
- 安裝 node

# 可以先到 GitHub 確認一下 node 目前仍在維護的版本(13.x 並非 LTS 版本,且已停止維護,不會再收到安全性修補)
# 注意:下面這行會把遠端腳本直接交給 root 權限的 bash 執行,建議先下載並檢視腳本內容後再執行
curl -sL https://deb.nodesource.com/setup_13.x | sudo -E bash -
sudo apt-get install -y nodejs

 

- 安裝 laravel-echo-server

sudo mkdir -p /usr/src/app
sudo chown ubuntu:ubuntu  /usr/src/app -R
sudo npm install -g laravel-echo-server
laravel-echo-server init
laravel-echo-server start

 

- 安裝 Redis

sudo apt update
sudo apt install redis-server

 

- 配置 Redis

sudo vi /etc/redis/redis.conf
# 開啟 supervised,把原本的 no 設定成 systemd(ubuntu)
supervised systemd

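# 開放外部連線,修改原本的 bind 127.0.0.1 ::1
# 注意:bind 0.0.0.0 會讓 Redis 監聽所有網路介面。本文的 laravel-echo-server 是以 localhost 連線,
# 若沒有其他主機需要連入,保留原本的 bind 即可;若必須開放,請用防火牆或安全群組限制可連到 6379 的來源 IP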
bind 0.0.0.0

# 設定 Redis 密碼,修改原本的 requirepass foobared 為指定的 password 字串
# (請改用夠長的隨機字串,不要直接沿用範例中的 password;Redis 對密碼猜測沒有速率限制)
requirepass password
# 重新啟動 Redis 服務
sudo service redis restart

 

- 安裝 Supervisor

sudo apt-get install supervisor

 

- 配置 Supervisor

# 新增 log 檔案
mkdir /usr/src/app/logs
touch /usr/src/app/logs/laravel-echo-server.log

 

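# 新增設定檔
# 注意:下方範例以 user=root 執行 laravel-echo-server;6001 不是特權埠,可以考慮改用非 root 帳號執行,
# 但需先確認該帳號能讀取 /etc/letsencrypt 下的憑證與私鑰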
sudo vi /etc/supervisor/conf.d/laravel-echo-server.conf

 

[program:laravel-echo-server]
process_name=%(program_name)s_%(process_num)02d
directory=/usr/src/app
command=laravel-echo-server start
autostart=true
autorestart=true
user=root
numprocs=1
redirect_stderr=true
stdout_logfile=/usr/src/app/logs/laravel-echo-server.log
stdout_logfile_maxbytes = 20MB
stdout_logfile_backups = 20

 

# 重啟 Supervisor 並觀察狀態
sudo service supervisor restart
sudo service supervisor status

 

- 安裝 nginx

sudo apt-get update
sudo apt-get install nginx

 

- 安裝 certbot

sudo apt-get update
sudo apt-get install software-properties-common
# 載入 certbot 的 ppa(此 PPA 已被 Certbot 官方標示為不再維護,新安裝請依 Certbot 官網目前建議的方式)
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
# 安裝 python 的 certbot for nginx
sudo apt-get install python-certbot-nginx

 

# 只要產生憑證檔
sudo certbot certonly --nginx -d www.test.com

 

- 配置 laravel-echo-server

laravel-echo-server init
vi /usr/src/app/laravel-echo-server.json

 

{
        "authHost": "https://www.test.com", // 修改成專案的 domain(本範例中的 // 註解僅供說明,標準 JSON 不支援註解,實際檔案中請勿保留)
        "authEndpoint": "/broadcasting/auth",
        "clients": [
                {
                        "appId": "myAddId", // init 時自動產生
                        "key": "myKey" // init 時自動產生
                }
        ],
        "database": "redis",
        "databaseConfig": {
                "redis": {
                        "port": "6379",
                        "password": "password", // 修改成 redis 的 password(此檔含 Redis 密碼與 client key,建議限制檔案的讀取權限)
                        "host": "localhost",
                        "db": 9 // 指定 redis 使用的 db index
                },
                "publishPresence": true,
                "sqlite": {
                        "databasePath": "/database/laravel-echo-server.sqlite"
                }
        },
        "devMode": true, // 開發用的額外 log 輸出;正式環境建議改為 false
        "host": null,
        "port": "6001",
        "protocol": "https",
        "socketio": {},
        "secureOptions": 67108864,
        "sslCertPath": "/etc/letsencrypt/live/www.test.com/fullchain.pem", // 設定剛剛 certbot 產生的檔案路徑
        "sslKeyPath": "/etc/letsencrypt/live/www.test.com/privkey.pem", // 設定剛剛 certbot 產生的檔案路徑
        "sslCertChainPath": "",
        "sslPassphrase": "",
        "subscribers": {
                "http": true,
                "redis": true
        },
        "apiOriginAllow": {
                "allowCors": false,
                "allowOrigin": "",
                "allowMethods": "",
                "allowHeaders": ""
        }
}

 

# 重啟 laravel-echo-server 並觀察狀態
sudo laravel-echo-server stop
sudo laravel-echo-server start

 

- 設定 certbot 自動更新

sudo crontab -l

 

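# certbot renew at 00:00 on day-of-month 20 in every 2nd month
# NOTE: certbot renew only replaces certificates that are close to expiry (within 30 days by default),
# and Let's Encrypt certificates are valid for 90 days, so a run every two months can miss the renewal
# window and let the certificate expire. Running it daily is safe: it does nothing when no certificate is due.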
0 0 20 */2 * /usr/bin/certbot renew --quiet --no-self-upgrade

 

# 確認目前憑證期限
sudo certbot certificates

 

- certbot 更新憑證後需要重啟服務

# 新增 restart_services.sh 在更新後執行
sudo vi /etc/letsencrypt/renewal-hooks/post/restart_services.sh

 

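#!/bin/sh
# Certbot post-renewal hook: restart the services that load the renewed
# certificate so they pick up the new files.

service nginx restart

# laravel-echo-server is run from /usr/src/app elsewhere on this page (the
# Supervisor "directory" setting and the location of laravel-echo-server.json).
# Stop here if that directory is missing, so the restart is never issued from
# an unrelated working directory.
cd /usr/src/app || exit 1

# NOTE(review): the Supervisor config on this page also manages this process
# (autorestart=true) — confirm that restarting it here does not conflict.
laravel-echo-server restart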

 

touch ~/last_run_certbot_renew_date_time.log

 

# 透過測試更新驗證 restart_services.sh 是不是真的被正確執行
sudo /usr/bin/certbot renew --dry-run

 

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.test.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/www.test.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.test.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/restart_services.sh

 

- 設定 nginx 反向代理

sudo vi /etc/nginx/sites-enabled/default

 

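# Default HTTP server that also reverse-proxies /ws/ to laravel-echo-server.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    # The terminating ';' is required: without it nginx reads the following
    # "server_name _" tokens as extra arguments of the index directive.
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location /ws/ {
        # Reverse-proxy to port 6001 on the same host; the trailing '/'
        # replaces the matched /ws/ prefix in the upstream request URI.
        # NOTE(review): the upstream scheme here is http, while the
        # laravel-echo-server.json shown on this page sets "protocol": "https"
        # with a certificate — confirm the two match.
        proxy_pass http://localhost:6001/;

        # WebSocket upgrade handshake (fixes the HTTP 400 seen on wss).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Pass the client IP and protocol headers on to the proxied server.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $http_x_forwarded_proto relays whatever X-Forwarded-Proto the
        # incoming request carried.
        # NOTE(review): that value is only trustworthy when a trusted
        # TLS-terminating proxy in front of nginx sets it; if clients reach
        # nginx directly they control it, and $scheme is the safer source.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}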

 

sudo service nginx reload