- Server IP: 52.10.176.92
- Port: 2200
- Project accessible at: http://ec2-52-10-176-92.us-west-2.compute.amazonaws.com/
- SSH access via:

```
ssh -i ~/.ssh/grader.rsa grader@52.10.176.92 -p 2200
```
- Create Grader Account
- Give Grader SUDO
- Create SSH Keys
- Update Packages
- Configure Timezone
- Change SSH Port
- Configure Firewall
- Install Apache
- Serve A Python mod_wsgi Application
- Install PostgreSQL
- Install Git
- Install App
- Additional Steps
## Create Grader Account

Create the grader account with the following command:

```
sudo adduser grader
```

## Give Grader SUDO

Create the file `grader` in `/etc/sudoers.d/` with `sudo touch /etc/sudoers.d/grader` and add the following line to the newly created file:

```
grader ALL=(ALL:ALL) ALL
```

sudo expects fragments in `/etc/sudoers.d/` to be owned by root and mode 0440 (see `/etc/sudoers.d/README`), so set `sudo chmod 440 /etc/sudoers.d/grader` and check the syntax with `sudo visudo -cf /etc/sudoers.d/grader` before ending your root session: a malformed fragment makes sudo refuse to run for every user.

If sudo prints `sudo: unable to resolve host <hostname>`, add the instance's hostname (as printed by `hostname`) to the `127.0.0.1` line in `/etc/hosts`.
## Create SSH Keys

Create an SSH key pair on your local machine (OS X or Linux) with `ssh-keygen`; when prompted for the file name, save it as `~/.ssh/grader.rsa` so that it matches the commands below. Only the `.pub` half is copied to the server; the private key never leaves your machine.

On the server, as root:

- Create a `.ssh` directory in `/home/grader/` with `mkdir /home/grader/.ssh`.
- `cd` into the directory just created with `cd /home/grader/.ssh/`.
- Create an `authorized_keys` file in the `.ssh` directory with `touch authorized_keys`.
- Paste the contents of `grader.rsa.pub` into `/home/grader/.ssh/authorized_keys`.
- Set directory permissions:
  - Using `chmod`, set `~/.ssh` to 700 with `chmod 700 /home/grader/.ssh/`.
  - Again using `chmod`, set the `authorized_keys` file to 644 with `chmod 644 /home/grader/.ssh/authorized_keys`.
- Check the owner and group of `~/.ssh` and `~/.ssh/authorized_keys`. sshd runs with `StrictModes yes` by default and silently ignores keys in a directory or file owned by anyone but the user, or writable by others, so if the owner and group are not grader, set them with `chown -R grader:grader /home/grader/.ssh/`.
- Check that you can log into the grader account with `ssh -i ~/.ssh/grader.rsa grader@52.10.176.92` (the port is still 22 at this point).
- Recheck the steps above in the event of an issue, or Google the error message. This is how I figured out that password login was already disabled on my instance.
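The key-installation steps above, as an added shell example that is not part of the original README: it installs a public key for a user with the directory and file modes sshd's `StrictModes` requires, refuses input that is not an OpenSSH public key line, is safe to re-run, and checks the result. The home directory, owner and key are parameters; it uses 600 on `authorized_keys` (sshd accepts either 600 or 644) and only runs `chown` when executed as root.

```sh
#!/bin/sh
# Added example (not from the original README). Installs PUBKEY into
# HOME_DIR/.ssh/authorized_keys for OWNER with the modes sshd's StrictModes
# requires, and verifies the result. Run as root on the server, e.g.:
#   install_authorized_key /home/grader grader "$(cat grader.rsa.pub)"
install_authorized_key() {
    home_dir=$1; owner=$2; pubkey=$3
    # Refuse anything that is not an OpenSSH public key line ("<type> <base64> [comment]").
    case $pubkey in
        ssh-rsa\ [A-Za-z0-9+/]*|ssh-ed25519\ [A-Za-z0-9+/]*|ecdsa-sha2-nistp256\ [A-Za-z0-9+/]*) ;;
        *) echo "not an OpenSSH public key: $pubkey" >&2; return 1 ;;
    esac
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    # Append only if this exact line is not already present, so re-runs do not duplicate keys.
    grep -qxF -- "$pubkey" "$home_dir/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    # StrictModes also rejects files owned by anyone but the user; chown needs root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$home_dir/.ssh"
    fi
}

# Return 0 when HOME_DIR/.ssh and authorized_keys have modes sshd will accept
# (700 on the directory, 600 or 644 on the file) and the file is non-empty.
check_authorized_keys() {
    home_dir=$1
    dir_mode=$(stat -c %a "$home_dir/.ssh" 2>/dev/null) || return 1
    file_mode=$(stat -c %a "$home_dir/.ssh/authorized_keys" 2>/dev/null) || return 1
    [ -s "$home_dir/.ssh/authorized_keys" ] || return 1
    [ "$dir_mode" = 700 ] || return 1
    [ "$file_mode" = 600 ] || [ "$file_mode" = 644 ]
}
```

`check_authorized_keys /home/grader` is the test to run when a key-based login fails with "Permission denied (publickey)" and the key itself is known to be correct; a wrong mode or owner is the usual cause.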
## Update Packages

Use the following commands to update the packages on the server, typing "Y" when asked whether to proceed:

```
sudo apt-get update
sudo apt-get upgrade
```
## Configure Timezone

Check the current timezone with `date`. If you do not see UTC in the output, change the timezone with `sudo dpkg-reconfigure tzdata`:

- Select "None of the above" from the first menu.
- Select "UTC" at the second menu.

You can improve the accuracy of the clock by installing `ntp` with `sudo apt-get install ntp`. Accurate time matters beyond log timestamps: the OAuth tokens and TLS certificates the app relies on are validated against the clock, so a badly skewed server rejects valid credentials.
## Change SSH Port

Before touching sshd, make sure TCP 2200 is reachable: add it to the instance's AWS security group (and to ufw once the firewall is enabled) or you will lock yourself out when sshd restarts. Keep the current session open and test the new port from a second terminal before closing it.

- Use `nano` to edit the SSH daemon config with `sudo nano /etc/ssh/sshd_config`.
- Change the default port from 22 to 2200 by changing

```
# What ports, IPs and protocols we listen for
Port 22
```

to

```
# What ports, IPs and protocols we listen for
Port 2200
```

- Check that password login is disabled. You should see the following in the file; if it is set to "yes", change it to "no" and save the file.

```
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
```

- Disable SSH login for the root user by changing "yes" to "no" on the following line:

```
PermitRootLogin yes
```

sshd uses the first value it finds for each keyword, so edit the existing lines rather than appending new ones at the end of the file, and run `sudo sshd -t` to check the file for errors before restarting.

- Restart ssh with `sudo service ssh restart`.
- Exit the root session with `exit` and log back in as grader on the new port:

```
ssh -i ~/.ssh/grader.rsa grader@52.10.176.92 -p 2200
```
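A check for the three sshd_config settings above, as an added shell example that is not part of the original README. sshd uses the first value it finds for a keyword, and settings inside `Match` blocks are conditional, so the checker reads the file the way sshd does instead of grepping for the last occurrence. When a keyword is absent it assumes the OpenSSH 6.x defaults shipped with Ubuntu 14.04 (Port 22, PasswordAuthentication yes, PermitRootLogin yes); the config path is a parameter so it can be run against `/etc/ssh/sshd_config` or a copy.

```sh
#!/bin/sh
# Added example (not from the original README): report the values sshd will
# actually use for the settings this section changes.

# Print the effective value of KEY in CONF: first match wins, keywords are
# case-insensitive, comments and blank lines are skipped, and everything from
# the first "Match" line onward is ignored because those settings are conditional.
sshd_effective() {
    conf=$1; key=$2
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { in_match = 1 }
        in_match                             { next }
        tolower($1) == tolower(key)          { print $2; exit }
    ' "$conf"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Apply this section's three requirements; print each failure, return 1 if any.
# Absent keywords fall back to the OpenSSH 6.x defaults (an assumption; see lead-in).
check_sshd_config() {
    conf=$1; rc=0
    port=$(sshd_effective "$conf" Port)
    [ "${port:-22}" = 2200 ] \
        || { echo "Port is ${port:-22 (default)}, expected 2200"; rc=1; }
    pw=$(lower "$(sshd_effective "$conf" PasswordAuthentication)")
    [ "${pw:-yes}" = no ] \
        || { echo "PasswordAuthentication is ${pw:-yes (default)}, expected no"; rc=1; }
    root=$(lower "$(sshd_effective "$conf" PermitRootLogin)")
    case ${root:-yes} in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is ${root:-yes (default)}, expected no"; rc=1 ;;
    esac
    return $rc
}

# Usage on the server: check_sshd_config /etc/ssh/sshd_config && echo "sshd_config OK"
```

Run it before `service ssh restart`; a config that passes `sshd -t` can still be wrong in the sense that matters here, because a stray `PasswordAuthentication yes` earlier in the file wins over the `no` you just added.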
## Configure Firewall

- Check the status of the firewall with `sudo ufw status`.
- Ensure that inbound connections are denied by default with `sudo ufw default deny incoming`.
- Ensure that all outbound connections are allowed with `sudo ufw default allow outgoing`.
- Open ports for SSH, HTTP and NTP with the following commands (`www` resolves to 80/tcp and `ntp` to 123/udp via `/etc/services`):

```
sudo ufw allow 2200/tcp
sudo ufw allow www
sudo ufw allow ntp
```

- Activate the firewall with `sudo ufw enable`, then confirm the rule set with `sudo ufw status verbose`.

Do not enable ufw before the 2200/tcp rule is in place, and do not add a rule for port 22: sshd no longer listens there. Inbound 123/udp is only needed if other hosts will query this server for time; replies to the server's own `ntp` client pass through ufw's established-connection handling, so the rule can be omitted when the server is only an NTP client.
## Install Apache

Check whether Apache is installed with `apache2 -v`. If Apache is installed you will see something like this:

```
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jan 14 2016 17:45:23
```

If you do not have Apache installed you will see a message like this:

```
The program 'apache2' is currently not installed. To run 'apache2' please ask your administrator to install the package 'apache2-bin'
```

To install Apache use the following commands:

```
sudo apt-get update
sudo apt-get install apache2
```

If you have installed Apache correctly you should see the "Apache2 Ubuntu Default Page" at the public IP address.
## Serve A Python mod_wsgi Application

Install `libapache2-mod-wsgi`, together with the Python headers needed to build C extensions such as psycopg2, with this command:

```
sudo apt-get install libapache2-mod-wsgi python-dev
```

Enable the module:

```
sudo a2enmod wsgi
```
## Install PostgreSQL

Install PostgreSQL:

```
sudo apt-get update
sudo apt-get install postgresql postgresql-contrib
```

And while we are at it, let's install `libpq-dev`; it is required to build psycopg2:

```
sudo apt-get install libpq-dev
```

Ensure remote connections are disabled:

```
sudo nano /etc/postgresql/9.3/main/pg_hba.conf
```

(9.3 is the PostgreSQL version Ubuntu 14.04 ships; adjust the path for your version.) The default configuration already disables remote connections. Here is a cleaned up version of the section that controls connections:

| Type  | Database | User     | Address      | Method |
|-------|----------|----------|--------------|--------|
| local | all      | postgres |              | peer   |
| local | all      | all      |              | peer   |
| host  | all      | all      | 127.0.0.1/32 | md5    |
| host  | all      | all      | ::1/128      | md5    |

The `host` entries only match the loopback addresses, and `listen_addresses` in `postgresql.conf` defaults to `localhost`, so the server does not accept TCP connections from other machines at all. Confirm with `sudo ss -ltnp | grep 5432`, which should list only 127.0.0.1:5432 and ::1:5432.

Create a new role named catalog:

```
sudo su - postgres
psql
```

```
CREATE USER catalog WITH PASSWORD 'somepassword';
ALTER USER catalog CREATEDB;
\du
```

Create the catalog database:

```
CREATE DATABASE catalog WITH OWNER catalog;
```

Switch to the catalog database:

```
postgres=> \c catalog
You are now connected to database "catalog" as user "postgres".
catalog=>
```

Ensure that the database cannot be modified by unauthorized users. By default every role may create objects in the `public` schema, so revoke that and grant it to the application role only:

```
REVOKE ALL ON SCHEMA public FROM public;
GRANT ALL ON SCHEMA public TO catalog;
```

Use a real password in place of `somepassword`; it ends up in the application's connection string later, so that file must stay out of version control.

Resources used for this step:

- https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-ubuntu-14-04
- https://www.digitalocean.com/community/tutorials/how-to-secure-postgresql-on-an-ubuntu-vps
- https://www.digitalocean.com/community/tutorials/how-to-use-roles-and-manage-grant-permissions-in-postgresql-on-a-vps--2
- http://www.postgresql.org/message-id/[email protected]
## Install Git

Install git:

```
sudo apt-get install -y git
```

## Install App

Move to the directory where the app will be installed and clone the app:

```
cd /var/www/
sudo mkdir catalog
cd catalog
sudo git clone https://github.com/larrytooley/Udacity-FSND2015-P3.git catalog
```

This leaves the application package at `/var/www/catalog/catalog/`, which the paths below assume.
### Configure and Enable New Virtual Host

Create a new configuration file:

```
sudo nano /etc/apache2/sites-available/catalog.conf
```

Add this to catalog.conf. `ServerName` takes a bare hostname (no `http://` and no trailing slash), and it should be the public hostname of your own instance:

```
<VirtualHost *:80>
    ServerName ec2-52-40-51-21.us-west-2.compute.amazonaws.com
    ServerAdmin [email protected]
    WSGIScriptAlias / /var/www/catalog/catalog.wsgi
    <Directory /var/www/catalog/catalog/>
        Order allow,deny
        Allow from all
    </Directory>
    Alias /static /var/www/catalog/catalog/static
    <Directory /var/www/catalog/catalog/static/>
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

`Order` and `Allow` are Apache 2.2 directives that 2.4 only accepts through `mod_access_compat`; the 2.4 equivalent is `Require all granted`. With this configuration `/static` is the only path Apache serves from disk; every other URL is handed to the WSGI application.

Enable the virtual host with `sudo a2ensite catalog` and run `sudo apache2ctl configtest` before restarting Apache.
Create a .wsgi file:

```
cd /var/www/catalog
sudo nano catalog.wsgi
```

Add this code to the file:

```
#!/usr/bin/python
import sys
import logging
logging.basicConfig(stream=sys.stderr)
sys.path.insert(0, "/var/www/catalog/")
from catalog import app as application
application.secret_key = 'Add your secret key'
```

I generated application.secret_key locally and substituted it in the file:

```
python
import os
os.urandom(24)
```

The key signs Flask's session cookies, so anyone who can read it can forge a logged-in session. Replace the placeholder with the generated value, keep `catalog.wsgi` out of the repository, and since `sudo nano` creates the file world-readable, tighten it with `sudo chown root:www-data catalog.wsgi` and `sudo chmod 640 catalog.wsgi` so that only Apache's user can read it.

Restart apache2:

```
sudo service apache2 restart
```
### Secure .git

Create an .htaccess file in the .git directory:

```
cd /var/www/catalog/catalog/.git
sudo nano .htaccess
```

Add the following code to the file:

```
Order allow,deny
Deny from all
```

Apache only reads `.htaccess` where `AllowOverride` permits it. The virtual host above never sets `AllowOverride`, and both Apache 2.4's compiled-in default and the `/var/www/` entry in Ubuntu's `/etc/apache2/apache2.conf` are `AllowOverride None`, so as written this file is ignored. Either add `AllowOverride Limit` to the `<Directory /var/www/catalog/catalog/>` block, or, more robustly, deny the directory in `catalog.conf` itself with a `<DirectoryMatch "/\.git">` block containing `Require all denied`. `.git` is not under the `/static` alias, so this virtual host never serves it from disk today, but the rule guards against a later `Alias` or `DocumentRoot` change exposing the whole checkout (including the files that hold the database password and OAuth secret). Either way, verify from outside the server that `http://<host>/.git/HEAD` returns 403 or 404 rather than the file contents.
### Install Dependencies

```
sudo pip install flask httplib2 requests oauth2client sqlalchemy psycopg2
```

Rename the main application file to `__init__.py` so that `from catalog import app` in the .wsgi file works.

Update the database connection to use PostgreSQL by changing the SQLite reference in `db_model.py` and `__init__.py` to the following:

```
'postgresql://catalog:<password>@localhost/catalog'
```

`<password>` is the password chosen for the catalog role above; the file now holds a credential, so keep it out of the repository.

Create the database schema by running:

```
python db_model.py
```

Alternatively, install the dependencies in a virtualenv instead of system-wide:

```
sudo apt-get install python-pip
sudo pip install virtualenv
cd /var/www/catalog/catalog/
sudo virtualenv venv
sudo venv/bin/pip install Flask
```

Call the virtualenv's own `pip` (`venv/bin/pip`) rather than running `sudo pip` after `source venv/bin/activate`: `sudo` resets `PATH` through `secure_path`, so the activated virtualenv is ignored and the package lands in the system site-packages instead. mod_wsgi also has to be told about the virtualenv, for example with `WSGIPythonPath /var/www/catalog/catalog/venv/lib/python2.7/site-packages` in the virtual host (python2.7 is the system Python on Ubuntu 14.04); otherwise stick with the system-wide install above.

### Update client_secret

- Use the full file path in `__init__.py`:

```
/var/www/catalog/catalog/client_secret.json
```

- Download `client_secret.json` from https://console.developers.google.com.
- Create the `client_secret.json` file and copy the contents of the download into the new file:

```
sudo nano client_secret.json
```

`client_secret.json` holds the OAuth client secret. Keep it out of git and restrict it with `sudo chown root:www-data client_secret.json` and `sudo chmod 640 client_secret.json` so that only Apache's user can read it.

Go to http://ec2-52-10-176-92.us-west-2.compute.amazonaws.com/ and use the app.