VPS Mastery: Build your own PHP web server with Ubuntu | Daniel Platt | Skillshare

VPS Mastery: Build your own PHP web server with Ubuntu

Daniel Platt, Teacher, Developer, Systems Admin

Lessons in This Class

37 Lessons (3h 6m)

  • 1. Welcome (2:09)
  • 2. Hosting types (5:37)
  • 3. Software (2:15)
  • 4. Ssh keys (2:30)
  • 5. Digital Ocean Account (5:56)
  • 6. Free alternative (13:50)
  • 7. Whats wrong with passwords (5:17)
  • 8. Package Manager & Checking for Updates (4:50)
  • 9. Skel Directory (2:05)
  • 10. Nginx install (2:11)
  • 11. Nginx config default page (5:38)
  • 12. Installing Mysql version 5.7 (1:41)
  • 13. Installing Mysql version 8.0 (4:48)
  • 14. Php install (3:44)
  • 15. Package Manager for PHP (3:21)
  • 16. Website Setup introduction (1:01)
  • 17. Add website user (4:00)
  • 18. Website php config (11:00)
  • 19. Add database user (4:05)
  • 20. Introduction to Deploying (1:02)
  • 21. Deploy using WGET (1:38)
  • 22. Deploy using SCP (5:00)
  • 23. Deploy using GIT (3:33)
  • 24. Deploy using composer (1:45)
  • 25. Introduction to Nginx Configuration (0:45)
  • 26. Static Nginx Config (6:30)
  • 27. Wordpress Nginx Config (4:32)
  • 28. Nginx config wordpress mu (8:45)
  • 29. Symfony Nginx Config (9:27)
  • 30. Introduction to Nginx Snippets (1:17)
  • 31. Snippets: User Authorisation (6:10)
  • 32. Snippets: Domain Redirects (5:25)
  • 33. Snippets: Uri Redirects (16:22)
  • 34. Snippets: HTTPS (15:32)
  • 35. Security firewall (3:58)
  • 36. Security expose as little as possible (7:33)
  • 37. Conclusion (0:57)
About This Class

Step-by-step guide to setting up Ubuntu, Nginx and PHP on a DigitalOcean VPS

Teaching Your PHP Elephant to Swim in the Digital Ocean

  • Are you tired of poor hosting?

  • Do you want the latest version of PHP?

  • Do you want the latest in security?

  • Want a free HTTPS certificate?

Then enrol in our course today and start making your own hosting!

Hi, my name is Daniel Platt and I have been building my own web servers since forever.
Watch over my shoulder as I build a web server and use it to host a WordPress site.

You want the latest version of PHP
Other hosting providers need to do months of testing before they will roll out the latest version of PHP, by which time it's out of date.

You want the latest in application security
Your hosting provider wants to keep compatibility for everyone, which minimises their support costs.

Free HTTPS certificate

I'll show you how to get free HTTPS certificates for your website.
The real kicker is it's more convenient than buying them!

Still not convinced?

If you try to find prebuilt hosting from a hosting provider, you'll need to consider:

  • Cost

  • Setup Time

  • Features

  • Software Versions

  • Support

It can be a headache!

If you want to take control of your hosting, then you need this course.

Build it your way!

We will show the process of building a web server and hosting different types of websites on there.

Learn things like:

  • How to install PHP and Nginx

  • Get FREE HTTPS/SSL certificates

  • How to isolate each website from each other to reduce risk

  • How to deploy using multiple methods

  • Setup web applications

    • Symfony

    • Wordpress

Enrol today and don't pay the price of bloated servers and poor support.

If you ever have any questions, please feel free to message me directly and I will do my best to get back to you as soon as possible!

See you in the course!

Sincerely,

Daniel Platt

Transcripts

1. Welcome: I'd like to say a big thank you for signing up on my course. Hopefully, you get what the course is about. I'm really happy with VPS servers. And I'd like to tell you why, and what you can do with them, and how you could replace other servers, like cPanel. Because these hosting providers that offer you some sort of managed solution, they just install some software and then they sit back. They don't really do anything. They just have software that does it for them. If something goes wrong, it's: "Uh, I'm sorry. It just happens. That was a bug in this version. We've accidentally turned off HTTPS on all your websites. Sorry. It's not an official service we offer." So problems like this take me, like, half a day dealing back and forth with their ticket systems, whereas on a server that I manage, I can solve the problem in five minutes. It boggles the mind. So I'm trying to teach you guys how you can do this for yourselves. If you can do it for a couple, then you'll understand how easy it is. And maybe manually it's not the best way forward, but you could automate it. You just need to have an understanding of what it is and why you need to do it. And I'm hoping in this course that you'll appreciate that. I really hope you love this course, and if you don't, then tell me why. I can't improve the course if I don't know. But this is coming from me. And I've been doing these server setups for the last 10 years, so I'm trying to cram as much information into this course as possible. I can't do it all at once, but I've tried to put in as much as I can at launch, and if I have forgotten anything, then again, drop me a message. Ask a question in the Q and A, because I want to help. And I would like this course to grow with everybody. Thank you and enjoy the learning.

2. Hosting types: In this lecture, I'd like to talk about the different types of hosting. You've got shared hosting, dedicated hosting and VPS hosting. So let's talk about those in a bit more detail. Shared hosting.
This is where you have lots of people sharing the same physical hardware. Because of this, providers can cram a lot more users onto one box, and it slows everybody down a fraction, but most of the time people don't notice it. You do have some providers where, at peak times, the server will crawl to a snail's pace, and this is because all the websites are generating traffic at the same time. If you pay a bit more money for shared hosting, then you're less likely to come across this problem. If you go on hosting where you pay £1, $1 a month, then you're more likely to hit this problem. The benefit of shared hosting is it's cheap: because of all these extra users, providers don't need to charge as much per user for the cost of the hardware, for the cost of the networking. So it's a trade-off. If you don't mind your website going a little bit slow, then it's perfect. It's also easy, because most of them have got a very simple user interface. And because it's simple, another negative would be that the configuration is less flexible; you can do less things. They've got less things installed, because the more flexibility they offer, the more chance of including a feature that could slow down the server. Because you've got all these users on one server, you've got a lot more chance of there being a security risk. If the server is badly configured, then any one of those users could then potentially attack your website and download your data, your database. The flip side of shared hosting is dedicated hosting. Dedicated hosting is where you are the sole user of a piece of hardware, a physical server. Most of the time, you can dictate which operating system gets installed, which services get installed. I mean, usually you get given a server and then you're just given an SSH session: here's your user name and password, off you go. Usually you get support, but a lot of the time it's just hardware support.
If you've got software problems because you've configured that server, then you're a lot less likely to be helped out. I mean, you can have what's known as managed dedicated hosting, which is where you have the shared hosting environment installed on your dedicated host. You'll have some of the negatives from shared hosting, like it's less flexible. You can't install what you want because the hosting provider doesn't understand it, doesn't support it, that sort of thing. Usually the biggest negative for dedicated hosting is that it is very expensive. You're usually talking a couple of hundred dollars a month versus a few dollars. Which brings us on to the third type, VPS hosting, or virtual private server. This, in a way, is kind of a hybrid between shared hosting and dedicated hosting. There is a physical machine, but that's partitioned up. The hardware is kind of sliced up, and each segment has been given its own operating system, so they can guarantee you hardware resources: the CPU, the memory, the disk, this sort of thing. So it's a lot harder to over-provision, this sort of thing. They tend to give 1 to 1, so if you have a server with 16 cores in it, 16 CPUs, then you slice it up into 16 virtual servers, or four servers with four CPUs in it. So with a VPS, you have basic control of the hardware. It's usually just a slider, saying I want one core, one CPU, two CPUs, and that will come with, like, 12 gigabytes of RAM, and that's enough to get you started. There usually is basic support, usually protecting your phone, and you'll tell them that you've got a problem with this and that, and they will help you to the best of their ability. Usually you're on your own with the community support forums, this sort of thing. So why would I recommend VPS hosting over dedicated or shared? Well, I like to think that you get the best of both worlds. You get the cheapness of shared hosting, but it's not over-provisioned.
You get the complete control of the software that you do with dedicated hosting, but you don't have everybody using your operating system, using your software, so there's less chance of being hacked from within. So that's what I'm gonna talk to you about throughout this course: how to set up a VPS and host your website on it, and at the same time making it secure, or at least as secure as we can make it with today's known information. In the next lecture, I'll talk about the software that I'm gonna install on it.

3. Software: In this lecture, I'm gonna be talking about the software that I'm going to install on the VPS. I'm going to install Ubuntu, and I'm gonna use the LTS, 16.04. The reason for this is because it's been around for a long time. It's stable and it will be supported for another three years, which would take us to about 2021. So it would do us for another three years. Every good server that's doing website hosting needs a web server. And there's been a debate on the Internet, for almost as old as the Internet now, of which to use, and it usually comes down to Apache or Nginx. Apache was the current king, and then Nginx came along, and because it was fast at serving static files, like images or video. Now, five years ago, I started using Nginx and I stopped using Apache, and this was because it was quicker. But more importantly, I felt the config, or the configuration, was a lot simpler. So for these reasons, I'm gonna tell you how to use Nginx in this course rather than Apache. For a database, there's lots of choices, but I found MySQL is the best supported. And I also like some of the tools that I use on the Mac that connect directly to it, like Sequel Pro. So I'm going to use MySQL for this course. One of the sites I'm going to use is WordPress. We also need to install PHP. Ubuntu ships with PHP 7.0. And since then, since Ubuntu shipped, 7.1 has been released, and 7.2, and I'm sure 7.3 soon.
So one thing to do in a later lecture is show you how to install the latest version of PHP. And that is the basic software I'm gonna be using on this VPS. I'll see you in the next lecture.

4. Ssh keys: The Internet isn't a safe place. Passwords are being brute forced, accounts are being hacked. There's no safe. So how do you connect to a server securely? What I use, and what most people do use, is something called SSH, and they use SSH keys instead of passwords. This is a lot more secure than just having some eight character password or even a 20 character password. Instead of taking years to crack, it would take centuries to crack, if not longer. So for this reason, let me show you how to generate an SSH key on a Mac or Linux. If you're on Windows, you need to use an app called PuTTY, and I'll put a link in the resources. So what we need to do is open up your command prompt, your terminal, and type in ssh-keygen, and what that will do is generate your key pair. It'll tell you where it's saving it; you just press enter. And in my case, I've already done this, so I won't overwrite it. When it's finished, you will have these key pairs and they will live inside your .ssh directory inside your home directory. Let's make that a bit more obvious. Gosh, on. You can see there, I created my SSH keys back in 2012. And what you'll need to do is you'll need the contents of your public key. id_rsa is your private key and id_rsa.pub is your public key. The idea is your private key, you keep a hundred percent safe. You don't reveal it to anybody. Your public key, you can give it out to everybody. And they use that to verify that you are you, based on some challenges they do between the two keys, so it's pretty secure. So what you need to do is view the contents of your public key, and in a later lecture you need to copy and paste that, and we can add it into DigitalOcean or another server to allow automatic login. I'll see you in the next lecture.

5. Digital Ocean Account: For my online hosting, I use a company called DigitalOcean. Their philosophy is very simple. They give you the raw computing power and then you build something awesome on top, and that's reflected in their pricing. The ones I will be looking at are the standard droplets, and depending on your needs, you can pay as little as $5 a month or you can pay as much as you want, have as many servers as you want. But for this course, I'm gonna focus on the $5 a month one, which with free credit, if you use my referral link, you can have at least a couple of months free without having to pay anything. And when you're testing, you don't need to spend a lot. But when you're in production, it might be that you need a little bit more, a little bit more memory for caching or more cores to enable your application to handle more traffic. But we can talk about that later. So you're gonna want to sign up. But I already have an account, so let me log into mine. So I'm gonna assume you have an account, and when you log in, this will be what you're greeted with. So the first thing you're gonna want to do is create a droplet. And you want to make sure you're choosing Ubuntu 16.04. And we'll scroll down to the size. And for these purposes we're going to choose the one gigabyte, $5 a month. We don't need to worry about block storage. And for data center, you need to choose the location that's closest to your customers. I'm gonna leave it on London. Additional options: you have backups, which, as it says, adds 20% to the monthly droplet cost, and it takes a backup once a week and retains the last four weeks. So it's pretty handy if you want to roll back. For these purposes, I'm not going to enable backups. However, I recommend that you consider it, and certainly if you're in production. For IPv6, you don't need it. However, if you add it, it's a lot easier than adding it later.
You don't have to take advantage of it, but if it's enabled, then at least you're assigned an IP address. Don't worry about user data, and I would recommend you turn on monitoring because it gives you some nice metrics about the CPU and memory utilization. SSH keys. With these servers, there are two different ways you can authenticate when you log in. One is with the user name and password. Unfortunately, most people know what the user name is, which is root. So it could be a matter of time. You get around it by creating a second account and disabling login to root. However, what I like to do is use SSH keys. They are a lot harder to guess, I would have said nigh impossible. But you do have to look after them. If anyone gets your private key, then it's kind of game over. They can log into anything you can. So I'm gonna show you how to set up SSH keys on this server, which also has the nice side effect of disabling the password login. So we'll do new SSH key. And then here we just need to paste in your public key. So let's get the one we generated earlier. So we copy that, paste it in here and give it a name, so you remember which one it is. You can also edit your account to store your SSH keys, and next time you create a server, they'll just appear here and you can just tick it rather than pasting it every time. In this instance, we're gonna want one server. So unless you're creating a whole load of servers at the same time, just leave this as one droplet. And host name: you can leave it as blank or you can treat this as the reverse domain name. So if someone was trying to find the IP address and the host name associated, this would be what would be resolved, so you can type in a full domain name here. This will only benefit you if you set your domain name to point at this server. And you can also add tags if you want, whatever you want, to help you filter on the dashboard. Then you just type it, enter, and hit create. And there you go: my server, my IP address.
And if you click into it, we just click on here. You can actually see everything about it. So if you want to turn it off. Snapshots is a good one. It's like backups, but you're in control of when you take them. So if you're gonna do anything you're not sure about, you can take a snapshot and you can always roll back to it. And that's it for this lecture.

6. Free alternative: During this course, I'm gonna be using DigitalOcean. However, if you don't want to use DigitalOcean, you can use any other provider as long as they provide your VPS with SSH login. That said, there is also a free alternative. It won't allow you to test your server online, but if you just need it for local access and you only need it running on your computer, then you can use a thing called VirtualBox and you can download it from here. And VirtualBox is supported on Windows, macOS, Linux and others. What we need to do is download the package, and then install the package. And whilst we're here, we'll get the extension pack; let's download that as well. Let's install VirtualBox. So this is the Mac. It will be different on a Windows computer. Okay, so let's install it. Now, reading on the Internet, it seems like there are new security procedures that are stopping this install. So you want to go to Security and Privacy. Yeah, system software from Oracle was blocked from loading, so we just want to allow that. And now, hopefully, if we re-run the installer, we shouldn't have the same problem. There we go, seems to be working fine now. And we don't need the installer anymore, so move it to the trash. So we need to get a copy of Ubuntu. So we just need to go to Ubuntu, let's go to downloads, and we need to get the server version, not the desktop version. Then we click download. So that'll take a little while to download. Okay, so that's downloaded. Okay, the first thing we're gonna do is install the extension pack.
So wherever it is, on your desktop or your downloads directory, you just need to double click it and that will ask if you want to install inside VirtualBox. I recommend you do read the terms and conditions, but when you do, click agree. This is just installing extra drivers to make our machine run slightly better. So let's create our first virtual machine. I'll call mine example machine. VirtualBox is trying to guess what type of machine I'm going to be installing. But as it's got "mac" in it, it's kind of guessing it's a Mac, but we need to choose Linux and Ubuntu. If I'd named it Ubuntu, it would've picked it for us. And we're just gonna use the same defaults as DigitalOcean. So that's one gigabyte of RAM, and the hard drive, we're going to choose 25 gigabytes, but because it's a dynamic drive, it doesn't matter. It's not gonna take up the whole 25 gigabytes until you actually start using that within the virtual machine. So let's quickly go into the settings. I want to make sure that we've got one core, which is exactly what we're getting with DigitalOcean. Audio I'm gonna disable because we don't need audio. And storage: we need to choose the ISO we just downloaded from Ubuntu. We just say OK to that. Now what we need to do is start the virtual machine, and if everything goes to plan, it'll boot up. So we just need to choose the language you're most comfortable with and hit enter, enter again. And for a lot of these defaults, you're just gonna be choosing enter or using the arrow keys to move around. I'm not too worried about detecting the layout because your operating system will be doing that for you, as in your host operating system. This installer is gonna be slightly different to the DigitalOcean one. But it's mostly because DigitalOcean will have customized their install to remove a lot of the extras that the Ubuntu server may be coming with, or they may have added a few extras of their own. Networking being configured.
This is just like the DigitalOcean host name. You can have whatever you want, but again, I'm just gonna call it example, exactly the same, and hit enter. This doesn't have the niceties of asking for an SSH key. To start with, you're gonna have to create a user that you can then escalate to root to do all your editing. I'm just gonna go with Daniel, and then I'm gonna choose a password and hit enter, and again repeat the same password. No, I don't want to encrypt it. Yes, the time zone is correct. And again, unless you know what you're doing, I would just stick with the default for how to format your disk, and you need to say yes, write the changes to the disk. Enter again. Finally, say yes again. Okay, unless you connect through a proxy to use the Internet, just leave this blank. Whether you want to install automatic updates is up to you. Installing security updates automatically won't make sense unless this virtual machine is on a long time, but for simplicity it's probably better to just leave it as no automatic updates, and then you manually run the updates later, which I'll go over in another lecture. And what we need to do here is we need to turn on OpenSSH server. What you do is use the arrow keys and then the space bar to select and deselect. And that is it. Then hit tab to come down to continue and then hit enter. And this is going to install the system packages and SSH, because by the end of this, we will be connecting to it the same way as we do the DigitalOcean server. And finally, you do need to install the GRUB loader, the GRUB boot loader, because that's how your virtual machine boots. And let's hit continue to reboot. Okay, so logging in is a simple matter of remembering the user name and password you set. Okay, now you're logged in. You can log in this way, but I find this terminal a little bit clunky. You can't resize as much as you want. The copy and paste sometimes works, sometimes doesn't. So what I recommend is logging out of this.
However, one thing we do need to know is what your IP address is, and you can see it's 10.0.2.15. Now you can carry on using this interface if you want, but I prefer to use my native terminal. So let's log out, forget this, and load up terminal. Here's one we had earlier, and we type ssh daniel@10.0.2.15. It doesn't work. Right, let's load VirtualBox again, quickly going to Settings, Network. Let's try bridged adapter, and then we'll choose the WiFi that I'm using; in your case, it could be an Ethernet port. Let's do that. Let's reboot this box just to be sure. Okay, so what we've done is we put the virtual machine directly on the network, which is why the IP address has changed format, so in this case it's 192.168 dot 1.3131. So let's try that. Okay, because we've never connected to this virtual machine before, we don't know what the fingerprint is, the computer's way of identifying the remote server. So let's just say yes, because we know. Type in your password, and there we go. You've got a much better terminal right here. Now, to get to the state where we are with DigitalOcean, or where we'll be in the next lecture with DigitalOcean, we need to create the directory called .ssh, and inside there we need to put a file called authorized_keys, and all that we need in there is our SSH key. Now, this is something that DigitalOcean will have done for us. And then you just hit Control-X, press Y to save and hit enter. Now, if we log out and we reconnect, we shouldn't be prompted for the password. So let's have a look at what's happened. What we've done is we've created the authorized_keys file, but we've not put it in the .ssh folder, so let's type mv authorized_keys .ssh. That's gonna move it into that. So now if we exit and now connect, there we go. We're now connected without requiring the password. But there's one more thing that DigitalOcean will do: we'll be connecting directly to the root user.
And for this we need to go via our user. So to get to the root user, we just need to type sudo -s, and that will give us super user do, with a shell. So type that and then we type the password. That is where we will be with DigitalOcean. So if you see me connecting to DigitalOcean as root@ the IP address, then you need to follow the steps here. You need to type ssh, your user name, at your local IP address, and then type sudo -s followed by a password. I'll see you in the next lecture.

7. Whats wrong with passwords: In this lecture, I want to take a minute to talk about passwords. I briefly spoke about using SSH keys to log in, and I've said passwords aren't necessarily the best thing to use. But I want to talk about why. The trouble with passwords is you can brute force them, and by brute forcing, I mean you try all A's, and then the last one being B, all A's and then the last one being C, and keep going. Computers are very good at this, and humans are really bad at choosing unique passwords, which is why we've got password complexity, like your password needs to be at least eight characters, it needs to use upper case and lower case and include a number and include a symbol. And this makes it really hard for people to remember the password. So people are using password managers. We could bypass that with SSH keys. But let's talk about why. Let's talk about bits of entropy. If you created a seven character password, that's 40 bits of entropy. To a computer, that's just fine, in that it just calculates its way through it, and assuming that the system allows you to check the password as often as you want, then that password could be broken in 20 minutes, or within 20 minutes, if your password was seven characters and was alphanumeric and included a symbol. And that's assuming your password is seven characters and included alphanumerics and symbols. If the same password was 11 characters long, it would be 64 bits of entropy.
And then you're looking at nearly 585 years to crack that password, which is not bad. But if you use a dictionary word, then that's dramatically lower because computers can easily figure that one out. They just need a dictionary. Even if you just start substituting A for the at symbol or L's for ones, there's a lot less possibilities, combinations, that you could be using. When you create an SSH key, you're likely to get 2048 bits of entropy. And if you think going from 40 bits to 64 bits went from minutes to years, think what going from 64 bits to 2048 bits will do. It is unfathomable that you could brute force that. Maybe in the future with quantum computers. But at this moment in time, SSH keys give you the best possibility for securing your server. So I'm going to tell you how to turn off password authentication. Because if you're with DigitalOcean, you should have put this SSH key in at creation. If you didn't, you can follow the free alternative in the last lecture to add your key into the authorized_keys file. So let's assume that you've done that. You've done the authorized_keys file, so you can log in with your SSH key or your password. Well, if you're using SSH keys, great. But then you've still got the possibility of logging in with your password, so somebody could still brute force you. Let's turn off password authentication. Let's grab the IP address again. And this is the first time I've connected to this DigitalOcean box. And what we want to do is type nano /etc/ssh and then sshd_config. And if we scroll down, we're looking for PasswordAuthentication. Now, mine says PasswordAuthentication no. And that means SSH will not allow passwords. By default, you'll probably see PasswordAuthentication with the hash symbol in front of it. That means that it's commented out and it has no effect. So you'll need to remove the hash symbol.
And also make sure this says no, and then you'll need to exit out: Control-X, press Y and then press enter to write the file. Now you've updated the config, but SSH is still running in the background and it won't have made any difference. So you need to restart SSH, which is service ssh restart. And now you no longer have to log in with a password. By doing this, there is one less avenue the attacker can attack your server. I'll see you in the next lecture.

8. Package Manager & Checking for Updates: In this lecture, I want to take a moment to talk about the package manager. The package manager for Ubuntu is called Aptitude, or APT for short. So let's reconnect to the server. Now we've logged in, and the first thing I can see is there are 27 packages that could be updated, three of which are security updates. So that's not great, because ideally we want to keep on top of, at the very least, the security updates. Now there's a command called apt update, and all this does is get Aptitude to update its source of information. It lets it know what versions are available. By default, I believe Aptitude will be running this update once a day, but we can do it manually and it won't hurt, and you can see, actually, it was a little bit behind because there's now 28 packages that could be upgraded instead of the 27. So how can we upgrade the packages? Well, as it says, you can type apt list --upgradable, but I tend not to worry too much, and I just tend to run apt upgrade, and this will tell you which ones will be upgraded with a little less information, so you don't get the version number, but most of the time you don't care. So let's say yes, we want to upgrade. It's best to do this kind of once a week. But bear in mind, if an update happens to a service that you're relying on, like MySQL or the web server, then when it applies, it will have to take it down and then restart it to apply it, so you could have a brief outage.
You also have apt autoremove, and that removes things that are no longer needed, which we saw earlier. We say yes to that one as well. You've also got apt clean, but we haven't really downloaded or installed anything, so there's nothing really to clean. If you want to search for anything, say a package, then you have apt search, and it will basically do a plain text match and try to find you as much as possible that matches. So you see the top answer there is actually the one I was looking for. You've also got apt install, and that will install the application you were looking for. So the package manager is fairly standard, and we'll be making extensive use of it, installing packages. But just remember to keep them updated, because it's the security updates that will keep you secure. The other updates are just potentially adding features, but most of the time fixing bugs, certainly in an LTS. Another thing we can install is NTP, the Network Time Protocol, and what this will do is keep your clock in sync, because sometimes clocks can drift, and that makes debugging with logs, error logs, quite hard. So timedatectl set-timezone. I like to use UTC because it's the easiest one to work with. If you want to use your native time zone, then feel free. This process will periodically check your date and time and correct it if necessary. All right, I'll see you in the next lecture.

9. Skel Directory: In this lecture, I want to talk about the skeleton directory. The skeleton directory in Linux is the directory used to create a new user folder, so anything in there gets copied across when a new user is created. So let's check it out. Connect to the server, and its location is /etc/skel. So you can see there are already a few files. But one of the tricks I've got is, if we create an .ssh folder in there, and inside there an authorized_keys file, we can log directly into any new user we create. So let's do that.
So we'll make a directory, .ssh, and we'll change the permissions of that to 0700, which just means only the owner of that folder has full read and write permissions. And what we can do is, if you're happy with your authorized_keys file, you can copy that to it, so let's check that out. So there you go. You can see the .ssh folder with read and write permissions for the owner, the rwx, and if we go into the .ssh folder, let's check it out. We now have the authorized_keys file. And in there will be the original key that you created. If you have more than one machine, you can copy those in, so whichever computer you're on, you can log in from it. So now when you create a new user, you'll be able to log into it just as you've logged into root. And it would just be user, at, and then the server IP address or server name. I'll see you in the next lecture.

10. Nginx install: In the last lecture, we set up the skeleton directory. So in this lecture, let's set up the web server. As I said in the beginning, we're going to be using Nginx. Now, I don't want to use the Nginx that comes with Ubuntu LTS, because it is getting a little old and I don't see any harm in using the latest stable release of it. So we need to add something called a PPA. And to do this, let's connect to the server. And what we need to do is type add-apt-repository, and then we need to type ppa:nginx/stable. So it's telling us that these are the only chips they support and these are the distributions of Ubuntu they support. So if you're happy to proceed, I know I am, then Enter. And when you add a PPA, you need to do apt update, just to let aptitude pull in the latest source file changes from them. And now we can do apt install nginx, and this is going to tell us exactly what it's installing. As Y is the default, we can hit Enter, and this will install Nginx for us. I'm going to show you a quick minor change to nginx.conf.
So we take server_tokens and make them off. This is just so we don't advertise which version of Nginx we're currently using. It's just a minor thing to add a little bit of security. And Control-X and Y to save. In a later lecture we'll be configuring Nginx, but for now, we're going to move on to installing your database and PHP.

11. Nginx config default page: Let's talk about Nginx config. Let's connect to the server first of all. And Nginx's config lives in /etc/nginx. Now, in here you've got some bits and pieces. We've already had a look at nginx.conf, from which we removed the signature, the version numbers. You also have conf.d, and inside that directory is configuration you want loaded globally. You have a snippets folder, and inside snippets is configuration you want to include on a site-by-site basis. You've got fastcgi_params and fastcgi.conf. They are mostly the same, but there's a subtle difference, and fastcgi_params is there for legacy issues. You've got various other parameter files, which we're not going to touch on. You've got modules, which we haven't installed, but the idea is, if you install modules, they will be available, and then you can link them, or symlink them, into modules-enabled. We're going to be talking about how to do that for sites-available and sites-enabled. All right, so let's go on to sites-available, default. You have a default website, and by default this website is not very exciting at all. But this could serve as your holding page or your under-maintenance page. So this is what shows if a site is not configured, or if somebody just typed in the IP address. Yesterday I created an A record, so example dot off dan dot com pointed to my server, as you can see from the URL. And how is this controlled? Well, it's controlled from this default file, and in here it is very basic.
It's listening on port 80, which is HTTP, and this config here with the double colons is telling it to listen on IPv6 as well. And the default_server means that if Nginx can't match anything else, it's going to use this configuration, which is why it's a catch-all site. You've also got root here, which is where Nginx will look for the web files, so we can have a look at that in a minute. server_name underscore: again, that's another way of sort of saying match everything. And you've got location slash. Location slash is a prefix match, so anything after that it'll match. If you had /welcome, it would only match /welcome, /welcome/something or other, not slash, not the home directory. So this location block matches absolutely everything, and inside you've got try_files, and what that means is try these parameters, and if they don't match anything, finally do this. So it's going to look for a file, which is what the $uri is, inside that root directory. It will then look for a directory called whatever you're passing in. And finally, if it finds nothing, it will return a 404, and that's an HTTP response code. So that could easily be a 403 for forbidden or 500 for an internal server error, and for me, I tend to put a 500 in there or something similar, so that Google doesn't cache my holding page or my maintenance page. Before I carry on, I was just going to show you the root directory for the default page, so that was in /var/www/html, and you see in there there is a single file, and that, if you want to change, you can change. So if we change that, and if we look at the holding page again, there you go. It's very simple. You've just got to come up with some creative style. You could also upload some images to that directory. I would recommend keeping it static, and don't try to make it dynamic, because you don't want to introduce any security problems in your holding page.

12.
Installing Mysql version 5.7: In this lecture, we're going to install MySQL. So let's jump right in. We're going to type apt install mysql-server, and this is going to install MySQL Server 5.7. I'm not too fussed about pulling in the latest changes from MySQL, because not a lot has changed. There is a big release coming out soon, which is MySQL 8, but I'm waiting to see what happens with that. So for the moment, we're going to stick with 5.7, and we just hit Y or Enter, which is the default. You need to choose a secure password, something that you're going to remember, because you're going to need to log into it potentially to give you an overview of all your databases. But it needs to be secure enough that nothing can brute force your password. The risk of it being brute forced is a lot less than with SSH, because we're not going to expose MySQL to the world. But still, a malicious script on your server could be checking your MySQL and trying to brute force a connection without you even noticing it. So I would recommend a good strong password. But for the moment I'm going to just choose a very simple password. And there you go, MySQL is installed and it's also running, and in the next lecture we'll install PHP.

13. Installing Mysql version 8.0: In the previous lecture I mentioned MySQL 8, and I've given it a bit of time, and it has been out. It was out in April 2018 and there have been a few releases since then. What I'm going to do is tell you how to install MySQL 8. I leave it up to you to decide whether you want MySQL 8 or MySQL 5.7. However, what I would recommend you do is not do this on a server you're using in production. So I recommend you duplicate your existing server, and you can do that with DigitalOcean by using either backups or snapshots, and finding the right snapshot, you can create a droplet from it. It will spin up exactly like your existing server.
You need to make a note of the password they give you, because it's going to force you to log in and change your password. Unfortunately, even if we've disabled password logins, they still need you to change your password. So make a note of that so you can reset your password. Okay, so once your server has spun up, make a note of the IP address. So the first thing you need to do is go along to mysql.com, and when you're there, you can click on Downloads, and we want to configure our APT repository. So click on that repository, and this will tell you which versions it works with. So we're using 18.04, which is great, and it has MySQL 8 in there. So the first thing you need to do is click on Download, but we don't want the actual file. We want to copy and paste that link. What I will say is this works better if it's a fresh installation, so if you're setting up a new server rather than migrating, but it should work either way. The issue you'll get is potentially with applications. First thing we need to do is get that file. Now, you could just type this in manually rather than going through the whole getting the link from the previous website. However, sometimes the version numbers increment, so it makes sense to get the latest version. You have a deb file, and now we need to install it into the APT repository, so type dpkg -i for installation, and then we'll just give it that file and hit Enter. So I've already installed 5.7, so I'm going to need to change this. If you haven't installed MySQL before, then it should default to MySQL 8, and then we just go down to OK. And once that's done, you just need to do apt update and apt install mysql-server. But in my case, because I've already got it installed. Okay, it's happy to upgrade it even though I had it installed. But you can see that it is removing my MySQL 5.7 and it will install the MySQL server, which is version 8. This is where you're going to end up with problems.
The strong encryption, which is great, and you should be using it. However, older applications might struggle. And this is why I recommend trying this out on a temporary machine, because you don't know which ones are going to work and which ones aren't. So this is entirely up to you, but the legacy one is going to allow you to migrate your current applications while getting the latest version of MySQL. If your application doesn't work, it just won't connect. It will throw up some error and it won't work until it's been updated to support this. So, okay, there we go. We're running MySQL 8. So now you should have either installed MySQL Server 5.7 or installed MySQL Server version 8. I'll see you in the next lecture.

14. Php install: Let's install PHP. Let's reconnect. And for this one, we will be using a PPA, because PHP is fast moving. When 16.04 was released a couple of years ago, you had 7.0. We've now got PHP 7.2, so it makes sense to get the latest one. So we need to use add-apt-repository ppa:ondrej/php. And all this is saying is that he only provides, well, they only provide supported releases of PHP. So Enter to carry on. And like last time, we need to do apt update. And let's have a look at what we've got, so we can do a list. And you can see here all the different PHP options you have. So let's look at 7.2. You've got the main version, you've got FPM, which is what we're going to use, and a few other modules. So let's just install some of the basic modules. So, apt install php7.2-fpm, php7.2-xml, php7.2-intl for international support, and we're going to need php7.2-mysql. I think we should also get php7.2-opcache. While we're here, why not get JSON, and probably a good idea is to get GD, which allows PHP to manipulate graphics.
We don't need to pick everything at once, but these are some of the common ones that you'll probably need later. We can always install more at a later date, so let's just install those. Okay, let's have a look. And there you go. You've got PHP running. It's using its default config, which is why it's got pool www. But we'll change that later: one per website. And before we go, I want to tweak the config to basically not expose PHP. So what we're looking for is expose_php. Okay, by default it's already off, but it's worth double-checking, because if it's on, you'll be saying this was generated using PHP with this version. If it's off, then an attacker needs to guess. So I'll save. That's it for this lecture and all the dependencies. We'll move on to actually setting up a website in the next lecture.

15. Package Manager for PHP: We've now installed PHP, but a lot of PHP is now starting to come distributed with something called Packagist. And this is a package manager for PHP. In the past, if you had a dependency in your code, then you needed to go and find the library and install it and do it all manually. This was okay. The trouble was you didn't know if there was a later version, or you could look, but nobody really did. So you had a library to deal with zips or images, and you shipped it to the repository and that's it. You forgot about it. Sometimes you'd have multiple copies of the same library in the same project, because you forgot about it. So a lot of clever people came up with something called Composer, and this is a package manager for PHP, and you know a project uses Composer if the README mentions it, or if there's a composer.json file or composer.lock file in the project root. And that's just a file that tells Composer what the dependencies of this application, of this project, are. So what we need to do, because a few of the projects I'm going to install use Composer, is we need to install it ourselves.
So the first thing we need to do is head over to getcomposer.org, and you'll see a website similar to this. And you need to tell it you want to download. Now here is the install, well, in this case, script. So we're going to copy and paste that. Now, this all uses PHP, so you need to have done the previous step of installing PHP. And let's go over to the server. We're in our root directory, which is great. So we paste all that in. And that should give us a composer.phar. Now, you can use that, but you need to put it in a more accessible place for every user of your website. So the first thing we need to do is move it to /usr/local/bin. And if you recall, composer.phar. Great. For me, I like to change the name. I like to just call it composer. So now when you type composer, you'll see it. It's warning us there not to run it as root. But that's the simplest way to install Composer, and it will save your PHP projects a phenomenal amount of dependency management. I'll see you in the next lecture.

16. Website Setup introduction: I know when I set up servers, I don't know all the possible websites I'm going to host on it when I first set it up. For that reason, I'm trying to design this course so that you go through the course once per user, per website, so that every time you need to set up a new user, you can go through and then pick your own adventure for different types of website, for different types of config. And I'm hoping that this will allow you to extract more value from this course. So this section is all about setting up the website user and the PHP config that goes with it, because that's not going to change too much. The PHP config, you'll be changing a few values, yes, but Nginx config can get quite complex, so we'll talk about that in another section.

17. Add website user: In this lecture, I want to talk about how so far all we've done is set up a few dependencies. Why don't we now set up our first user?
The way I treat users when I set up servers is each website is encapsulated within a single user. That way, if a website has been attacked, there's very little they can do. They could potentially brute force MySQL, but hopefully you put a secure password when you created them, or your root user for MySQL. We've turned off SSH. We turned off user passwords. There's potentially some config for Nginx and PHP they could look at. Arguably, they can't do damage with it, but it would give them more intel to attack other websites. In another lecture we'll look at hardening your server against this. So let's add this user. And as I say, this is a particular one for a website. So let's connect to the server, and I'm going to set up example dot off dan dot com, because it's what I named the server. It makes sense. It's the first website. So what we need to do is type useradd -d, and this is the home directory. I tend to put everything in /var/www, and then I give it a home directory, and I typically use the domain name. We also want to give it a group, users. This will help us later. And we're using -m to get it to make the user directory, and this will also copy in the skel directory, which we modified earlier. -s to give it a shell; /bin/bash is good enough. And then the user name. This could be example. I tend to go with the domain name, so off dan, or the domain name underscore subdomain. So I'm going to go with off dan underscore example. This way it's easier to remember which user to log into for which website. Hit Enter, and then that's been created. So we have a look in /var/www, example. There you go. That is exactly like the skeleton directory. We also want to change the group that owns this folder to www-data. So this will let Nginx get into the folder and also stop other users being able to get in. And just to complete it, we need to type chmod and change the permissions to read, write, execute for the owner.
Read and execute for Nginx, and for everybody else, no permission. You should put the zero at the front. It could be inferred without it. And one last step: if we log in to this user, we can also type ssh-keygen, and this will give us a private key and a public key for this particular user. So if we use Git to deploy later, we can use this particular one. So that's it for the user creation. In a later lecture we'll talk about how to put your web files in there.

18. Website php config: In this lecture, we're going to talk about setting up the PHP config. Now, I know not every website needs PHP. It could be a static website with just HTML and images. Okay, you don't need PHP, so don't bother with this step. If you're using WordPress or Symfony, then you're going to need PHP. So I'm going to assume I'm going to need PHP for this example website. So let's connect to the server, and what we need to do is go into the PHP directory, and in here will be a folder for each version of PHP we installed. So there's only 7.2 here. But what happens if we installed 7.2 and 7.1? Well, you'd have config for both. And you can actually run both versions of PHP very happily on the same server, but it'll come down to how you configure them to see whether it works, and we'll go over that in a bit. So let's go into the 7.2 directory, and in here you again have two different directories. mods-available is just all the different modules available, which are linked to, so ignore that directory. The other two directories are cli and fpm. cli is the PHP configuration for the command line. Now, most of the time you don't need to worry about that. fpm is what we use to connect Nginx to PHP, so that is where the config lies that we need to modify. The FPM config, pretty much you're not going to need to change. It is how PHP spawns new pools. So you can see at the bottom there, that's where the pool directories live, but a lot.
These configs, you're not going to need to change. You may change them later on when you know a lot more about it. But for this moment in time, don't touch. What we have in here: you've got the conf.d directory, and that is where the modules are linked in that we saw a minute ago. So if you want a new module installed, apt will be putting a link in here to the module. You can also go into one of these and put module-specific config in there. So if we look at the MySQL one, it's mostly just telling it where the config is. So lastly, we have the pool.d directory, and this is where your website PHP configuration is going to live. The www one is the default one. You can use that for every single one of your websites. The trouble is, it's running with generic permissions, which would mean if one website got hacked, they have the potential to attack all your websites, and that's something we don't want. We're going to run PHP as the website user, and that means that user is almost locked into that directory. Anything it will be able to see outside is anything that's been given everybody or world permissions to read. So let's go into the www one. In here is a list of all the parameters, most of the parameters, that you can change, with explanations, and we are going to be typing a lot of these in, but I'll explain what they are. But if you want more explanation, you can look at this file and it will help you. But when you're ready, I would recommend removing that file. You can copy and paste it somewhere else for reference, but we don't need it and it's going to be taking up resources on your server in terms of memory, mostly memory, but potentially CPU. The website we want to configure is off dan underscore example. So let's type that in. And hopefully you've noticed I'm keeping the user name consistent with this, and that's a value I'm going to be using again. And this is what will be listed under pool if you were to do that list of processes.
So the first thing we need to do is tell it to run as the off dan user. We need to give it a group of users, which is the default group we gave it when we created that user. We need to tell it where the sock file is, well, the socket, and this is how we're going to communicate with Nginx. So we're going to say /var/run/php, and we're going to give it a version number, then fpm, then the example name, then .sock. We're going to need to remember that path for when we set up Nginx. And also, by including the version number of PHP in that file, we can run multiple versions of PHP. So in the future, when PHP 7.3 comes out, by default we will have no websites running for it, no pools. And what we could do is copy across this file, changing that version number, and we could have both running. And then we could test internally with Nginx to see whether that website works or not in the new version, and when we're happy, we can then remove the old config file, restart PHP, and then you can slowly move your websites from the old version of PHP to the new version of PHP. Or maybe you want PHP 5.6, which is still supported at the moment, because it doesn't work in PHP 7. With this, you have a lot of flexibility. And we need to say who can listen, or who can answer. We also need to say who is allowed to use this socket. So what we'll say is only www-data can, and that's Nginx, and again with the group, and we'll confirm that with the permissions, and we'll say the mode is 0660. So only the owner and the group are allowed to read and write to this, and we'll also say allowed clients 127.0.0.1, so they have to be on the server to make this connection. That may only apply if it's a port number. For my example, I'm going to use dynamic. In my example, the process mode is going to be dynamic. Dynamic allows it to shrink and grow based on traffic or number of requests.
You've got static, which, whatever you define coming in the next few lines, won't change regardless of how little or how much traffic, and you also have ondemand, which means if you have no traffic at all, they'll get killed off and you'll have no PHP running until the first request. So let's define some limits. Max children: max children is the total number of PHP processes that will be allowed to run, and we want to say, let's start two, but we only want one spare, so if one stops being used, then it will stay. If one gets killed off, it will then restart another one just to maintain the one spare. And then you've got max spare servers. No Mr Ness off there, so maybe won't want to. You also have max requests, and this is how many requests each process deals with before it then gets killed off. It's to stop things like memory leaks. So if you've got a process that leaks memory, the memory could be freed up by killing off the actual PHP process. I will also link you to the documentation in PHP that explains a lot more about this. And you've got websites that tell you how you should calculate these numbers. But I can't really help you with how to calculate these numbers, because it depends on how little or how much traffic you're going to get, how heavy your application is. Maybe you only need a few requests, but they need hundreds of megabytes each, in which case, if you've got a gig of RAM, you could only run five because they'd be using 200 megs each, or maybe they only use 10 megs, which means you could run 100 of them before it maxes out. You also have the problem that if you've got loads of websites, then you're going to be running these as well. It's kind of a juggling act, which is why I've got dynamic. But ondemand could work, because if you've got a website that only gets traffic once an hour, or only for one hour a day, and most of the time it's idle, then you could free up that memory and use it somewhere else. So I'll leave you some resources.
That help you try to understand what numbers you should be using, but as a starting point, this will get you going.

19. Add database user: So you created a user for the website. Does your website need a database? If it does, then you'll need to do this step, which is creating a user on the database for this website. So, connected to the server as root, what we'll need to type is mysql -u for user, which is root, -p to prompt us for the password. Now, hopefully you remember the password from earlier when you set up MySQL. So enter it. There you go. This is the MySQL prompt, and what you need to do is type create database. And what we need is these backtick symbols. You can do it without, but it's safer to do it with, just in case you come across some characters that MySQL is not entirely happy with that aren't escaped. And we're going to keep the consistency, and we're going to call it off dan underscore example. And don't forget the semicolon. We now need to say create user, and this time using quotes: off dan underscore example, close quote, at, and this time we're going to say localhost, identified by, and this will be the password. Now again, this password does need to be reasonably secure, because you don't want to be brute forced by another user. So I've personally created a website that generates passwords, passwords dot off dan dot com. So we use one of these and paste it in here, again not forgetting the semicolon. We have a database, we have a user. But we need to tell MySQL that this user has access to this database. We do that by saying grant all on off dan underscore example dot star. So this is the database, and the star is for every table, to, and this is the same as the user. And then we've got: if at any point you want to change the password, you can log in again and you can just say set password for off dan underscore example at localhost equals, and then password, and then paste your password in there. And then that will reset the password to whatever you provide.
If you make changes to the users, the permissions or the password, you also need to type flush privileges. Otherwise, MySQL is still using the old settings, just like when you change the config for Nginx or PHP. So that's your user and your database. Make a note of those and your password, because you'll need them for when we install WordPress later on. I'll see you in the next lecture.

20. Introduction to Deploying: In this section, I'm going to talk about how to deploy your website. Now, I can't talk about every possible way of deploying it, every possible framework. So I'm going to pick a few. If I've missed something that you're struggling with, then feel free to drop something in the questions and answers. Drop me a message and ask if I can do a lecture on your particular framework or your method of deployment. If I get enough people that want the same thing, then I will record a lecture on it. But I'm hopeful, because I'm doing the basics, that will cover most of the bases. And you won't need to do every single one of these lectures for each website. You need to just pick one, just like you did in the previous section with the Nginx config. So choose your adventure. I'll see you in the next lecture.

21. Deploy using WGET: You've got your config, your web server set up. How do you deploy a website? Previously, we've been SSHing in using root. But what I suggest is log in as the actual user. This time we're straight into the website's user. So this is one way we can do it. So I'm going to remove the htdocs, but this is only necessary if you've installed something before. And let's assume that we had a zip file, or in this case a gzip file, of WordPress, and we're trying to install it. What we could type is wget https://wordpress.org/latest.tar.gz, and that will download the latest version, and then you could unzip it, latest, and if we have a look, we've got a wordpress folder.
So if we remove the install file and we move wordpress to the htdocs folder, that's how you install WordPress using wget. But it wouldn't be very good if I only showed you how to install WordPress. So next, I'll show you a different way to get the files on your server.

22. Deploy using SCP: In this lecture, I want to talk about how you can upload your web files from your computer. So you created a website on your computer. It was great. And now you want to upload it. I'm going to tell you how to use SCP, or secure copy, and I'll show you both ways to do it, because you can use the command line, which is a doddle, or you can use an SCP client. You can use an SCP application: on the Mac, Cyberduck; on Windows, it's called WinSCP; or FileZilla. In a previous lecture, we talked about the default page and I modified it just to show you where it was. But that's not something I want to leave running. So on my computer, I've created a basic index.html and a logo, like here. So how do we go about getting that online? What I can do is type scp, and then I give it the location of the files, which are on my desktop, default, and everything in that folder, and we just tell it where we want to put them. So type in my server IP address. So that's the user name, the server IP address, colon, and then the folder where they're going. So in this case, it was /var/www/html. If you're doing this for an actual website, you'd put the user name, for example off dan underscore example, at, IP address or domain name, and then it would be colon /var/www/, domain name, /htdocs, so it is very similar. But in this case, we're doing the holding page, and then you just hit Enter, and then your files will get uploaded. As you can see, it was a very small file, and if we reload, there you go, that's my holding page. If you want to do it with a GUI, then it would be just as simple.
There are many connection options, but what you're looking for is SSH File Transfer Protocol, or SFTP, or SCP: anything that's using SSH, because that's where the secure bit comes from. So again, it would be type in the IP address, in this case typing root. We're not using the password, because we're going to use keys, so we just tell it which key we're going to use, and you can hit connect, and then you just choose the folder you want. Or better yet, you can set up a bookmark to get you into the right folder each and every time. But there you can see the folders. I know in a previous lecture we edited the index.nginx-debian.html file, but the index.html overrides this, so it's irrelevant, so we can remove this file, no problem. And you could just drag your files in and you just tell it to overwrite. That's the alternative way you can actually upload these files. It might be tempting to upload your web files directly to here using the root user, because you've got access to every single website. Please don't do that, because what you'll do is you'll upload the files and it'll look like it works. But those files will be owned by root, so the next time you try and do it with the correct user, you'll get permission denied problems. So stick with one user, one website, just to keep it simple. And with other frameworks, it gets even more complicated because you've got cache, and they like to store it inside the htdocs folder. And if you've uploaded that folder with root, they will no longer be able to write their cache. So one user, one website.

23. Deploy using GIT: We've seen how to deploy using wget and SCP. One way I like to use is using something called Git. It's a version control system, so I'm gonna show you how to deploy using that. And what we're gonna do is deploy an application I wrote a couple of years ago called the password generator. So this is the application and this is the repository for it. Well, the Git repo.
So if we scroll down to the bottom, keep going, keep going, we've got some installation steps. We can use Composer, Git, or we can download the repository ourselves; there's a zip file. Well, we've already done this step. I'm gonna show you the Git one now, and in the next lecture I'll show you how to do the Composer one. So what we need to do is copy this line: git clone, and then the repository URL. Well, how do you know what the URL is if they don't tell you? Well, if you're on GitHub or any other repository that uses Git, then you've got a clone or download option; it'll be around somewhere. You can either use SSH or HTTPS. If you're doing it a lot, I would recommend using SSH. But you will have to set up potentially some tokens; it depends on how many requests you make. If you use HTTPS, it's a lot easier to get started, but for our purposes, either will work, and we can use the one that is at the bottom here. So we load up terminal and obviously we want to go into the user. Double check there's no htdocs in there for us. Great. And that is Git downloading the repository for us. So let's have a look. Well, it's downloaded it into a directory. I didn't want that directory. When we did the git clone, I could have typed a directory at the end, and that would be the directory created for us. However, I didn't. So let's just move that directory into the right directory. So let's clear the screen. I need to change into the project directory; we do that with cd htdocs, and once we're in there, we can type composer install. Now that's done, all we need to do is run this clear cache. I don't think, strictly, you need to do it on first install. But if you're doing an update, then you do need to clear it, because it has some old bits and pieces in there. And that's how you install using Git. In the next lecture we'll talk about how to do it directly with Composer.

24.
Deploy using composer: In the last lecture, we installed this project, my password generator, using Git. In this lecture, I'm gonna show you the same thing, but with Composer. So let's copy and paste that command, and what we need to do is connect to the server as the website. And as always, I'm gonna be removing the htdocs directory. If you ever get that, and you probably will with Git, you can use -f in there as well to force it. Okay. And we could just run that, just like the git clone command. But also like the git clone command, we can put a directory at the end. Let's just put htdocs. It'll save us renaming it later on. What this is going to do is look up the project, download it, and it's also going to do the composer install at the same time. There you go. There's all the dependencies going, so it's sort of combining two steps in one. We just hit enter for these defaults. So whichever way you want to install it, it doesn't matter. But you now know the fourth way that you can install an app. I'll see you in the next lecture.

25. Introduction to Nginx Configuration: In this section, we are going to talk about Nginx config. I'm gonna break it down into various lectures, so a lecture for static content, a lecture for PHP content. So just like the other sections, you will be able to pick which one applies to you, or cherry pick bits of config from various ones. But it's not going to apply to each and every website. There's no point including the ability to process PHP if it's a static website. And if there's a framework that I've missed, then drop it in the comments, and if there's enough demand, I will do one for that as well.

26. Static Nginx Config: So you've gone to the trouble and you've made a static website. Let's connect to the server. And what we need to do is go to our Nginx folder. Okay, so at the moment we have no config except for the default page.
And if we have a look in that, there are a lot of interesting bits, but what we're really interested in is this last bit at the end, this server block. So what I want to do is copy that, and we're going to create a new file. We're going to name it the same as our domain name, following the username pattern. We'll paste that in. Now, anything that has a hash is a comment, so we need to remove all those. We need to give it the correct name. So I was going with example.ofdan.com, and this is your server name: whatever domain name that you've got pointing at the IP address of your server. If you don't have a domain name, then you can specify the IP address, or you can edit your hosts file and point anything at your server IP address. I'm gonna assume you have a domain name. And this would be the directory, and that's what it should be. And then you just need a location block that matches everything, and if something doesn't exist, it just returns a 404. So we save that: Control-X, Y, Enter. Now we've created this site, but we haven't linked it up yet. So what we need to do is go into your sites-enabled, and in that we still need to create a symlink. So we need to type the path to that file we've just created, like that, and hit enter; it's gonna use exactly the same name. And now if we look in there, we can see what the file is pointing to. In Windows terms, it's just a shortcut, or an alias on the Mac, but in terms of Linux it's called a symbolic link. Once we've done that, we just need to do nginx reload, and then you get a 404, and then you get a 403. Okay. But we were trying to set something, right? Okay. What we need to do is, if we log into that user, which I'm in here. I'm just going to remove the htdocs because there's nothing in there. Make directory htdocs. So we've got a clean slate. Let's recreate that index file, like so, and then we reload the page. It's working. Why did we get a 403?
Well, I suspect that's because, if we look back at the actual file, we weren't looking for a file; we were just doing slash. And this index tells Nginx to say, if you don't get a file, substitute it with this. And because it didn't exist, I suspect it's gonna be that the default file causes a 403, but any other missing file will be a 404, and you could see that when I typed in index.html, that then changed to a 404. So that's how you serve static files. You want to be careful with this, because if we were to then create a file, I mean, let's create a file, for example, in an ssh folder, and when we type in that file we just created, okay, it's just downloaded it, but it's worked. So you've got to be careful with the static one, because it just shows you everything. There is no security. There's no filter. We will sort this out later with snippets, but just bear this in mind. And this is another reason why you use an htdocs rather than dumping you straight into the user folder, because there are so many folders and files you can see in this folder. Here you've got caches, configs, all sorts; even your bash history would be a terrible one for somebody to get hold of. So just know that this Nginx config will let somebody download absolutely everything in that folder. I'll see you next lecture.

27. Wordpress Nginx Config: First thing we'll do is log back into root, and then we can set up the config. It's a lot easier to sort the config once you deploy your website. And it doesn't matter at this point whether we're doing sites-enabled or sites-available, because we've already set up the symlink. If we were setting up a new site, then yes, you'd have to go in sites-available and then symlink that once you're done. So our index file is PHP. So if there is nothing on the URL, then we need it to default to index.php.
There's no harm in leaving the index.html, because if you wanted to turn off the website for some reason, then you could. But there's also no harm in just having index and then index.php. I'm gonna paste in here, and this is just saying that if a file is PHP, or the file extension is PHP, then include this file. It just does a bit of setting up of PHP and how to connect to PHP. And this is something we set up when we set up the PHP config earlier, and this will be one per website. So the path we were using was this, with your website, and that's it. I mean, you could do without this location block, but this also helps us serve our static assets; even though you've got a PHP website, you still need some images, some CSS, and that's what's going to be serving those files. So we quit and save. And because we've changed config, we still need to reload Nginx. And now if we go to the actual website, it redirects us to the WordPress setup. So we click Continue. It just tells us we need to set up the config. So our details from earlier were ofdan_example for the database name and also the username, and the password was the one we specified as well. Table prefix is an interesting one. If you want to run multiple WordPresses in the same database, then you need to use a different prefix; you'd go with something like wordpress1, wordpress2, etcetera. However, it's also a good idea to use different prefixes because, if you're being attacked, then a lot of assumptions are going to be made, and people are going to assume you're using the same table prefix. It's not going to stop everything, but it's more of a speed bump. So it's worth changing it, probably to something a bit more complex than that. And then we just run the installation. There you go. It's a very simple system. In a later section we'll talk about how to customize this, to make it a bit more secure and a bit more rich, with things like redirects.

28.
Nginx config wordpress mu: I was also asked recently, how do you set up WordPress multi-user? So in this lecture, we're gonna cover that. So we're gonna assume nothing. We're gonna remove the htdocs and re-download WordPress just like we did in the last lecture, using tar to extract the files. A little bit of housekeeping: remove the download and rename the WordPress directory into the htdocs directory. So now when we look in the htdocs directory, you can see all the WordPress files. So just like before, let's run through the WordPress installation. I'm going to use the same details that I did before: the same database name, same username, the same password. I'm using a different table prefix here, so it doesn't conflict with an earlier installation attempt. So let's run the installation. So I set up the site first by giving it a name. Then I'm copying the password for later use. Specify your email address. Because this is a test site, I'm discouraging the search engines from crawling this website. I've forgotten to enter my username, so let's fix that now. Let's not forget to copy the new password that's been generated. Again, tick the box that disables search engine visibility. In this version of macOS, when you choose your user, it auto-submits the form, which is handy unless you've got to update your password on the previous page. So we're now at the stage where we were in the previous lecture: we've got WordPress installed. So let's update the config file on the file system to say that we want to allow the multi-user setup. First thing you need to do is scroll down to the bit that says "That's all, stop editing", and we just need to define another constant. So I need to write: define('WP_ALLOW_MULTISITE', true); We need to save the file and just reload the web page. So let's get the browser back here, and we're gonna make it a little bit bigger.
So the menu's on the left-hand side as well, and now we need to go into Network Setup, which is in Tools. Now we need to decide whether we're going to do it as a subdomain or a subdirectory. Like the examples given, I'm going to select subdomains, and then all we need to do is click Install. Just like we did with the constant allow multisite, we now need to copy and paste these into our wp-config file. Let's do that now: scroll down to the bottom, and let's just put it in after the allow, and then save again. That's done. We're going to skip the .htaccess bit, because we're using Nginx, and it doesn't support .htaccess files. We've made all these changes, so we're gonna have to log in again. So let's click on the link and do that now. The first change you can see is there's now a My Sites option. Let's go to the network admin, click on Sites, and then we can see all the sites that have been defined. As expected, there's only one, the one we defined earlier. So let's create a new site. You need to enter a subdomain of your primary domain name. This doesn't have to be the final domain name, because we can change that later. For the moment, I'm going to assume we want to use test.ofdan.com. Regardless of what we're entering here, whether it's the subdomain or a new domain name, we need Nginx to respond on that domain name. You will also need to make sure that the DNS is pointing at your server, but that's beyond the scope of this lecture. So we need to disconnect from the server and reconnect again as root, because we're going to be changing the Nginx config, and you need to edit the Nginx config for this particular site, so in our case, ofdan_example. Now, the server listens on example.ofdan.com. However, we just need to put in our test.example.ofdan.com here.
Alternatively, if you're using a completely custom domain name, you'd put myawesomeblog.com there instead; you can have as many domain names listed there as you want. If you're happy using subdomains, then what we can do is actually change test to a star, and assuming you've got wildcard DNS set up, then all possible subdomain names will work. As we've made an Nginx change, don't forget to reload the Nginx config. If you're happy with subdomains, put the correct subdomain name in here. If you're trying to use a custom domain name, just put something in as a placeholder, but fill out the rest of the information correctly and then click Add Site. Now we can open up a new tab, paste in our domain name or subdomain name, and you can see it working. We can also enter an invalid domain name, and because the DNS and the Nginx are set up correctly, it will still go to WordPress. However, it won't work, because WordPress isn't aware of that subdomain and it hasn't been set up. If you did want to enable registrations, then click on Options and then choose the correct option here. However, that's not something I want to cover in this lecture. Okay, so maybe you want the custom domain name. Let's go back to our site, and in here you can now actually change the URL to anything you want. So in my case, ofdan.co.uk. Any domain name in there you like, as long as the DNS is pointed at your server and the Nginx has been set up. One thing I noticed with my testing was that I couldn't actually create any new posts or update any posts, because there's something wrong with the Nginx config that I've been using. So when I click Publish, I just get "Publishing failed". And if you look at the console, and if you go into the errors, you can see that, I think around version 5.0, WordPress started using parameters on the URLs, so things after the question mark.
And that's what's going on here, because my Nginx config wasn't expecting that. So let's fix it. We need to go back into our Nginx config for ofdan_example, and we need to go down to the try_files. And instead of returning a 404, we need to pass it through to index.php and also give it the arguments. Here, $is_args is actually either a question mark or not. So if there are any args, the $is_args will actually be a question mark, and then $args will be the actual values. Otherwise you'll end up with everything being empty and you'll just have index.php. As always, we need to save that file and then reload the Nginx service. Now when we hit Publish again, you can see it has worked. The only downside to this is if you go to an image that doesn't exist, you'll end up serving the error page of the WordPress site. That's it for deploying WordPress to Nginx using multisite. I'll see you in the next lecture.

29. Symfony Nginx Config: Let's get Nginx working with Symfony. So we log in. We'll just double check the website's all set up. And what we'll do, just do that. Okay, so we have a Symfony project, and now let's log in as root and let's check to see what happens when we try to use it now. So we're getting forbidden. First thing we need to remember with Symfony is that it uses a public folder. So whilst the project lives in htdocs, the entry point for the website is actually in the public folder. So we reload that, and nginx reload. Now, the difference with Nginx and PHP is that WordPress doesn't try to manipulate the URL; every bit that you access in WordPress is a discrete PHP file. With Symfony and other frameworks, they will run everything through an index.php. So in the URL you've got /en, and that needs to be run through the PHP. So let's go into the config and sort that out.
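The try_files change described above for WordPress is the same fallback a framework front controller relies on. This is an added example, not the instructor's file: the site name, root and PHP-FPM socket are placeholders, and Ubuntu's stock snippets/fastcgi-php.conf is assumed in place of the course's per-site PHP include.

```nginx
# Added example; names and paths below are placeholders, not the course files.
server {
    listen 80;
    server_name example.ofdan.com *.example.ofdan.com;

    # WordPress lives directly in htdocs. For a Symfony 4 project the entry
    # point is the public folder, so root would end in /htdocs/public.
    root  /var/www/example.ofdan.com/htdocs;
    index index.php;

    # Before: anything that is not a file on disk is a 404, so URLs that
    # only exist inside the application never reach PHP.
    #     location / { try_files $uri $uri/ =404; }

    # After: fall back to the front controller and keep the query string.
    # $is_args expands to "?" when the request has arguments and to ""
    # when it has none; $args is the argument string itself.
    #     /some/page?x=1  ->  /index.php?x=1
    #     /some/page      ->  /index.php
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # The downside mentioned in the lecture: a missing image now renders the
    # application's error page. A regex location for static file types keeps
    # those as a plain 404 and never starts PHP for them.
    location ~* \.(?:png|jpe?g|gif|ico|svg|css|js|woff2?)$ {
        try_files $uri =404;
    }

    # Only real .php files are handed to PHP-FPM. The stock Ubuntu snippet
    # already contains "try_files $fastcgi_script_name =404;".
    location ~ \.php$ {
        include      snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/EXAMPLE-SITE.sock;   # placeholder socket
    }
}
```

Run nginx -t before reloading so a typo in the new try_files line does not take the site down.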
Actually, let's go to Symfony's documentation. On Symfony's website there's lots of great documentation, and what I'll do is link you to the right section so you don't have to type it in manually. But when you're doing this, you need to ask yourself a question: which version of Symfony are you using? If you're using two or three, or if you have a web directory, then you want version 3.4 of this document. If you have a public folder, or version four, then you want version four. I'll link to both; it will be simple. Now, I know that I need this version for my project, and what you need to do is go down to the Nginx section, and what we're gonna do is copy and paste this file and make the modifications ourselves, because a lot of it we've already done. Go down to the bottom. I haven't covered this before, but your error log and your access log: it's always a good idea to give them a name. In my case, I like to stick with the actual website name, because there's nothing worse than trying to track down a bug with the error log when it's all mixed into one file. So we scroll up. Oh yes, you do have parameters, but in my particular application we don't have any, so what I'm gonna do is cut that line, Control-K, and I want to put it there, Control-U, and we'll get rid of that line. That's just our socket. And what we'll do is also get rid of all these lines. So what you end up with is an amalgamation of the two that we had: it's the Symfony one, but with all of ours. I will also put this in the resources for you. Okay, so we'll save that, reload Nginx, and hopefully we'll be somewhere better off. And there you go. And that was pretty simple. One thing I will go back to is actually that config, because we need to run that app in prod. You can tell it's in dev mode because you've got the debug toolbar, and you should never be running a Symfony app in dev mode in production. So that's a big no-no.
So back in the config, what we want to do is find the parameter APP_ENV, and that just means the environment, and we'll delete that hash symbol, and that will just tell it to be in prod mode. We'll save and reload the config, and hopefully we reload now. This was unexpected. I've just checked, and it's because I haven't specified all the parameters in the Nginx config. So let's specify them all. I mean, how do we know what the config parameters are? Well, this is only a Symfony 4 thing. So if you're using Symfony 3 or less, then you're not gonna have this problem, because they're all specified within the project. Inside the Symfony project, there's a .env file. The dist one is the thing that gets distributed, and the .env one is the one that's been, I think, generated when Composer installed it. So let's check the .env one, so we can see it wants APP_ENV, APP_SECRET and another one called GA tracking. So let's make sure that they're specified. Well, APP_SECRET is already defined, but commented out, and we specify GA tracking. I don't know if that's gonna work, so let's try that instead. And now, there you go, it mostly works. Oh, let's quickly check; I can show you how I check the logs. So the app itself has got logs. They are in var/log/prod, and that's within the htdocs. Okay, it's just a bug in my code. So, file not found. So that is how you install Symfony. Once you get the hang of it, it's straightforward, and personally, I felt the old way was a bit easier. But I'm showing you the new way as, going forward, that's what it's going to be. But drop a line in the comments if you've got any problems. I'll see you in the next lecture.

30. Introduction to Nginx Snippets: By now you've seen all the different Nginx configs to get you started with whichever your PHP project is, whether it's a static site, WordPress or Symfony.
But maybe you want to take it a little bit further, and this is what this section is all about: adding a few snippets of code to allow it to do a bit more, whether it's to restrict a directory to a particular user or have redirects, whether it's for a domain name or just a URL, and then you can manage that all within Nginx, and your application doesn't need to worry about it. And a lot of the time, I find this a lot more convenient than trying to find a plugin that does redirects for WordPress, or adding some code to Symfony to lock down a particular directory. This section can't be exhaustive, because there are so many different types of code. There are so many different types of Nginx config that exist. So I'm trying to give you a taste, and if there's anything else you want me to add, then drop me a line, drop me a message in the Q and A, and I should be able to add something in here. I'll see you in the next lecture.

31. Snippets: User Authorisation: Suppose you're launching a new site, or your site is not quite ready, but you need somebody to look it over. Maybe it's a third party that wants to check your website, but you don't want the world to be able to access your new website. What you can do is put a password on it, or multiple passwords, or multiple users with passwords, and that's called user auth. And what we can do is do this for the whole site, so every request to a particular domain name will be prompted with a password, or prompted for a username and password. Or you can use it on a specific folder. Let's jump in. So let's say, for some reason, I wanted to secure this computer password generator and leave the other ones accessible. Well, we can do that. But first, let's make the whole site password protected. Actually, the first thing we need to do is we need a user and a user file, and what I tend to do is put them outside of the Nginx tree because of permissions. So I created a folder called htpasswd.
Okay, so we've already got something in here, so that I know what's going on, because otherwise, trust me, you'll end up with loads of users in files and you don't know what they're for. We need to create a user file, and the format's going to be username, colon, encoded password. But the last bit's tricky, and I don't really like managing it that way. So there's a script that helps us, and it's called htpasswd. It comes from the Apache side of things, but Nginx and Apache share the same password file, so nine times out of 10 they're gonna be compatible. So what we need to do is install the actual utilities. It's called apache2-utils, and we'll install that and use it like this. You type htpasswd, and -c is for create. If the file already exists, then you don't need the -c. And then just the name of the file, and I personally would stick with the format, but it's entirely up to you, and then the username. So we're saying create a password file and add this user, and it'll prompt us for the password and then to confirm it. And there you go, it's written it. So let's just have a quick look. And that's just the format. You know, if you want to add a different user, then you can do that. Okay, we've got the password file. What can we do with it? Let's just copy the path to that file so we don't have to worry about it. And let's go into the Nginx config. So this is our config, and how do we do it? Well, it depends what we want to do. Do you want to make the entire server protected? If we did, then we can just type auth_basic and then give it a kind of title. This would be what the password prompt has on it. And then we just need to tell it the file with all the passwords in it, because if we don't, then we're never going to be able to succeed at this and you'll always get blocked.
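Put together, the password file and the two directives look like this, including the single-section variant this lecture also covers. This is an added example, not the instructor's config; the file path, the user names, the socket and the /en/computer prefix are placeholders.

```nginx
# Password file, created as root with htpasswd from apache2-utils.
# The path and user names are placeholders.
#
#   htpasswd -c /etc/htpasswd/example.ofdan.com reviewer      # first user only
#   htpasswd    /etc/htpasswd/example.ofdan.com second_user   # later users
#
# -c recreates the file, so using it on an existing file drops every user
# already in it. Nginx reads the file as its worker user (www-data on
# Ubuntu), so make it readable by that user and by nobody else:
#
#   chown root:www-data /etc/htpasswd/example.ofdan.com
#   chmod 640           /etc/htpasswd/example.ofdan.com
#
# Basic auth sends the password with every request in an easily decoded
# form, so it only protects anything when the site is served over HTTPS.

server {
    listen 80;
    server_name example.ofdan.com;
    root  /var/www/example.ofdan.com/htdocs;
    index index.php;

    # Variant 1: protect the whole site. Set at server level, the two
    # directives are inherited by every location below.
    # auth_basic           "Preview site";
    # auth_basic_user_file /etc/htpasswd/example.ofdan.com;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Variant 2: protect one section only. For matching requests this block
    # is used instead of "location /", so it needs its own try_files;
    # without it a successful login ends in a 404, because nothing routes
    # the request to index.php any more.
    # The protection covers this URL prefix and nothing else: any other URL
    # that shows the same content (another language version, for instance)
    # needs its own block.
    location /en/computer {
        auth_basic           "Preview site";
        auth_basic_user_file /etc/htpasswd/example.ofdan.com;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include      snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/EXAMPLE-SITE.sock;   # placeholder socket
    }
}
```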
And then just paste that in, not forgetting the semicolon. You save, and we do a quick reload of Nginx. And there you go: every request will be blocked. But maybe we just want one area to be blocked. Let's try the computer section. So we can say this. Of course, this would only block the English version, but that would work. But the trouble with this is it's gonna block it perfectly, but if you pass this, it's then still not gonna work, because we've kind of bypassed this section, so you need to add the try_files back in. And if we reload that, we're still prompted for a password on that section. But it's literally only the computer section where we're now asked for the password.

32. Snippets: Domain Redirects: When I set up a new website, one of the first few things I ask, after what its domain name is, is: is it gonna be with or without Ws? And what I mean by that: do you want the website to be domainname.com, or do you want it to be www.domainname.com, with or without the Ws? It's an important question for SEO, but I'll tell you how you can solve it from a technical point of view. For these purposes, I've created a new domain name, and it's called www.example.ofdan.com, so I'm going to tell you how to redirect one to the other. But the fact that we've been using example.ofdan.com suggests that that's the canonical domain name, so we'll redirect the Ws to the non-W domain name. Let's go straight in there. And this is gonna be one of the simplest ones I've ever done, because all you need to do is tell Nginx to listen. So all we need is another server block, because we're not gonna faff around by saying, if the host name equals this then rewrite, inside the existing server block, because then it has to do that on every single request. Why not say, if you see this server name, then redirect? That's exactly what we're going to do. So what we need is those lines, so mine will save time.
But obviously we need the W version, and then all we need to do is type rewrite. We want to match everything, and we want to send it over to example.ofdan.com. Now, do you want to send it with the request URI? So if somebody went to www.example.ofdan.com/hello, do you want that hello portion to be redirected along with it? If it's a new domain name, the chances are no. If you're moving all your content from one domain name to another domain name, then the chances are yes. So I'm gonna show you how to do it. If you didn't, then you can ignore this particular variable, because you literally could just stop at example.ofdan.com and not include the $request_uri, question mark. And then we just tell it what type of redirect we want. In this case, we want a permanent redirect, and then that's it, it redirects you. You can use this as a regular expression, which is what the hat symbol is, or you can use a slightly different version, which I believe is slightly more efficient, and it's just the return. So you tell Nginx what status code to return and, in this case, the URL to go along with it. So you can use either one of those. Save that, and nginx reload, and I can show you in the web browser, but chances are it's going to be quite difficult to see. So let's just try in the terminal: example.ofdan.com/about. And there you go. You can see the HTTP code 301 has been returned, and the location is there, and that is the request URI. You could also have more than one in here, so you can have as many domain names as you like all being captured and then redirecting onto your main one. So that's it for domain name redirects. We'll go a little bit more in depth into actual redirects for the URI later on.

33. Snippets: Uri Redirects: Previously we covered redirecting domain names.
But what about if it's just a URL? You could easily use location blocks to set up your redirects. So let's have a quick look. So this is what we did in the last lecture, but we scroll down. So what I've got here is two tabs. One is the editor for my ofdan_example Nginx config, and the other is just on the shell, and the second tab is gonna be used for just reloading Nginx. And I've got a third tab that I can use to see the results of the redirects. Say you had a URL, old-location, like this. What you could do is have location = /old-location, and then we could return a 301. I'm going to use $scheme://$host/new-location. So save that, reload that, and we'll see what happens. And then you can see it's redirected to the new location. Well, maybe everything from one directory, or maybe the directory itself, is being moved. Obviously, this equals sign means an exact match. But maybe the old directory is moving, in which case you could say $request_uri, and that would put the old directory and everything in it within the new directory. So I give that a try. Okay, we've messed up the slashes, but still; the thing is, the request URI has the slash in it, so we wouldn't need to put the slash there. But hopefully you're getting a little bit of the idea. The trouble is, what happens if you want to rename old to new, but keep everything else the same? It's a little difficult to do that with location blocks. What we need is a little bit more control. Nginx supports something called rewrites, and they use regular expressions. If you've never come across regular expressions before, then you're in luck. I'm gonna give you a brief overview. They can look very intimidating, but I promise, if you give them a chance, you can cherry pick the bits you need, and they're amazing. So why don't we give this a go? So what we need to do is type rewrite; instead of return, it's rewrite.
And we use the caret symbol to say the start, and we want forward slash old, and anything in these brackets is a match, and we can use that later. Dot matches absolutely anything; it's a special character. Along with it goes the plus, and the plus means one or more. And we use the dollar symbol to say that that's the end. So hopefully you get that: everything between the beginning and end is either going to be the old or it's gonna be stuck in this match. And what we're gonna do is the same URL as before, like this, but this time we're going to use the match, and the matches are counted. So the first bracket is one, the second bracket is two. In this case, we only have one, so that's all we can use. Let's just put permanent there. We don't need that any more, as we've made quite a change. Let's just double-check that with a config test. I say we keep rewriting it; always do it exactly the same. And there you go: I've done the URL of old location, and this time it's redirected us to new location.

It's pretty cool. But looking at this, did we need the location block? No, but it's a good way to group things up. If we had multiple rewrite rules in there all doing the old URL, and I will give you a couple of examples later, then you could group them up that way. It also only does the rewrite when you're in the location old, and regular expressions can be a bit expensive in computing terms, whereas the location blocks are a lot simpler. So it's gonna help with performance. Where possible, use location blocks to try and simplify, to try and group up your rewrite rules. It's not always gonna be possible, but give it a go. They'll help with performance.

The permanent in this rewrite: do you know what it means? Permanent tells nginx to return HTTP code 301, which just says it's been moved permanently. We could say redirect, and that tells nginx to return HTTP
code 302 Found. Use redirect when testing: it won't be cached by a browser and, later on, it won't be cached by search engines. Use permanent if you want the search engines to update their records. So if they found old location, they would then update it to new location and they would stop checking old location. It's no guarantee that will happen, but it's a good start.

In the past, I've had newsletters on my server, something along the lines of newsletter 1018 0105, and I wanted to reorganize. And in this example, maybe I wanted to group everything up into folders like this. I mean, a reason for this could be that you've got far too many newsletters, or possibly images. And if you get more than a few hundred images or files in a folder, the performance of searching that folder becomes astronomical for the web browser, for you, for your FTP client, et cetera. This is not a far-stretched example. So how would you do that? There's obviously the manual effort of moving all the newsletters. But once you do that, how do you redirect all the URLs? You're probably thinking a rewrite rule, and you'd be right. But because this is a little expensive, I'm gonna wrap it in a location block.

So we want rewrite, caret to say the start, forward slash newsletter, because everything's got to match newsletter. And we want to match... how do we say numbers? Well, the square brackets are a matching group. What you can do is inside that you can say zero through to nine, and that matches all the numbers in between as well. That's a single digit, and we can use the plus to say one or more, and then we can use the dash. And if we do that three times, that matches our format pretty closely. I'm not worried about it matching exactly. If we really wanted to, we could say it has four digits, followed by two digits, followed by two digits, but this is close enough. And that's the end of the URL. And what we need to do is give it a destination. So the destination would look something like this.
Remember how to get the matches? Well, that was just dollar one, dollar two and dollar three. In this case, let's just make it a redirect. So save that. Let's take our example here, reload nginx, and we give it the newsletter URL. Just like that, the URL has been updated. It's cool, huh?

Another example of a rewrite I had was something like this, and this might look different. So this is a matching group from here to here, but this little pipe symbol means or. So if it sees the start of the URL, then about or contact or privacy policy, and then the absolute end, it's gonna redirect it to the same URL but with the trailing slash. This one was a lot harder to put in a location block, so I haven't. So if we reload and, for this one, use about, there you've got it with the slash.

Another example I had was site maps, and for some reason people were accessing my site using sitemap with a capital S or a lower-case s. I don't know if it's a standard or something, or maybe it's just convention that some browsers or website crawlers do this. So I've rewritten sitemap with an S, which is upper case or lower case, and that's what this grouping is doing. So where before we did 0 to 9, you can actually specify actual individual characters or digits, and I just redirected that to sitemap.xml. It's pretty simple.

I do recommend that you check your error log. You'll find lots of weird and wonderful URLs that people are trying to access. Some of it's legitimate, some of it's a broken client, and I like to help them out sometimes and point them in the actual direction of content. One of the weird things I found was somebody accessing my cookie policy, but it looked like the title of the link tag, so they had cookie space policy. So I redirected them. And if you haven't come across this before, this is called URL encoding, and that percent 20 is just the equivalent of space.

I was also moving a website, a WordPress one, so you had URLs a bit like this:
save hyphen money, forward slash at home, or save money, at home, selling brothers. The at home was a category and the selling for others was the page slug. Now, I could have done this one at a time with location blocks, but regular expressions just made this so much easier. So I ended up with something like this. Now this might look weird, but my category was categories, forward slash save money, forward slash at home. But when it came to the page slug, I only needed this part. To double-check things: this question mark here, which I don't think I've used before, means zero or one. So it means that forward slash there is optional.

That is regular expressions. You can do them, you can use them, it's all good. But with regular expressions, there is so much more to learn. Also, sometimes maybe you're not getting the regular expression just right; maybe you're struggling a little bit. So how is it you can debug them? Well, there's a website I like to use, and it's called regex101. Oh yes: regular expressions outside of nginx have got delimiters, and the default is the forward slash, so you need to change it to something else. Anything else, to be fair. And that way the regular expression can work. So if we grab our URL, this one, and paste it in there, you can see it fully matches, which is the blue; it's the whole thing. But the match, the dollar one, is this bit in green. So if that question mark wasn't there, the URL wouldn't match. You can also see here how long and how many steps this regular expression took to parse. So you can imagine, if you had, like, 100 of these, they would soon add up to, like, half a second. You do have a little reference down here. So there you go: single character, excluding character. Not all of these are going to be compatible with nginx, but it's a good place to get started. I'll put a link to this website in the notes, and I'll also link you to URL encoding.
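The redirect rules described in the last two lectures, written out as an nginx configuration. This is an added example, not the config shown on screen in the course: example.com, the paths, the sample newsletter name and the newsletter target layout are placeholders.

```nginx
# Added example; names and paths are placeholders, not the course's own config.

# Domain redirect: send every request for the www name to the main name.
# The target host is hard-coded, so the Host header sent by the client
# cannot influence where the redirect points.
server {
    listen 80;
    server_name www.example.com;

    # Keep the path and query string. Leave out $request_uri for a new
    # site where old paths should not carry over.
    return 301 http://example.com$request_uri;
}

server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Exact match ("="): one old URL to one new URL, no regex involved.
    location = /old-location {
        # $host is taken from the request. If this block is also the
        # default server for the port, any Host header reaches it, so
        # hard-code the name there instead.
        return 301 $scheme://$host/new-location;
    }

    # Rename a directory and keep the rest of the path. The prefix
    # location means the regex only runs for URLs under /old/.
    location /old/ {
        rewrite ^/old/(.+)$ /new/$1 permanent;    # permanent = 301
    }

    # /newsletter-2018-01-05 -> /newsletters/2018/01/05
    # (constructed sample name, assumed target layout).
    # "redirect" = 302, which is not cached; switch to "permanent"
    # once the rule has been tested.
    location /newsletter- {
        rewrite ^/newsletter-([0-9]+)-([0-9]+)-([0-9]+)$ /newsletters/$1/$2/$3 redirect;
    }

    # Add a trailing slash to a fixed set of pages; "|" means "or".
    rewrite ^/(about|contact|privacy-policy)$ /$1/ permanent;

    # Accept "Sitemap" or "sitemap" and send both to the real file.
    rewrite ^/[Ss]itemap$ /sitemap.xml permanent;
}
```

After `nginx -t` and a reload, `curl -I http://example.com/old/page` shows the status code and the `Location` header each rule produces.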
If you've got any problems, then put them in the Q and A. I'll see you next lecture.

34. Snippets: HTTPS: There's a huge movement on the Internet to make all the websites have HTTPS by default, and there's an organization called Let's Encrypt that is pushing for everybody to do this. But if certificates cost money, then no one's gonna rush to do it. However, what they've done is issue short certificates that are very easy to renew, for free, and I'm gonna tell you how to do it. It's what I'm using on all my websites. And because it's so easy, it takes less time than if I was to buy a certificate and install it.

Now there's a website I'm using, called certbot, that tells me how to install certbot properly, and there's a lot of information here, but it's mostly just plugging away. So I'm gonna copy and paste some of that information in. So let's connect to the server. Now we're connected, what we need to do is type add-apt-repository, and it's ppa:certbot/certbot, and then a quick apt update. Now, I'm pretty sure I don't want their nginx plugin; I just want the actual executable myself. So I'm gonna type apt install certbot, and I'll show you how to use it. I'm not particularly interested in getting certbot to modify nginx for me. So let's just install that. Excellent.

Now we could use certbot directly, and what it would be is something like this. And then you would basically say the directory is, in this case... and we need certonly. And then we'd say the domain name. I would choose the primary domain name first, followed by any secondary ones you want. I think you are limited to, like, 50 domain names in one certificate. And that would work perfectly well. But I don't tend to like that, because it will create a .well-known folder inside your htdocs public folder, and for me that interferes a little bit with git.
I like to have a catch-all system that puts all your certificate requests, or your challenges, in its own folder inside your /var/www directory. I'm not gonna worry about that. What I'm going to do is make this directory; I call it certbot. And if we go into our nginx directory, inside snippets, I'm gonna create a file called certbot. And what we're gonna put in here is something to match all requests that come along to the .well-known folder and acme-challenge. And it's going to allow everybody, because maybe we've got authorization turned on at a lower level, but we need this to always work. We also need to tell it that, regardless of what's in here, the default type is plain text, and we're going to override the root to tell it that everything is inside this certbot folder. And then we're going to say try_files: it needs to be the request URI or just a 404. And finally, if the location is exactly equal to this well-known folder, acme-challenge, then we want to just return 404, because it needs to be looking for a specific file for it to actually be a proper authentication.

And then all we need to do is include this file everywhere we want to. So let's go. We're gonna put it everywhere, because it's gonna keep it easy. So we're just saying, inside the default file, if it sees this request, then great. And again in here. Because the thing is, in the previous example, before using this, you'd have to set up the web server, and then the webroot needed to be set up as well for it to work. With this, because we're also doing it to the default one, the default page, we can do this authorization request before setting up the website. As long as the DNS is pointed to this server, it'll work. And we reload, and now we can use the same command again. But instead of knowing exactly where the directory is, we can just put certbot.
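The snippet described above, written out as an added example (not the file shown on screen in the course). The snippet file name, `/var/www/certbot`, `example.com` and the site root are assumptions; `auth_basic off` is an addition for sites that turn on basic auth at server level.

```nginx
# Added example; file names and paths are assumptions based on the lecture.

# ---- /etc/nginx/snippets/certbot.conf ----
# Serve ACME HTTP-01 challenge files for every site from one shared
# directory. "^~" stops nginx from checking regex locations afterwards,
# so a rule elsewhere that blocks dot-directories cannot shadow this one.
location ^~ /.well-known/acme-challenge/ {
    allow all;                   # overrides allow/deny rules inherited from the server
    auth_basic off;              # addition: cancels basic auth inherited from the server
    default_type "text/plain";   # challenge files have no extension
    root /var/www/certbot;       # files live in /var/www/certbot/.well-known/acme-challenge/
    try_files $uri =404;         # an existing challenge file, or nothing
}

# A request for the bare directory is never a valid challenge.
location = /.well-known/acme-challenge/ {
    return 404;
}

# ---- /etc/nginx/sites-available/default ----
# Including the snippet in the default server lets a certificate be
# requested as soon as DNS points here, before the site itself exists.
server {
    listen 80 default_server;
    server_name _;
    root /var/www/html;

    include snippets/certbot.conf;
}

# ---- any site's port-80 server block ----
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder names
    root /var/www/example.com/public;          # placeholder path

    # The site root can move or be rebuilt without affecting renewals,
    # because challenges are always answered from /var/www/certbot.
    include snippets/certbot.conf;
}
```

The challenge location exposes only files under the shared directory, so nothing else needs to be world-readable for renewals to work.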
And it doesn't matter that we then set it up again, or we've set it up and moved the folder, because it's always gonna be this folder. We need to give an email address so that Let's Encrypt can get in touch with you. They send it just in case, for when the certificate's running out, or if they're going to do something that's gonna cause a problem. Mostly, it's about certificates that I've abandoned; they're gonna expire in the next day or two. So I wouldn't worry too much about it being spammed. And then you have to read the terms and conditions, and once you have, and you're happy with them, you can agree. And whether you want them to share your email address, it's up to you. You can see that I've been granted a new certificate, and the private key is there and the actual certificate is there. So save those URLs, because we need them in a minute.

We've got it; let's turn it on. How do you enable HTTPS in nginx? Well, it's pretty simple, but it also comes down to how you want to set it up. Now, we can very easily just put more listen blocks in here, just like that, and it will start working. But do you want to? Because you will then have a website that works on HTTP and HTTPS. What I'm advocating is: have your main website listen on HTTP and HTTPS, but redirect any non-HTTPS ones back. So what we can do is change that. When you're enabling HTTPS, you need to specify your SSL certificate, like so, and you'll also need to specify your SSL certificate key, and that was privkey.pem. And that's it for that.

Let's go back up to these two. So if we had these... ah, yes, we're also missing a server name. So what have I done? Well, I've created an additional block, which is the second one. nginx gets very confused if you try to listen on the same server name on multiple server blocks. It's always best to be as specific as possible.
And by that I'm saying server name, the example domain. It would get very confused if you start listening on the same port on multiple blocks. So I've split them out, and I've got one on HTTPS and one on port 80, HTTP. That way I can clearly say: if it comes in on HTTP, redirect it to HTTPS. So why has this block got both in it? Because I don't care. Because regardless of whether they come in on HTTP or HTTPS, I want them redirected to the example domain, no matter what. Hopefully that makes sense. And we save that. It's always best to do a config test if you're 100 percent sure. Okay, something's failed. Not sure what. There are more efficient ways to find out, but this is the quickest way. Okay, so basically I mistyped it. Let's reload. Okay, apologies. I imagine a few of you saw that.

And again, probably the easiest way to show this is if I use curl, because I imagine everybody knows what a web browser looks like, but trying to see a redirect is pretty annoying. We're gonna go to the HTTP version, and it's gonna be with the w's. So I expect it to redirect to the HTTPS example domain. And there you go, so the redirect's working fine. And there you go: the actual certificate with a padlock is there.

With this system, a cron job should have been installed, and it will automatically try to renew this certificate. And don't worry too much about the certificate getting out of date, because when you first register, you get 90 days. It's only around day 27, day 28 that the certificate will start to renew. If the certificate has less time than that, then something's gone wrong, and you can manually do it yourself by doing certbot renew. And then you can see that's the date it's gonna expire, and it's been skipped. And that is the reason why I personally use a website to monitor my SSL certificates. It's called Track SSL. It doesn't cost a lot, and you
get two free domain names, so that's what I personally use. I'm not affiliated with them, but it's up to you. You don't need to. Heck, you could write your own, but I just personally like getting an email when certificates have been renewed or they're close to expiring. Hopefully that will help you get your websites up and running with HTTPS. I'll see you in the next lecture.

35. Security firewall: Even with the best will in the world, you can make mistakes. You could expose something you shouldn't have exposed in the configuration of your Ubuntu setup. So we can install something called a firewall, or in this case, set up something called a firewall. You can have the firewall installed on your actual server using, say, iptables or ufw, but I'm gonna talk about DigitalOcean's firewall, because it's free when you've got a server, and it's a lot easier to use, and if you get it wrong, then it's a lot easier to fix. It's hard to fix a firewall when you've locked yourself out of the server.

So let's log into DigitalOcean, go to the server, and go to networking, manage firewalls. And what we need to do is create a firewall. I'm gonna call it after the example domain. You could also call it web server, because this will be a firewall you can apply to more than one server. Now, firewalls can do two things: they can filter the traffic inbound, or you can filter it going outbound, or both. I'm not too worried about outbound. If you knew your server was only ever gonna connect out to web servers, then you could put port 80 on these for outbound. But from my point of view, I'm not worried too much about it. It's your inbound rules, and what services you want to allow. So by default, we obviously need SSH, because otherwise we're not going to get in. If you had a fixed IP address, then you could remove these and type in your fixed IP address, and then only you could get SSH into your server.
But as you're unlikely to have a fixed IP address, or let's assume that you don't, and I don't, we'll have to leave it open. But with secure keys, we should be okay. And as we're doing a web server, we're gonna need HTTP, and you may need HTTPS. And if you want to be able to ping the server, you want ICMP. And that's what you need. If you've installed a mail server by accident and you've left it world-accessible, the world is not going to be able to get to it because of this firewall. And then we just need to say which server we're going to apply it to. You can either do it by tag or by host name. It doesn't really matter for us, because they're both the same server. And then you create firewall. And now you have a firewall that is sorted out and managed by DigitalOcean. And if for some reason you accidentally removed the SSH access, you can add it back in. If you did that using iptables, then you're gonna have to go through a lot more steps to regain it. So I highly recommend you use a firewall. I'll see you in the next lecture.

36. Security expose as little as possible: If you want to make an insecure server, the quickest way to do it is to install as many things as possible and turn on as many things as possible, because at least one of those things is going to end up with a security hole that allows an attacker in. And so the reverse is true: the less you install, the harder it is for an attacker to attack you. But for a web server, you kind of need a website and you need PHP. What you need to do is expose as little as possible. What we're gonna do is log in to the server as the user and see what we can see. So the idea is we're locked into this directory, but we're not fully locked in, because we can see what's below us. We can also see the nginx config, which is not ideal, because if an attacker breaks into your website, then they're not gonna be able to break out of your user, but they can get a good idea of what's on here.
Well, that's what they need. They could see which sites are available and what the config is, and then have a better understanding of how to attack you. So let's try to solve these problems, and let's try to expose as little as possible. So look at the permissions on /var/www: we can see the world has read access and execute access. So how can we fix this?

Well, in Linux, all files and folders have permissions, and the directory ones are slightly different to the file ones. For file ones you've got read, write and execute. Read is being able to look at the contents of the file. Write is obviously changing the contents. And execute is allowing the contents of the file to be run as a program. With the directory, you've still got the same permissions, but read is listing the contents of a directory, write is, I think, just changing the file name or the directory name, and execute is being able to change into that directory.

So let's log out and go back into the root user, because we can't change the permissions from a lower user. So what we need to do is: the user and group are fine, but for the other user, we need to remove the read permissions from /var/www. You also need to change the group to www-data, otherwise nginx will not be able to get into that folder. So you just type chgrp space www-data space and then /var/www/html. Unfortunately, we can't remove the execute permissions, because all the users need to go through the /var/www directory. But we can do that for nginx. Let's go up a directory. So we type chmod, other user, minus read and execute. In fact, I'll show you just read first, on nginx and PHP. And now if we log in as that user and look at the /var/www directory, we have no permission. I mean, it's still a little bit insecure, because it will tell us we have no permission to do something rather than tell us it doesn't exist.
And also, at the moment we can go into the html directory, which is our default page, so we can fix that. So other, minus read and execute, on /var/www/html. And then if we try to change into that directory: permission denied. But if we tried to go into a directory that didn't exist... so that could give an attacker an advantage. However, it'll take them a while, and it depends on what level you want to go to. If you really want to make it harder, then you would choose directory names that made no sense. But it's trade-offs between ease of use and security. So I'm just trying to give you the best security without making too many trade-offs, because we still need to be able to use the server.

So back to nginx. Obviously, we've removed the read permission, so we can't list the contents of that folder. But we can still access the files in it, even if we have no idea what's in there. So we need to remove the execute permission as well: other, minus x, nginx. And now if we try to change into there, we get permission denied again. If we try nginx, nginx.conf, again: permission denied. That's gonna make it incredibly hard for somebody to figure out what websites you're running and how easy it is to attack you. And out of all these things, the PHP and the nginx ones are the best ones to do. So the best thing to do is log in as your user, see what you can access, and figure out: does it matter? How could you attack the system with this knowledge?

37. Conclusion: I'd like to thank you for joining me on this journey of creating a web server running PHP. You can do a lot with this, and this is something I use on a daily basis for my company's needs. We have a few servers running this config, and it's pretty much the same config as it has been for the last couple of years. There've been a few tweaks, and you'll have benefitted from the extra tweaks in this course. And it's withstood many an attack.
As I've said at the beginning, the only thing that's ever got through is WordPress. That's because there's been a bug in the application, which, if you're careful and you keep it updated, you're not gonna have a problem with. If you need anything else in the course, ask in the Q and A. And if there's a particular framework you want me to cover, then I can add that in as well. Thank you again and I look forward to hearing from you