Diffstat (limited to 'server-build/Server-Build-Instructions.md')
-rw-r--r-- | server-build/Server-Build-Instructions.md | 212 |
1 files changed, 212 insertions, 0 deletions
diff --git a/server-build/Server-Build-Instructions.md b/server-build/Server-Build-Instructions.md new file mode 100644 index 0000000..eb9ec0f --- /dev/null +++ b/server-build/Server-Build-Instructions.md 
@@ -0,0 +1,212 @@ +# Purpose of this document + +This document is an instruction manual to install WordPress, WooCommerce, and the Taler WooComerce plugin on a bare system and have it serve a Taler-enabled WordPress/WooCommerce site using HTTPS withi a LetsEncrypt SSL certificate. + +## Assumptions + +* The target system for this build is a Debian 10 stable system. + +* You have root-level access to this system. + +* Apache2 will be the default web server. + +* Your server will have a domain name such as _domain.com_. This is necessary for the LetsEncrypt SSL certificate. If you will use this server locally or using the raw IP address, you may choose to configure a self-signed certificate instead. + +## Configure firewall + +You may use the file in `scripts/ufw-setup.sh` to install ufw (uncomplicated firewall) and automatically open ports 80 and 443 (needed for LetsEncrypt and for access to the WordPress/WooComerce site.) + +Alternatively, configure your firewall of choice to accept requests on ports 80 and 443 (and whatever port(s) you may be using to access your server, ex: SSH port 22.) + +## Software from Debian Repositories + +Please note that all software can be installed at one time. The separations are only to make the instructions more clear. 
+ +### Install Apache2 + +`$ sudo apt install apache2` + +### Install PHP and Supporting Packages for Wordpress + +`$ sudo apt install php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php-mysql php-mbstring php-xml libapache2-mod-php + +### Install Certbot for LetsEncrypt + +`$ sudo apt install certbot` + +### mariaDB + +`sudo apt install mariadb-server` + + +## Configure SSLEngine + +### Using LetsEncrypt + +#### Get the certificate: + +You must have ports 80 and 443 open on your firewall before running this command: + +`$ sudo certbot certonly -d _domain.com_` + +LetsEncrypt will save the certificate and key as: + +`/etc/letsencrypt/live/_domain.com_/fullchain.pem` and +`/etc/letsencrypt/live/_domain.com_/privkey.pem` + +#### Set the certificate to auto-renew: + +Become `root`: + +`$ su` + +(Now enter the root user's password) + +`# crontab -e` + +Add these lines to the crontab (please note you can change the date by adjusting this command. Look up _cron_ jobs for details): + +``` +# Weekly Certbot Renewal Check +25 11 4 * * certbot renew --rsa-key-size 4096 --pre-hook "service apache2 stop" --post-hook "service apache2 start" +``` + +### Using a self-signed certificate + +If you prefer to use a self-signed SSL certificate (for example, if your server does not have a public IP address), you may use the script in `/scripts/ssl-create-selfsigned.sh`. You can also do this manually as follows: + +`$ openssl req -x509 -newkey rsa:4096 -keyout selfsigned-key.pem -out selfsigned-cert.pem -days 365 -nodes -subj '/CN=localhost'` + +Leave off the `-subj '/CN=localhost'` flag if you prefer to add identifying information to the certificate. 
+ +The output will look something like this: + +``` +Generating a RSA private key +.................................................................................++++ +..............................................................................................................................................................................................................................................................................................................................................++++ +writing new private key to 'key.pem' +Enter PEM pass phrase: +123976305214592:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:905:You must type in 4 to 1024 characters +123976305214592:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:545:while reading strings +123976305214592:error:0906406D:PEM routines:PEM_def_callback:problems getting password:../crypto/pem/pem_lib.c:59: +123976305214592:error:0907E06F:PEM routines:do_pk8pkey:read key:../crypto/pem/pem_pk8.c:83: +``` + +Next, copy the certificate and key to a location where you will keep them permanently: + +`$ sudo mv selfsigned-key.pem selfsigned-cert.pem /etc/ssl/certs/`` + +Remember this location for inclusion in your web server configuration files. + + +## Configure Apache2 + +### Apache2 modules + +#### Enable modules for Apache2 to support PHP + +`$ sudo a2enmod actions fastcgi alias proxy_fcgi php7.2 a2enmod proxy_fcgi setenvif php7.2-fpm` + +Please note that you may need to change the version from php7.2, depending on your system. + +#### Install modules for HTTP -> HTTPS, and SSL + +`$ sudo a2enmod rewrite ssl` + +#### Restart Apache2 + +`$ sudo systemctl restart apache2` + +### .conf file + +Copy the `wordpress.conf` file in `/tools/wordpress.conf` and customize for your system. + +Save this file as _wordpress.conf_ and put it in `/etc/apache2/sites-available`. 
To make it active, issue this command: + +`$ sudo a2ensite wordpress && sudo systemctl reload apache2` + +You may also wish to remove the default `000-default.conf` apache2 configuration with this: + +`$ sudo a2dissite 000-default` + +Now reload apache2: + +`$ sudo systemctl reload apache2` + + +## Install WordPress + +You are recommended to follow the official Wordpress instructions at https://wordpress.org/support/article/how-to-install-wordpress/ + +Alternatively, instructions follow: + +### Download the latest Wordpress version: + +`$ wget https://wordpress.org/latest.tar.gz` + +### Unpack to /var/www/wordpress + +Untar WordPress to this directory (all files should be in `wordpress/` subdirectory): + +`$ sudo tar -xf latest.tar.gz -C /var/www` + +Set permissions and ownership: + +`$ sudo chmod -R 755 /var/www/wordpress` + +`$ sudo chown -R www-data:www-data /var/www/wordpress` + +### Create mariaDB database and password + +1. (Optional but highly recommended:) Secure the mariaDB installation: + +`$ sudo mysql_secure_installation` + +You will be prompted to accept some security defaults, and to set the root password. Make sure to write this down. + +2. Create the WordPress database and user + +a. Log into the mySQL/mariaDB command line interface + +`$ sudo mysql -u root -p` + +Enter your password. You should now be at the `MariaDB [(none)]>` prompt. + +b. Create the database: + +`MariaDB [(none)]> CREATE DATABASE wordpress;` + +c. Create the user to use the _wordpress_ database: + +`MariaDB [(none)]> GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "somepassword";` + +Please note that you should choose a secure password instead of "somepassword". You will need to remember this password later when installing WordPress. + +d. Flush Privileges + +`MariaDB [(none)]> FLUSH PRIVILEGES;` + +e. 
quit + +`MariaDB [(none)]> quit` + +### Configure WordPress to use the database + +`$ sudo cp /var/www/wordpress/wp-config-sample.php /var/www/wordpress/wp-config.php` + +Now open your favorite text editor and edit `/var/www/wordpress/wp-config.php`. Change the values for the `database_name_here`, `username_here`, and `password_here` to match the values you created in mariaDB. + +Save this file and exit. + +## Test the WordPress installation + +At this point, you should have an Apache2 web server, using a LetsEncrypt certificate, pointing to a WordPress installation on your server. + +If everything is correct, you should be able to open a web browser to _domain.com_ (or a local IP address if you are not using a public IP) and see a default WordPress site. If you do not see this, please troubleshoot by looking back over the instructions above. They have been tested on a Debian 10 system. + +If you do see Wordpress, please configure your Wordpress site and proceed to the next step when complete. + +## Install WooCommerce plugin + +You can install the WooCommerce plugin using the admin interface at `https://_domain.com_/wp-admin` |
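Review bot: In the self-signed certificate section, `sudo mv selfsigned-key.pem selfsigned-cert.pem /etc/ssl/certs/` places the private key in the directory meant for public certificates, which every local user can list and read from. Move only the certificate there, put the key in `/etc/ssl/private/` with root-only permissions, and drop the stray second backtick at the end of that line. The sample output in the same section does not match the command: it names 'key.pem' and ends in a failed pass phrase prompt, while the command uses `-keyout selfsigned-key.pem` with `-nodes`, so it should be replaced with output from a successful run. In the crontab block the comment says "Weekly", but `25 11 4 * *` fires once a month on the 4th; either use `25 11 * * 4` or correct the comment. In the Apache section, `a2enmod` appears a second time as an argument inside the `sudo a2enmod actions fastcgi ...` command and will be treated as a module name; split it into two commands or remove the repeat. Finally, the guide applies `chmod -R 755` to the WordPress tree and later creates `wp-config.php` with `sudo cp` but never restricts that file, which will hold the database password; add a step that tightens its mode and ownership.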