# Setting up Nginx-Apache Reverse Proxy, PHP, & MariaDB with SSL on EC2/Lightsail with Amazon Linux
Final setup should consists of:
1. NGINX (reverse proxy & static contents)
- Supports SSL ([Let's Encrypt](https://letsencrypt.org)).
- Supports multiple domains, 1 IP.
1. Apache 2.4 (Dynamic content: PHP)
1. PHP 7.1
1. MariaDB 10.1
You can skip certain parts if you don't need it.
## Preparations
1. Create www directory if not exists yet: `sudo mkdir -p /var/www`
1. Give write permission: `sudo chmod -R 755 /var/www`
1. Create new directory for your subdomain: `sudo mkdir -p /var/www/domain.com/sub1/public`
1. Give ownership to current logged in user: `sudo chown $USER:$USER -R /var/www/domain.com/sub1/`
## NGINX
1. Install: `sudo yum install nginx -y`
1. Configure this file: `/etc/nginx/conf.d/default.conf` to something like this:
```nginx.conf
server {
listen 80;
server_name sub1.domain.com;
root /var/www/domain.com/sub1/public/;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
}
```
1. Auto-start NGINX on system start: `sudo chkconfig nginx on`
## Apache
1. Install: `sudo yum install httpd24 -y`
1. Configure `/etc/httpd/conf/httpd.conf` as follows:
```httpd.conf
NameVirtualHost 127.0.0.1:8080 # Only accessible from localhost
Listen 8080
```
1. Configure virtual hosts at `/etc/httpd/conf.d/vhosts.conf`:
```
ServerAdmin email@sub1.domain.com
DocumentRoot /var/www/domain.com/sub1/public/
ServerName sub1.domain.com
ErrorLog logs/sub1.domain.com-error_log
CustomLog logs/sub1.domain.com-access_log common
```
1. Auto-start Apache on system start: `sudo chkconfig httpd on`
## SSL (Let's Encrypt)
1. Install Certbot:
```
sudo yum install python27-devel git -y
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
sudo /opt/letsencrypt/letsencrypt-auto --debug
```
1. Request cert:
```
sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"
```
- Go through the wizard carefully.
1. If all went well, your certs will be at `/etc/letsencrypt/live/sub1.domain.com/` and your `/etc/nginx/conf.d/default.conf` has been updated by cerbot automatically.
* In the future, to renew:
```
sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"
```
## MariaDB
1. Add yum repository. Create this file: `/etc/yum.repos.d/maria.repo`:
```
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
```
- Refer https://mariadb.com/kb/en/library/yum/
1. Install:
```
sudo yum makecache
sudo yum install MariaDB-server MariaDB-client -y
```
1. Secure your MariaDB installation: `sudo mysql_secure_installation`
1. Auto-start MariaDB on system start: `sudo chkconfig mysql on`
## PHP 7.1
1. Install: `sudo yum install php71 -y`
1. Install PHP Modules
- Run `yum search php71-` to search for available modules and just yum install it.
## Start All Services
1. `sudo service nginx start`
1. `sudo service httpd start`
1. `sudo service mysql start`
## Add More (Sub)Domains
Once everything is working, you can start adding more (sub)domains.
1. Create new directory for your subdomain: `sudo mkdir -p /var/www/domain.com/sub2/public`
1. Give ownership to current logged in user: `sudo chown $USER:$USER -R /var/www/domain.com/sub2/`
1. Edit `/etc/nginx/conf.d/default.conf` to add more domains, but without the ssl settings:
```
# 1st domain settings are up here, don't remove
server { ... }
# 1st domain settings are up here, don't remove
server {
listen 80;
server_name sub2.domain.com;
root /var/www/domain.com/sub2/public/;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ /\.ht {
deny all;
}
}
```
1. Edit Apache virtual hosts at `/etc/httpd/conf.d/vhosts.conf` to add more virtual host:
```
# 1st domain settings are up here, don't remove
...
# 1st domain settings are up here, don't remove
ServerAdmin email@sub2.domain.com
DocumentRoot /var/www/domain.com/sub2/public/
ServerName sub2.domain.com
ErrorLog logs/sub2.domain.com-error_log
CustomLog logs/sub2.domain.com-access_log common
```
1. Request SSL cert using certbot again, but this time pick the new domain:
```
sudo /opt/letsencrypt/letsencrypt-auto --authenticator standalone --installer nginx --pre-hook "nginx -s stop" --post-hook "nginx"
```
- If all went well, your certs will be at `/etc/letsencrypt/live/sub2.domain.com/` and your `/etc/nginx/conf.d/default.conf` has been updated by cerbot automatically.
1. Restart NGINX & Apache:
```
sudo service nginx restart
sudo service httpd restart
```
1. ???
1. Profit. :D
## Final files
You can view the final files down below.
- /etc/httpd/conf.d/vhosts.conf
- /etc/nginx/conf.d/default.conf
## References:
- https://gist.github.com/nrollr/56e933e6040820aae84f82621be16670
- https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-reverse-proxy-for-apache
- https://stackoverflow.com/questions/14434120/nginx-set-multiple-server-name-with-ssl-support
- https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-centos-7
- https://certbot.eff.org/#centosrhel7-nginx
- https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983
- https://coderwall.com/p/e7gzbq/https-with-certbot-for-nginx-on-amazon-linux
- https://mariadb.com/kb/en/library/yum/