.jp/privkey.pem
   Your certificate will expire on 2021-07-02. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Verify HTTPS

https://xxx.itcore.jp
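A scripted version of this check, added here as an example and not part of the original page: it reads the served certificate with openssl s_client, confirms the chain validates against the system trust store, computes the days left until expiry, and checks that plain HTTP answers with the redirect Certbot installed. It assumes GNU date, openssl and curl (all present on Amazon Linux 2); the CHECK_HOST variable is an assumption, and xxx.itcore.jp is the page's placeholder hostname.

```bash
#!/bin/bash
# Added example (not from the original page): check a freshly issued
# Let's Encrypt deployment from the outside. Assumes GNU date, openssl and
# curl. CHECK_HOST is an assumed environment variable; xxx.itcore.jp is the
# page's placeholder hostname.

# Days from $2 (epoch seconds; default: now) until the date in $1, where $1
# is the "notAfter=..." line printed by `openssl x509 -noout -enddate`.
days_until_expiry() {
    local enddate="${1#notAfter=}"
    local now="${2:-$(date -u +%s)}"
    local exp
    exp=$(date -u -d "$enddate" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# Print the notAfter= line of the leaf certificate served for $1 (SNI on).
fetch_enddate() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Succeed only if the presented chain validates against the system trust store.
verify_chain() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Succeed only if plain HTTP answers with a Location: https://<host>/ redirect,
# which is what Certbot's "Redirecting vhost" step installs.
http_redirects_to_https() {
    curl -sI "http://$1/" | grep -qi "^location: https://$1/"
}

check_host() {
    local host="$1" enddate days
    enddate=$(fetch_enddate "$host") || { echo "$host: no certificate presented"; return 1; }
    days=$(days_until_expiry "$enddate") || return 1
    echo "$host: $enddate ($days days left)"
    verify_chain "$host" && echo "chain: ok" || echo "chain: FAILED"
    http_redirects_to_https "$host" && echo "http->https redirect: ok" || echo "http->https redirect: missing"
    # certbot renew only acts inside the last 30 days; less than that means renewal is overdue
    [ "$days" -gt 30 ] || echo "WARNING: less than 30 days left, check the renewal job"
}

# Network checks run only when CHECK_HOST is set, e.g. CHECK_HOST=xxx.itcore.jp bash check-tls.sh
if [ -n "${CHECK_HOST:-}" ]; then
    check_host "$CHECK_HOST"
fi
```

Run it from a machine outside the instance, since the point is to see what the internet sees; a Let's Encrypt certificate is valid for 90 days, so a fresh deployment reports roughly that many days left.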

Automatic certificate renewal

Let's Encrypt recommends running certbot renew twice a day so that a certificate it has had to revoke is replaced promptly; certbot only actually renews when fewer than 30 days remain, so the extra runs cost nothing. Note that crontab -e edits a per-user crontab, whose lines have no user field: the "root" field seen in /etc/crontab and /etc/cron.d examples must not appear here, or cron will try to run a command named root. Also log to a root-owned location rather than to a predictable file name in /tmp:

sudo crontab -e
39 1,13 * * * certbot renew --no-self-upgrade > /var/log/certbot-renew.log 2>&1

(--no-self-upgrade is only meaningful for certbot-auto and can be dropped with the packaged certbot.)
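The same job in the other crontab format, added here as an example and not part of the original page: /etc/cron.d files do carry a user field, so this is where a "root" column belongs. The script also includes a small helper that prints what cron would actually execute for a given line in either format, which is the quickest way to catch a misplaced user field. The file name /etc/cron.d/certbot-renew and the log path /var/log/certbot-renew.log are assumptions.

```bash
#!/bin/bash
# Added example (not from the original page): install the renewal job as a
# system crontab file, whose format has a user field, and show what cron
# actually executes for a given line. The file name /etc/cron.d/certbot-renew
# and the log path /var/log/certbot-renew.log are assumptions.

# Write the renewal job to $1 (default /etc/cron.d/certbot-renew). Needs root
# for the default path; any writable path works for testing.
write_renew_job() {
    local dest="${1:-/etc/cron.d/certbot-renew}"
    cat > "$dest" <<'EOF'
# min hour dom mon dow user  command
# Twice daily, as Let's Encrypt recommends; certbot only renews inside the last 30 days.
# --deploy-hook runs only when a certificate was actually replaced.
39 1,13 * * * root certbot renew --quiet --deploy-hook "systemctl reload httpd" >> /var/log/certbot-renew.log 2>&1
EOF
    chmod 644 "$dest"
}

# Print the command cron would run for crontab line $1 in format $2:
#   system = /etc/crontab and /etc/cron.d  (min hour dom mon dow USER command)
#   user   = crontab -e                    (min hour dom mon dow command)
# Fails if the line has too few fields. Uses awk so "*" is never globbed.
cron_command() {
    local skip
    case "$2" in
        system) skip=6 ;;
        user)   skip=5 ;;
        *)      return 2 ;;
    esac
    printf '%s\n' "$1" | awk -v skip="$skip" '
        NF <= skip { exit 1 }
        { out = $(skip + 1); for (i = skip + 2; i <= NF; i++) out = out " " $i; print out }'
}
```

Running cron_command '39 1,13 * * * root certbot renew' user prints "root certbot renew", which is exactly what a per-user crontab would try to execute; the same line in system format yields "certbot renew". Run write_renew_job as root, then confirm the scheduling with sudo certbot renew --dry-run.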

Check logs

/var/log/httpd is readable only by root. The two chmod lines below open the directory to every local account, which also exposes the access logs (client IPs, requested URLs and query strings) to anyone who can log in. On an instance with a single admin user that is a judgement call; otherwise skip them and read the logs with sudo instead.

sudo chmod o+r /var/log/httpd/
sudo chmod o+x /var/log/httpd/

tail /var/log/httpd/error_log
tail /var/log/httpd/ssl_error_log
tail /var/log/httpd/access_log
tail /var/log/httpd/ssl_access_log

Timezone setting

Set PHP's default timezone in php.ini. The directive sits in the [Date] section (line 902 in this php.ini, but the number differs between PHP versions, so search for date.timezone rather than jumping to a line):

sudo vi /etc/php.ini
/date.timezone
date.timezone = 'Asia/Tokyo'

Restart both services: with the PHP from Amazon Linux Extras, Apache hands requests to php-fpm, so restarting httpd alone does not reload php.ini.

sudo systemctl restart httpd
sudo systemctl restart php-fpm
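The same change done without an editor, added here as an example and not part of the original page: it rewrites the date.timezone directive wherever it sits (commented out or not) so the file keeps exactly one setting, refuses zone names that are unknown or look like path traversal, and reads the effective value back for verification. It assumes GNU sed and the tzdata files under /usr/share/zoneinfo.

```bash
#!/bin/bash
# Added example (not from the original page): set date.timezone in php.ini
# by matching the directive instead of jumping to a line number, which moves
# between PHP releases. Assumes GNU sed (sed -i) and, for the zone check,
# the tzdata files under /usr/share/zoneinfo.

# Return 0 if $1 is a zone name the system knows. Rejects empty, absolute and
# traversing names outright; skips the file check when tzdata is absent.
tz_known() {
    case "$1" in ''|/*|*..*) return 1 ;; esac
    [ -d /usr/share/zoneinfo ] || return 0
    [ -f "/usr/share/zoneinfo/$1" ]
}

# Set date.timezone = $2 in the php.ini at $1. Rewrites the existing directive,
# commented out (";date.timezone =") or not, so the file keeps a single setting;
# appends one only if the file has none.
set_php_timezone() {
    local ini="$1" tz="$2"
    tz_known "$tz" || { echo "unknown timezone: $tz" >&2; return 1; }
    if grep -qE '^[[:space:]]*;?[[:space:]]*date\.timezone[[:space:]]*=' "$ini"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*date\.timezone[[:space:]]*=.*|date.timezone = ${tz}|" "$ini"
    else
        printf 'date.timezone = %s\n' "$tz" >> "$ini"
    fi
}

# Print the effective date.timezone value from $1 (empty if unset or commented out).
# Strips surrounding quotes and any trailing ";" comment.
get_php_timezone() {
    grep -E '^[[:space:]]*date\.timezone[[:space:]]*=' "$1" | head -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]+$//' \
        | tr -d '"'"'"
}
```

On the instance: sudo bash -c '. ./php-tz.sh; set_php_timezone /etc/php.ini Asia/Tokyo', then restart httpd and php-fpm as above and confirm with php -r 'echo date_default_timezone_get();', which reads the same php.ini.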