Setting up a new droplet on Digitalocean with Webmin, LAMP and SSL

The current article contains resources and ideas on how to set up an Ubuntu 16.04 droplet on Digitalocean, together with Webmin, LAMP – where M might 🙂 stand for MariaDB – and SSL from Let's Encrypt.

First of all, for the domain name you could use a free domain name provided by freenom.com (.tk, .ga, .ml, .gq or .cf extensions). Also, you have a choice between using the Freenom provided DNS or the Digitalocean DNS, which are both free of charge. I am now going for the Digitalocean DNS, as they have a nicer interface.

Important notes:

  • our server’s address is example.com;
  • the DNS needs to resolve webmin.example.com the same as example.com;
  • our main example user is sudouser. So, please do replace that with your user wherever you have it in the commands;
  • to enable monitoring – which is free of charge, at least at the moment – via SSH in a droplet, use the following command:
    curl -sSL https://agent.digitalocean.com/install.sh | sh
  • for some operations in the server, you could use Midnight Commander: sudo apt-get install mc to install and mc to open the interface.

Initial setup

To begin, we need a fresh and clean droplet. Except for the OS, we do not need anything else.

Security aspects

Using the root account directly is not recommended, as its privileges in the system are far too broad. Therefore, we will create a new user with sudo access and disable the root account:

  • adduser sudouser
  • usermod -aG sudo sudouser
  • sudo passwd -l root
  • su - sudouser

For enhanced security, we could use Public Key Authentication with disabled password authentication.
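
A check for the key-only setup mentioned above, as an added example that is not part of the original article. It assumes the file uses plain OpenSSH keywords, that unset keywords fall back to the upstream OpenSSH defaults, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for
# key-only logins. sshd keeps the FIRST value it reads for a keyword, so a
# line appended at the end does not override an earlier one.

# sshd_first_value FILE KEYWORD -> first global value, lower-cased ("" if unset)
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept the "Keyword=value" form
        tolower($1) == "match" { exit }          # only the global section counts
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Constructed sample, not from a real host: "no" was appended at the end,
# but the earlier "yes" is the value sshd uses.
sample_config() {
    cat <<'EOF'
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# appended later by the admin:
PasswordAuthentication no
EOF
}

# audit_sshd FILE -> one line per check; return status = number of failures.
# Each entry is keyword:wanted:default (defaults are upstream OpenSSH's,
# an assumption if your distribution patches them).
audit_sshd() {
    cfg=$1; fails=0
    for want in passwordauthentication:no:yes \
                challengeresponseauthentication:no:yes \
                pubkeyauthentication:yes:yes; do
        key=${want%%:*}; rest=${want#*:}
        expected=${rest%%:*}; default=${rest#*:}
        value=$(sshd_first_value "$cfg" "$key")
        [ -n "$value" ] || value=$default
        if [ "$value" = "$expected" ]; then
            echo "ok   $key $value"
        else
            echo "FAIL $key $value (want $expected)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

On the server itself, sudo sshd -T prints the settings sshd actually applies and is the authoritative check; keep an existing session open while testing a new login.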

Also, it is important to set up the firewall rules and enable the firewall:

  • sudo ufw app list
  • sudo ufw allow OpenSSH
  • sudo ufw enable
  • sudo ufw status
  • sudo ufw disable

Please remember to add a specific rule for each of the programs you install and also to enable the firewall at the end of this tutorial.

Set up locale settings

Use the following commands to fix your locale environment:

  • locale
  • sudo apt-get install language-pack-en-base
  • sudo dpkg-reconfigure locales
    To change the locale settings with an interface
  • exit and log back in

Enable a swap file

  • sudo swapon --show
  • sudo fallocate -l 4G /swapfile
  • ls -lh /swapfile
  • sudo chmod 600 /swapfile
  • ls -lh /swapfile
  • sudo mkswap /swapfile
  • sudo swapon /swapfile
  • sudo swapon --show

SQLite

  • sudo apt-get install sqlite3 libsqlite3-dev

A Webmin-only setup

LAMP

Apache

  • sudo apt-get update && sudo apt-get install apache2 -y
  • sudo apache2ctl configtest
  • sudo systemctl restart apache2
  • sudo ufw app info "Apache Full"
  • sudo ufw allow in "Apache Full"

MariaDB

  • sudo apt update
  • sudo apt install software-properties-common -y
  • sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
  • sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://lon1.mirrors.digitalocean.com/mariadb/repo/10.1/ubuntu xenial main'
  • sudo apt update
  • sudo apt install mariadb-server -y

PHP

We will use the latest version of PHP.

  • sudo apt-get install php libapache2-mod-php php-mcrypt php-mysql
  • sudo systemctl restart apache2
  • sudo systemctl status apache2

Add some necessary packages

  • sudo apt-get install php7.0-zip

Other necessary software

Postfix

  • sudo apt-get update
  • sudo DEBIAN_PRIORITY=low apt-get install postfix
  • sudo ufw allow Postfix

Composer

  • sudo apt-get update
  • sudo apt-get install curl php-cli php-mbstring git unzip
  • cd ~
  • curl -sS https://getcomposer.org/installer -o composer-setup.php
  • sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer

NVM

  • sudo apt-get update
  • sudo apt-get install build-essential libssl-dev
  • curl -sL https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh -o install_nvm.sh
  • bash install_nvm.sh

Node.js and NPM

  • nvm install 8.9.4
  • nvm use 8.9.4

Webmin

  • sudo nano /etc/apt/sources.list
  • append the following line to sources.list:
    deb http://download.webmin.com/download/repository sarge contrib
  • press Ctrl+x and then confirm saving with y
  • wget http://www.webmin.com/jcameron-key.asc
  • sudo apt-key add jcameron-key.asc
  • sudo apt-get update
  • sudo apt-get install webmin

Change default access settings

For changing these settings, we will use the Webmin interface. Log in to your Webmin interface via http://example.com:10000 with sudouser and the established password.

Webmin

We will assume that the new host is webmin.example.com and the port is 30000.

  • In the sidemenu select “Webmin > Webmin configuration”;
  • Click “Ports and Addresses”;
  • Change “Listen for broadcasts on UDP port” to 30000;
  • Change “Web server hostname” to webmin.example.com and save the form;
  • Click “Restart Webmin”.

MySQL

  • In the sidemenu select “Servers > MySQL Database Server”;
  • Select “MySQL Server Configuration”;
  • Change the value for “MySQL server port”;
  • Click “Save and Restart MySQL”.

SSH

  • In the sidemenu select “Servers > SSH Server”;
  • Go to “Networking”;
  • Change the value for “Listen on port” to a different number and save the form;
  • Click “Apply changes”

SSL

Webmin

  • In the sidemenu select “Webmin > Webmin configuration”;
  • Select “SSL Encryption”;
  • Complete the “Hostnames for certificate” with the domains you want in the certificate;
  • For “Website root directory for validation file”, select the “Other Directory” button and enter /var/www/html
  • For “Months between automatic renewal section”, deselect the “Only renew manually” option by typing 1 into the input box, and selecting the radio button to the left of the input box;
  • Click the “Request Certificate” button. After a few seconds, you will see a confirmation screen and then you will need to restart webmin.
  • Wait for about 30 seconds, reload the page and login again.

Apache

All hosted websites will have a specific configuration file structure, which will enforce the usage of https://

E.g.:

<VirtualHost *>
  <Directory "/var/www/sites/subdomain.example.com">
    Allow from all
    # Indexes turns on directory listings for folders without an index file
    Options +Indexes

    <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      AllowOverride All

      <IfModule mod_ssl.c>
        # Redirect to https://, skipping requests that already arrived over TLS
        RewriteCond %{HTTPS} !=on
        RewriteCond %{SERVER_NAME} =subdomain.example.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
      </IfModule>
    </IfModule>
  </Directory>

  # Certificate directives are only accepted at server or virtual-host level,
  # not inside <Directory>
  <IfModule mod_ssl.c>
    SSLCertificateFile /etc/webmin/letsencrypt-cert.pem
    SSLCertificateKeyFile /etc/webmin/letsencrypt-key.pem
    SSLCACertificateFile /etc/webmin/letsencrypt-ca.pem
  </IfModule>

  DocumentRoot /var/www/sites/subdomain.example.com
  ServerName subdomain.example.com
</VirtualHost>

The configuration files for Apache are usually in /etc/apache2/sites-enabled. Also, do remember to add your domains to the certificate.

If you have made changes to the configuration files, use service apache2 restart to apply them.

About the directory structure

  • All the websites will be stored in /var/www/sites;
  • Each website will be stored directly in that directory, without additional parent directories.
    E.g. /var/www/sites/example2/ or /var/www/sites/firstsubdomain.example.com

phpMyAdmin

  • sudo apt-get update
  • sudo apt-get install bzip2 zip unzip
  • sudo apt-get install php7.0-bz2
  • sudo apt-get install phpmyadmin php-mbstring php-gettext
    Use the defaults provided by the installation, spacebar to select.
  • sudo phpenmod mcrypt
  • sudo phpenmod mbstring
  • sudo systemctl restart apache2

phpMyAdmin should be available at: http://example.com/phpmyadmin

If the result is a “not found” page, the following might help you:

  • sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
  • sudo a2enconf phpmyadmin.conf
  • sudo systemctl restart apache2

Further configuration can be done with:

  • sudo htpasswd -c /etc/phpmyadmin/htpasswd.setup admin
  • sudo pma-configure
    Then go to http://example.com/phpmyadmin/setup (here the browser asks for authentication: the user is admin and the password is the one you set with the first command). With that wizard you configure your servers.
  • sudo pma-secure

A Virtualmin setup

For our server, we do not need the full power of Virtualmin: the main thing we will use is the security it provides through easy-to-use and good-looking interfaces. Another thing is that it can easily be extended, though it would be better to have the options figured out before actually using the server.

Resources inside this article

  • set up locale;
  • set up the sudo user;

Virtualmin

  • sudo apt-get update
  • sudo apt-get dist-upgrade -y
  • wget https://software.virtualmin.com/gpl/scripts/install.sh
  • sudo /bin/sh ./install.sh --minimal --force
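
The Composer and NVM installers earlier on this page and the Virtualmin script above are downloaded and then run with the user's or root's rights, so it is worth comparing the file with a digest from the publisher before running it. The following is an added example, not part of the original article: the function names are hypothetical and EXPECTED is a placeholder for a value you obtain from the publisher (Composer, for instance, publishes a SHA-384 for its installer).

```shell
#!/bin/sh
# Added example (not from the original article): run a downloaded installer
# only after its digest matches a value obtained from the publisher.
# Function names are hypothetical.

# digest_of FILE EXPECTED_HEX -> digest of FILE, algorithm chosen by hex length
digest_of() {
    case "${#2}" in
        64)  tool=sha256sum ;;
        96)  tool=sha384sum ;;
        128) tool=sha512sum ;;
        *)   return 2 ;;
    esac
    "$tool" "$1" | awk '{print $1}'
}

# verify_installer FILE EXPECTED_HEX -> 0 match, 1 mismatch, 2 unusable input
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -f "$file" ] || return 2
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;      # empty or not hexadecimal
    esac
    actual=$(digest_of "$file" "$expected") || return 2
    [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED_HEX COMMAND [ARGS...]
# Runs COMMAND only when FILE passes the digest check.
run_verified() {
    file=$1; expected=$2; shift 2
    if verify_installer "$file" "$expected"; then
        "$@"
    else
        rc=$?
        echo "refusing to run $file: digest check failed (status $rc)" >&2
        return "$rc"
    fi
}

# Usage with the Composer step from this page (EXPECTED is a placeholder):
#   curl -sS https://getcomposer.org/installer -o composer-setup.php
#   EXPECTED="<sha384 published by Composer>"
#   run_verified composer-setup.php "$EXPECTED" \
#       sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer
```

Fetch the expected digest over HTTPS and separately from the script itself; a digest taken from the same download proves nothing.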

Complete the post install by accessing https://example.com:10000.

Edit apache landing page

  • sudo nano /var/www/html/index.html
  • delete all the content and add something basic and new (e.g. “Hello world!”);
  • press Ctrl+x and confirm with Y

Remember to

  • add SSL from Let's Encrypt;
  • change default ports and addresses;
  • activate automatic updates, wherever you think it’s useful.
