11 KiB

Raw Permalink Blame History

Deployment Guide: Farm Auth Service on AWS Lightsail

This guide will help you deploy the Farm Auth Service on AWS Lightsail Ubuntu server with the domain auth.livingai.app.

Prerequisites

AWS Lightsail Ubuntu server (at least 1GB RAM recommended)
Domain name auth.livingai.app pointing to your Lightsail server IP
Access to AWS Console (for database if using AWS RDS)
SSH access to your Lightsail server

Step 1: Set Up AWS Lightsail Instance

Create Lightsail Instance
- Go to AWS Lightsail Console
- Click "Create instance"
- Choose:
  - Platform: Linux/Unix
  - Blueprint: Ubuntu 22.04 LTS (or latest)
  - Instance plan: At least $5/month (1GB RAM)
- Name: auth-service-server
- Click "Create instance"
Configure Static IP
- In Lightsail, go to Networking → Static IPs
- Click "Create static IP"
- Attach to your instance
- Note the static IP address - you'll need it for DNS configuration
Configure Firewall (Security Groups)
- Go to Networking → Firewall
- Add rules:
  - HTTP (port 80) - Allow from Anywhere
  - HTTPS (port 443) - Allow from Anywhere
  - SSH (port 22) - Allow from Your IP (for security)
  - Custom TCP 3000 - Allow from localhost only (for Node.js app)

Step 2: Configure DNS

Point Domain to Lightsail IP
- Go to your domain registrar (where you manage livingai.app)
- Add/Update A record:
  - Type: A
  - Name: auth (or @ if using subdomain)
  - Value: Your Lightsail static IP address
  - TTL: 300 (5 minutes)
- Wait for DNS propagation (can take up to 48 hours, usually faster)

Verify DNS

# On your local machine
nslookup auth.livingai.app
# Should return your Lightsail IP

Step 3: Initial Server Setup (SSH into server)

Connect to Server

# Download SSH key from Lightsail or use existing key
ssh -i /path/to/your-key.pem ubuntu@your-lightsail-ip

Update System
```
sudo apt update && sudo apt upgrade -y
```

Install Node.js (v18 or higher)

# Install Node.js using NodeSource repository
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs

# Verify installation
node --version
npm --version

Install Nginx

sudo apt install -y nginx
sudo systemctl start nginx
sudo systemctl enable nginx

Install PM2 (Process Manager)
```
sudo npm install -g pm2
```
Install Git
```
sudo apt install -y git
```

Install Certbot (for SSL)

sudo apt install -y certbot python3-certbot-nginx

Step 4: Deploy Application Code

Clone Repository

# Create application directory
cd /home/ubuntu
mkdir -p apps
cd apps

# Clone your repository (adjust URL as needed)
git clone <your-repository-url> farm-auth-service
# OR if you need to upload manually:
# scp -r /path/to/farm-auth-service ubuntu@your-ip:/home/ubuntu/apps/

Navigate to Project Directory
```
cd farm-auth-service
```
Install Dependencies
```
npm install --production
```

Step 5: Configure Environment Variables

Create .env File
```
cp example.env .env
nano .env
```

Configure .env File (Update these values)

# Database Mode
DATABASE_MODE=aws

# AWS Configuration (for SSM Parameter Store)
AWS_REGION=ap-south-1
AWS_ACCESS_KEY_ID=your_aws_access_key_here
AWS_SECRET_ACCESS_KEY=your_aws_secret_key_here
DB_USE_READONLY=false

# Database connection (auto-detected from SSM if not set)
# DB_HOST=db.livingai.app
# DB_PORT=5432
# DB_NAME=livingai_test_db

# JWT Configuration (IMPORTANT: Generate new secrets for production!)
JWT_ACCESS_SECRET=your_strong_random_secret_here_min_32_chars
JWT_REFRESH_SECRET=your_strong_random_secret_here_min_32_chars
JWT_ACCESS_TTL=15m
JWT_REFRESH_TTL=7d

# Redis Configuration (Optional - for rate limiting)
# REDIS_URL=redis://your-redis-host:6379
# Or if password protected:
# REDIS_URL=redis://:password@your-redis-host:6379

# Application Configuration
NODE_ENV=production
PORT=3000
TRUST_PROXY=true

# CORS Configuration (REQUIRED for production)
CORS_ALLOWED_ORIGINS=https://your-mobile-app-domain.com,https://app.livingai.app
# Add all domains that will access this API

# Twilio Configuration (if using SMS OTP)
# TWILIO_ACCOUNT_SID=your_twilio_account_sid
# TWILIO_AUTH_TOKEN=your_twilio_auth_token
# TWILIO_PHONE_NUMBER=+1234567890

# Admin Dashboard (optional)
# ENABLE_ADMIN_DASHBOARD=false

Generate Strong JWT Secrets (Do this on your local machine)

# Generate random secrets (64 characters each)
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Copy the output to JWT_ACCESS_SECRET and JWT_REFRESH_SECRET

Secure .env File
```
chmod 600 .env
```

Step 6: Configure Nginx Reverse Proxy

Create Nginx Configuration

sudo nano /etc/nginx/sites-available/auth.livingai.app

Add Configuration (Before SSL)

server {
    listen 80;
    server_name auth.livingai.app;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

Enable Site

sudo ln -s /etc/nginx/sites-available/auth.livingai.app /etc/nginx/sites-enabled/
sudo nginx -t  # Test configuration
sudo systemctl reload nginx

Step 7: Set Up SSL Certificate (Let's Encrypt)

Obtain SSL Certificate
```
sudo certbot --nginx -d auth.livingai.app
```
- Follow prompts (enter email, agree to terms)
- Choose redirect HTTP to HTTPS (option 2)
Verify Auto-renewal
```
sudo certbot renew --dry-run
```
Update Nginx Config (Certbot should have done this automatically) Your config should now include SSL and redirect HTTP to HTTPS.

Step 8: Start Application with PM2

Start Application

cd /home/ubuntu/apps/farm-auth-service
pm2 start src/index.js --name "auth-service"

Save PM2 Configuration

pm2 save
pm2 startup
# Copy and run the command it outputs (starts PM2 on boot)

PM2 Useful Commands

pm2 list              # View running processes
pm2 logs auth-service # View logs
pm2 restart auth-service  # Restart service
pm2 stop auth-service     # Stop service
pm2 monit             # Monitor resources

Step 9: Configure Firewall (UFW)

Set Up Firewall Rules

sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
sudo ufw status

Step 10: Test Deployment

Check Application Status

pm2 status
pm2 logs auth-service --lines 50

Test API Endpoint

# From server
curl http://localhost:3000/health

# From your local machine (should work via domain)
curl https://auth.livingai.app/health

Check Nginx Logs

sudo tail -f /var/log/nginx/access.log
sudo tail -f /var/log/nginx/error.log

Step 11: Database Setup (if using AWS RDS)

Ensure Database is Accessible
- Your Lightsail instance should be able to connect to your AWS RDS instance
- Check security groups allow connection from Lightsail IP
- Verify SSM Parameter Store has correct credentials

Test Database Connection

cd /home/ubuntu/apps/farm-auth-service
node -e "require('./src/db').then(() => console.log('DB Connected')).catch(e => console.error(e))"

Step 12: Optional - Set Up Redis (for Rate Limiting)

If you want to use Redis for rate limiting:

Option A: Install Redis on Same Server

sudo apt install -y redis-server
sudo systemctl start redis-server
sudo systemctl enable redis-server

Then update .env:

REDIS_URL=redis://localhost:6379

Option B: Use AWS ElastiCache
- Create ElastiCache Redis cluster
- Update .env with ElastiCache endpoint:
```
REDIS_URL=redis://your-elasticache-endpoint:6379
```

Monitoring and Maintenance

View Logs

pm2 logs auth-service
pm2 logs auth-service --err  # Error logs only
pm2 logs auth-service --out  # Output logs only

Restart Service

pm2 restart auth-service

Update Application

cd /home/ubuntu/apps/farm-auth-service
git pull  # or upload new files
npm install --production
pm2 restart auth-service

Monitor Resources

pm2 monit
htop  # System resources

Troubleshooting

Application Not Starting

Check logs: pm2 logs auth-service
Verify .env file exists and has correct values
Check database connectivity
Verify all dependencies installed: npm list

502 Bad Gateway

Check if app is running: pm2 status
Check app logs: pm2 logs auth-service
Verify port 3000 is listening: netstat -tlnp | grep 3000
Check Nginx error logs: sudo tail -f /var/log/nginx/error.log

SSL Certificate Issues

Verify DNS points to correct IP: nslookup auth.livingai.app
Check certificate: sudo certbot certificates
Renew manually: sudo certbot renew

Database Connection Issues

Verify AWS SSM parameters are correct
Check AWS credentials in .env
Test database connectivity from server
Check security group allows connection

Security Checklist

Strong JWT secrets generated and stored securely
.env file has 600 permissions
Firewall configured (UFW)
SSL certificate installed and auto-renewal working
CORS configured with specific allowed origins (not *)
AWS credentials have minimal required permissions
Regular security updates: sudo apt update && sudo apt upgrade
PM2 logs are monitored
Database credentials stored in SSM (not in .env)

Backup Strategy

Database Backups
- Set up automated RDS snapshots in AWS Console
- Or use pg_dump for manual backups
Application Code
- Code is in Git repository (already backed up)
- Keep .env file backed up securely (encrypted)
Configuration
- Document all configuration changes
- Keep .env template versioned (without secrets)

Next Steps

Set up monitoring/alerting (e.g., CloudWatch, PM2 Plus)
Configure log rotation for PM2
Set up CI/CD pipeline for automated deployments
Configure health checks and auto-restart on failure
Set up database backups schedule

Support

For issues, check:

Application logs: pm2 logs auth-service
Nginx logs: /var/log/nginx/
System logs: journalctl -xe

11 KiB Raw Permalink Blame History