#31 Production Deployment on Ubuntu

Summary

A guide to configure your Ubuntu installation and deploy a Ruby on Rails application. Lock down the settings to prevent unwanted access.
rails production security deployment 16:15

Resources

Summary

# updates and add user
sudo apt-get update && sudo apt-get upgrade -y
adduser deploy
sudo usermod -aG sudo deploy
sudo apt-get install curl nano git libmysqlclient-dev coffeescript gawk g++ gcc make libreadline6-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf libgmp-dev libgdbm-dev libncurses5-dev automake libtool bison pkg-config libffi-dev -y

# login as deploy user, install application
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
\curl -sSL https://get.rvm.io | bash -s stable
source /home/deploy/.rvm/scripts/rvm
rvm install 2.3.1
echo 'gem: --no-document' >> ~/.gemrc
gem update --system
gem install bundler
git config --global user.email 'YOUR_EMAIL'
git config --global user.name 'YOUR_NAME'
ssh-keygen -t rsa -C "YOUR_EMAIL"
cat ~/.ssh/id_rsa.pub
git clone [email protected]:driftingruby/sample_application.git
cd sample_application
bundle
echo 'export RAILS_ENV=production' >> ~/.bashrc
source ~/.bashrc
gem install passenger

# install passenger dependencies
sudo apt-get install apache2 libcurl4-openssl-dev apache2-dev libapr1-dev libaprutil1-dev

# install mysql server
sudo apt-get install mysql-server

# configure application settings
nano config/database.yml
nano config/secrets.yml

# install passenger apache module
sudo a2enmod headers
passenger-install-apache2-module

# /etc/apache2/apache2.conf
LoadModule passenger_module /home/deploy/.rvm/gems/ruby-2.3.1/gems/passenger-5.0.28/buildout/apache2/mod_passenger.so <IfModule mod_passenger.c> PassengerRoot /home/deploy/.rvm/gems/ruby-2.3.1/gems/passenger-5.0.28 PassengerDefaultRuby /home/deploy/.rvm/gems/ruby-2.3.1/wrappers/ruby </IfModule>
# /etc/apache2/sites-enabled/000-default.conf
PassengerMaxPoolSize 4 <VirtualHost *:80> Header add Strict-Transport-Security max-age=31536000 DocumentRoot /home/deploy/sample_application/public <Directory /home/deploy/sample_application/public> Header unset ETag AllowOverride all Options -MultiViews Order allow,deny Allow from all Require all granted </Directory> PassengerMinInstances 2 </VirtualHost>

If you need to create and configure self-signed certificates

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout apache.key -out apache.crt
sudo a2enmod ssl

# enable apache module rewrite
sudo a2enmod rewrite

# /etc/apache2/sites-enabled/000-default.conf
# Redirects 80 traffic to 443 <VirtualHost *:80> Redirect permanent "/" "https://107.170.118.82/" </VirtualHost> <VirtualHost *:443> Header add Strict-Transport-Security max-age=31536000 DocumentRoot /home/deploy/sample_application/public <Directory /home/deploy/sample_application/public> Header unset ETag AllowOverride all Options -MultiViews Order allow,deny Allow from all Require all granted </Directory> SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key PassengerMinInstances 2 </VirtualHost>

# restart apache
sudo service apache2 restart

# locking down ssh
sudo nano /etc/ssh/sshd_config
sudo su
sudo mv /root/.ssh/authorized_keys ~/.ssh/
sudo chown -R deploy ~/.ssh/authorized_keys
sudo service ssh restart

# installing and configuring ufw
sudo apt-get install ufw
sudo ufw status
sudo ufw allow 22222/tcp
sudo ufw allow www/tcp
sudo uff allow 443/tcp
sudo ufw enable