Summary
A guide to configure your Ubuntu installation and deploy a Ruby on Rails application. Lock down the settings to prevent unwanted access.rails production security deployment 16:15
Resources
Ubuntu Server - http://www.ubuntu.com/download/server
Digital Ocean - https://www.digitalocean.com/
Securing your Server - https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
Setting up a firewall - https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
Digital Ocean - https://www.digitalocean.com/
Securing your Server - https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
Setting up a firewall - https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
Summary
# updates and add user sudo apt-get update && sudo apt-get upgrade -y adduser deploy sudo usermod -aG sudo deploy sudo apt-get install curl nano git libmysqlclient-dev coffeescript gawk g++ gcc make libreadline6-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf libgmp-dev libgdbm-dev libncurses5-dev automake libtool bison pkg-config libffi-dev -y
# login as deploy user, install application gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 \curl -sSL https://get.rvm.io | bash -s stable source /home/deploy/.rvm/scripts/rvm rvm install 2.3.1 echo 'gem: --no-document' >> ~/.gemrc gem update --system gem install bundler git config --global user.email 'YOUR_EMAIL' git config --global user.name 'YOUR_NAME' ssh-keygen -t rsa -C "YOUR_EMAIL" cat ~/.ssh/id_rsa.pub git clone [email protected]:driftingruby/sample_application.git cd sample_application bundle echo 'export RAILS_ENV=production' >> ~/.bashrc source ~/.bashrc gem install passenger
# install passenger dependencies sudo apt-get install apache2 libcurl4-openssl-dev apache2-dev libapr1-dev libaprutil1-dev
# install mysql server sudo apt-get install mysql-server
# configure application settings nano config/database.yml nano config/secrets.yml
# install passenger apache module
sudo a2enmod headers
passenger-install-apache2-module
# /etc/apache2/apache2.conf
LoadModule passenger_module /home/deploy/.rvm/gems/ruby-2.3.1/gems/passenger-5.0.28/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /home/deploy/.rvm/gems/ruby-2.3.1/gems/passenger-5.0.28
PassengerDefaultRuby /home/deploy/.rvm/gems/ruby-2.3.1/wrappers/ruby
</IfModule>
# /etc/apache2/sites-enabled/000-default.conf
PassengerMaxPoolSize 4
<VirtualHost *:80>
Header add Strict-Transport-Security max-age=31536000
DocumentRoot /home/deploy/sample_application/public
<Directory /home/deploy/sample_application/public>
Header unset ETag
AllowOverride all
Options -MultiViews
Order allow,deny
Allow from all
Require all granted
</Directory>
PassengerMinInstances 2
</VirtualHost>If you need to create and configure self-signed certificates
sudo mkdir /etc/apache2/ssl cd /etc/apache2/ssl sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout apache.key -out apache.crt sudo a2enmod ssl
# enable apache module rewrite
sudo a2enmod rewrite
# /etc/apache2/sites-enabled/000-default.conf
# Redirects 80 traffic to 443
<VirtualHost *:80>
Redirect permanent "/" "https://107.170.118.82/"
</VirtualHost>
<VirtualHost *:443>
Header add Strict-Transport-Security max-age=31536000
DocumentRoot /home/deploy/sample_application/public
<Directory /home/deploy/sample_application/public>
Header unset ETag
AllowOverride all
Options -MultiViews
Order allow,deny
Allow from all
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
PassengerMinInstances 2
</VirtualHost># restart apache sudo service apache2 restart
# locking down ssh sudo nano /etc/ssh/sshd_config sudo su sudo mv /root/.ssh/authorized_keys ~/.ssh/ sudo chown -R deploy ~/.ssh/authorized_keys sudo service ssh restart
# installing and configuring ufw sudo apt-get install ufw sudo ufw status sudo ufw allow 22222/tcp sudo ufw allow www/tcp sudo uff allow 443/tcp sudo ufw enable