Tuesday, 7 June 2016

Creating a Web Drive on AWS

I don't trust cloud storage services, and you shouldn't either. So here is a guide to creating your own online drive.

I should note, there are a couple services out there like ownCloud and soon to be NextCloud which will likely fulfill your cloud storage needs, but I found them to be cumbersome for my small use case. Plus doing it myself was a great way to learn some new things.

I chose AWS as a hosting solution because I already use them for my website and other random projects.

1. Create an EC2 Instance

In the AWS console, navigate to EC2 then click Launch Instance.

Note: Make sure you have selected the region you want the instance to be created in.

Select an Ubuntu Server AMI instance.
Select an Instance Type. I'm choosing t2.micro because it should fit my needs. This size is also in the free tier for those that are new to AWS.
Click Next
Click Next
Add some tags to your instance for identification. e.g. Name=CloudDrive
Configure Security Group. Add HTTP to your security group.
Launch the instance and generate a new key pair. It is always good practice to generate a new keypair for each instance.
Write down the created instance's public IP address for future reference.

2. (Optional) Update your DNS Records

This will allow a friendly name for your site. e.g. webdrive.standen.link

In Route 53, or your favourite domain registrar, add a CNAME with a value of the public DNS of the instance you just created.

3. Install Apache with SSL

SSH into your instance, using the public IP address obtained earlier.

3.1 SSH using PuTTY on Windows (Skip this step if you are not using PuTTY on Windows)

Access PuTTY Key Generator and load your keypair downloaded earlier. (xxx.pem)
Click Save private key to store a xxx.ppk file that PuTTY can use.
When accessing your instance via PuTTY you will need to add this file under Connection > SSH > Auth in the "private key file for authentication" box.

3. Cont. 

Login as user ubuntu

Obtain root permissions
sudo -s

Update apt-get cache
apt-get update

Install Apache with SSL
apt-get install apache2 libapache2-mod-auth-mysql apache2-utils

4. Get a Certificate for SSL

There are a couple options for this. Each is outlined or linked below. I recommend option 3.

4.1 Generate and Self Sign your own Certificate. 

Browsers will not trust your certificate by default.
This will still enable secure communication.

Execute the following commands and fill in information as requested.

sudo openssl genrsa -des3 -out server.key 2048
sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Copy the certificate into the correct folder
cp server.crt /etc/ssl/certs
cp server.key /etc/ssl/private

4.2 Use a Certificate Provided by your Favourite Certificate Authority

Costs money. Why would you pay for something that is (and should be) free? Look below.

4.3 Use Let's Encrypt

Install git on your instance
apt-get install git

Clone the certbot repository
git clone https://github.com/certbot/certbot

Update certbot and install your certificate
cd certbot
./certbot-auto --apache

During this you will have to supply the URL you will be accessing your instance from. This will either be your instance public IP address, or the address you specified in optional step 2.

Provide a valid email address! Just in case something goes wrong.

Agree to the terms and conditions, select Secure connection only.

4. Cont. 

Confirm your SSL configuration is adequate at https://www.ssllabs.com/ssltest/analyze.html?d=<your_website_here>

5. Set up WebDav

a2enmod dav
a2enmod dav_fs

Create a directory to share, and apply the appropriate permissions
mkdir /home/ubuntu/share
chown www-data:ubuntu /home/ubuntu/share

Set up a password
a2enmod auth_digest
mkdir /etc/password

Create a password for each user
htdigest -c /etc/password/digest-password CloudShare user1

Note: Additional users do not use the -c flag, as this overwrites the file.

Apply appropriate permissions to the password file
chown www-data:ubuntu /etc/password/digest-password

Edit the default-ssl config file (your config file may be default-ssl.conf)
nano /etc/apache2/sites-enabled/000-le-default-ssl.conf

Find the line CustomLog /var/log/apache2/ssl_access.log combined and under that place the following:

Alias /share /home/ubuntu/share

<Directory /home/ubuntu/share/>
  Options Indexes MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
</Directory>

<Location /share>
  DAV On
  AuthType Digest
  AuthName "CloudShare"
  AuthUserFile /etc/password/digest-password
  Require valid-user
</Location>

Now restart Apache
/etc/init.d/apache2 restart
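
An added example (not from the original post): a shell check for the digest password file created in step 5. It confirms that every entry uses the realm given in AuthName and flags a world-readable file; the function names and sample entries are constructed for illustration, and it assumes md5sum and GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post. Sample entries are constructed.
# Assumes md5sum and GNU stat, as shipped on Ubuntu.

# The value htdigest stores per user: MD5("user:realm:password").
ha1() {
  printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Usage: check_digest_file FILE REALM
# Prints one line per problem; returns 0 only when none are found.
check_digest_file() {
  file=$1; realm=$2; problems=0; n=0
  mode=$(stat -c '%a' "$file") || return 2
  case $mode in
    *[4567])  # "other" read bit set: any local user can copy the hashes
      echo "mode $mode: file is world-readable"
      problems=$((problems + 1)) ;;
  esac
  while IFS=: read -r user frealm hash extra || [ -n "$user" ]; do
    n=$((n + 1))
    [ -z "$user$frealm$hash" ] && continue
    if [ -n "$extra" ] || ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{32}$'; then
      echo "line $n: malformed entry"
      problems=$((problems + 1))
    elif [ "$frealm" != "$realm" ]; then
      # mod_auth_digest looks entries up by user AND realm, so this user
      # can never log in even with the right password.
      echo "line $n: user '$user' has realm '$frealm', expected '$realm'"
      problems=$((problems + 1))
    fi
  done < "$file"
  [ "$problems" -eq 0 ]
}

# Constructed demo: user2 was added with a mistyped realm.
demo=$(mktemp)
printf 'user1:CloudShare:%s\n' "$(ha1 user1 CloudShare example-pass)" > "$demo"
printf 'user2:Cloud Share:%s\n' "$(ha1 user2 'Cloud Share' example-pass)" >> "$demo"
chmod 644 "$demo"
check_digest_file "$demo" CloudShare || echo "problems found in $demo"
rm -f "$demo"
```

On the server, run check_digest_file /etc/password/digest-password CloudShare as root. Setting the file to mode 640 clears the permission finding while keeping it readable by its owner, www-data.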

That's it!!

Well, kind of.

For information on how to map your cloud drive to your instance, check here http://www.webdavsystem.com/server/access/

You can also remove the default Apache configuration for a cleaner look. You might also want to replace the instance storage with S3 or EBS storage.
I'm investigating the latter and will hopefully provide an update here when that's done.

Let me know if you have any problems in the comments below.