This tutorial will guide you through setting up your VPS:
*The OS will be Ubuntu and the web server will be Nginx
Steps covered: Create User, Generate SSH Key, Test SSH Login, Set Firewall, Install Nginx, Add File Nginx, Install Certificate, Setup Available Site, Website Traffic
Welcome to the guide for setting up your VPS.
In case you haven't realized, a VPS is pretty much an empty server with the default OS.
So if it feels like 90% of what you're doing is something you thought the server should already have, that's because it is.
Ubuntu is a Linux-based operating system (OS) providing the base infrastructure. It manages hardware resources.
Nginx is high-performance software that runs on an OS to serve web content, act as a reverse proxy, and balance load. It manages web traffic.
If you want a video tutorial, you can watch the Hostinger VPS Set Up Commands Guide (by Caleb)
https://www.youtube.com/watch?v=oDzkmotLgks
Tip: right-click to paste in PowerShell; type exit to quit SSH and go back to PowerShell
______________________
Tutorial Step starts here:
Open the Bash Ubuntu Terminal (you can access it from the provider's website, you will access it as root)
Paste the command below:
apt update && apt upgrade -y
Paste the command below:
adduser username
*"username" is just an example name and can be changed; no sudo is needed since you're root
It will prompt you for a password after that
Enter it and hit Enter (nothing is shown while you type, so be very careful; for safety it will ask you to type it again)
After confirming, you'll be asked to enter details such as your name, but you can skip them all by pressing Enter, then hit Y to confirm.
Next, give the new user sudo permission (this means the user can execute commands with root privileges):
usermod -aG sudo username
*Verify the New User’s Groups
id username
*Switch to New User Account, enter the password as usual
su - username
This PowerShell command will generate an SSH key pair (Windows: use PowerShell / Mac: use Terminal), e.g. location: C:\Users\username/.ssh/id_ed25519.pub
ssh-keygen -t ed25519 -C "My Personal SSH Key"
-When asked for the file location, leave it blank for now; the same goes for the passphrase
*This is important because by default ssh will ask for the password every time; if you're okay with that you can skip this step
Log in as the new user again.
su - username
Create a folder named ".ssh"
mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys
Once you're in the Nano text editor, paste the key, then press CTRL + O and Enter
To get the key, go to "User\.ssh\id_ed25519.pub" on your PC, open the .pub file as text, and copy the text (DO NOT SHARE THIS WITH ANYONE)
*The commands above open the authorized_keys file in Nano; paste the .pub key and hit CTRL + O and Enter (this saves your laptop's key as the first line of the file)
Set permission
chmod 700 ~/.ssh
Set authorized_keys Permissions
chmod 600 ~/.ssh/authorized_keys
Log in as your user with ssh
ssh username@[Your_IP]
Restart SSH Service on VPS Browser Terminal
sudo systemctl restart ssh
Creating Firewall:
Check UFW Firewall Status
sudo ufw status
Allow SSH Through Firewall
sudo ufw allow OpenSSH
Allow HTTP Traffic (Port 80)
sudo ufw allow 80/tcp
Allow HTTPS Traffic (Port 443)
sudo ufw allow 443/tcp
Enable Firewall
sudo ufw enable
Confirm Firewall Rules (optional)
sudo ufw status
Your table should look like this:
To                Action      From
----              ---------   --------
OpenSSH           ALLOW       Anywhere
80/tcp            ALLOW       Anywhere
443/tcp           ALLOW       Anywhere
Nginx Full        ALLOW       Anywhere
OpenSSH (v6)      ALLOW       Anywhere (v6)
80/tcp (v6)       ALLOW       Anywhere (v6)
443/tcp (v6)      ALLOW       Anywhere (v6)
Nginx Full (v6)   ALLOW       Anywhere (v6)
Next, reboot VPS
sudo reboot
You're good to go after this
________________
To let the website retrieve files from your VPS, you need a web server: it's a proxy that gets the file from your VPS and displays it
Note: Paste by Right-Click
sudo apt install nginx -y && sudo systemctl start nginx && sudo systemctl enable nginx
Open Firewall for Nginx
sudo ufw allow 'Nginx Full' && sudo ufw reload
To check whether your VPS website works, you can go to the link:
https://[your IPv4 address]
*If it shows 404 Not Found Nginx, it means Nginx is successfully installed and the website can run
This is the Nginx default directory
cd /var/www/html/
And this is where your html will be at:
/var/www/html/index.html
There are 2 options to create the file:
[Option 1] Use PowerShell's scp command to copy from your PC to the Nginx server; only recommended if you are copying a folder or image
Note: This is PowerShell, NOT SSH (use the ssh exit command if you are logged in):
scp "C:\Users\You\Desktop\index.html" root@203.0.113.10:/tmp/
This command is SSH, NOT POWERSHELL
sudo mv /tmp/index.html /var/www/html/index.html && sudo chmod 644 /var/www/html/index.html
[Option 2] Insert the HTML contents directly into the file in the Nano text editor; highly recommended because you don't need to go back and forth with scp
sudo nano /var/www/html/index.html
*Or sudo nano index.html if your current directory is already /var/www/html/
Set ownership (this is important because Nginx might be unable to display the file on the website without permission)
sudo chown -R www-data:www-data /var/www/html
Reload the https://[YourIP] and it should be there!
*It doesn't have to be index.html
A certificate is important for users' assurance. Without it, they will see an "unsafe to enter" warning when they try to access your website.
The easiest way is to install certbot
sudo certbot certificates
To renew:
sudo certbot renew
Test renewal system
sudo certbot renew --dry-run
For better security, it is recommended to add a few rules about which parts of the site can be accessed and which cannot
They are stored in a file that you can open with this command:
sudo nano /etc/nginx/sites-available/default
This will redirect users from http:// to https://; put it in a new server { }
server {
    # When a user accesses http, Nginx will refer to this server { }
    listen 80;
    server_name websitename.com www.websitename.com;
    # Redirect user from http:// to https://
    return 301 https://$host$request_uri;
}
# Enable the PHP backend to execute; put this inside your original server { }
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
}
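Deny Access
# Block anyone from accessing a URL path that contains files starting with .ht (like .htaccess, .htpasswd, etc.).
# It's generally OK since Nginx doesn't use those files, but better to put it in case you change to Apache (web server) later
location ~ /\.ht {
    deny all;
}
# Deny access to a specific file; the snippet below blocks everyone from accessing the file named password.php (\. tells the regex to treat it as a literal dot, because . is a wildcard)
# Nginx tries regex locations in the order they appear in the file and uses the first match, so place this block above the location ~ \.php$ block; otherwise the PHP block matches first and this deny never applies
location ~* /folder1/(password\.php) {
    deny all;
}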
Make users see a 404 if they try to access a directory that doesn't exist
location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
}
Put this in your original server { }, not the port 80 one from above
# Tells Nginx to listen on port 443 (the standard port for HTTPS)
listen 443 ssl;
# Defines which domain names this config applies to; handles both the root domain and the www version
server_name example.com www.example.com;
# Points to your SSL certificate file; fullchain.pem includes your domain certificate and the intermediate certificates (needed for browser trust)
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# Points to the private key for the certificate; this must match the certificate above and stay secret
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Add the list of default files that users will see when accessing the "folder"
E.g.: your URL says example.com, but what you see is actually served from example.com/index.html
# Add index.php to the list if you are using PHP; each variant is separated by a space
index index.php index.html index.htm index.nginx-debian.html;
If you aim to run your website as a business platform, you should consider analyzing website traffic.
There are a few ways to do so:
The hardest way is reading through the access.log file directly
sudo nano /var/log/nginx/access.log
The easy way is GoAccess (it simply takes data from your access.log file, so it's better than the method above, and it's user friendly since it doesn't use cookies)
1) Install GoAccess
sudo apt update && sudo apt install goaccess -y
2) Open GoAccess's config file to add the format
sudo nano /etc/goaccess/goaccess.conf
3) Put these 3 lines in the file
log-format COMBINED
date-format %d/%b/%Y
time-format %T
4) Run GoAccess and analyze the log
sudo goaccess /var/log/nginx/access.log
*How to read GoAccess statistics:
hits = number of URL requests by users (including when a user refreshes)
vis = true unique visitors
h% = percentage of hits for a particular URL (stated in data)
v% = percentage of unique visitors for a specific URL (stated in data)
mtd = method
Tx. Amount = total bandwidth served for this URL
data = the actual requested path; / is your root URL (homepage)
*Entries with weird binary / HTTP2 / TLS junk are not requests; they are more like TLS handshakes.
Ways to identify a threat (bot)
1) Check the data they are accessing; they mostly target backend files
-info.php (do not make it accessible to the public if possible)
-wordpress files (sometimes wp and so on)
2) Check the user-agent; this is the last field of the log line, with values like: Mozilla, curl, python-requests, Googlebot
Beware: curl, wget, python-requests are the suspicious ones
*Remember, bots are not targeting you specifically; they scan the whole internet. So don't feel scared if you see this every day
Verify "good bots" (important)
The harmless bots here are the ones from .googlebot.com
To find an IP's origin, use this CMD command
nslookup [IPv4 address]
If something like this appears: crawl-66-249-66-1.googlebot.com < this means it's a harmless bot
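The three checks above (requested path, user-agent, reverse lookup of a claimed Googlebot) applied to access.log lines, as an added example that is not part of the original tutorial. It assumes the combined log format; the names classify and ptr_confirmed, the sample lines and the PTR table are constructed for illustration, and the forward-confirm step goes one step beyond the nslookup check in the text.

```python
import re
import socket

# nginx "combined": ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>[^\s"]+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Signals named in the text: backend probes and scripted clients.
PROBE_PATH = re.compile(r'info\.php|/wp-|wordpress', re.I)
SCRIPT_UA = re.compile(r'^(curl|wget|python-requests)', re.I)

def ptr_confirmed(ip):
    """Reverse-resolve an IPv4 address; keep the name only if it resolves back to ip."""
    try:
        host = socket.gethostbyaddr(ip)[0]
        return host if ip in socket.gethostbyname_ex(host)[2] else None
    except OSError:
        return None

def classify(line, lookup=ptr_confirmed):
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"  # e.g. TLS handshake bytes logged as a 400
    reasons = []
    if PROBE_PATH.search(m["path"]):
        reasons.append("probe-path")
    if SCRIPT_UA.match(m["ua"]):
        reasons.append("script-ua")
    if "Googlebot" in m["ua"]:
        host = lookup(m["ip"]) or ""
        if host.endswith(".googlebot.com"):
            return "verified-googlebot"
        reasons.append("unverified-googlebot")  # anyone can send this User-Agent
    return ",".join(reasons) or "ok"

# Constructed sample lines and a constructed PTR table, so the example runs offline.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com"}
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.8 - - [10/Jan/2025:10:00:02 +0000] "GET /info.php HTTP/1.1" 404 162 "-" "python-requests/2.31.0"',
    '66.249.66.1 - - [10/Jan/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    r'198.51.100.10 - - [10/Jan/2025:10:00:05 +0000] "\x16\x03\x01" 400 166 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line, FAKE_PTR.get), "|", line[:70])
```

On the VPS, call classify(line) without the second argument to use real DNS lookups for lines read from /var/log/nginx/access.log.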
And finally, the Google way
You can register for Google Analytics by...
Creating an account at google.com/analytics
Setting up a property for your website/app
And installing the tracking code to begin collecting data.
*Key actions include monitoring traffic sources in reports, tracking user engagement, and using the "Explore" tab to build custom reports.
Note: Google Analytics uses cookies (less privacy), which bolsters the accuracy of analyzing users
Which one should you choose?
If your website is just for education, use GoAccess
If your website is a business platform, use Google Analytics