Linux - Creating User for a Webserver
Updated at 2015-07-25 13:33
It's pretty much common knowledge that you shouldn't run your servers as root. Here are small snippets that help create a dedicated webserver user.
groupadd webservers
useradd -m -g webservers webserver-main
# add the user to the other groups it needs to function
# NOTE: docker is root-equivalent (any member can run a container with / mounted), so only add it if the server really has to talk to the Docker daemon
usermod -a -G docker webserver-main
usermod -a -G crontab webserver-main
passwd webserver-main
# <LONG_AND_SECURE_PASSWORD>
# lock the account so it cannot be accessed with the password (root can still su into it)
usermod -L webserver-main
su - webserver-main # now you can switch to that user; the "-" gives a login shell, so ~/.bash_profile is read
whoami # => webserver-main
groups # => webservers docker crontab
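After the account exists it is worth checking two things the snippets above depend on: that the password really is locked, and that the supplementary groups do not quietly hand the account root. The script below is an added example (not from the original post) that does both by parsing /etc/shadow- and /etc/group-style text. The group list ROOT_EQUIV_GROUPS and the sample shadow/group lines are constructed for the example; run it against the real files as root with audit_user webserver-main "$(cat /etc/shadow)" "$(cat /etc/group)".

```shell
#!/bin/sh
# Added example, not part of the original post: audit a service account for a
# locked password and for membership in groups that are effectively root.
# Works on text passed in as arguments, so it runs offline on the constructed
# sample below and on the real /etc/shadow and /etc/group when given them.

# Groups whose members can become root without a password prompt (assumed list;
# extend for your distro). `docker` is here because a member can run
# `docker run -v /:/host ...` and own the host.
ROOT_EQUIV_GROUPS="root wheel sudo admin docker lxd disk"

# shadow_locked USER SHADOW_TEXT -> 0 if the password field starts with '!' or '*',
# 1 if the password is usable, 2 if the user is not in SHADOW_TEXT
shadow_locked() {
    user=$1 shadow=$2
    hash=$(printf '%s\n' "$shadow" | awk -F: -v u="$user" '$1 == u { print $2 }')
    [ -n "$hash" ] || return 2
    case $hash in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# user_groups USER GROUP_TEXT -> space-separated supplementary groups of USER
user_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# root_equiv_groups USER GROUP_TEXT -> the subset of USER's groups that are root-equivalent
root_equiv_groups() {
    out=
    for g in $(user_groups "$1" "$2"); do
        for r in $ROOT_EQUIV_GROUPS; do
            [ "$g" = "$r" ] && out="$out$g "
        done
    done
    printf '%s' "${out% }"
}

# audit_user USER SHADOW_TEXT GROUP_TEXT -> prints findings, returns 0 only if clean
audit_user() {
    rc=0
    if shadow_locked "$1" "$2"; then
        echo "ok: password for $1 is locked"
    else
        echo "WARN: password for $1 is usable (or user missing)"; rc=1
    fi
    bad=$(root_equiv_groups "$1" "$3")
    if [ -n "$bad" ]; then
        echo "WARN: $1 is in root-equivalent group(s): $bad"; rc=1
    else
        echo "ok: $1 has no root-equivalent groups"
    fi
    return $rc
}

# Constructed sample files (hashes are fake), mirroring the snippets above.
SAMPLE_SHADOW='root:$6$fakehash:16600:0:99999:7:::
webserver-main:!$6$fakehash:16600:0:99999:7:::
deploy:$6$fakehash:16600:0:99999:7:::'
SAMPLE_GROUP='root:x:0:
sudo:x:27:deploy
docker:x:999:webserver-main
crontab:x:101:webserver-main
webservers:x:1001:'

for u in webserver-main deploy; do
    audit_user "$u" "$SAMPLE_SHADOW" "$SAMPLE_GROUP" || echo "=> $u needs attention"
done
```

On the sample, webserver-main passes the lock check but is flagged for the docker group; deploy has a usable password and is in sudo. Drop the docker group (or accept that the account is root-equivalent and treat it that way) before calling the setup hardened.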
Most likely you want to set up some SSH keys for git repos etc.:
cd ~
mkdir .ssh # a directory, not a file (mkfile is not a Linux command)
chmod 700 .ssh # ssh refuses keys and config files that other users can read or write
cd .ssh
ssh-keygen
# type the file name at the first prompt, e.g. id_source_destination
# Enter, Enter, Enter # empty passphrase: the usual trade-off for an unattended server, so register the public key as a read-only deploy key on the git host rather than on a personal account
touch config
chmod 600 config
vim config
# Host bitbucket.org
#     IdentityFile ~/.ssh/id_source_destination
Now you are ready to install git and clone your server's repository onto the server. Keep all files inside ~/ and never sudo anything as this user (it has no sudo rights, and that is the point); as long as everything lives under its own home directory, you are good.
If multiple webserver users need to access the same files, change the files' group to a shared group (e.g. webservers) and grant group permissions on them, instead of opening them up to everyone.
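The SSH section and the shared-files note above both come down to file modes that are easy to get subtly wrong, so here is an added example (not from the original post) covering both: a check that ~/.ssh has the modes ssh insists on, a fixer for it, and a helper that creates a group-shared directory with the setgid bit so new files inherit the group rather than the creator's primary group. The paths, the key name id_deploy_bitbucket and the use of your own primary group in the demo are assumptions for the example; on the real box you would pass /home/webserver-main/.ssh and the webservers group.

```shell
#!/bin/sh
# Added example, not part of the original post: permission hygiene for the
# webserver user's home directory. Uses only `ls -ld`, chmod and chgrp.

# mode_bits PATH -> the 9 permission characters from `ls -ld`, e.g. rwx------
mode_bits() {
    ls -ld "$1" | cut -c2-10
}

# check_ssh_dir DIR -> 0 if DIR is 700 and every private key, config and
# authorized_keys file in it is owner-only; prints each violation.
# Public keys (*.pub) and known_hosts are public data and are skipped.
check_ssh_dir() {
    dir=$1 rc=0
    if [ "$(mode_bits "$dir")" != "rwx------" ]; then
        echo "BAD: $dir is $(mode_bits "$dir"), want rwx------"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.pub|known_hosts*) continue ;;
        esac
        case $(mode_bits "$f") in
            rw-------|r--------) ;;
            *) echo "BAD: $f is $(mode_bits "$f"), want rw-------"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_ssh_dir DIR -> apply the modes check_ssh_dir expects
fix_ssh_dir() {
    chmod 700 "$1"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.pub|known_hosts*) ;;
            *) chmod 600 "$f" ;;
        esac
    done
}

# make_shared_dir DIR GROUP -> group-owned, setgid (mode 2770), nothing for others.
# Files created inside by any member get GROUP regardless of the creator's
# primary group; pair it with `umask 007` in the members' .bashrc so those
# files are group-writable too.
make_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Demo on a scratch directory; no real keys are touched.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    : > "$tmp/.ssh/config"
    : > "$tmp/.ssh/id_deploy_bitbucket"
    : > "$tmp/.ssh/id_deploy_bitbucket.pub"
    chmod 755 "$tmp/.ssh"                                   # deliberately wrong
    chmod 644 "$tmp/.ssh/config" "$tmp/.ssh/id_deploy_bitbucket"
    check_ssh_dir "$tmp/.ssh" || echo "=> fixing $tmp/.ssh"
    fix_ssh_dir "$tmp/.ssh"
    check_ssh_dir "$tmp/.ssh" && echo "=> $tmp/.ssh is clean"
    make_shared_dir "$tmp/shared" "$(id -gn)"               # own group stands in for webservers
    echo "shared dir mode: $(mode_bits "$tmp/shared")"      # rwxrws---
    rm -rf "$tmp"
}
demo
```

The check is what ssh itself enforces: a group- or world-readable private key is rejected with "UNPROTECTED PRIVATE KEY FILE", and a config writable by others with "Bad owner or permissions". The setgid directory is the mechanism behind "change the files' group": without it every file a member creates reverts to that member's primary group and the sharing silently breaks.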
To set up environment variables permanently (these only affect shells; a Docker container gets nothing from them, which is why the run command below passes -e):
cd ~
touch .bashrc # for non-login shells
vim .bashrc
# export ENV=production
touch .bash_profile # for login shells (su -, ssh)
vim .bash_profile
# if [ -f ~/.bashrc ]; then
#     source ~/.bashrc
# fi
Now start your server, e.g. with Docker:
# bind the published port to localhost only: nginx below proxies to 127.0.0.1:8080, and a bare
# "-p 8080:2368" would publish it on every interface, in front of host firewall rules such as ufw
docker run \
    --name my-webserver \
    -p 127.0.0.1:8080:2368 \
    --restart=always \
    -d \
    -v /home/webserver-main/my-webserver:/var/lib/webserver \
    -e NODE_ENV=production \
    <OWNER>/<IMAGE>:<TAG>
And configure nginx:
sudo apt-get install nginx
# /etc/nginx/nginx.conf
user www-data; # workers run as www-data; only the master needs root, to bind port 80
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
# /etc/nginx/conf.d/nginx-my-webserver-docker-upstream.conf
upstream docker {
    server 127.0.0.1:8080; # the port published by docker run above
    keepalive 256; # idle connections kept open to the container; needs proxy_http_version 1.1 and a cleared Connection header
}
# /etc/nginx/sites-available/my-webserver.conf
# cd /etc/nginx/sites-enabled
# ln -s ../sites-available/my-webserver.conf .
# websocket support: if the client sent Upgrade, pass "Connection: upgrade" to the backend;
# otherwise send an empty Connection header so the keepalive upstream connections can be reused
map $http_upgrade $connection_upgrade {
    default "upgrade";
    "" "";
}
server {
    listen 80;
    gzip on;
    gzip_comp_level 4;
    # text/html is always compressed and listing it makes nginx warn about a duplicate MIME type, so it is left out
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    access_log /var/log/nginx/access.log;
    location / {
        proxy_pass http://docker;
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}