I. Overview

This side project presents my procedure for migrating my WordPress blog from a web hosting provider running cPanel to an Amazon EC2 instance.

This project builds on the environment created in my previous blog post, "The Mobile Cloud Project, Part 1.1: Basic AWS", where I presented an overview of Amazon Web Services and a procedure for creating virtual servers (Reserved and On-Demand instances) on Amazon EC2.

II. Consulting

I do my best to explain the concepts and techniques behind my projects. If you like my work and can use my expertise in your projects, I am available for consulting at a competitive rate.

III. Procedure

Once the Amazon EC2 instance was created and configured in my previous blog post, this migration procedure is actually fairly straightforward. From the point of view of a terminal console, an Amazon EC2 instance running Ubuntu Linux is very similar to any other Ubuntu server. The only difference is that certain tasks that were simplified behind a web hosting provider’s cPanel now need to be done explicitly on an EC2 instance.

This procedure assumes an existing WordPress blog at http://www.RayAcayan.com (i.e. this blog), an existing EC2 instance running Ubuntu 9.10 (Karmic), an Elastic IP address associated with that instance, and a local Windows client with Putty and FileZilla configured to connect to both the old blog’s web hosting provider and the new blog’s EC2 instance. These were all configured in my previous blog post “The Mobile Cloud Project, Part 1.1: Basic AWS”.

1. Install packages on EC2 instance

1. Connect to the EC2 instance using Putty.
2. Install Apache2, MySQL, PHP, Ruby on Rails, Python, and Django packages with the following commands.
$ sudo apt-get update
$ sudo apt-get install apache2 mysql-server libapache2-mod-auth-mysql
$ sudo apt-get install php5-mysql phpmyadmin
$ sudo apt-get install build-essential libssl-dev libreadline5-dev zlib1g-dev
$ sudo apt-get install libmysqlclient15-dev

$ sudo apt-get install ruby-full rubygems1.9.1 rails libmysql-ruby

$ sudo apt-get install python2.6 python3 python-django
$ sudo apt-get install libapache2-mod-python python-mysqldb

2. Enable mod_rewrite on Apache

1. The mod_rewrite module allows WordPress to use pretty permalinks on your blog, such as /category/postname/
$ sudo a2enmod rewrite
$ sudo nano /etc/apache2/sites-enabled/000-default
2. Modify this file to show the following changes (i.e. change “None” to “All” to allow pretty permalinks, and add # comments to disable directory listing) then save this file.
DocumentRoot /var/www/
[...]
Options FollowSymLinks
AllowOverride All
[...]
# Options Indexes FollowSymLinks MultiViews
# AllowOverride None
# Order allow,deny
# allow from all
3. Restart Apache:
$ sudo /etc/init.d/apache2 restart

3. Install WordPress on the EC2 instance

1. Connect to the EC2 instance using Putty.
2. Create the WordPress username and database on MySQL by entering the following commands:
$ sudo mysql -u root -p <password>
mysql> create database wordpress;
mysql> create user <wp_username>;
mysql> set password for <wp_username> = password(“<password>”);
mysql> grant all on wordpress.* to <wp_username>@localhost identified by `<password>’;
mysql> quit
3. Enter the following commands at the Linux prompt to download and install WordPress:
$ cd /var/www
$ sudo wget http://wordpress.org/latest.tar.gz
$ sudo tar -xzvf latest.tar.gz
$ sudo mv wordpress blog
4. Go to http://<elastic ip>/blog/wp-admin/install.php to execute the WordPress install script.
5. Download and install the WordPress themes and plugins that were in the previous blog (cPanel).

4. Copy WordPress files and database from the old blog to the new blog

1. Open FileZilla client and connect to the web hosting provider’s server that is hosting the old blog. (See the provider’s instructions on how to do this.)
2. Download all files in the old blog: ~/public_html or /var/www
3. Open a second FileZilla client to connect to the new blog (EC2).
4. Upload your custom files and directories to the /var/www directory of the new blog.
5. Open the WordPress Dashboard on the old blog (cPanel), click "Export" in the “Tools” menu on the left, and save the .xml file.
6. Open the WordPress Dashboard on the new blog (EC2), click "Import" in the “Tools” menu on the left, and upload the .xml file from the previous step.
7. Install the “WP-DB-Backup” plugin on both the old and new blogs.
8. On the old blog’s WordPress admin, click “Backup” on the “Tools” menu on the left and save the file as “oldwordpress.sql”.
9. Connect to the EC2 instance via FileZilla and upload the “oldwordpress.sql” file.
10. Connect to the EC2 instance via Putty.
11. At the Linux prompt, enter “mysql wordpress < oldwordpress.sql –u root -p” to import the old WordPress database to the new one.
12. Verify that the new blog is working at http://<elastic ip>/blog including links and styles.

5. Remap DNS to the new blog IP address on EC2

• DNS needs to be configured to remap the blog’s domain name to the Elastic IP address of the new blog on EC2.

1. Before proceeding, add an entry “<elastic ip> www.RayAcayan.com” to the local hosts file at C:\windows\system32\drivers\etc
2. Verify that the blog is working properly using the normal URL http://www.RayAcayan.com

At this point, only the local computer can access the new blog via URL because of the hosts file entry. The new IP address will need to be propagated to the rest of the Internet via an external DNS provider so that everyone else can access it.

3. Select an external DNS provider such as http://www.easyDNS.com and purchase a DNS-only service for about $20/year.
4. Add a DNS entry to map the hostname to the Elastic IP address of the new blog.
5. Go to the domain registrar’s website where the old blog domain is currently registered.
6. Change the name servers of the domain to point to the name servers of the external DNS provider.
7. Wait several hours for the new DNS settings to propagate on the Internet. Enter “nslookup” at the command prompt. If the response is the elastic IP address of the EC2 instance, then the DNS propagation has completed.
8. Remove the hosts file entry created in step 5.i. and run “ipconfig /dnsflush” at the command prompt. Verify that the blog is still reachable via the normal URL: http://www.RayAcayan.com

6. Install Additional Applications

1. Install Webalizer


Webalizer is a web stats application offered by your web hosting provider’s cPanel. You will need to install it manually on your EC2 instance if you want to continue using it.

1. Connect to the EC2 instance using Putty.
2. Enter the following command to install Webalizer on the EC2 instance:
# apt-get install webalizer

7. Configure Security

1. Secure the Apache web server with mod_security and Core Rule Set

The “mod_security” Apache module is an open source intrusion detection and prevention engine for web applications. It protects the Apache web server from common attacks such as SQL injection, cross-site scripting, etc.

1. Connect to the EC2 instance using Putty.
2. Enter the following commands at the Linux prompt:
#mkdir ~/install
#cd ~/install
#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.10.tar.gz
# tar -xzvf modsecurity-apache_2.5.10.tar.gz
# cd modsecurity-apache_2.5.10/rules
# cp *.conf /etc/apache2/conf.d
# cp base_rules /etc/apache2/conf.d/modsecurity
# cp optional_rules /etc/apache2/conf.d
# mkdir /etc/apache2/logs
# apt-get install libapache-mod-security
# a2enmod mod-security
3. Restart Apache:
# /etc/init.d/apache2 restart
2. Configure password-protection on the PHPMyAdmin directory
1. Connect to the EC2 instance using Putty.
2. Enter the following commands at the Linux prompt:
# mkdir /usr/local/apache2
# htdigest -c /usr/local/apache2/.htpasswd_phpmyadmin “PHPMyAdmin” phpmyadmin
(Enter password)
# cp /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled
# nano /etc/apache2/apache2.conf
3. Add the following text to the end of the apache2.conf file:
<Directory /usr/share/phpmyadmin/>
  Authtype digest
  AuthName “PHPMyAdmin”
  AuthUserFile /usr/local/apache2/.htpasswd_phpmyadmin
  require user phpmyadmin
</Directory>
4. For added security, insert the following lines inside the <Directory> tag above to only allow connections from certain IP addresses:
  Order deny,allow
  Deny from all
  Allow from <static IP address>
5. Restart Apache:
# /etc/init.d/apache2 restart
3. Configure password-protection on the WordPress Admin directory
1. Connect to the EC2 instance using Putty.
2. Enter the following commands at the Linux prompt:
# mkdir /usr/local/apache2
# htdigest -c /usr/local/apache2/.htpasswd_wp-admin “WordPress Admin” wp-admin
(Enter password)
# cp /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled
# nano /etc/apache2/apache2.conf
3. Add the following text to the end of the apache2.conf file:
<Directory /var/www/blog/wp-admin/>
  Authtype digest
  AuthName “WordPress Admin”
  AuthUserFile /usr/local/apache2/.htpasswd_wp-admin
  require user wp-admin
</Directory>
4. For added security, insert the following lines inside the <Directory> tag above to only allow connections from certain IP addresses:
  Order deny,allow
  Deny from all
  Allow from <static IP address>
5. Restart Apache:
# /etc/init.d/apache2 restart
4. Configure password-protection on the Webalizer directory
1. Connect to the EC2 instance using Putty.
2. Enter the following commands at the Linux prompt:
# mkdir /usr/local/apache2
# htdigest -c /usr/local/apache2/.htpasswd_webalizer “Webalizer Stats” webalizer
(Enter password)
# cp /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled
# nano /etc/apache2/apache2.conf
3. Add the following text to the end of the apache2.conf file:
<Directory /var/www/webalizer/>
  Authtype digest
  AuthName “Webalizer Stats”
  AuthUserFile /usr/local/apache2/.htpasswd_webalizer
  require user webalizer
</Directory>
4. For added security, insert the following lines inside the <Directory> tag above to only allow connections from certain IP addresses:
  Order deny,allow
  Deny from all
  Allow from <static IP address>
5. Restart Apache:
# /etc/init.d/apache2 restart

IV. References

1. Amazon Web Services Technical Documentation
http://aws.amazon.com/documentation

2. Official Ubuntu Documentation
https://help.ubuntu.com

3. RubyOnRails.org
http://rubyonrails.org/download/

4. Python Programming Language — Official Website
http://www.python.org

5. The Django Project
http://www.djangoproject.com/

6. Moving WordPress
http://codex.wordpress.org/Moving_WordPress

7. easyDNS
http://www.easydns.com

8. OWASP ModSecurity Core Rule Set Project
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

The Mobile Cloud Project is my proof-of-concept for developing and hosting a scalable mobile application platform on the Amazon Web Services cloud.

Part 1: Amazon Web Services

• Part 1.1: Basic AWS provides a basic overview of Amazon Web Services and describes my procedure for building Ubuntu Linux virtual servers (Reserved and On-Demand instances) on Amazon EC2.
• Part 1.2 AWS Data explores the use of Amazon S3 and EBS for cloud-based storage and Amazon SimpleDB and RDS for database applications.
• Part 1.3: AWS Fault Tolerance explores the AutoScaling and Elastic Load Balancing features of Amazon Web Services.

Part 2: Back-End Platform

• Part 2.1: Ruby on Rails Platform describes my development of a simplified Ruby on Rails platform for processing a JSON or RSS/XML input data stream and storing the contents in Amazon SimpleDB.
• Part 2.2: Python-Django Platform explores the development of the same simplified platform using Python and the Django web framework.

Part 3: Mobile Apps

• Part 3.1: iPhone Mobile App describes my development of a simple iPhone 3.0 mobile app for retrieving and displaying the JSON or RSS/XML data stream using push notification.
• Part 3.2: Android Mobile App explores the development of the same mobile app for the Android open source platform.
• Part 3.3: BlackBerry Mobile App explores the development of the same mobile app for the BlackBerry platform.
• Part 3.4 Windows Mobile App explores the development of the same mobile app for the Windows Mobile platform.

I. Overview

This project presents a procedure for migrating my email from a local Microsoft Outlook PST/POP3 configuration to a web-based IMAP solution using Mozilla Thunderbird and Enigmail for PGP encryption. Although this is my personal project, it can be extended to companies interested in reducing their IT costs by outsourcing their enterprise email administration and spam / malware protection to a cloud-based provider like Google Gmail.
I hope that you will benefit from this resource in your own projects.

Security

Email security has always been an important concern of mine. Over the past several years, I have stored my email locally in password-protected Outlook PST files, which are then encrypted within a PGPdisk on top of an encrypting file system in a portable USB key. I found this to be a reasonable precaution short of stopping all email use altogether (“Knuth versus Email” – Don Knuth).

Like most web mail providers, Gmail provides security in terms of TLS/SSL, which encrypts network communication between my computer and Gmail’s servers. However, the email messages themselves are not encrypted, so anyone who can crack my password can simply log into gmail.com and view all my mail. To prevent this, I configured Gmail to allow POP3 access so that my local Outlook could retrieve my email, store it in a local password-protected PST file, and delete Gmail’s copy from the server. This approach is far from foolproof, since my computer itself can be hacked by malware, botnets, and GhostNet crackers recently discovered by UofT’s Citizen Lab (“Vast Spy System Loots Computers in 103 Countries” – The New York Times).

Security is also a top concern for businesses and individuals considering cloud-based services such as Amazon EC2 or web-based storage like Microsoft SkyDrive. The network traffic may be encrypted, but the data itself is usually not, or is easily accessible after getting past a single username and password. It is often a good idea to encrypt all private data using PGP before storing it anywhere on the web. PGP adds another layer of security so that a cracker who obtains your username and password will not be able to read your encrypted data without your private key, or other employees’ encrypted data without their private keys, even when they are stored together in a common WebDAV disk. In my case, I am comfortable storing my PGP-encrypted email on Google’s Gmail servers.

Multi-Access Capability

The proliferation of netbooks and wireless devices also complicates access to locally secure email. My three servers (Vista x64, Mac OS X, Ubuntu Linux), laptop (XP), Blackberry, and iPhone cannot all access my local PST file at the same time. Even worse, each device had its own email storage containing unsecure copies of my email. A recent USB-related data corruption event also highlighted the vulnerability of my PST file itself as a single point of failure. Therefore, the Outlook PST/POP3 solution was no longer viable with regard to security and multi-access capability.

Several technologies are ideal replacements for Microsoft Outlook and POP3. Internet Message Access Protocol, or IMAP, allows synchronized access to a web mailbox from multiple devices simultaneously. Mozilla Thunderbird and Lightning are excellent open-source email and calendars clients for Windows, Mac OS X, and Linux. GnuPG is a free implementation of the OpenPGP encryption standard, and Enigmail is an OpenPGP extension for Thunderbird.

II. Consulting

I do my best to explain the concepts and techniques behind my projects. If you like my work and can use my expertise in your projects, I am available for consulting at a competitive rate.

III. Procedure

< Click here to view the detailed procedure for this project >

IV. Future Enhancements

1. PGP Encryption in Social Networks

Social networking sites are increasingly used as alternatives to traditional email, but are notorious for lax or non-existent security measures. If a cracker gets into your Facebook or LinkedIn account, they will have full access to all of your private messages. With PGP encryption, the messages in those Inbox and InMail accounts will appear as gibberish to crackers since only you possess the private key/s to decrypt them.

2. PGP Encryption in the Enterprise

Some firms have corporate policies against the use of email encryption, with the rationale that managers and executives need access to their employees’ email in certain situations. However, this policy also leaves employees’ email vulnerable to malicious administrators or crackers with the ability to intercept these messages. A better approach would be to enforce encryption on all intercompany email, with the employees’ private keys accessible to managers and executives who are authorized to decrypt and read their email under strict corporate guidelines.

3. Gmail in the Enterprise

Due to Google’s high-performance cloud network, Gmail can provide a more robust and reliable email service than many in-house corporate environments. However, Gmail still lacks some features required by enterprise users, such as LDAP authentication, private global address lists, auto-encryption via GPG/PGP keys, DNS redirection, and cloud-based antivirus. Google can consider providing its own LDAP servers or integrate into a firm’s existing LDAP servers in order to securely process email authentication for corporate users. Gmail could also partition corporate email from general-public email to create global address lists that are private to each company. Auto-encryption is a highly desirable feature because it ensures email encryption not only between intercompany users within Gmail, but also between all Gmail users. DNS redirection will enable Gmail to process incoming and outgoing messages transparently as if they were from/to user@mycompany.com instead of user@gmail.com. Finally, Google can consider bundling a cloud-based antivirus solution such as Symantec to provide enhanced virus and malware protection for email attachments at all endpoints of the Gmail cloud network.

V. References

1. PGP – Pretty Good Privacy
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

2. TLS/SSL – Transport Layer Security / Secure Sockets Layer
http://en.wikipedia.org/wiki/Secure_Sockets_Layer

3. POP3 – Post Office Protocol
http://en.wikipedia.org/wiki/Post_Office_Protocol

4. IMAP – Internet Message Access Protocol
http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol

5. Mozilla Thunderbird
http://www.mozillamessaging.com/en-US/thunderbird/

6. Lightning
https://addons.mozilla.org/en-US/thunderbird/addon/2313

7. Provider for Google Calendar
https://addons.mozilla.org/en-US/thunderbird/addon/4631

8. GPG – GNU Privacy Guard
http://www.gnupg.org/

9. Enigmail
http://enigmail.mozdev.org/home/index.php

10. Gmail Help
http://mail.google.com/support/

11. Microsoft SkyDrive
http://en.wikipedia.org/wiki/Windows_Live_SkyDrive

12. Amazon EC2
http://aws.amazon.com/ec2/

13. Microsoft Windows Live SkyDrive
http://skydrive.live.com/

14. Google App Engine
http://code.google.com/appengine/

15. Gmail Labs
http://gmailblog.blogspot.com/2008/06/introducing-gmail-labs.html