
Overview

This page documents the steps and tools needed to build the Voices in Biotech Project. Many of these will be broadly applicable to other Voices projects.

Software:

The Voices project uses the following software components:

  1. Strapi (a headless CMS)

  2. Postgres (database holding site data)

  3. Gatsby (static site generator)

  4. Apache (Webserver for admin site)

Strapi and Gatsby are each kept in a git repository: science-history-web holds the public-facing Gatsby code and science-history-api holds the private Strapi code.

Currently the git repos are locked and only accessible via an ssh key.

All of these components run on the server and are set up automatically by the Ansible playbook creates_voices.yml; see the Ansible README for command details.

AWS Services:

The Voices project uses the following AWS services to manage and run the site:

  1. EC2 (server to run the above software)

  2. S3 (Image hosting and static website component hosting)

  3. Cloudfront (used to support https access to S3 sites)

  4. Amazon Certificate Manager (for SSL certificates)

A key point is that the Voices project is managed in its own AWS account. See the AWS page for details on switching to the Community History Project account; you must be in that account for all of the steps below.

Setup:

Create S3 Bucket for Website

This follows instructions from (https://docs.aws.amazon.com/AmazonS3/latest/dev/HowDoIWebsiteConfiguration.html) which detail steps from the console.

  1. Create an S3 bucket named after the site (i.e. voices.sciencehistory.org)

  2. Under Properties, set Static Website Hosting to “Use this bucket to host a website”

    1. The index document should be index.html

    2. The error document should be 404.html

  3. Under Permissions, make sure Block Public Access (and all of its subsections) is set to Off

  4. In Bucket Policy under Permissions, follow the example under Step 2 (https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html), using our bucket name instead of Example
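The bucket policy that step 4 refers to, with the bucket name filled in, together with the AWS CLI equivalents of steps 2 to 4. This is an added example, not part of the wiki page or the project's Ansible code; BUCKET is a placeholder (e.g. voices.sciencehistory.org) and the CLI calls assume credentials for the Community History Project account.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate the public-read bucket
# policy for a website bucket and apply steps 2-4 with the AWS CLI.
# BUCKET is a placeholder; the aws calls need credentials for the
# Community History Project account.

# public_read_policy BUCKET
# Anonymous read of objects only: s3:GetObject on BUCKET/*.  Nothing is
# granted on the bucket resource itself, so listing, uploads and deletes
# remain restricted to the account.  Do not widen the Action to "s3:*".
public_read_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::$1/*"
    }
  ]
}
EOF
}

# configure_website_bucket BUCKET
# Steps 2-4 of the console procedure as CLI calls (not run in this file).
configure_website_bucket() {
  bucket="$1"
  # Step 2: index and error documents for the website endpoint.
  aws s3api put-bucket-website --bucket "$bucket" --website-configuration \
    '{"IndexDocument":{"Suffix":"index.html"},"ErrorDocument":{"Key":"404.html"}}'
  # Step 3: Block Public Access off (all four settings), which the website
  # endpoint requires.
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
    'BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false'
  # Step 4: attach the read-only object policy generated above.
  policy_file=$(mktemp)
  public_read_policy "$bucket" > "$policy_file"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$policy_file"
  rm -f "$policy_file"
}

# Stand-alone demo: print the policy for a constructed bucket name.
public_read_policy "example-bucket"
```

After applying the policy, `aws s3api get-bucket-policy-status --bucket BUCKET` should report `"IsPublic": true`; that confirms the policy is in effect and that Block Public Access is no longer overriding it.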

Import SSL Cert

This should only need to be done when we renew our SSL certs or if we change them. We are not using Amazon’s certificate creation service so we will need to import ours after making some changes to the format to work with AWS.

Editing Certificates

Amazon’s certificate manager requires PEM formatted keys. You will need the ssl key, intermediate certificate, and wildcard certificate.

For the wildcard certificate run

openssl x509 -in CERTFILE -out CERTFILE.pem

For the key run

openssl rsa -in KEYFILE -out KEYFILE.pem

The intermediate certificate is a bit trickier. OpenSSL’s x509 command only handles the first certificate in a file, so it does not convert the three-certificate chain in one go. Make three copies of the CA cert, labelled 1-3, and in each copy delete the other two certificates so that every file holds exactly one. Then run

openssl x509 -in CERTFILE-CA1.cert -outform PEM -out CERTFILE-CA1.pem
openssl x509 -in CERTFILE-CA2.cert -outform PEM -out CERTFILE-CA2.pem
openssl x509 -in CERTFILE-CA3.cert -outform PEM -out CERTFILE-CA3.pem
cat CERTFILE-CA1.pem CERTFILE-CA2.pem CERTFILE-CA3.pem > CERTFILE-CA.pem

Importing Certificates

  1. Log onto AWS, and go to the Certificate Manager.

  2. Select the Import a certificate button

  3. Paste the certificate in the certificate body, the key in the key section, and the newly combined CA chain in the chain section.

  4. Name and save the certificate
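The certificate-editing and importing steps above, as a script. This is an added example, not the wiki page's own commands: it splits the CA bundle into one file per certificate automatically instead of hand-editing three copies, converts each with the same openssl x509 command the page uses, checks that the chain validates the certificate and that the key matches it before anything is imported, and shows the AWS CLI equivalent of the console import. CERTFILE, KEYFILE and CHAINFILE are placeholders as on the page; the sample bundle at the end is constructed placeholder text, not real X.509 data, and only exercises the splitter.

```shell
#!/bin/sh
# Added example (not from the wiki page): prepare the wildcard certificate,
# its key and the CA chain for Amazon Certificate Manager and import them.
# File names (CERTFILE, KEYFILE, CHAINFILE) are placeholders.

# split_pem_bundle BUNDLE OUTPREFIX
# Write each certificate in BUNDLE to OUTPREFIX-N.cert (N = 1, 2, ...) and
# print the number found.  Replaces the "three copies, delete the other
# two" step and works for a chain of any length.
split_pem_bundle() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".cert"; inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  ' "$1"
}

# build_chain BUNDLE OUTFILE
# Split the bundle, normalise every certificate to PEM with the page's
# openssl x509 command and concatenate them, in bundle order, into OUTFILE.
build_chain() {
  tmp=$(mktemp -d)
  count=$(split_pem_bundle "$1" "$tmp/ca")
  : > "$2"
  i=1
  while [ "$i" -le "$count" ]; do
    openssl x509 -in "$tmp/ca-$i.cert" -outform PEM -out "$tmp/ca-$i.pem"
    cat "$tmp/ca-$i.pem" >> "$2"
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# check_before_import CERT.pem KEY.pem CHAIN.pem
# Two checks worth running before pasting anything into the console: the
# chain must validate the wildcard certificate, and the key must belong to
# it (compared through the hash of the public key each one carries).
check_before_import() {
  openssl verify -CAfile "$3" "$1" || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# import_to_acm CERT.pem KEY.pem CHAIN.pem
# CLI equivalent of the "Import a certificate" console steps.  CloudFront
# only accepts ACM certificates held in us-east-1, so the region is fixed.
import_to_acm() {
  aws acm import-certificate --region us-east-1 \
    --certificate "fileb://$1" \
    --private-key "fileb://$2" \
    --certificate-chain "fileb://$3"
}

# make_sample_bundle FILE
# Constructed three-"certificate" bundle for exercising the splitter only;
# the bodies are placeholder text, not real certificates.
make_sample_bundle() {
  for n in 1 2 3; do
    printf '%s\n%s\n%s\n\n' '-----BEGIN CERTIFICATE-----' \
      "PLACEHOLDER-CA$n" '-----END CERTIFICATE-----'
  done > "$1"
}

# Stand-alone demo of the splitter (needs neither openssl nor AWS access).
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/ca-bundle.cert"
echo "certificates found: $(split_pem_bundle "$demo_dir/ca-bundle.cert" "$demo_dir/ca")"
```

Real usage is `build_chain CERTFILE-CA.cert CERTFILE-CA.pem`, then `check_before_import CERTFILE.pem KEYFILE.pem CERTFILE-CA.pem`, then `import_to_acm` with the same three files. If the verify step fails, the bundle is missing an issuer or is in the wrong order, and ACM would reject the chain anyway.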

Create Cloudfront CDN

This is required since S3 website endpoints do not support SSL.

  1. Open AWS Console and go to Cloudfront

  2. Select the Create Distribution button

  3. Choose the Web delivery method button

  4. For Origin Domain Name, DO NOT USE the autofilled S3 bucket name! You must enter the website endpoint, which you can find in S3 under Properties → Static Website Hosting. It should look like: http://BUCKETNAME.s3-website-REGION.amazonaws.com

  5. Leave Origin Path blank, give a descriptive name for origin ID (Voices-Production)

  6. Viewer Protocol Policy should be changed to redirect HTTP to HTTPS

  7. Leave the other settings at their defaults until you reach Compress Objects Automatically; set it to Yes.

  8. In Distribution Settings change Price Class to only use US, Canada, and Europe (the cheapest option)

  9. For Alternate Domain Names, set the intended URL.

  10. For SSL Certificate, choose Custom SSL Certificate and click the text box; the imported certificate should be listed there. Select it.

  11. Leave Custom SSL Client support at Clients that support Server Name Indication (SNI)

  12. Set logging to on

  13. For Bucket for Logs set Voices-Log

  14. For Log Prefix use cloudfront-staging or cloudfront-production, depending on the environment.

  15. Set state to enabled, and select create distribution.

  16. The now created distribution has a domain name (XXXYYYZZ.cloudfront.net)

  17. Copy that and open a ticket with IT asking them to create a CNAME record that points the intended hostname (step 9) at the CloudFront domain name.

  18. When IT has completed this you are done.
