Setting up WordPress in Azure with SSL for ~$8 a Month

  • Basic plan (allowing for Always on and SSL): ~$50/month
  • MySQL for Azure: ~$25
  • With this solution, you will create everything on one virtual machine, allowing for dynamic scaling as needed for the machine. This does of course come with some downside:

    • You will need to handle backing up of both the files on the server and the data in the database.

    Creating the VM

    First, create the VM and Resource Group:

    • RG name: <app>-<env>-<location>-rg
    • VM name: <app>-<env>-<location>-vm
    • Image: Ubuntu 18.04 LTS
    • VM size: B1s
    • VNet name: <app>-<env>-<location>-vnet
    • Diagnostics Storage Account: <app><env><location>vmdiag
    • Allow Inbound Port Access for HTTP, HTTPS, SSH
    • Login access through Azure Active Directory

    Once the VM is created, access the NSG and add a restriction to IP to only allow your local IP to access:

    Access VM and Install LAMP Server

    Retrieve the public IP address and SSH into the server:

    ssh <user>@<public_ip>

    Install LAMP Server:

    sudo apt update && sudo apt install lamp-server^

    To ensure the installation happened successfully, run the following commands:

    apache2 -v
    mysql -V
    php -v

    Once LAMP server is installed, verify that you can connect to HTTP using the public IP address – you should see the Apache2 Ubuntu Default Page:

     

    Set up MySQL

    Once the web server is running, the next step is configuring MySQL. Run the following command, installing the Validate Password Plugin and using “Medium” policy:

    sudo mysql_secure_installation

    When installing, use medium strength, and default yes to all options except “Disallow root login remotely?” Generate a password.
    The next step is configuring access to MySQL through external servers (such as from a VPN). This assumes you’ll be using the NSG from Azure to restrict access based on desired IP addresses.
    Run a query to allow access:

    sudo mysql -u root -p
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION; FLUSH PRIVILEGES;

    Edit MySQL configuration:

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

    Comment out the line that says ‘bind-address’.
    After making that change, restart MySQL:

    sudo service mysql restart

    Finally, create an NSG rule that allows for external access to port 3306:

    Once the installation is done, let’s verify that the MySQL server can be accessed. I usually use MySQL Workbench and connect to the server using the following information:

    • Hostname: public IP

    After MySQL is set up, set up any database that may be needed.
    Here, you’ll want to set up the WordPress database server, whether you are starting fresh or migrating from an old instance.
    If running into an issue with packet size, run the following command in MySQL and restart:

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

    The final step is creating a DB user specifically for the WordPress installation – this use would only have access to the specific database that WordPress uses. Create a user with the following:

    • Allow access to the DB used for the WordPress installation.

    Installing WordPress

    After finishing setting up the LAMP server, next is installing WordPress. Assuming you’ve downloaded the source, you can use the following:

    scp -r .\wordpress-download\ vmadmin@YOUR_SERVER_IP:~

    Now you’ll need to SSH into the server and move the files into /var/www/html:

    sudo mv -v ~/wordpress-download/* /var/www/html/

    Before doing the 5-minute install, run the following to allow for Apache to have write permissions:
    Check the group that Apache is running under:

    cat /etc/apache2/apache2.conf | grep ^Group -B 2
    cat /etc/apache2/envvars | grep GROUP
    # Give that group access
    sudo chown -R www-data:www-data /var/www/html
    sudo find /var/www/html -type d -exec chmod 755 {} \;
    sudo find /var/www/html -type f -exec chmod 644 {} \;
    

    Now perform the 5-minute install to ensure everything is working, you can access the site using the IP address to ensure everything in place.
    While doing this, make sure you can do the following:

    • Configure Apache to use .htaccess files. Change the following in apache2.conf to change AllowOverride to All:
      • <Directory /var/www/>
          Options Indexes FollowSymLinks
          AllowOverride None
          Require all granted
        </Directory>
    • Access a page outside of the home page (sudo a2enmod rewrite && sudo systemctl restart apache2)
    • Upload a media file to test uploads

    Enabling Mail (using G Suite)

    First, set up DNS to use email. For this example, we are using Google Suite for email. Add the following 5 MX records:

    • Host: @
    • Records (priority-URL)
      • 1-ASPMX.L.GOOGLE.COM.
      • 5-ALT1.ASPMX.L.GOOGLE.COM.
      • 5-ALT2.ASPMX.L.GOOGLE.COM.
      • 10-ALT3.ASPMX.L.GOOGLE.COM.
      • 10-ALT4.ASPMX.L.GOOGLE.COM.

    Then, do the following:
    https://wpforms.com/how-to-securely-send-wordpress-emails-using-gmail-smtp/

    Setting up SSL

    Once the web server can be reached and LAMP is installed, the next step is securing the site using SSL. Run the following to enable SSL, enable the SSL site, and restart Apache:

    sudo a2enmod ssl
    sudo a2ensite default-ssl
    sudo systemctl reload apache2

    Once that’s done, access the public IP using HTTPS – you should get an insecure cert warning.
    Now that we’ve determined the port is listening, let’s set up Let’s Encrypt. Using CertBot usually makes this much easier. Since in this case, we’re using Apache and Ubuntu 18.04, we just need to populate those values and run the commands provided by CertBot:

    With these commands, you’ll also need to set up DNS for the domain to use. With the public IP address, create the following:

    • create an A record with the host as @ and the IP address as the web server IP address.

    After this finishes, run the CertBot job to create the certificate. After that finishes, allow for the ability to redirect to HTTPS using the CertBot plugin.
    Reference:

    ]]>

    Leave a Reply

    Your email address will not be published. Required fields are marked *