DigitalOcean Notes
https://docs.google.com/presentation/d/1Mvf_rOFz1wZeH1irajJqhRQgzid7BkqJBd8wigpz39M/edit#slide=id.g616bd81ef8_0_58 Thanks to Jem Young from frontend masters
- create an ssh key on your local system and paste the ssh public key in the dashboard
$ cd ~/.ssh && ssh-keygen
key is created
$ ssh root@IP_ADDRESS
fails - because we didn't specify which private key to use.
$ ssh -i ~/.ssh/private_key root@IP_ADDRESS
works, but we don't want to do this every time.
$ vi ~/.ssh/config
Host *
AddKeysToAgent yes
UseKeychain yes
(UseKeychain and ssh-add -K are macOS-specific; on Linux, AddKeysToAgent plus a plain ssh-add is enough)
$ ssh-add -K ~/.ssh/fsfe
the key is added to the agent, now you can do
$ ssh root@IP_ADDRESS
connected.
- Buying a domain
- Map domain to IP
- go to the DigitalOcean dashboard and enter your domain in the networking tab
note:
Maps name to IP address - A Record
Maps name to name - CNAME
blog.prudhvi.me -> CNAME prudhvi.me
prudhvi.me -> A ip_address
ToDo:
create A record with www.domain to ip
create A record with domain to ip
map domain to nameservers, example: ns1.digitalocean.com
- go to your domain registrar's dashboard, choose custom DNS and enter the DigitalOcean nameservers
- server setup - create new user, disable root user
# apt update
# apt upgrade
# adduser $USERNAME
# usermod -aG sudo $USERNAME - to give root access to user
# su $USERNAME - to switch user
$ cat /var/log/auth.log - to check the log of users
$ tail -f /var/log/auth.log - to monitor the file output
$ cd ~
$ mkdir -p ~/.ssh
$ vi ~/.ssh/authorized_keys
and add your public ssh key there; it's important that you add it as the user and not as root
$ exit - to exit from the user
$ exit - to exit from root
$ ssh $USERNAME@IP_ADDRESS
you should be logged in
$ chmod 644 ~/.ssh/authorized_keys
$ sudo vi /etc/ssh/sshd_config
set PermitRootLogin no (sshd uses the first occurrence of a directive, so check there isn't an earlier one)
$ sudo service sshd restart
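Two checks for the user/ssh hardening steps above, as an added example that is not part of the course notes: sshd_audit reports what sshd will actually use for PermitRootLogin, PasswordAuthentication and PubkeyAuthentication (first occurrence wins, so a stray line above your edit silently overrides it), and failed_logins_by_ip summarises the auth.log you were told to tail. The sample config and log lines are constructed for the demo; the file paths in the comments are the standard Ubuntu ones.

```shell
#!/bin/sh
# Added example (not from the course notes): two checks to run after the hardening steps above.
# 1) sshd_effective / sshd_audit: what sshd will actually use for a directive, and whether the
#    config is hardened. sshd takes the FIRST occurrence of a directive, so a stray
#    "PermitRootLogin yes" above your edit silently wins.
# 2) failed_logins_by_ip: summarise "Failed password" lines from /var/log/auth.log per source IP.

sshd_effective() {
  # $1 = directive, $2 = OpenSSH default if absent, $3.. = config files in load order
  # (on Ubuntu sshd_config Includes sshd_config.d/*.conf at the top, so pass those first)
  key=$1; def=$2; shift 2
  cat "$@" | awk -v key="$key" -v def="$def" '
    { gsub(/=/, " ") }                          # "Key=value" spelling is also accepted by sshd
    /^[[:space:]]*(#|$)/ { next }               # comments and blank lines
    tolower($1) == "match" { inmatch = 1 }      # directives after a Match block are conditional
    inmatch { next }                            # (simplification: only global settings are reported)
    tolower($1) == tolower(key) { print $2; found = 1; exit }
    END { if (!found) print def }'
}

sshd_audit() {
  # $@ = config files in load order; prints PASS/FAIL per check, returns 1 if anything failed
  rc=0
  for spec in "PermitRootLogin prohibit-password no" \
              "PasswordAuthentication yes no" \
              "PubkeyAuthentication yes yes"; do
    key=${spec%% *}; rest=${spec#* }; def=${rest%% *}; want=${rest#* }
    val=$(sshd_effective "$key" "$def" "$@" | tr 'A-Z' 'a-z')
    if [ "$val" = "$want" ]; then
      echo "PASS $key=$val"
    else
      echo "FAIL $key=$val (want $want)"
      rc=1
    fi
  done
  return $rc
}

failed_logins_by_ip() {
  # stdin = auth.log lines; prints "count ip", busiest source first.
  # only "Failed password" lines are counted: the "Invalid user" line logged for the
  # same attempt would otherwise double count it.
  grep 'Failed password' | grep -oE 'from [0-9]+(\.[0-9]+){3}' | awk '{ print $2 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# constructed sample inputs (not taken from a real server)
SAMPLE_SSHD_WEAK='Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no'

SAMPLE_SSHD_HARDENED='Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

SAMPLE_AUTH_LOG='Jan 10 12:00:01 web sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 web sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:05 web sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jan 10 12:00:09 web sshd[1250]: Failed password for ubuntu from 198.51.100.9 port 22222 ssh2
Jan 10 12:00:10 web sshd[1250]: Invalid user test from 203.0.113.5 port 51240'

# demo on the samples; on the server run instead:
#   sshd_audit /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
#   sudo tail -n 1000 /var/log/auth.log | failed_logins_by_ip
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_WEAK" > "$tmp"
echo "effective PermitRootLogin: $(sshd_effective PermitRootLogin prohibit-password "$tmp")"
sshd_audit "$tmp" || echo "audit failed: fix the config before restarting sshd"
rm -f "$tmp"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
```

On the weak sample the audit reports PermitRootLogin=yes and PasswordAuthentication=yes as FAIL (the commented-out line and the Match block are correctly ignored), and the log summary shows 203.0.113.5 with two failed attempts; run the audit before `service sshd restart` so a typo doesn't lock you out with root login still enabled.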
- nginx (engine-x) - web server
routes the requests to the right place
$ sudo apt install nginx
$ sudo service nginx start
now go to your $IP_ADDRESS in the browser and you will see the nginx welcome page
nginx configuration
$ sudo less /etc/nginx/sites-available/default
- Node.js - Application server
$ sudo apt install nodejs npm
$ sudo apt install git
- Application
$ sudo chown -R $USER:$USER /var/www
$ mkdir /var/www/app
$ cd /var/www/app && git init
$ mkdir -p ui/js ui/html ui/css
$ touch app.js
$ npm init
build the basic node app; $IP_ADDRESS:3000 should give the response
but we want entering just $IP_ADDRESS in the browser to show the application response
$ sudo vi /etc/nginx/sites-available/default
location / {
proxy_pass http://127.0.0.1:3000/;
}
- what about when the server restarts? we want the services to come back up again.
process managers
$ sudo npm i -g pm2
$ pm2 start app.js
$ pm2 save
$ pm2 startup
- nginx redirect
location /help {
return 301 https://developer.mozilla.org/en-US/;
}
- nginx file compression
$ sudo vi /etc/nginx/nginx.conf
find the Gzip settings in that file
- security
$ sudo apt install unattended-upgrades
$ cat /etc/apt/apt.conf.d/50unattended-upgrades
security checklist:
- ssh
- firewalls
- unattended-upgrades
- two factor authentication
- VPN
nmap:
$ sudo apt install nmap
$ nmap YOUR_SERVER_IP_ADDRESS
$ nmap -sV YOUR_SERVER_IP_ADDRESS
close the ports you don't need: an open port is exposed to the internet, and someone will find it if any vulnerability shows up
$ less /etc/services - to look up port numbers and the service names they map to
Firewall :
- sudo iptables -A INPUT -p tcp --dport 80 -j REJECT
- UFW (uncomplicated firewall) is an easier tool for managing firewall rules
$ sudo ufw status
$ sudo ufw enable
$ sudo ufw allow ssh
test:
try disabling http so we cannot see our homepage in the browser
$ sudo ufw reject http
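A local companion to the nmap step above, as an added example that is not part of the course notes: nmap shows what the internet sees from outside; this function reads `ss -ltnp` on the box itself and lists every listening TCP socket that is bound to a non-loopback address and whose port is not on your allowlist, so you know what to close or firewall before running the ufw rules. The `ss` output below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the course notes): a local check for the "close what you don't need" advice.
# It reads the output of `ss -ltnp` (listening TCP sockets) and prints every socket that is
# bound to a non-loopback address and whose port is not on the allowlist, with its process name.
# A service listening on 127.0.0.1 (the node app behind nginx, redis) is fine; the same service
# on 0.0.0.0 or * is reachable from the internet unless the firewall blocks it.

exposed_listeners() {
  # $1 = space-separated ports that are meant to be public; stdin = `ss -ltnp` output
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                   # header line
    {
      n = split($4, p, ":"); port = p[n]               # "0.0.0.0:22", "[::]:22", "*:8080"
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next # loopback only, not reachable remotely
      if (port in ok) next
      proc = $6; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
      print addr, port, proc
    }'
}

# constructed sample of `ss -ltnp` output (not captured from a real host): redis is bound to
# 0.0.0.0 by mistake and a second node process listens on all interfaces on 8080.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=900,fd=6))
LISTEN 0      511    127.0.0.1:3000     0.0.0.0:*         users:(("node",pid=950,fd=18))
LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=960,fd=6))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=800,fd=4))
LISTEN 0      511    *:8080             *:*               users:(("node",pid=970,fd=20))'

# demo; on the server run:  sudo ss -ltnp | exposed_listeners "22 80 443"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "22 80 443"
```

For the sample it prints `0.0.0.0 6379 redis-server` and `* 8080 node`: the fix for the first is binding redis to 127.0.0.1 in redis.conf rather than only firewalling it, and anything left over is what `ufw` should deny by default (ufw's default incoming policy is deny once it is enabled, so only the allowed ports get through).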
- file permissions
TODO
- Adding https to digital ocean ubuntu server
use certbot
route your traffic to https (a domain name is required)
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04
- Adding http/2 to server
http2 needs https enabled
$ sudo vi /etc/nginx/sites-available/default
listen 443 http2 ssl;
- Installing redis
$ sudo apt install redis-server
$ sudo vi /etc/redis/redis.conf
let systemd supervise the daemon so it comes back online when the system restarts:
supervised systemd
$ sudo systemctl restart redis.service
- Websocket
location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:3000;
}
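A complete reverse-proxy site covering both the `location / { proxy_pass ... }` section earlier and the websocket block above, as an added example that is not part of the course notes. It differs from the snippets in two ways: the upstream also receives Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto, so the node app logs the real client address and scheme instead of 127.0.0.1/http; and `Connection` is set through an nginx `map`, so it is "upgrade" only on websocket handshakes rather than on every request. The server name, port and output path are arguments; nothing is taken from the course project.

```shell
#!/bin/sh
# Added example (not from the course notes): writes a complete reverse-proxy site for the
# `location /` + `proxy_pass` section and for websockets, then checks the required directives.
# A map is used for the Connection header because `Connection "upgrade"` on every request
# turns ordinary HTTP requests into upgrade attempts; with the map it is "close" unless the
# client actually sent an Upgrade header.

write_proxy_site() {
  # $1 = server_name, $2 = upstream port, $3 = output path
  # (on the server: /etc/nginx/sites-available/<name>, then symlink into sites-enabled)
  name=$1; port=$2; out=$3
  cat > "$out" <<EOF
# \$http_upgrade is "websocket" on a handshake and empty on ordinary requests
map \$http_upgrade \$connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name $name;
    # certbot --nginx adds the 443 ssl block and the redirect from 80 later

    location / {
        proxy_pass http://127.0.0.1:$port;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
    }
}
EOF
}

proxy_site_check() {
  # $1 = site file; prints each required directive that is missing, returns 1 if any is
  rc=0
  for want in 'map $http_upgrade $connection_upgrade' 'proxy_http_version 1.1' \
              'proxy_set_header Upgrade $http_upgrade' \
              'proxy_set_header Connection $connection_upgrade' \
              'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for'; do
    grep -qF "$want" "$1" || { echo "missing: $want"; rc=1; }
  done
  return $rc
}

# demo on a temporary file; on the server use /etc/nginx/sites-available/<your domain>
tmp=$(mktemp)
write_proxy_site "example.com www.example.com" 3000 "$tmp"
proxy_site_check "$tmp" && echo "site config written to $tmp"
rm -f "$tmp"
```

After symlinking the file into sites-enabled, run `sudo nginx -t` to let nginx parse the whole config and then `sudo systemctl reload nginx`; the `map` block is valid in a sites-available file because those files are included inside the `http` context.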
- nginx subdomain
create A record in digitalocean dashboard with subdomain.domain.com
create folder in /var/www/subdomain.domain.com/ and keep your files there
in nginx
create file in /etc/nginx/sites-available/subdomain.domain.com
and write config there
server {
root /var/www/subdomain.domain.com;
index index.html index.htm index.nginx-debian.html;
server_name blog.prudhvireddy.me www.blog.prudhvireddy.me;
location / {
try_files $uri $uri/ =404;
}
}
symlink it into sites-enabled
$ sudo ln -s /etc/nginx/sites-available/subdomain.domain.com /etc/nginx/sites-enabled/subdomain.domain.com
add it to https
$ sudo certbot --nginx -d blog.prudhvireddy.me -d www.blog.prudhvireddy.me