Nginx on EC2

Best practices for setting up nginx webserver on EC2 instance. This involves securing the EC2 instance and ensuring client requests are routed correctly to webserver. We need to setup a VPC which allows public inbound requests, a corresponding public Subnet and Internet Gateway, and routing table entries to ensure incoming requests are not dropped. Next step is to setup a Security Group that allows inbound traffic for HTTP and HTTPS. This is a simplistic single server setup so we will enable SSH for easy administration. For more robust setup, should use Security Manager (SSM) instead of SSH. Since it is a webserver we will allocate elastic IP address that provides static IP address for webserver. We will create user account and install nginx service on the EC2 instance to complete the setup.

Outline of steps:

  1. Create key pair
  2. Create VPC
  3. Create public subnet
  4. Create public internet gateway
  5. Edit routing table
  6. Create security group
  7. Launch EC2 instance
  8. Allocate elastic IP address
  9. Understanding elastic IP pricing
  10. Create user account and RSA private key
  11. Install nginx

Create key pair

  • Open Amazon EC2 console
  • In navigation pane, select Network & Security > Key Pairs
  • Choose Create key pair
  • For Name, enter descriptive name
  • For Key pair type, choose RSA
  • For Private key file format, choose pem
  • Choose Add tag, enter key and value for the tag
  • Click Create key pair button
  • Save the key-pair-name.pem file on local computer in .ssh folder
  • chmod 400 key-pair-name.pem

Create VPC

  • Open Amazon EC2 console
  • In navigation pane, select virtual private cloud > Your VPCs
  • Click Create VPC button
  • Enter name tag as public-vpc
  • Enter IPv4 CIDR value as 172.31.0.0/16
  • For IPv6 CIDR, choose Amazon-provided IPv6 CIDR block
  • Click Create VPC button

Create public subnet

  • Open Amazon EC2 console
  • In navigation pane, select virtual private cloud > Subnets
  • Click Create subnet button
  • For VPC ID, choose public-vpc
  • For Subnet name, enter public-subnet
  • For Availability Zone, choose No preference
  • For IPv4 CIDR block, enter 172.31.0.0/20 (20 is more restrictive than 16)
  • For IPv6 CIDR, choose CIDR block from VPC
  • Click Create subnet button

Create public internet gateway

  • Open Amazon EC2 console
  • In navigation pane, select virtual private cloud > Internet gateways
  • Click Create internet gateway button
  • For Name tag, enter public-igw
  • Click Create internet gateway button
  • Click on newly created internet gateway, to edit
  • Click on Actions button, choose Attach to VPC
  • For Available VPCs, choose public-vpc
  • Click Attach internet gateway button

Edit routing table

  • Open Amazon EC2 console
  • In navigation pane, select virtual private cloud > Routing tables
  • Select routing table associated with public-vpc
  • Under Routes tab, click on Edit routes button
  • Click Add route, enter 0.0.0.0/0 as Destination, enter public-igw as Target
  • Click Add route, enter ::/0 as Destination, enter public-igw as Target
  • Click Save changes button
  • Goto Subnet associations tab, click on Edit subnet associations button
  • Choose public-subnet from list, click Save associations button

Create security group

  • Open Amazon EC2 console
  • In navigation pane, select Network & Security > Security Groups
  • Click Create security group button
  • Enter Security group name WebServerWithSSH
  • Enter Description value
  • For VPC value, choose public-vpc
  • Goto Inbound rules section
  • Click Add rule, choose HTTP for Type, Anywhere-IPv4 for Source
  • Click Add rule, choose HTTP for Type, Anywhere-IPv6 for Source
  • Click Add rule, choose HTTPS for Type, Anywhere-IPv4 for Source
  • Click Add rule, choose HTTPS for Type, Anywhere-IPv6 for Source
  • Click Add rule, choose SSH for Type, client IP or Anywhere-IPv4 for Source
  • Click Add rule, choose All traffic for Type, Custom - WebServerWithSSH for Source
  • Click Create security group button

Launch EC2 instance

  • Open Amazon EC2 console
  • In navigation pane, select Instances > Instances
  • Click Launch instances button
  • For Name, enter webServer
  • For Application and OS Images, select Amazon Linux
  • For Architecture, choose 64-bit (Arm)
  • For Instance type, choose t4g.small
  • For Key pair, select from existing value
  • For Network settings, click Edit button
  • For VPC, choose public-vpc
  • For Subnet, choose public-subnet
  • For Auto-assign public IP, choose Disable
  • For Firewall, choose Select existing security group
  • For Common security groups, choose WebServerWithSSH
  • For Configure storage, choose 8 GiB gp3
  • Click Launch instance button

Allocate elastic IP address

  • Open Amazon EC2 console
  • In navigation pane, select Network & Security > Elastic IPs
  • Click Allocate Elastic IP address button
  • For Public IPv4 address pool, choose Amazon’s pool of IPv4 addresses
  • Click Add new tag button, enter Name as Key, webServerIP as Value
  • Click Allocate button
  • Select newly created Elastic IP, webServerIP
  • Click Associate Elastic IP address button
  • For Resource type, choose Instance
  • For Instance, choose webServer
  • For Private IP address, choose value from dropdown
  • Click Associate button

Understanding elastic IP pricing

  • Elastic IP addresses are static and remain assigned to the instance regardless of instance state (running, stopped, terminated)
  • Elastic IP address are free as long as the instance they are associated to is running
  • If the associated EC2 instance is stopped or terminated then AWS starts charging for Elastic IP address
  • Disassociate Elastic IP address from EC2 instance to stop charges
  • Public IP addresses are dynamic and automatically released when an ec2 instance is stopped or terminated. The instance will get a new IP address upon restart.

Create user account and RSA private key

  • Use public IP address of instance
  • Use default user name for AMI (ec2-user)
  • Use the private key (.pem) that you specified during instance launch
  • Make sure .pem, config and other files in .ssh have 400 file permissions
  • ssh command will ignore .pem/config files, if permissions are not 400
chmod 400 key-pair-name.pem
ssh -i key-pair-name.pem ec2-user@instance-public-ip-addr
sudo adduser newuser
sudo su newuser
mkdir ~/.ssh
chmod 700 .ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
vi ~/.ssh/authorized_keys

# paste your public rsa key
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuSevGj3e...'

Install nginx

amazon-linux-extras list
sudo amazon-linux-extras install nginx1
sudo systemctl status nginx
sudo systemctl enable nginx
sudo mv ~/my_nginx.con /etc/nginx/nginx.conf
sudo systemctl start nginx