Linux Server – Adding a New Domain and WordPress Site – Linode VPS – Ubuntu 18.04

I have a VPS server with Linode that I use to host about a dozen different websites. All but one of them run on WordPress. Occasionally, I get a request to add another domain and website to the server. It’s not terribly time consuming to do, but it does require a number of specific steps and I never remember all of them. To help me remember them (and perhaps to help someone else), I’m putting together this tutorial.

Step 1: Purchase the new domain. For this tutorial, I’m going to be adding a domain my brother-in-law requested: flyingyoga.us. He’s a pilot but is getting certified as a yoga instructor and wanted to set up a simple website. I use Google Domains to purchase and manage all my domains. So, step 1, decide on what company you want to use to purchase your domains and purchase your domain.

My domains in Google Domains.

Step 2: Change the DNS settings on the new domain to point to Linode’s nameservers. If using Google Domains, click on the domain, then click on DNS:

Select “DNS” to change the nameservers.

Under Name servers, select “Use custom name servers” and enter “ns1.linode.com” for the first Name server then add a second and enter “ns2.linode.com.” Hit Save.

Here are the custom name servers in Google Domains.

Step 3: You now need to add the domain and then add domain records to your Linode account. Log in to your account and select Domains.

Click on “Create Domain”:

Click “Create Domain” at the top right.

Enter the domain and the admin email address. Unless you need to do something special with the Records, select “Insert default records from one of my Linodes.” then select your Linode:

Basic domain creation information.

Assuming you don’t need anything special, the defaults should take care of this step and you’re done.

Step 4: Since I already have about a dozen websites running on the server, I’m not going to go into detail on how to install a LAMP stack – Apache, MySQL, and PHP. There are a number of tutorials for doing so. Instead, my next step is to SSH into my server (obviously replace “user” and the IP address with your own) and create the directories where the files for the new website will be hosted.

ssh user@192.168.0.1

Whenever I log into my server, I use that as an opportunity to run updates.

sudo apt-get update
sudo apt-get upgrade

Next, navigate to the directory where you store your public-facing web files. On my server, it’s /var/www/

cd /var/www/

In that directory, I’m going to create a new folder for the domain:

mkdir flyingyoga.us

I’m then going to navigate inside that folder and create two additional folders: (1) a “public” folder where the actual files go and (2) a “logs” folder for access and error logs.

cd flyingyoga.us
mkdir logs public

Now, navigate back to the main directory where you store all your website files and change the ownership of the directories:

cd ..
sudo chown -R www-data:www-data flyingyoga.us/

This allows Apache to access the information in the folders and since Apache is effectively the web server, that’s important. Don’t skip this step.

Step 5: Download the latest version of WordPress and untar it into the public folder. Where you download it and untar isn’t actually all that important as we’re going to move it to the public folder shortly.

sudo wget https://wordpress.org/latest.tar.gz
tar -xvf latest.tar.gz
mv wordpress/* /var/www/flyingyoga.us/public/
rmdir wordpress/
rm latest.tar.gz

Just to clarify the above commands: the first line downloads the latest version of WordPress. The second one unpacks WordPress into a folder called “wordpress.” The third line moves all of the files that were just unpacked into the newly created public folder for the domain. The fourth line deletes the now empty “wordpress” folder and the fifth line deletes the WordPress tar.gz download (nice and clean server).

Step 6: It would be nice if we were done, but we’ve got a ways to go yet. Next up, let’s create a MySQL database with a corresponding user. This can be done from the command line as well, but I prefer using phpMyAdmin.

You’ll need to look up where to find phpMyAdmin on your server.

Navigate to “User accounts” and scroll down to “Add user account.” Click on that and you’ll get this screen:

Click “add user account” to set up a new database and user.

Obviously, choose an appropriate user name. I typically let phpMyAdmin generate a nice strong password. Just below the “Login Information” box is a box that says “Database for user account.” Check “Create database with same name and grant all privileges.” Don’t check below that where it says “Global privileges – Check all.” That would give this user access to all databases you have on the server. Not a good security choice. Write down or copy the username and password to a text file as you’ll need it later. When you’ve got all that done, scroll down to the bottom and select “Go.” That will create your database, the user, with the password you wrote down (you wrote it down or copied it to a text file, right?). You now have the database WordPress is going to use for your website.

Here’s where you can create a new user and database in PHPMyAdmin

Step 7: Next up is creating the website information for Apache. Back to the SSH shell. Navigate to where the Apache websites are stored on your server:

cd /etc/apache2/sites-available

In there, you should see the configuration files for all the websites on your server. Since I already have sites configured, I typically just copy one of the existing configuration files and then edit it according to the new domain:

cp otherdomain.com.conf flyingyoga.us.conf
cp otherdomain.com-le-ssl-conf flyingyoga.us-le-ssl-conf

Since I’m using SSL on all my domains, I have two configuration files per domain. The above commands copy existing configuration files and create new ones for my new domain. Here’s the contents for the first one: flyingyoga.us.conf:

<Directory /var/www/flyingyoga.us/public>
    Require all granted
</Directory>
<VirtualHost *:80>
        ServerName flyingyoga.us
        ServerAlias www.flyingyoga.us
        ServerAdmin ryantcragun@gmail.com
        DocumentRoot /var/www/flyingyoga.us/public

        ErrorLog /var/www/flyingyoga.us/logs/error.log
        CustomLog /var/www/flyingyoga.us/logs/access.log combined

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =www.flyingyoga.us [OR]
        RewriteCond %{SERVER_NAME} =flyingyoga.us
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

And the contents for the second one – flyingyoga.us-le-ssl-conf

<IfModule mod_ssl.c>
<Directory /var/www/flyingyoga.us/public>
    Require all granted
</Directory>
<VirtualHost *:443>
        ServerName flyingyoga.us
        ServerAlias www.flyingyoga.us
        ServerAdmin ryantcragun@gmail.com
        DocumentRoot /var/www/flyingyoga.us/public

        ErrorLog /var/www/flyingyoga.us/logs/error.log
        CustomLog /var/www/flyingyoga.us/logs/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/ryantcragun.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ryantcragun.com/privkey.pem
</VirtualHost>
</IfModule>

Once you have these updated, you can then tell Apache to load the site:

sudo a2ensite flyingyoga.us.conf
sudo systemctl reload apache2

The first line tells Apache to enable the site. The second line reloads Apache’s configuration so the new site is picked up. NOTE: You don’t have to load the ssl configuration file (i.e., flyingyoga.us-le-ssl-conf).

Step 8: Since I have SSL encryption on all of my websites using LetsEncrypt, there is an extra step. This is always the one I forget. Since I’m adding a domain, I have to use the following commands to add a domain to my existing domains on the single SSL certificate that I use for all of my domains. First, let me find the name of my current certificate:

certbot certificates

That provides me the name of my current certificate as well as a list of all of my other domains. Next, I copy all of the existing domains so I can update the certificate and add the two new ones I need to add. The command to then get a new certificate with the added domains is:

certbot --expand -d existing.com,www.existing.com,flyingyoga.us,www.flyingyoga.us

Assuming everything works, this will expand the existing certificate with the new domain and issue a new SSL certificate with all the domains. (NOTE: no spaces between the domains.)

Step 9: Now you can test your server. I always do this by creating a simple html file with the classic “Hello World” in it and putting that into the public directory for the new website:

<!DOCTYPE html>
<html>
    <head>
        <title>Test Page</title>
    </head>
    <body>
        <p>Hello World!</p>
    </body>
</html>

Save that as “index.html” and put it in the public folder. Now, navigate to the new domain in your browser and, hopefully, you’ll see “Hello World!”

Yeah. Website is working!

If you saw “Hello World!” in your browser, everything is working. It’s always a good idea to check that the https redirect is working as well – so you know that your SSL certificate is good and working. The easiest way to do that is to click on the lock icon in your browser and then check the certificate information.

Step 10: Now, the final step to install WordPress – change the name of the index.html file to something else (e.g. “index.html-test”) then reload the page. You should now see the installation guide for WordPress that will ask for your database name, username, and password:

This is the last step to install WordPress on a new domain.

Enter the database information from Step 6 above. Assuming everything goes according to plan, WordPress will populate the database with the relevant fields and your site will be ready:

Here’s the backend of my new wordpress installation.


Linux – Setting Up FTP/SFTP Restricted Access for User

I run a server (Ubuntu 18.04) that hosts about a dozen websites using Linode. Most of the sites are run using WordPress and are my own or sites I manage for friends or family. I do, however, host one for a colleague who actively develops online content for that site.

As WordPress has developed, the ability to upload various file types has slowly been removed for security reasons. As a result, for certain types of files, it is now required to upload them using a different approach. I can do so using SSH, but GUI FTP/SFTP software was going to be easier in this situation as the person responsible for managing that site doesn’t have a lot of knowledge managing a website. I explained to this person, we’ll call her Sharon, that it would be possible for her to upload these files herself using FTP/SFTP. She was worried as she doesn’t know what that is or how to use it. But I explained it and, hopefully, she’ll grow more comfortable with it.

However, I don’t want a novice to gain access to all the files on my server. So, I was faced with the question of how to set up an FTP/SFTP account for someone that is restricted to just one folder – a folder where she can upload stuff and delete files, but with no access to anything else.

Here’s how I did it.

First, you should create a new user group on your server. This can be done with the following command:

sudo addgroup --system GROUPNAME

This will add a new user group called GROUPNAME (I called mine “ftpusers”). If this individual isn’t currently a user on your server, add them as a user as well:

sudo adduser --shell /bin/false USER

Replace “USER” with whatever name you’re using for this individual, for me it was “sharon.” You’ll need to create a password for your USER and fill in some additional information. Then add your USER to your GROUPNAME with the following command:

sudo usermod -a -G GROUPNAME USER

Or my command:

sudo usermod -a -G ftpusers sharon

So, you have now created a new group and a new user and added the new user to the new group. Of course, the next step is to restrict what your new USER can do. In particular, we want the user to have access to just a single directory. Here’s how that is done.

You can create a directory the user can use:

sudo mkdir -p /var/sftp/NEWFOLDER

This folder can be anywhere on your server. I put mine in a subfolder of their WordPress installation:

sudo mkdir -p /var/www/DOMAIN/public/wp-content/uploads/NEWFOLDER

Now, we need to tell the server to restrict USER to this NEWFOLDER when they login. First, let’s give ownership of that folder to the user with the chown command:

sudo chown USER:GROUPNAME /var/sftp/NEWFOLDER

We should also make sure the permissions for the new folder are what we want them to be. Mode 755 gives the owner read/write/execute and gives the group and everyone else read/execute only:

sudo chmod 755 /var/sftp/NEWFOLDER

If you navigate to that folder and check the settings, you should see that the owner is now the USER and the GROUPNAME (you can check with “ls -l”). It’s not a bad idea to also check to make sure that the folder above it is owned by “root” or your primary user, which will prevent your new USER from being able to make changes to that folder.

So far, we have a new USER and GROUPNAME and the user has a folder they can access. However, we need to tell the server that the user needs SFTP access and then need to force them to go to just that one folder when they login with SFTP.

To grant them SFTP access, you need to change the SSH settings:

sudo nano /etc/ssh/sshd_config

This will open the file “sshd_config” with a text editor (nano) so you can make changes. At the end of the file, you want to add the following text:

Match Group GROUPNAME
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp/NEWFOLDER
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

This allows users in the group GROUPNAME SFTP access to the folder you created for them.

Before you close the nano session with “sshd_config”, you may have to change one other setting. Look for a line that says:

Subsystem sftp /usr/lib/openssh/sftp-server

Mine was not commented out, so that setting was active. However, given the settings we just added to the file, we need to change that. Comment out that line:

#Subsystem sftp /usr/lib/openssh/sftp-server

Below that line, add the following line:

Subsystem sftp internal-sftp

I’m guessing that the original line specified a location for the sftp-server to be used by the server but we want the server to determine the best location for the sftp-server it is going to use and that’s what the second line does. (Alternatively, in the text added to “sshd_config” the line “ForceCommand internal-sftp” could probably be left off, meaning you wouldn’t have to do the step I just described. I haven’t tried that, but it may work.)

Anyway, when you’re done editing the “sshd_config” file, save it and exit from nano.

Finally, to make sure that the new USER is forced into the specified folder when they login, you have to make one more change. This changes the home directory for the user so they are forced into that directory when they login. Here’s the command.

sudo usermod -d /var/sftp/NEWFOLDER USER

This makes the folder you created (NEWFOLDER) the home directory for the USER so, when they log in using SFTP, they will be forced directly into that folder.

There you have it. You have a new user in a group with restricted SFTP access and the user will be forced directly into the folder you created where they can upload, modify, and delete content. They will not have access to anything else on the server, so the rest of your content will be safe.
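sshd only accepts a ChrootDirectory when every component of its path is owned by root and not writable by group or others (see sshd_config(5)), so a folder owned by USER cannot itself be the chroot once the Match block applies. The function below is an added example, not part of the original procedure; the name check_chroot and its optional OWNER_UID and TOP arguments are made up for illustration.

```shell
#!/bin/sh
# Added example: check a directory against sshd's ChrootDirectory rule.
# Usage: check_chroot DIR [OWNER_UID] [TOP]
#   OWNER_UID  uid every component must have (default 0, i.e. root)
#   TOP        highest directory to inspect (default /); non-default values
#              exist only so the check can be tried on a scratch tree
# Requires GNU stat (present on Ubuntu).
check_chroot() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 2
    fi
    dir=$(cd "$dir" && pwd -P)      # resolve symlinks and relative paths
    top=$(cd "$top" && pwd -P)
    rc=0
    while :; do
        uid=$(stat -c '%u' "$dir")
        mode=$(stat -c '%a' "$dir")
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $dir: owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # 022 = the write bit for group and for others
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $dir: mode $mode is group- or world-writable"
            rc=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && echo "OK: every component passes"
    return "$rc"
}
```

With the layout above, `check_chroot /var/sftp/NEWFOLDER` fails on the USER-owned folder, while the root-owned parent `/var/sftp` passes and can serve as the ChrootDirectory with NEWFOLDER as the writable folder inside it. `sudo sshd -t` checks the edited sshd_config for errors before the SSH service is restarted.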

Acknowledgments: I figured all of the above out with help from these sites: here, here, here, and here.
