Configure linux server and deploy dockerized apps on it

First note for AWS fans: you can test and learn AWS functionalities and services via localstack. But it is good if you plan to use AWS in production as well as in the development environment.

What is an SMTP provider?

It sends and receives emails, and it provides us a RESTful API, an SDK, and/or a dashboard to see what we are doing. It is important to use a good provider to decrease the chance of being counted as spam. You have to set their DNS records at your cloud provider or on your own DNS server. Then your app can connect to them through the SMTP protocol.


What is CDN?

It stands for Content Delivery Network and basically it is a bunch of servers that help your website get delivered across the internet faster by:

  • Transferring assets - HTML/CSS, images, JS, media - quickly
  • Protecting your app against DDoS
  • Reducing bandwidth usage by caching

So it tries to deliver content as quickly, cheaply, reliably and securely as possible.


But why Ubuntu?

  • It has stable releases (LTS)
  • Great support for software (NSFW: I have heard multiple times that there are other releases with better app support than Ubuntu)
  • Great community and tutorials
  • Official support (Ubuntu is owned by Canonical)

And Why Debian?

  • It's politically and economically free.
  • On top of that it's an easy and stable distro for servers.
  • Just enable unattended-upgrades and only install software from the official repositories and you'll have a boring - exciting is bad for servers ;) - and productive server.


Ubuntu server Configuration

BTW, if you have chosen Ubuntu, we have two options at the beginning of our path to start learning Linux servers, both a very solid environment for our tests:

  • VirtualBox (sudo apt install virtualbox)
  • multipass (sudo snap install multipass)

Install multipass

Our choice is multipass. Therefore I install it on my local PC and then launch a new instance of Ubuntu server (the disk size flag is --disk):

$ sudo snap install multipass
$ multipass launch --name foo --disk 20G

Note: if you already have a multipass instance and now want to increase its size, take a look at this comment on the "VM is too small" issue in the multipass GitHub repo. Then we need to install and configure our Nginx. In this step we have 2 options:

  1. Install it via apt
  2. Compile its source code

My suggestion is the second option, and here is my reasoning:

  • If you screw everything up and now need an Ubuntu server without any /etc/nginx, /var/www or /var/log/nginx directory, you cannot just issue an uninstall command in the terminal and expect all the nginx stuff to vanish. No, you need to remove those directories manually.
  • You have more flexibility to add and remove nginx modules.
  • Also, it is cool and fun.

Keep the flip side in mind: a source-built nginx does not receive security updates from apt, so you have to watch for new releases and rebuild it yourself.

Update and Upgrade repositories

I am not 100% sure, definitely, whether upgrading a Linux server is a good thing or not - based on what I heard from someone who said we do not want to make our server unstable - but here we will update and upgrade our Linux at least once, to install the libs/bins we need.

sudo apt update
sudo apt upgrade        


SSH

  • Stands for Secure Shell.
  • It is a communication protocol.
  • Communication is secured by encrypting each packet.
  • ssh is our client and sshd is our server.
  • We can configure sshd through the /etc/ssh/sshd_config file, e.g. to disable root login and password login.
  • Authenticating to the server with an ssh key is more secure than a password. You can add your own or your colleague's public key to the authorized_keys file; now you can disable login with password, and everyone who holds the private key matching a listed public key can ssh to the server.

Steps to configure ssh

1) sudo apt-get install openssh-server

2) sudo systemctl enable ssh

3) Before anything else, allow ssh in your firewall rules:

sudo ufw allow ssh
sudo ufw enable

4) sudo systemctl start ssh

5) Disable root login by putting PermitRootLogin no in /etc/ssh/sshd_config.

6) Put the public keys in ~/.ssh/authorized_keys to allow their owners to log in to the server.

7) Change the ssh port in /etc/ssh/sshd_config from 22 to something else. Note that the ufw allow ssh rule from step 3 only opens port 22, so allow the new port in ufw as well (sudo ufw allow <new-port>/tcp) before you reload sshd, or you will lock yourself out.

8) sudo systemctl reload sshd

9) If you created new users do not forget to put your public key in their .ssh/authorized_keys, because, as discussed further on, we have to disable the root and ubuntu users for security.

* A passphrase on your private key is a good thing. Use it for sure.
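To check that the steps above actually took effect, here is a small audit script added to this article (it is my example, not the author's, and not part of any OpenSSH tooling). It reads an sshd_config, applies sshd's own rule that the first occurrence of a keyword wins, stops at the first Match block, and reports anything that differs from the hardening described in steps 5 to 7. The two configs embedded at the bottom are constructed samples; point the script at /etc/ssh/sshd_config to audit a real host.

```python
"""Audit an sshd_config against the hardening steps above (added example).

Runs offline on the constructed SAMPLE_CONFIG; pass a path on the command
line to audit a real file instead.
"""
import re
import sys

# Defaults sshd applies when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# What steps 5 to 7 leave us with: no root login, no passwords, keys enabled.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Collect global directives as {lowercase keyword: [values, in file order]}.

    Parsing stops at the first Match block: directives after it are
    conditional and do not change the global settings. Include directives
    are recorded like any other keyword but are not followed.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "match":
            break
        directives.setdefault(key, []).append(value)
    return directives


def effective(directives, key):
    """sshd honours the first occurrence of a keyword, so return that one."""
    values = directives.get(key)
    return values[0] if values else DEFAULTS.get(key)


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = effective(directives, key)
        if got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    # Port may be listed more than once (one listener per line); all of them count.
    ports = directives.get("port", ["22"])
    if "22" in ports:
        findings.append("port 22 is still open in sshd (step 7 moves it elsewhere)")
    return findings


# Constructed sample: what the file might look like after steps 5 to 7.
# The second PermitRootLogin line is there to show that sshd ignores it.
SAMPLE_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
"""

# Constructed sample of an unhardened file.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text) or ["all checks passed"]:
        print(finding)
```

One caveat: the script does not follow Include directives, and on Ubuntu the stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file there can override what you see in the main file. Check those files too, or run sshd -T as root to print the effective configuration and feed that output to the script.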


Multiple ssh keys

Usually I prefer to generate different ssh keys for different services, for example one for GitHub, one for GitLab, etc. It is as simple as passing a different location for saving the id_rsa file, and then telling ssh which key to use for which host with an IdentityFile entry in ~/.ssh/config.

  1. ssh-keygen -f /path/to/newly/generated/ssh/id_rsa
  2. ssh-add /path/to/newly/generated/ssh/id_rsa


Create new user

To create a new user we can use the following command. But why new user(s)?

  • To track who did what.
  • To decrease the chance of brute force attacks on default usernames (e.g. ubuntu, admin, root, etc.)

sudo useradd --create-home --home-dir /home/r1 --shell /bin/bash --groups docker,sudo --comment "This comment can be handy in organizations" r1

Note that the supplementary groups are passed with --groups (-G); --group (-g) sets the single primary group and rejects a comma-separated list.

On most Linux distributions, when creating a new user account with useradd, the user's home directory is not created by default. Therefore I prefer to specify it right away. If you do not need to change the location of the home directory you can issue sudo useradd -m r1 and it will create the home directory in the default place.

And in the last part we assign the user the necessary groups. In my opinion it is good to set the user's shell while creating the user. We can check the user's shell in /etc/passwd. As you saw we also added a comment to the user; the comment field is also known as GECOS.

Finally each user can put his/her public key into /home/r1/.ssh/authorized_keys, or we can get their public key and put it there on their behalf. In that case please log in as them - su r1 - and then create the /home/r1/.ssh/authorized_keys file, so that the directory and file get the right owner and permissions (sshd checks them when StrictModes is on), to prevent this error:

r1@ip Permission denied (publickey).

Basically we cannot use the r1 user until its password is set; you have to set it first, and then you can log in as r1. So we need to issue this command in the terminal:

sudo passwd r1

Important notes while creating a new user:

  • I highly suggest generating a random username and random password with a tool like md5sum or something like that.
  • Use the --expiredate flag if you want to create a user just for a while - IDK, maybe 1 month or 1 year. The date must be specified in YYYY-MM-DD format.

Disable root user after creating new user with sudo privilege

To prevent brute force attacks against the root user we must disable the root user account (ref).

sudo vim /etc/passwd
# change root:x:0:0:root:/root:/bin/bash to root:x:0:0:root:/root:/usr/sbin/nologin
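As an added check (my example, not the article's), this script parses /etc/passwd content and confirms that the root shell change above took effect, while also flagging any other UID 0 account and listing who still has an interactive shell. The passwd content embedded below is constructed, including a deliberately planted second UID 0 account so the check has something to find; pass a path on the command line to check a real file.

```python
"""Check /etc/passwd for the root-shell change above and for other UID 0
accounts (added example). Runs offline on the constructed sample below;
pass a path on the command line to check a real file."""
import sys

# Shells that refuse interactive logins; the article sets root to the first one.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (name, uid, gid, gecos, home, shell) for each well-formed line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # malformed; a stricter audit would report this too
        name, _pw, uid, gid, gecos, home, shell = fields
        yield name, int(uid), int(gid), gecos, home, shell


def audit_passwd(text):
    """Return findings about root and UID 0 accounts; empty list means all good."""
    findings = []
    for name, uid, _gid, _gecos, _home, shell in parse_passwd(text):
        if name == "root" and shell not in NOLOGIN_SHELLS:
            findings.append(f"root still has login shell {shell}")
        if uid == 0 and name != "root":
            findings.append(f"{name} has UID 0 (a second root account)")
    return findings


def interactive_accounts(text):
    """Names of accounts whose shell allows interactive login (who can ssh in)."""
    return [name for name, *_rest, shell in parse_passwd(text)
            if shell not in NOLOGIN_SHELLS]


# Constructed sample: root disabled as described above, one service account,
# the r1 user from this article, and a planted second UID 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
r1:x:1001:1001:This comment can be handy in organizations:/home/r1:/bin/bash
svc-extra:x:0:0::/root:/bin/bash
"""

# Constructed sample of a stock system before the change.
BEFORE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for finding in audit_passwd(text) or ["no findings"]:
        print(finding)
    print("interactive accounts:", ", ".join(interactive_accounts(text)))
```

Be aware of a side effect of the nologin shell: sudo -i and su - start root's login shell from /etc/passwd, so they will now print the nologin message. Use sudo -s or sudo <command> from your sudo-enabled user instead; those do not depend on root's shell entry.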


Create a shared directory between users to make accessing shared files/directories easier and simpler:

sudo mkdir -p /home/shared-directory
sudo groupadd SharedUsers
sudo chgrp -R SharedUsers /home/shared-directory
sudo chmod -R 2775 /home/shared-directory

The group name must be spelled the same in groupadd and chgrp, and the users who should share the directory have to be added to that group. The leading 2 in 2775 is the setgid bit, so files created inside the directory inherit the SharedUsers group instead of the creator's primary group.

Ref1, Ref2,

Compile the Nginx codebase

  • Download the codebase into your multipass instance/server. You can find the download link here (wget).
  • Extract it (tar -xvf file-name.tar.gz).
  • Install the C compiler stuff (sudo apt install gcc make build-essential).
  • Install the common dependencies for nginx: we need libpcre3 and libpcre3-dev to have regex in our nginx, zlib1g and zlib1g-dev to have gzip, and libssl-dev for SSL. You can find more details in this link and this one.

sudo apt install libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev

  • Now cd into the extracted directory (cd nginx-1.20.2/).
  • Issue this command to configure Nginx with the most common modules and features:

./configure --sbin-path=/usr/bin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-pcre --pid-path=/var/run/nginx.pid --with-http_ssl_module

  • And finally make and install it (the build itself does not need root; only the install step writes outside the source tree):

make
sudo make install

  • Finally check the Nginx init script at /lib/systemd/system/nginx.service; it should be there. BTW if you do not have it, please create it and grab its content from here - grab the content based on your system, but if you followed along with me you need the systemd one - and paste it into that file.
  • The last step should be enabling the nginx service (sudo systemctl enable nginx).

Now you have installed the nginx server; you can confirm it with sudo systemctl status nginx.service. Next we have to allow nginx in ufw, which we can do via sudo ufw allow "Nginx Full". But sometimes it throws an error, because the "Nginx Full" profile is shipped by the Ubuntu nginx package and a source build does not install it, so we need to create the application profile first. Open vim /etc/ufw/applications.d/nginx.ini and paste the following content into it:

[Nginx HTTP]
title=Web Server
description=Enable NGINX HTTP traffic
ports=80/tcp

[Nginx HTTPS]
title=Web Server (HTTPS)
description=Enable NGINX HTTPS traffic
ports=443/tcp

[Nginx Full]
title=Web Server (HTTP,HTTPS)
description=Enable NGINX HTTP and HTTPS traffic
ports=80,443/tcp
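To catch mistakes like a missing bracket in a section header or a stray character on the ports line before ufw complains about the profile, here is a validator for that file format (an added example; it is not part of ufw or of the article). It uses Python's configparser, which reads the same INI layout ufw expects, checks that every section has title, description and ports, and checks the ports line against ufw's port/protocol syntax (comma lists, colon ranges, and several groups joined with "|"). The good profile embedded below is the nginx.ini from above; the broken variants are constructed to show the failures.

```python
"""Validate a ufw application profile such as /etc/ufw/applications.d/nginx.ini
before handing it to ufw (added example, not part of ufw)."""
import configparser
import re

# One port group: "80/tcp", "80,443/tcp" or a range "6000:6007/udp".
# Several groups may be joined with "|", e.g. "53/tcp|53/udp".
PORT_GROUP = re.compile(r"^(\d+(?::\d+)?(?:,\d+(?::\d+)?)*)/(tcp|udp)$")
REQUIRED_KEYS = ("title", "description", "ports")


def parse_ufw_profile(text):
    """Return {profile: {"title": ..., "description": ..., "ports": [(ports, proto)]}}.

    Raises configparser.Error for a malformed INI and ValueError for a
    section that lacks a key or has an invalid ports line.
    """
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(text)
    profiles = {}
    for section in ini.sections():
        for key in REQUIRED_KEYS:
            if key not in ini[section]:
                raise ValueError(f"[{section}] is missing '{key}'")
        groups = []
        for group in ini[section]["ports"].split("|"):
            m = PORT_GROUP.match(group.strip())
            if not m:
                raise ValueError(f"[{section}] has an invalid ports entry '{group}'")
            ports = m.group(1).split(",")
            for port in ports:
                lo, _, hi = port.partition(":")
                if not 1 <= int(lo) <= 65535 or (hi and not int(lo) <= int(hi) <= 65535):
                    raise ValueError(f"[{section}] has a port out of range '{port}'")
            groups.append((ports, m.group(2)))
        profiles[section] = {
            "title": ini[section]["title"],
            "description": ini[section]["description"],
            "ports": groups,
        }
    return profiles


def validate_ufw_profile(text):
    """Return None if the profile is usable, otherwise a one-line reason."""
    try:
        parse_ufw_profile(text)
    except (configparser.Error, ValueError) as err:
        return str(err)
    return None


# The corrected nginx.ini from this article.
GOOD_PROFILE = """\
[Nginx HTTP]
title=Web Server
description=Enable NGINX HTTP traffic
ports=80/tcp

[Nginx HTTPS]
title=Web Server (HTTPS)
description=Enable NGINX HTTPS traffic
ports=443/tcp

[Nginx Full]
title=Web Server (HTTP,HTTPS)
description=Enable NGINX HTTP and HTTPS traffic
ports=80,443/tcp
"""

# Constructed variants reproducing two easy slips: a header without its
# closing bracket, and a stray ']' after the ports list.
BROKEN_HEADER = GOOD_PROFILE.replace("[Nginx HTTP]", "[Nginx HTTP", 1)
BROKEN_PORTS = GOOD_PROFILE.replace("ports=80,443/tcp", "ports=80,443/tcp]")


if __name__ == "__main__":
    for label, text in [("good", GOOD_PROFILE), ("header", BROKEN_HEADER), ("ports", BROKEN_PORTS)]:
        print(label, "->", validate_ufw_profile(text) or "ok")
```

After the file passes, ufw app list should show the three profiles and sudo ufw allow "Nginx Full" will work; the validator only mirrors ufw's file format, it does not talk to ufw itself.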

If you need to delete a rule from ufw, list the rules with their numbers and then delete by number:

sudo ufw status numbered
sudo ufw delete 2


Install docker on the server

  • Follow the official guideline (click me) and then follow these steps.
  • Please grant access to docker for the necessary user (sudo usermod -aG docker username). Keep in mind that membership in the docker group is equivalent to root on the host, so give it only to users you would also give sudo.


#NSFW, Is it a good idea to dockerize PostgreSQL?

  • Is it just for testing purposes or for production? IMO it does not matter; we usually mount our volumes outside of the dockerized postgres, so we can simply restart our postgres container.
  • It is true that containers are designed to move fast, but they are also good for our prod servers.


#NSFW, Do I have to dockerize everything? A much more precise question: is it good to dockerize Nginx?

Before that, let me tell you why we need Nginx or another reverse proxy:

  • Serving static files efficiently
  • Terminating SSL
  • Getting useful headers such as country/city code
  • Setting headers
  • Controlling deny/allow lists
  • Redirecting HTTP to HTTPS, www to your apex domain or vice versa

And now let me answer the first question: should I dockerize the reverse proxy server?

Short answer is no, long answer is no (based on what I read). Here is why:

  • Chances are that you upgrade your docker, which means downtime

Unless you have a cluster, and that's another topic.


Copy files to the server

Use scp to copy your files from the server to your local machine. In this example I copy a directory from the server to my local machine, and I used to use a .pem file (I do not suggest using a .pem file). Replace user@server with your login and host:

scp -r -i privatekey.pem user@server:/path/to/directory /anywhere/

And you can also copy files from your local machine to the server with this command:

scp -i privatekey.pem node.16.14.0-alpine3.15.tar user@server:/tmp


More articles by Mohammad Jawad barati