DEV Community: Sanmi

Deploying a secured Node.js Application on AWS EC2 Instance from scratch (Detailed Guide)

Sanmi — Tue, 31 Oct 2023 11:27:09 +0000

Every website or web application you have ever come across on the internet contains code deployed there by someone like you (or by aliens; I can't tell the extent of their involvement at this time) and for you as a web/software developer, knowing how to deploy your code to the streets of the internet via a remote server such as cloud servers is an invaluable skill to have today. There are several decent hosting services around that enable you to properly and securely host your website or web app such as Digital Ocean, Heroku, Vercel (mostly for front-end apps) and chief amongst them, Amazon Web Services (AWS).

Today, you will learn how to deploy your node.js project to the internet via an Amazon Web Services EC2 Instance at little or no cost. You will learn how to create an AWS EC2 Instance and work in Amazon Linux 2, create and manage services with SYSTEMD, use NGINX as a reverse proxy and obtain an SSL certificate from Let's Encrypt to ensure your website is secure via HTTPS protocol. So let’s get to it and deploy your project to your EC2 Instance.

Create an AWS EC2 Instance

As I said in my last post, Amazon Elastic Compute Cloud (AWS EC2) is an Infrastructure as a service (IAAS) cloud service provided by Amazon.com that enables you to rent a virtual machine where you can host and run your computer applications. Amazon EC2 provides you with what is called an Instance, which is a web service you can use to initialize an Amazon Machine Image (AMI) to configure your virtual machine that contains your software. AWS also offers services like AWS CLI, AWS S3, AWS CodeDeploy, AWS Lambda and AWS Elastic Beanstalk to further streamline deployment and management.

In my previous post, I gave a detailed description of how to create and set up an AWS EC2 in just a few minutes.

Connect to your Instance

There are numerous ways to connect to your AWS EC2 (Elastic Compute Cloud) instance, providing flexibility and accessibility tailored to your needs. One of the most common methods is through SSH (Secure Shell), which allows you remote and secure access to your Instance through the command line. Another option is using AWS Systems Manager Session Manager, a browser-based SSH-like interface that doesn't require you to open incoming ports on your instance. Additionally, you can connect via Remote Desktop Protocol (RDP) for Windows instances which enables graphical desktop access, or utilize AWS SSM Run Command for executing commands remotely. For web applications, you can access your EC2 instance through a web browser by configuring security groups and setting up a web server. AWS also offers the EC2 Instance Connect feature, enabling one-click browser-based SSH access as I have illustrated in the gif below.

These diverse connection methods enable you to interact with your EC2 instance efficiently and securely, catering to various use cases and preferences.

In this post, I will use SSH to access the Instance on Amazon Linux via the command line. To connect to your Instance via SSH you have to first navigate to the directory/path where your key pair (.pem file) is located and then run a command following this pattern in the command line



 ssh -I”/path/key-pair-name.pem” instance-user-name@instance-public-dns-name

path/key-pair-name.pem refers to the path to your .pem file but you can simply enter the name of the file without the path if you’re connecting to your Instance from a directory that contains the file, instance is often ec2 and username is often user although you may want to read your Amazon Machine Image usage instructions to check if the AMI owner has changed the default AMI user name, finally your public-dns-name refers to an IPv4 address assigned to your Instance that allows you to access your Instance on the Internet. To find the public-dns-name of your instance, go to your Instance details and check for Public IPv4 DNS. I have indicated in the image below, just copy it and add it to your command.

So following that pattern, this is the command I will execute in the command line to connect to MY Instance



ssh -i "my-key-pair.pem" ec2-user@ec2-16-171-152-245.eu-north-1.compute.amazonaws.com

On your first attempt to connect to your Instance you will be prompted with a response requiring you to grant permission to add your Public DNS name to the list of known authentic hosts allowed to access your Instance.

I will simply reply with yes. You can do that or enter the fingerprint (indicated above). Once you have chosen your preferred response for establishing the authenticity of your host (public DNS name), you will get a response similar to the image below signifying that your host has been permanently added to the list of known hosts.

If your connection closes like mine, connect to your Instance once again and this time you get a response similar to the image below

If you get this response, then congratulations! You have successfully connected to your EC2 Instance in Amazon Linux via SSH.

Install NPM/&Node

Since you intend to deploy a Node.js application to this Instance, you have to install Node and package manager (NPM or Yarn) in your Amazon Linux Instance using Yum to set up your node.js development environment. To do this, you can either directly install node package manager (npm) by simply running the command in your terminal



$ sudo yum install npm

This should allow you to easily run your node.js application in this instance and manage and install JavaScript packages and libraries for your application OR you can run the following command in your terminal



curl -o- https://raw.Githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash

This will install node version manager (nvm), you will use nvm to install Node.js as nvm can install multiple versions of Node.js and allow you to switch between them. I will not go deep into this method now but you can get a more detailed explanation of this method on AWS documentation. For this post, I shall install npm directly.

Import your Source code

There are multiple ways to import your code to your Instance. You can import your code files from your Windows computer by using WinSCP or use a utility like rsync to efficiently transfer your code files from your local storage (your computer) to remote servers (your Instance) or you can be like me and use the most straight forward method which is to use git to download your code from your source code management platform which is Github in my case (and hopefully yours).

To import your source code to your instance from Github, you should first install Git by executing the command.



$ sudo yum install git

You will then use git clone to download the source from your Github repository to your Instance via the command



git clone https://Github.com/Dukesanmi/my_nodejs_project.git

This may prompt you to authenticate your Github account (If it's a private repo). To do this, enter your Github username in response to the first prompt that requests your username, When you enter your correct username you will be prompted to enter your password. Here’s where it gets a bit tricky, the password you are to provide here is not going to be the password to your Github account. Github has revoked the support for password authentication since Aug 2021, so you will have to enter your Github Personal Access Token as the password. Check out Github Personal Access Tokens to learn more about them and how to generate them.

NPM install your dependencies

Once your code has been downloaded to your instance from Github, run



npm install

in the directory that contains your code (specifically the package.json file) to install your project’s dependencies and ensure your code runs locally on localhost without any errors.

Run your code locally

Once you have confirmed that your code runs fine in your Amazon Linux terminal (i.e. you ran the code in your Instance on localhost:portnumber and it ran smoothly with no errors), you can then test it in your browser and your URL will be the port number your project runs on locally appended to your public IP address in case of the Instance in this post my URL will be something like



http://16.171.152.245:8000/

Ensure you run via HTTP and not HTTPS (you don’t have HTTPS privileges yet lol). Also, make sure you switch out 16.171.152.245 for your public IP address.

Note: For this to work, you must have an Inbound security group rule that allows inbound traffic to your server on your localhost port number. If you don’t have such a rule, navigate to your instance details, You will see a tab beside the details tab named security, click on it and then you will see the security group your Instance is using. Click on the security and scroll down in the security group view to see and click the Edit inbound rules button, you will be taken to a view that enables you to manage your inbound rules. So you can now add a new inbound rule setting Type to Custom TCP and Port range to your local port number. You can check out my previous post to see how to create inbound security group rules.

Create and manage a node service with systemd

At this point, your application only works on the internet when you manually run it in your Amazon Linux Instance locally from your computer, this is not ideal as it’s no different from running your application using localhost.

You want your application to be available on the internet whenever it is accessed on any authorized device, from any authorized location. To achieve this, you can create a service to manage your node app. This service will be managed in Systemd to reliably ensure that your application is always running smoothly (i.e. starting, stopping, restarting, monitoring and occasionally fixing issues to keep the application running). This means that Systemd will ensure that the application is available to users at all times even when your Linux terminal or/and your local computer is off as long your Instance is running remotely on your AWS account, your application should be running smoothly on the internet.

So let’s create the node service to manage your node application. First, we will create a service file (I will name mine node-api.service) in the system subdirectory of the systemd directory that contains configuration files for system-wide services and units. These files define how systemd should manage various system services, like network services, daemons, or custom applications. The contents of this directory are owned by the root user so we will be making use of the [sudo](https://www.sudo.ws/) prefix to execute commands in this phase of the process.

Let’s get to it! To create your service file, you can use Vim (if you enjoy a challenge) or Nano as your editor, and I will be using Nano. Thank you and God bless 🙏🏿. So to create your service file in the appropriate directory, you will execute the command



$ sudo nano /etc/systemd/system/node-api.service

This should open up a new file inside which you should input the following content



[Unit]
Description=Uber Elephants #Brief description of your service and maybe what it does
Documentation=https://example.com #Link to application’s docs
After=network.target

[Service]
Type=simple
User=ec2-user #User account under which a service should run.
EnvironmentFile=/home/ec2-user/mycode/myapp.env #Path to your environmental variables file   
ExecStart=/usr/bin/node /home/ec2-user/mycode/my_nodejs_project /index.js 
Restart=on-failure

[Install]
WantedBy=multi-user.target

Let me quickly give a brief explanation for the parts of the file’s content that are not self-explanatory

[Unit]

After=network.target: This tells systemd to wait until the point in the boot process when the network services are up and running before starting up your application.

[Service]

Type=simple: This tells systemd that your service is a simple, straightforward program that runs as a single process i.e., it just starts and runs, it doesn't involve complex forking or management. This means that systemd will start your service and consider it running as long as the main process (which in this case is your index.js script) is active.

ExecStart=/usr/bin/node /home/ec2-user/mycode/my_nodejs_project /index.js: This specifies to systemd the command that should be executed to start a service. In this case, the command tells systemd to run your entry point file.

/usr/bin/node: This is the path to the Node.js interpreter executable (node). It tells systemd to use node.js to run your application. This path will be a little different if you installed node.js using nvm, you will have to use the path to your node.js interpreter executable which is likely to be something like



  /home/ec2-user/.nvm/versions/node/v18.15.0/bin/node

/home/ec2-user/mycode/my_nodejs_project/index.js: This is the full path to the JavaScript file that serves as the entry point for your node.js project. When the service starts, systemd will execute this file using the node.js interpreter specified in /usr/bin/node.

Restart=on-failure: This specifies to systemd the condition under which the service should be automatically restarted if it dies.

[Install]

WantedBy=multi-user.target: This ensures that your service starts as part of the normal system startup process when the system is ready to serve multiple users and services.

You can now save the file and exit the nano editor.

Once your node service file has been saved you can now use [systemctl](https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units) to control and manage your service. First, check the current state of your service, To do that execute the command



$ sudo systemctl status node-api.service

(Remember to replace node-api.service with your service file name.) You should see a response like this:

You can see that your service is currently disabled and inactive so you have to change that. To enable your service run the command



$ sudo systemctl enable node-api.service

You should get a response like this to confirm that your service has been successfully enabled.



Created symlink /etc/systemd/system/multi-user.target.wants/node-api.service → /etc/systemd/system/node-api.service.

This means that a symbolic link has been created for your service to help systemd efficiently manage your service. The next thing you do now and whenever you make changes to your service file is to run the command.



$ sudo systemctl daemon-reload

This will reload all unit files, rerun all generators, and recreate the entire dependency tree with your updated service files.

Now you can start your service by running the command



$ sudo systemctl start node-api.service

(Again, do not forget to switch out node-api.service for the name of your service file). Run the status check command again and if your service has started successfully, you should get a response similar to this.

To test that this works fine, exit your terminal and close it even or try the previous URL http://16.171.152.245:8000/ in your browser and on another device. You will see that your application will keep running fine without having to manually run it locally.

Install and setup NGINX as a reverse proxy server

Now your application runs automatically from anywhere, on any device as long the correct URL is requested but you still have to add your port number to your IP address to be able to access your web application on the internet. This is because your application only listens on your custom port number and not the standard HTTP/HTTPS port number.

To change that and be able to access your website without your localhost's port number i.e. in my case http://16.171.152.245/, your application will have to listen on port 80 to use HTTP protocol to load your webpages (still don’t have HTTPS privileges yet).

To make all of this possible, you need a reverse proxy server that will act as a middleman between a user’s device and your web application, ensuring your web requests get to the right place and return the web pages or data that is requested.

You can and should use NGINX as your reverse proxy server. Start by installing Nginx on your Linux Instance. Execute the command



$ sudo yum install nginx –y

Once your installation is complete, run to enable your nginx service



$ sudo systemctl enable nginx

And then start your nginx service by running this command



$ sudo systemctl start nginx

Once it has started successfully, you can check nginx service status by executing the command



$ sudo systemctl status nginx

Your response should look something like this

Now when you run your website in the browser without adding our custom port number, the server returns the nginx default “Welcome” page.

The next thing to do now is to configure nginx to direct requests to your node.js project so it will serve your webpages and data when requests are made to our server through HTTP. We would create an nginx configuration file for our application by executing this command



$ sudo nano /etc/nginx/conf.d/node-app.conf

and then add the following configuration to the file



server {
    listen 80;
    server_name 16.171.152.245; #Your domain name or ip

    location / {
        proxy_pass http://16.171.152.245:8000; #your_nodejs_port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Your server_name at this point is your public IP address and you should replace the port number on your proxy_pass with the port number your node.js application is running on locally. Save and exit your editor, then run the command



$ sudo nginx –t

This is to test the configuration for syntax errors, if there are no errors you should get the response below

If you get the above response, run the following commands

To reload all the systemd units and generators



$ sudo systemctl daemon-reload

And then restart the nginx service by running.



$ sudo systemctl restart nginx

You can now check the status of your nginx service to ensure it's still running fine and then go to your browser and refresh your URL which I believe is currently just your public IP address over HTTP, it should return your application's webpage.

Create name servers for your domain in Route 53

At this point, I assume you already have a domain name you intend to host your website with but if you are not sure how or where to purchase a domain name, you may want to check out one of the many domain name providers available today like Namecheap, Whogohost or AWS Route53. Once you have purchased a domain name, go to AWS Route 53 (a DNS management service) dashboard and under DNS Management, click on “Create Hosted Zone”

Once you have created your hosted zone, update the name servers assigned to your domain name by your domain name provider with the new ones assigned to your hosted zone by AWS (This will be done with your domain name provider).

Check that your newly updated name servers have been propagated by checking your domain name on a DNS propagation check service like dnschecker.org (Propagation often takes some time so be a little patient).

Once you have confirmed that your name servers have been propagated, go back to Route53 where you created a hosted zone and create a new record inside your hosted zone. In the new record enter your public IP address in the value field so whenever your domain name URL is entered in a browser it re-routes to your public IP which then via nginx serves your webpage.

Now, enter your domain name as your URL in the browser using HTTP (still don’t have HTTPS privileges yet. Remain small lol) for example yourdomainname.com. Access to your web application on the internet is now really straightforward for your users with your custom domain name instead of the more complicated IP address numbers.

Get SSL certificates and enable HTTPS

So far, any connection to your website has been unprotected and any data transferred over HTTP will have been transmitted in plain text without any encryption. If packets of data to or from your website were intercepted, it would be easy for the interceptor (lol) to read and alter that data. This lack of encryption makes HTTP unsuitable for transmitting sensitive or confidential information, as it can make your web application vulnerable to eavesdropping, data breaches, and man-in-the-middle attacks.

To prevent these kinds of vulnerabilities in your website, you have to enable HTTPS, a secure version of the HTTP that uses SSL (Secure Sockets Layer)/TLS (Transport Layer Security) for encrypting data transferred between your application’s server and client by concealing data in layers of encryption so that in the case of interception, it will be nearly impossible to decipher without the correct decryption key. It is essential for every website especially if your website sends or receives sensitive data such as passwords, security keys, credit card information, bank information etc.

To enable HTTPS on your website, you need an SSL/TLS certificate which is a digital certificate that authenticates a website's identity and enables encrypted connection. I will show you how to obtain an SSL certificate from Let’s Encrypt and enable your website to run on port 443 which is the standard port number for HTTPS protocol.

For Let’s Encrypt, you need to install Certbot. Installing Cerbot on Amazon Linux 2023 may present itself to be a struggle as EPEL 8 version of Certbot is built for a version of Python (v3.6) that is not available in Amazon Linux 2023. So you have to manually install it using Python by the following process I have highlighted below:

First, run these commands to set up the Python3 virtual environment



$ sudo python3 -m venv /opt/certbot/



$ sudo /opt/certbot/bin/pip install --upgrade pip

Then to install Certbot for Nginx, run the command



$ sudo /opt/certbot/bin/pip install certbot cerbot-nginx

You can now obtain your SSL certificate by running



$ sudo certbot –nginx

This will also allow Certbot to automatically modify your Nginx configuration to enable HTTPS. When you execute that command, you will be prompted to provide an email address so you can be contacted in case of urgent renewal and security notices.

Respond appropriately to the other prompts (just type in y) and when your account is registered, you will see the view below asking you to select the domain you want to enable HTTPS from a list.

You will likely see your domain there, this is as a result of the record you previously created in your Hosted Zone in Route 53 which points to your server’s IP address and Certbot detecting it as an available domain because it can potentially match subdomains under that wildcard domain.

You have finally earned HTTPS privileges 👏🏿, you can now access your website using HTTPS in your URL like https://yourdomainname.com

There is one more tiny detail you should take care of. Your newly obtained SSL certificate will expire after some time (typically 90 days I think) and you may not always remember to manually renew it. So execute the following command to automatically renew your certificate days before it expires using a cron job.



$ echo "0 0,12   root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random()  3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Thanks, oxFedev!

To check your auto-renewal configuration, view your domain config file at



$ sudo cat /etc/letsencrypt/renewal/yourdomainname.conf

You should see the number of days before expiry Certbot will auto renew your certificate.

Conclusion

Congratulations! You are now capable of using AWS EC2 Instance to deploy your Node.js project as a secured web application to the streets of the internet for the entire world to interact with, proud of you 🙌🏿. See you on the next one! Cheers ✌🏿

How to create and set up your first AWS EC2 Instance

Sanmi — Thu, 17 Aug 2023 21:24:21 +0000

What exactly is an AWS EC2 Instance?

Amazon Elastic Compute Cloud (AWS EC2) is an Infrastructure as a service (IAAS) cloud service provided by Amazon.com that enables users rent a virtual machine where they host and run their computer applications. Amazon EC2 provides users with what is called an Instance, a web service through which a user can boot an Amazon Machine Image (AMI) to configure a virtual machine that contains your software. Users can create, launch or terminate EC2 instances as desired. Websites such as Netflix (As at 2022, they were the biggest EC2 user by monthly spend), Facebook, LinkedIn and Twitch are some of the most popular websites that use AWS EC2 for their cloud services.

Get ready to get your steps in as i walk you through how to create and configure your first EC2 Instance.

Create an AWS EC2 Instance

To be able to create an EC2 Instance, you need to have an AWS account, if you need guidance creating one you can check out how to create an AWS account. Once you have an AWS account, you can go ahead and begin creating your EC2 Instance.

First, when you are logged into your AWS account, you go to EC2 instances view, this can be done by using the search bar to navigate to EC2 instances by clicking on EC2 and then navigating to the Instances view

Where you can create (launch) and manage your EC2 Instances. To begin creating your new Instance, click on the Launch Instance button.

This should take you to a view with a form that allows you configure your EC2 Instance. I will walk you through basic configuration in 6 steps:

Step 1: Choose a name for your EC2 Instance. You can choose whatever name you want for your Instance. E.g. myinstance-1

Step 2: Select the Amazon Machine Image (operating system) you will prefer to use to launch your Instance.

As a beginner or a non-enterprise user, it is advisable to select an Amazon Machine Image (AMI) that is free tier eligible to keep cost at a minimum.

Step 3: Select the Instance type that’s most suitable for your use case. Amazon EC2 provides a wide array of Instance types that suit different use cases. These Instance types have various combinations of storage, CPU, memory and networking capacity. To learn more about how different Instance types can meet your computing needs, check out AWS EC2 Instance types. Again, it is advisable to select an Instance type that is low cost or free tier eligible if you are not an enterprise user.

Step 4: Create a key pair or select one if you have previously created one. Your key pair consists of a public key and private key. They serve as your security credentials that allow you access to your EC2 Instance. Go to Amazon EC2 key pairs to learn more about key pairs.

Step 5: Configure your network settings. The default network settings are fine the way they are but you can edit them to configure them as you’d want especially to select a particular availability zone.

Availability zones are isolated and independent data centers spread across a region that offers protection from failures or catastrophic events in data centers at other zones. Although the default no preference setting (which is preferred setting) allows access to any availability zone but you can select a specific availability zone of your choice.

Step 5.5: The second half of the network settings require you to select or create a security group. A security group basically acts as a virtual firewall that controls inbound and outbound traffic to your Instance and by extension your website or web app. You can instantly create and configure a security group from the edit network settings view.

First, you choose a security group name, note that you will not be able edit this name once you have created the security group and your security group name cannot start with sg-. A security group name must also be unique for the VPC. After entering your security group name, you can enter a brief description of your security group (between you and me that could be anything). Now it gets interesting, you will configure your Inbound security group rules. The default security group rule listens on port 22 which allows SSH access for Linux Instances or RDP access for windows Instances from command line on your computer.

I will now walk you through how to create a new Inbound security group rule if your instance is going to function as a web server. First, you click on the “Add security group rule” located after the default security group rule then you get another security group rule that looks like the second image below.

We are going to be creating two new security group rules that allow all IP addresses access your instance via HTTP and HTTPS so your users can browse content on your web server.
For the first security group rule, select HTTP as Type which refers to network traffic type, this will automatically set Protocol to TCP and Port range to 80 as that is the port number assigned to HTTP server. You will then select Source type which refers to where your instance can be accessed from. You can either allow your instance to be accessed from anywhere or only from predefined known sources i.e. setting Source type to My IP which specifies your current IP address as the only source that can access your Instance or to Custom where you can specify the IP Address or security group that will be allowed access to your Instance. So for the purpose of this post, you will set our Source type to Anywhere which will set the Source to 0.0.0.0/0 this allows your Instance to be accessed from anywhere in the world via HTTP.

Configuring the second security group rule should be straightforward, you will set the Type to HTTPS, this will also automatically set Protocol to TCP and Port range to ‘443’ this is because similarly, ‘443’ is the port number assigned to HTTPS which is a secure version of HTTP. Just like the HTTP rule, we will also set Source type to Anywhere. When you are done, your Inbound security group rules should look something like this;

You can learn more about security groups by checking out Security groups.

Step 6: Configure storage. When it comes to configuring storage options for your EC2 Instance, it is okay to go with the default option which is quite sufficient if your software does not require enormous storage space. AWS offers free tier eligible customers up to 30GB of storage space (EBS General Purpose (SSD) or Magnetic Storage)

And that seems like a sufficient amount of storage space so I will stick with the default storage options.
At this point, we do not need to change any of the advanced details so we will leave them and then proceed to launch our EC2 instance by clicking the orange button highlighted in the image below

Once you click the button, the Instance launch process will be initiated and in a few seconds your EC2 Instance will be created. This will then take you to a view that shows that the launch of your instance is successful.

Then click the ‘View all Instances’ button at the end of the page to view and manage all the Instances you have created.

Ensure that your Instance state shows as running and that it passes 2/2 status checks, if this isn’t the case, you may need to refresh this web page for the changes to reflect.

At last, your AWS EC2 Instance is up and running, you can now proceed to deploy your software to your virtual server and put your website or web app on the streets of the internet. In another post, I will talk about how to deploy your code to your EC2 Instance, till then stay tuned! Cheers guys.