Table Of Content
- Amazon Linux - Frequently used commands (CLI)
- Crontab settings for backups (pushed to S3)
- How to add SSL to Amazon Linux 2 instance
- Steps in launching EC2 from AMI
- Upgrade to PHP7 – EC2 instance (from 5.6, 7.0, 7.1, 7.2)
- Connect to an RDS in one AWS account from an EC2 in another
- Codedeploy
- WordPress HTTPS Redirect
- Enabling ENA support on your AWS EC2
- Cross-site cookie error messages when running WordPress on EC2
- Issues with email throttling when using EC2
- WordPress Issue “Uncaught Exception: Invalid data store”. No access to Admin.
- Could not execute Node.js – Cloud9
- Launching WordPress in AWS Lightsail
- How to install SSL on Amazon Linux instance (legacy)
Here are some useful tips for DevOps teams using AWS CLI on a regular basis.
- Amazon Linux - Frequently used commands (CLI)
sudo service httpd restart
sudo nano /etc/httpd/conf.d/vhost.conf
sudo nano /etc/httpd/conf/httpd.conf
sudo nano /etc/php.ini
sudo cp -R /var/www/html/* /var/www/vhosts/staging
sudo rm -rf /var/www/html/*
sudo rm -rf /var/www/html/.htaccess
sudo rm -rf /var/www/vhosts/staging/*
sudo rm -rf /var/www/vhosts/staging/.htaccess
sudo zip -r html.zip /var/www/html/*
aws configure
AWS Access Key ID [None]: accesskey
AWS Secret Access Key [None]: secretkey
Default region name [None]: eu-west-1
Default output format [None]:
aws ec2 authorize-security-group-ingress --group-id sg-******** --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id sg-******** --protocol tcp --port 80 --cidr 0.0.0.0/0
mysqldump -hyour-host-name --port=3306 -uroot -pyour-password --databases example > /var/www/backup/daily/daily_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
mysql -hyour-host-name --port=3306 -uroot -pyour-password example < /var/www/backup/daily/daily_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
sudo nano /var/log/messages   # general system log, including kernel messages
sudo nano /var/log/secure     # authentication log (sshd, sudo) on Amazon Linux
sudo nano /var/log/cron
sudo nano /var/log/httpd/access_log
sudo nano /var/log/httpd/access_log
- Crontab settings for backups (pushed to S3)
crontab -e (not sudo)
30 4 * * * aws s3 sync /var/www/backup/ s3://example-backup/
0 2 * * * mysqldump -hyour-host-name --port=3306 -uroot -pyour-password --databases example > /var/www/backup/daily/daily_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
45 1 * * * zip -r /var/www/backup/daily/html.zip /var/www/html
10 3 * * * find /var/www/backup/daily -type f -mtime +2 -exec rm -f {} \;
1 2 * * 0 mysqldump -hyour-host-name --port=3306 -uroot -pyour-password --databases example > /var/www/backup/weekly/weekly_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
1 2 * * 0 zip -r /var/www/backup/weekly/html.zip /var/www/html
1 3 * * 0 find /var/www/backup/weekly -type f -mtime +8 -exec rm -f {} \;
0 1 1 * * mysqldump -hyour-host-name --port=3306 -uroot -pyour-password --databases example > /var/www/backup/monthly/monthly_`date +\%Y-\%m-\%d_\%H-\%M-\%S`.sql
0 1 1 * * zip -r /var/www/backup/monthly/html.zip /var/www/html
0 2 1 * * find /var/www/backup/monthly -type f -mtime +32 -exec rm -f {} \;
30 5 1 * * /opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos
ESC - :wq to save
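The crontab above passes the database password on the mysqldump command line, where any local user can read it from the process list, and its retention step runs find against a glob rather than the backup directory. The script below is an added example, not part of the original post: it performs the same daily/weekly/monthly dump, webroot zip, prune and S3 sync from a single cron entry, reading the credentials from a mode-600 MySQL options file via --defaults-extra-file and syncing with server-side encryption. The host name, database name, bucket and paths are placeholders to replace.

```bash
#!/usr/bin/env bash
# Added example: timestamped MySQL + webroot backup with retention, pushed to S3.
# Placeholders (assumptions): the paths, bucket and database name below.
set -u

BACKUP_ROOT=${BACKUP_ROOT:-/var/www/backup}
WEBROOT=${WEBROOT:-/var/www/html}
BUCKET=${BUCKET:-s3://example-backup/}
CRED_FILE=${CRED_FILE:-$HOME/.backup.my.cnf}   # [client] section, mode 600
DB_NAME=${DB_NAME:-example}

# Same naming scheme as the crontab: <prefix>_YYYY-mm-dd_HH-MM-SS.sql
# The timestamp is a parameter so the function can be tested without a clock.
backup_name() {  # prefix [timestamp]
  printf '%s_%s.sql\n' "$1" "${2:-$(date +%Y-%m-%d_%H-%M-%S)}"
}

# Write a MySQL options file so the password never appears on a command line.
write_cred_file() {  # file host user password
  ( umask 077 && printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$2" "$3" "$4" > "$1" )
  chmod 600 "$1"
}

# Delete .sql dumps older than N days inside ONE tier directory (no glob on the parent).
prune_older_than() {  # dir days
  find "$1" -type f -name '*.sql' -mtime "+$2" -exec rm -f {} +
}

# Dump the database into the tier directory (daily/weekly/monthly).
dump_db() {  # tier
  mkdir -p "$BACKUP_ROOT/$1"
  mysqldump --defaults-extra-file="$CRED_FILE" --single-transaction \
    --databases "$DB_NAME" > "$BACKUP_ROOT/$1/$(backup_name "$1")"
}

# Archive the webroot next to the dump.
archive_webroot() {  # tier
  zip -qr "$BACKUP_ROOT/$1/html.zip" "$WEBROOT"
}

# Push everything to S3 with server-side encryption; never --delete on a backup bucket.
sync_to_s3() {
  aws s3 sync "$BACKUP_ROOT/" "$BUCKET" --sse AES256
}

# Which tiers run today, mirroring the crontab: daily always, weekly on Sunday,
# monthly on the 1st.  Arguments: day-of-month, day-of-week (0 = Sunday).
tiers_for_date() {
  tiers=daily
  [ "$2" -eq 0 ] && tiers="$tiers weekly"
  [ "$1" -eq 1 ] && tiers="$tiers monthly"
  echo "$tiers"
}

main() {
  dom=$(date +%d); dom=${dom#0}
  for tier in $(tiers_for_date "$dom" "$(date +%w)"); do
    dump_db "$tier" && archive_webroot "$tier"
  done
  prune_older_than "$BACKUP_ROOT/daily" 2
  prune_older_than "$BACKUP_ROOT/weekly" 8
  prune_older_than "$BACKUP_ROOT/monthly" 32
  sync_to_s3
}

# Single cron entry (crontab -e, not sudo):  0 2 * * * /usr/local/bin/backup.sh run
case "${1:-}" in run) main ;; esac
```

Create the options file once with write_cred_file before the first run; the IAM role on the instance only needs s3:PutObject and s3:ListBucket on the backup bucket, so no access keys need to live on the box for the sync.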
- How to add SSL to Amazon Linux 2 instance
cd
wget -O epel.rpm --nv https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y ./epel.rpm
sudo yum install python2-certbot-apache.noarch
The dummy certificate is only needed because the default Apache ssl.conf references a localhost certificate that must exist before httpd will start:
sudo /etc/pki/tls/certs/make-dummy-cert localhost.crt
sudo service httpd restart
sudo certbot -i apache -a manual --preferred-challenges dns -d example.com
sudo crontab -e
39 1,13 * * * certbot renew --no-self-upgrade
- Steps in launching EC2 from AMI
Select IAM Role (or create new)
Paste this into user data section
#!/bin/bash
service httpd start
chkconfig httpd on
Select Key Pair (or create new)
Connect to Workbench
3rd party App to schedule backups
- Upgrade to PHP7 – EC2 instance (from 5.6, 7.0, 7.1, 7.2)
sudo service httpd stop
sudo yum remove httpd* php*
sudo yum repolist
sudo yum remove remi-safe
sudo yum install httpd24
mkdir -p /tmp/php7
cd /tmp/php7
wget https://mirror.webtatic.com/yum/el6/latest.rpm
sudo yum install latest.rpm
sudo vi /etc/yum.repos.d/webtatic.repo - set repo to enabled
sudo yum clean all
sudo yum install --enablerepo=webtatic php73
sudo yum install --enablerepo=webtatic php74
php -v
sudo yum install php73-opcache php73-xml php73-pdo php73-mysqlnd php73-gd php73-pecl-apcu php73-mbstring php73-imap php73-mcrypt php73-intl
sudo yum install php74-opcache php74-xml php74-pdo php74-mysqlnd php74-gd php74-pecl-apcu php74-mbstring php74-imap php74-mcrypt php74-intl
sudo yum install mod24_ssl
post_max_size = 25M
upload_max_filesize = 10M
max_execution_time = 180
max_input_time = 180
memory_limit = 25M
short_open_tag = On
- Connect to an RDS in one AWS account from an EC2 in another: The following example allows an EC2 instance in your ‘Source’ account to connect to an RDS instance in your ‘Target’ (destination) account. This can be done via the CLI, but I find it easier through the console.
1. Create VPC peering: [1]
You will need to create a new VPC, because the default VPCs in both accounts use the same CIDR block and peered VPCs must not overlap. The new VPC also needs its own subnets (a default VPC gets these created automatically).
2. Route Tables [2] [3]
a. Source: In the route table associated with your EC2 instance's subnet, add a route with Destination = the target VPC's CIDR and Target = the VPC peering connection.
b. Target: In the route table associated with your RDS instance's subnet, add a route with Destination = the source VPC's CIDR and Target = the VPC peering connection.
3. Security Groups [4]
a. The source instance's security group outbound rule must allow the traffic (the default rule allows ALL to Anywhere).
b. The destination RDS security group's inbound rule must allow Port (1024) from the source IP range. Add this rule to the security group in the master (target) account.
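The same three steps scripted with the AWS CLI, as an added example that is not part of the original post. It goes a little beyond the text: before requesting the peering it checks the two VPC CIDRs for overlap (the reason the post says a new VPC is needed), and it scopes both security-group rules to the database port and the peer CIDR rather than ALL to Anywhere. The profile names, VPC/route-table/security-group IDs, account ID and DB_PORT are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): CIDR overlap check, then peering,
# routes and security-group rules across two accounts via the AWS CLI.
# All IDs and profile names are placeholders.
set -u

SRC_PROFILE=${SRC_PROFILE:-source}   # credentials for the EC2 (source) account
TGT_PROFILE=${TGT_PROFILE:-target}   # credentials for the RDS (target) account
DB_PORT=${DB_PORT:-3306}             # port your RDS instance listens on (assumption)

ip_to_int() {  # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

cidr_range() {  # a.b.c.d/n -> "first last" as integers
  bits=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  first=$(( $(ip_to_int "${1%/*}") & mask ))
  echo "$first $(( first + (0xFFFFFFFF >> bits) ))"
}

cidr_overlap() {  # exit 0 (true) if the two CIDRs share any address
  set -- $(cidr_range "$1") $(cidr_range "$2")   # a_first a_last b_first b_last
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

vpc_cidr() {  # profile vpc-id -> CIDR block
  aws --profile "$1" ec2 describe-vpcs --vpc-ids "$2" \
    --query 'Vpcs[0].CidrBlock' --output text
}

peer_and_route() {  # src-vpc src-rtb src-sg tgt-account tgt-vpc tgt-rtb tgt-sg
  src_cidr=$(vpc_cidr "$SRC_PROFILE" "$1")
  tgt_cidr=$(vpc_cidr "$TGT_PROFILE" "$5")
  if cidr_overlap "$src_cidr" "$tgt_cidr"; then
    echo "CIDRs $src_cidr and $tgt_cidr overlap: create a new VPC first" >&2
    return 1
  fi
  # 1. Request the peering from the source account, accept it in the target account.
  pcx=$(aws --profile "$SRC_PROFILE" ec2 create-vpc-peering-connection \
        --vpc-id "$1" --peer-vpc-id "$5" --peer-owner-id "$4" \
        --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text)
  aws --profile "$TGT_PROFILE" ec2 accept-vpc-peering-connection \
      --vpc-peering-connection-id "$pcx"
  # 2. One route each way, pointing at the peering connection.
  aws --profile "$SRC_PROFILE" ec2 create-route --route-table-id "$2" \
      --destination-cidr-block "$tgt_cidr" --vpc-peering-connection-id "$pcx"
  aws --profile "$TGT_PROFILE" ec2 create-route --route-table-id "$6" \
      --destination-cidr-block "$src_cidr" --vpc-peering-connection-id "$pcx"
  # 3. Security groups: RDS inbound on the DB port from the source CIDR only,
  #    EC2 outbound to the target CIDR on the DB port.
  aws --profile "$TGT_PROFILE" ec2 authorize-security-group-ingress --group-id "$7" \
      --protocol tcp --port "$DB_PORT" --cidr "$src_cidr"
  aws --profile "$SRC_PROFILE" ec2 authorize-security-group-egress --group-id "$3" \
      --protocol tcp --port "$DB_PORT" --cidr "$tgt_cidr"
}

# Usage: ./peer.sh peer vpc-SRC rtb-SRC sg-SRC 123456789012 vpc-TGT rtb-TGT sg-TGT
case "${1:-}" in peer) shift; peer_and_route "$@" ;; esac
```

The overlap check is pure shell arithmetic and runs offline; the peering steps need two configured CLI profiles and, if the VPCs sit in different regions, a --peer-region on the create call.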
- CodeDeploy: How to install the CodeDeploy agent on an EC2 instance
sudo yum install ruby
sudo yum install wget
cd /home/ec2-user
wget https://aws-codedeploy-eu-west-1.s3.amazonaws.com/latest/install
chmod +x ./install
sudo ./install auto
Alternative (as root, e.g. from user data), fetching the installer from the bucket for your region:
yum -y update
yum install -y ruby
yum install -y aws-cli
cd /home/ec2-user
aws s3 cp s3://aws-codedeploy-us-east-2/latest/install . --region us-east-2
chmod +x ./install
./install auto
Check the agent, its log and the deployment directory:
sudo service codedeploy-agent status
/var/log/aws/codedeploy-agent/codedeploy-agent.log
/opt/codedeploy-agent/deployment-root
- WordPress HTTPS Redirect: After adding an SSL certificate (above), add the following to your WP .htaccess, above the # BEGIN WordPress block, to redirect all requests to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
- Enabling ENA support on your AWS EC2: Enhanced networking with the Elastic Network Adapter (ENA) is required for the t3 instance types. When switching an instance to the t3 range you may see the error “Enhanced networking with the Elastic Network Adapter (ENA) is required for the ‘t3.****’ instance type. Ensure that your instance ‘i-XXXXXXXXXXXXXXXXX’ is enabled for ENA”. To remedy, stop the instance, enable ENA, change the type and start it again:
aws ec2 stop-instances --instance-ids i-XXXXXXXXXXXXXXXXX --region eu-west-1
aws ec2 modify-instance-attribute --instance-id i-XXXXXXXXXXXXXXXXX --region eu-west-1 --ena-support
aws ec2 modify-instance-attribute --instance-id i-XXXXXXXXXXXXXXXXX --region eu-west-1 --instance-type "{\"Value\": \"t3.*****\"}"
aws ec2 start-instances --instance-ids i-XXXXXXXXXXXXXXXXX --region eu-west-1
- Cross-site cookie error messages when running WordPress on EC2: How to add the HttpOnly, Secure and SameSite flags to the Set-Cookie headers Apache sends, to remove the browser warnings in WordPress and keep your cookies out of reach of an XSS payload (scripts cannot read HttpOnly cookies). The Header directive needs mod_headers, which the Amazon Linux httpd loads by default.
sudo nano /etc/httpd/conf/httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
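Once the directive is in place, it is worth confirming that every cookie the site sets actually carries all three flags; a cookie set by a plugin on a path the directive does not cover, or a typo in the regex, fails silently. The checker below is an added example, not from the original post: it reads raw response headers (e.g. from curl -I) and reports each Set-Cookie that lacks a flag, and apply_header_edit reproduces what the Header edit rule above appends so the two can be run together. The host name in the usage comment is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check Set-Cookie headers for
# HttpOnly, Secure and SameSite.  Reads raw HTTP response headers on stdin.
set -u

# Print one line per missing flag; exit 0 only when every cookie has all three.
check_cookie_flags() {
  missing=0
  while IFS= read -r line; do
    lower=$(printf '%s' "$line" | tr -d '\r' | tr 'A-Z' 'a-z')
    case "$lower" in
      set-cookie:*) ;;
      *) continue ;;
    esac
    name=${line#*:}; name=${name# }; name=${name%%=*}   # cookie name before '='
    for flag in httponly secure samesite; do
      case "$lower" in
        *"; $flag"*|*";$flag"*) ;;   # present, with or without a space after ';'
        *) printf 'cookie %s missing %s\n' "$name" "$flag"; missing=1 ;;
      esac
    done
  done
  return "$missing"
}

# What "Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict" does to
# one header value: the flags are appended verbatim, so a cookie that already had
# a flag ends up with it twice (harmless to browsers, but visible in the output).
apply_header_edit() {  # cookie-value
  printf '%s;HttpOnly;Secure;SameSite=strict\n' "$1"
}

# Usage against a live host (placeholder name), after restarting httpd:
#   curl -sSI https://www.example.com/wp-login.php | check_cookie_flags
```

Run it against the login page as well as the front page: the WordPress session and test cookies are set on wp-login.php, which is where a missing flag matters most.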
- Issues with email throttling when using EC2: SMTP email failing intermittently with nothing showing in your application/WordPress logs. EC2 throttles outbound traffic on port 25 by default, so check from the instance whether each SMTP port is reachable:
sudo yum install telnet
sudo yum install nmap-ncat -y
sudo yum install openssl
telnet email-smtp.us-east-1.amazonaws.com 587
telnet email-smtp.us-east-1.amazonaws.com 25
telnet email-smtp.us-east-1.amazonaws.com 465
openssl s_client -connect email-smtp.us-east-1.amazonaws.com:587 -starttls smtp
- WordPress Issue “Uncaught Exception: Invalid data store”. No access to Admin. Review the PHP logs; if you see this error: PHP Fatal error: Uncaught Exception: Invalid data store. in /var/www/html/wp-content/plugins/woocommerce/includes/class-wc-data-store.php:107 (or similar, e.g. ‘Invalid order’), it is caused by the lookup returning no response, so the check below throws. Edit the file:
sudo nano /var/www/html/wp-content/plugins/woocommerce/includes/class-wc-data-store.php
Original:
if ( ! $order->get_id() || ! ( $post_object = get_post( $order->get_id() ) ) || ! in_array( $post_object->post_type, wc_get_order_types() ) ) {
	throw new Exception( __( 'Invalid product.', 'woocommerce' ) );
}
Modified, returning false instead of throwing (this edit is lost when the plugin updates):
if ( ! $order->get_id() || ! ( $post_object = get_post( $order->get_id() ) ) || ! in_array( $post_object->post_type, wc_get_order_types() ) ) {
	return false;
	throw new Exception( __( 'Invalid product.', 'woocommerce' ) ); // unreachable after the return above
}
- Could not execute Node.js – Cloud9 launch error: this error occurs frequently when launching an existing instance (as opposed to launching the default Cloud9 instance) in AWS Cloud9. Install Node.js via nvm:
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash
. ~/.nvm/nvm.sh
nvm install node
node -e "console.log('Running Node.js ' + process.version)"
- Launching WordPress in AWS Lightsail frequently used commands
sudo /opt/bitnami/ctlscript.sh restart apache
sudo /opt/bitnami/bncert-tool
sudo chown daemon:daemon -R /opt/bitnami/wordpress
sudo nano /opt/bitnami/wordpress/wp-config.php
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define( 'WP_DEBUG_DISPLAY', false );
- How to install SSL on Amazon Linux instance (legacy)
sudo su root
yum install python27-devel git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto --debug
rm -rf ~/.local/share/letsencrypt
rm -rf /opt/eff.org/certbot/
unset PYTHON_INSTALL_LAYOUT;
rm -rf /root/.local/share/letsencrypt/;
echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
echo "email = example@example.com" >> /etc/letsencrypt/config.ini
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/vhosts/staging -d uat.example.com --config /etc/letsencrypt/config.ini --agree-tos
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/vhosts/staging -d www.uat.example.com --config /etc/letsencrypt/config.ini --agree-tos
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html -d example.com --config /etc/letsencrypt/config.ini --agree-tos
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html -d www.example.com --config /etc/letsencrypt/config.ini --agree-tos
rmdir /var/www/vhosts/staging/.well-known
rmdir /var/www/html/.well-known
Listen 443
<VirtualHost *:443>
    ServerName uat.example.com
    DocumentRoot "/var/www/vhosts/staging"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/uat.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/uat.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/uat.example.com/chain.pem
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    <Directory "/var/www/vhosts/staging">
        AllowOverride All
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    <Directory "/var/www/html">
        AllowOverride All
    </Directory>
</VirtualHost>
# www alternative on live
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    <Directory "/var/www/html">
        AllowOverride All
    </Directory>
</VirtualHost>
To renew, run this command:
/opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos
To remove a certificate you no longer need (remove.com here), delete its live directory and its renewal config:
rm -rf /etc/letsencrypt/live/remove.com
rm /etc/letsencrypt/renewal/remove.com.conf