Skip to content

Instantly share code, notes, and snippets.

@irman

irman/_ec2-lightsail-amazon-linux-nginx-apache-proxy-php-7.md

Last active May 11, 2025 19:02
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save irman/22ae655fc3f8aa20bc1d82a776065fd3 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save irman/22ae655fc3f8aa20bc1d82a776065fd3 to your computer and use it in GitHub Desktop.
Download ZIP
Setting up Nginx-Apache Reverse Proxy, PHP, & MariaDB with SSL on EC2/Lightsail with Amazon Linux
Raw
_ec2-lightsail-amazon-linux-nginx-apache-proxy-php-7.md

Setting up Nginx-Apache Reverse Proxy, PHP, & MariaDB with SSL on EC2/Lightsail with Amazon Linux

Final setup should consists of:

  1. NGINX (reverse proxy & static contents)
  2. Apache 2.4 (Dynamic content: PHP)
  3. PHP 7.1
  4. MariaDB 10.1

You can skip certain parts if you don't need it.

Preparations

  1. Create www directory if not exists yet: sudo mkdir -p /var/www
  2. Give write permission: sudo chmod -R 755 /var/www
  3. Create new directory for your subdomain: sudo mkdir -p /var/www/domain.com/sub1/public
  4. Give ownership to current logged in user: sudo chown $USER:$USER -R /var/www/domain.com/sub1/

NGINX

  1. Install: sudo yum install nginx -y
  2. Configure this file: /etc/nginx/conf.d/default.conf to something like this: 
    server {
    listen 80;
    server_name sub1.domain.com;
    root /var/www/domain.com/sub1/public/;
    index index.php index.html index.htm;
    
    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
     }

    location ~ /\.ht {
        deny all;
    }
}
  3. Auto-start NGINX on system start: sudo chkconfig nginx on

Apache

  1. Install: sudo yum install httpd24 -y
  2. Configure /etc/httpd/conf/httpd.conf as follows: 
    NameVirtualHost 127.0.0.1:8080  # Only accessible from localhost
Listen 8080
  3. Configure virtual hosts at /etc/httpd/conf.d/vhosts.conf: 
    <VirtualHost 127.0.0.1:8080>
    ServerAdmin [email protected]
    DocumentRoot /var/www/domain.com/sub1/public/
    ServerName sub1.domain.com
    ErrorLog logs/sub1.domain.com-error_log
    CustomLog logs/sub1.domain.com-access_log common
</VirtualHost>
  4. Auto-start Apache on system start: sudo chkconfig httpd on

SSL (Let's Encrypt)

  1. Install Certbot: 
    sudo yum install python27-devel git -y
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
sudo /opt/letsencrypt/letsencrypt-auto --debug
  2. Request cert: 
    sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"
    • Go through the wizard carefully.
  3. If all went well, your certs will be at /etc/letsencrypt/live/sub1.domain.com/ and your /etc/nginx/conf.d/default.conf has been updated by cerbot automatically.
  • In the future, to renew: 
    sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"

MariaDB

  1. Add yum repository. Create this file: /etc/yum.repos.d/maria.repo: 
    [mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
  2. Install: 
    sudo yum makecache
sudo yum install MariaDB-server MariaDB-client -y
  3. Secure your MariaDB installation: sudo mysql_secure_installation
  4. Auto-start MariaDB on system start: sudo chkconfig mysql on

PHP 7.1

  1. Install: sudo yum install php71 -y
  2. Install PHP Modules
    • Run yum search php71- to search for available modules and just yum install it.

Start All Services

  1. sudo service nginx start
  2. sudo service httpd start
  3. sudo service mysql start

Add More (Sub)Domains

Once everything is working, you can start adding more (sub)domains.

  1. Create new directory for your subdomain: sudo mkdir -p /var/www/domain.com/sub2/public
  2. Give ownership to current logged in user: sudo chown $USER:$USER -R /var/www/domain.com/sub2/
  3. Edit /etc/nginx/conf.d/default.conf to add more domains, but without the ssl settings: 
    # 1st domain settings are up here, don't remove
server { ... }
# 1st domain settings are up here, don't remove

server {
    listen 80;
    server_name sub2.domain.com;
    root /var/www/domain.com/sub2/public/;
    index index.php index.html index.htm;
    
    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
     }

    location ~ /\.ht {
        deny all;
    }
}
  4. Edit Apache virtual hosts at /etc/httpd/conf.d/vhosts.conf to add more virtual host: 
    # 1st domain settings are up here, don't remove
<VirtualHost 127.0.0.1:8080> ... </VirtualHost>
# 1st domain settings are up here, don't remove

<VirtualHost 127.0.0.1:8080>
    ServerAdmin [email protected]
    DocumentRoot /var/www/domain.com/sub2/public/
    ServerName sub2.domain.com
    ErrorLog logs/sub2.domain.com-error_log
    CustomLog logs/sub2.domain.com-access_log common
</VirtualHost>
  5. Request SSL cert using certbot again, but this time pick the new domain: 
    sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"
    • If all went well, your certs will be at /etc/letsencrypt/live/sub2.domain.com/ and your /etc/nginx/conf.d/default.conf has been updated by cerbot automatically.
  6. Restart NGINX & Apache: 
    sudo service nginx restart
sudo service httpd restart
  7. ???
  8. Profit. :D

Final files

You can view the final files down below.

  • /etc/httpd/conf.d/vhosts.conf
  • /etc/nginx/conf.d/default.conf

References:

Raw
default.conf
server {
listen 80;
server_name sub1.domain.com;
root /var/www/domain.com/sub1/public;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/sub1.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/sub1.domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https"){
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 80;
server_name sub2.domain.com;
root /var/www/domain.com/sub2/public;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/sub2.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/sub2.domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https"){
return 301 https://$host$request_uri;
} # managed by Certbot
}
Raw
vhosts.conf
<VirtualHost 127.0.0.1:8080>
ServerAdmin [email protected]
DocumentRoot /var/www/domain.com/sub1/public/
ServerName sub1.domain.com
ErrorLog logs/sub1.domain.com-error_log
CustomLog logs/sub1.domain.com-access_log common
</VirtualHost>
<VirtualHost 127.0.0.1:8080>
ServerAdmin [email protected]
DocumentRoot /var/www/domain.com/sub2/public/
ServerName sub2.domain.com
ErrorLog logs/sub1.domain.com-error_log
CustomLog logs/sub1.domain.com-access_log common
</VirtualHost>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment