AWS EC2 Setup 2 – install some servers

Once the core Linux server is up, we can install more packages. The AMI I use in this case is for Ubuntu 10.10. It has a nice command
sudo tasksel --section server
to help install some predefined servers, but I still prefer to install them myself.

My plan is to install the following servers first: Apache and Subversion, so I can use this server for SVN source code control. I also want to install the load-balancer Haproxy.

First, update the Linux packages
sudo apt-get -y update
sudo apt-get upgrade -y

Now install Apache
sudo apt-get -y install apache2 libapache2-mod-jk
(I install mod-jk because I want to use Tomcat later)
sudo a2enmod jk proxy proxy_http ssl
(to enable some modules)
sudo /etc/init.d/apache2 restart
(restart Apache server)

Now let’s test the Apache installation – wait, we don’t have the port 80 open. So, install curl
sudo apt-get install curl
then do a test
curl http://localhost
to verify that the Apache server is running fine.

Now we will add two “A” records through GoDaddy’s DNS Management Tool to point the domain name to this particular IP address.
Here is the address https://dns.godaddy.com/default.aspx?sa=
Click “Edit Zone” to get to the zone file. I created two A records, one for the “@” host, one for the “*” wildcard, both pointing to the same IP address.
It might take a while for the DNS records to take effect.

Back to the EC2
Next, I want to change the Apache server ports from 80/443 to other ports such as 6080/6443, because later I want to install the load-balancer Haproxy, which will occupy 80/443.
We will change two files: /etc/apache2/ports.conf and /etc/apache2/sites-enabled/000-default, replace “80”, “443” with “6080” and “6443”.
Save the changes, and restart Apache2 “sudo /etc/init.d/apache2 restart”
Then verify with “curl http://localhost”, and “curl http://localhost:6080”

Now install Subversion and create repository
sudo apt-get -y install subversion libapache2-svn
svnadmin create ~/svn-repository
sudo chown -R www-data:www-data ~/svn-repository
(to give access to Apache)
Add a couple of user accounts/passwords
sudo htpasswd -c /etc/subversion/passwd user-name-1
(because this is the first time we set a Subversion user name/password, the above command must have the -c option, which creates the password file)
sudo htpasswd /etc/subversion/passwd user-name-2

Now we need to integrate SVN to Apache – we will create a virtual host like http://svn.mydomain.com
We will add a “site” file “SVN” to the /etc/apache2/sites-available directory. It has content


serverName svn.mydomain.com

DAV svn
SVNParentPath /home/ubuntu
AuthType Basic
AuthName svn-repository
AuthUserFile /etc/subversion/passwd
Require valid-user

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
#ServerSignature On

Enable it with command
sudo a2ensite svn
sudo /etc/init.d/apache2 reload

Now we are done with the basic setup of Apache-Subversion, but we cannot use it yet because port 6080 is protected by the firewall – we want to install the load-balancer Haproxy as the front-end of our server.
Install haproxy with the commands
sudo apt-get -y install haproxy
sudo /etc/init.d/haproxy restart

Then go back to the AWS Management Console to add port 80 to allowed connections.

Now if we start a browser and visit http://www.mydomain.com or http://svn.mydomain.com, the requests will reach the load-balancer but will not go to Apache, because Haproxy is not yet configured to forward requests to Apache at port 6080.

Make sure to edit /etc/default/haproxy and change
ENABLED=1

cd /etc/haproxy
sudo cp haproxy.cfg haproxy.cfg.original
(for backup purpose only)

The haproxy.cfg file already has some nice example settings, but we will use a different way to configure our virtual hosts – we will add “ACL” rules

listen host 0.0.0.0:80
    option httpchk
    balance roundrobin
    # cookie SERVERID insert indirect nocache
    # the ACLs match the Host header, which carries only the host name (no "http://")
    acl acl_www hdr_dom(host) -i www.mydomain.com
    acl acl_svn hdr_dom(host) -i svn.mydomain.com
    use_backend www_server if acl_www
    use_backend svn_server if acl_svn
    default_backend default_server
    # server inst1 127.0.0.1:8080 cookie server01 check inter 2000 fall 3
    # server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
    capture cookie vgnvisitor= len 32

    option httpclose # disable keep-alive
    rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address

listen ssl 0.0.0.0:443
    mode tcp
    option ssl-hello-chk
    balance source
    server inst1 127.0.0.1:6443 check inter 2000 fall 3
    # server inst2 192.168.110.57:443 check inter 2000 fall 3
    # server back1 192.168.120.58:443 backup

backend www_server
    mode http
    balance roundrobin
    server server2 127.0.0.1:6080 check

backend svn_server
    mode http
    server server1 127.0.0.1:6080 check

backend default_server
    mode http
    # Apache listens on 6080; port 80 on this host is Haproxy's own listener
    server server1 127.0.0.1:6080 check

This basically tells Haproxy to forward any “www” and “svn” requests to 127.0.0.1 port 6080.
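
Added example, not part of the original post: a small shell/awk linter for three haproxy.cfg mistakes that quietly break this kind of Host-based routing (a URL scheme inside a Host ACL pattern, "cookie check" written where "check" was meant, and a backend server that points at a port HAProxy itself listens on). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Prints one finding per line.
lint_haproxy_cfg() {
  awk '
    /^[ \t]*#/ { next }                      # comment-only line
    { sub(/[ \t]#.*$/, "") }                 # strip trailing comment
    NF == 0 { next }
    $1 == "listen" || $1 == "frontend" || $1 == "backend" {
      section = $2    # old-style "listen NAME ADDR:PORT" binds on this line
      if ($1 == "listen" && $3 ~ /:[0-9]+$/) { p = $3; sub(/^.*:/, "", p); bound[p] = section }
      next
    }
    $1 == "bind" && $2 ~ /:[0-9]+$/ { p = $2; sub(/^.*:/, "", p); bound[p] = section; next }
    $1 == "acl" && tolower($3) ~ /^hdr[a-z_]*\(host\)$/ {   # Host is host[:port], never a scheme
      for (i = 4; i <= NF; i++)
        if ($i ~ /:\/\//) printf "acl %s: pattern %s contains a URL scheme\n", $2, $i
      next
    }
    $1 == "server" {    # a "check" right after "cookie" is taken as the cookie value
      n++; sname[n] = section "/" $2; saddr[n] = $3; hc = 0; cv = ""
      for (i = 4; i <= NF; i++) {
        if ($i == "cookie") { cv = $(i + 1); i++ } else if ($i == "check") hc = 1
      }
      if (cv == "check" && !hc)
        printf "server %s: \"cookie check\" sets a cookie value, health checks stay off\n", sname[n]
    }
    END {
      for (k = 1; k <= n; k++) {
        host = saddr[k]; port = saddr[k]
        sub(/:[0-9]+$/, "", host); sub(/^.*:/, "", port)
        if ((host == "127.0.0.1" || host == "localhost") && (port in bound))
          printf "server %s: %s is the proxy listener \"%s\", requests loop\n", sname[k], saddr[k], bound[port]
      }
    }' "$1"
}
write_sample_cfg() {    # constructed sample modelled on the listing, mistakes included
  cat > "$1" <<'EOF'
listen host 0.0.0.0:80
    acl acl_www hdr_dom(host) -i http://www.mydomain.com
    acl acl_svn hdr_dom(host) -i svn.mydomain.com
    use_backend www_server if acl_www
    default_backend default_server
backend www_server
    server server2 127.0.0.1:6080 check
backend default_server
    server server1 127.0.0.1:80 cookie check
EOF
}
cfg=$(mktemp) && write_sample_cfg "$cfg" && lint_haproxy_cfg "$cfg"; rm -f "$cfg"
```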
Now start haproxy
sudo /etc/init.d/haproxy start
ps -ef|grep haproxy
However, it shows nothing, and no error is logged either. What is happening here is that haproxy by default logs to a syslog server on UDP port 514, while Ubuntu by default uses “rsyslogd”. So we need to configure rsyslogd to accept haproxy log messages. To do so, put the content below into the file /etc/rsyslog.d/haproxy.conf
#put below content to a file /etc/rsyslog.d/haproxy.conf
# .. otherwise consider putting these two in /etc/rsyslog.conf instead:
$ModLoad imudp
$UDPServerRun 514

# ..and in any case, put these two in /etc/rsyslog.d/haproxy.conf:
local0.* -/var/log/haproxy_0.log
local1.* -/var/log/haproxy_1.log

Now start Haproxy and check the process is running, also verify the log at
tail -f /var/log/haproxy*.log

Once haproxy is running correctly, we can verify it through browsing http://www.mydomain.com and http://svn.mydomain.com
