Statement: We have to create a web portal for our company with all the security as much as possible.
So, we use Wordpress software with dedicated database server.
Database should not be accessible from the outside world for security purposes.
We only need to public the WordPress to clients.
So here are the steps for proper understanding!
1) Write a Infrastructure as code using terraform, which automatically create a VPC.
2) In that VPC we have to create 2 subnets:
a) public subnet [ Accessible for Public World! ]
b) private subnet [ Restricted for Public World! ]
3) Create a public facing internet gateway for connect our VPC/Network to the internet world and attach this gateway to our VPC.
4) Create a routing table for Internet gateway so that instance can connect to outside world, update and associate it with public subnet.
5) Launch an ec2 instance which has Wordpress setup already having the security group allowing port 80 so that our client can connect to our wordpress site.
Also attach the key to instance for further login into it.
6) Launch an ec2 instance which has MYSQL setup already with security group allowing port 3306 in private subnet so that our wordpress vm can connect with the same.
Also attach the key with the same.
WHAT IS VPC?
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
STEP 1. Create a vpc for our web portal using terraform
Here in the cidr block we have to give the range of the ip for the vpc and the keyword enable_dns_host will give the dns hostnames to the instances.
STEP 2. Create the subnet (labs) for our vpc in which one is the public subnet where everyone can interact with the webapp and one is the private subnet where only the database server is running and only the instances from the public subnet are allowed to connect.
Note- Use 1a and 1b availability zone only because we cannot run the t2.micro instances in 1c data centres
here the map_public_ip_on_launch keyword will enable the public ip on the launched instances so that anyone from the outside world can connect through it. On the other hand the subnet2 will only have the private ip.
STEP 3. Create an internet gateway for the instances. This internet gateway will help us in setting the routing table. All the instances can connect to the gateway id and then from their using route tables we can give them the outside world connectivity.
STEP 4. Create the route table for the instances and attach it to the public subnet.
STEP 5. Create the security groups for the public and private subnet. Allow port 22 , 80 for the public subnet so that in future we can change anything from it and also the port 80 will allow us to access the webserver pages. Allow port 3306 for the private subnet so that only the webserver can connect through this instance.
Here the egress is used for the outbound rules setup and -1 means ‘all’.
STEP 6. Launch the instances using the ami images in their respective subnets.
In my case i have created some customized images and configured the complete webserver and dbserver in it. I will explain that part also in this blog.
After running the terraform init , validate, apply command.
All the security groups, route tables, internet gateways, subnets etc will be created after these commands.
And the instances launched on different subnets are shown here.
After this copy the public dns of the wordpress instance and run it on the browser.
While setting up the wordpress site give the private ip of the mysql instance in the local host field and the password and username must be the same as you have configured while creating the mysql db table in the database server. I will start to explain that part now.
I have tried to use the pre created ami images but cannot understand about their database server. As they have used the same instance to install the database. So I created my own image and for that I have tried multiple instances to configure i used amazon linux , rhel but their have always been some dependencies issue. At last i used the ubuntu 16.04 image and configured the complete setup on this.
Use this ami and launch two different instances from it. One is for the webapp server and the second one is for the database server.
Now after launching these images. Connect with the instances as shown
After connecting to the instances first configure the wordpress server
apt-get upgrade -y
apt-get install apache2 -y
apt-get install php7.0 php7.0-curl php7.0-mysql php7.0-mbstring php7.0-dom php7.0-gd -y
apt-get install libapache2-mod-php7.0
apt-get install mysql-client -y
First use these commands to install the necessary programs then
rm -rf *
mv wordpres/* /var/www/html
tar -xzvf latest.tar.gz
chown -R www-data:www-data /var/www/html
Use these commands to download the wordpress site pages and copy them to the /var/www/html folder and change the ownership of that folder.
Now configure the db server
apt-get upgrade -y
apt-get install mysql-server mysql-client -y
When you see the upper violet screen you can either give a password or simply press enter to skip it.
Use these commands to install the necessary programs and then made some changes in the server file.
Enable Validate Password Plugin? No
Change the password for root? No
Remove anonymous users? Yes
Disallow root login remotely? Yes
Remove test database and access to it? Yes
Reload privilege table now? Yes
I will share a text file and some screenshots on how to do this parts on my github repo.
After that change the conf.d file and change the bind-address to the dbserver ip. And then restart the service.
service mysql restart
Now login to the mysql user using the root password which you set during the secure installation part and the create a wpuser and give the privateip of the wordpressserver.
mysql -uroot -p;
CREATE DATABASE wordpress-db;
CREATE USER ‘User‘@’wpserver-private-ip‘ IDENTIFIED BY ‘kjl134‘;
GRANT ALL PRIVILEGES ON wordpress.* TO ‘User‘@’wpserver-private-ip‘;
After this you can check from the cli of the wordpress application server to login to this database which you created on a different subnet.
mysql -uwordpressUser -p -hdbserver-private-ip
Now you can create a snapshot of this volume and can create a customized image of your own.
Even though their is one more constraint in this project. Every time we launch a new instance it will give different private ip to the instances and we need to create a static ip for this.This means we can launch this instances only once and after configuring and launching it again it will give a database connection error.
I dont know much about the ubuntu os but before completing the task 4 i’ll do this part and update the file for the same in that blog.
If you have any doubts in setting up this instance you can ask me anytime.
LINKEDIN PROFILE: https://www.linkedin.com/in/akshat-soni-011b461a6
GITHUB URL: https://github.com/akshat-crypto/HCC_TASK3.git