How to Host and Secure Laravel Admin Portal on AWS EC2 with Apache

Trushang Suthar


1. Setting Up AWS EC2 Server

Before starting, ensure your EC2 instance is up and running on AWS. You can use a t2.micro instance for small-scale apps. Once you have your EC2 instance, SSH into it and follow the steps below:

  1. Update the system:

     sudo yum update -y  # For Amazon Linux
     sudo apt update -y  # For Ubuntu
    
  2. Install Apache:

     sudo yum install -y httpd  # For Amazon Linux
     sudo apt install -y apache2  # For Ubuntu
    
  3. Start Apache:

     sudo systemctl start httpd  # For Amazon Linux
     sudo systemctl start apache2  # For Ubuntu
    
  4. Enable Apache to start on boot:

     sudo systemctl enable httpd  # For Amazon Linux
     sudo systemctl enable apache2  # For Ubuntu
    

2. Configuring Apache VirtualHost for Laravel

You will now configure Apache to serve your Laravel project using the domain trushang-blog.com and set up a VirtualHost. Follow these steps:

  1. Create a new VirtualHost configuration file for your Laravel app:

     sudo nano /etc/httpd/conf.d/trushang-blog.conf  # For Amazon Linux
     sudo nano /etc/apache2/sites-available/trushang-blog.conf  # For Ubuntu
    
  2. Add the following configuration to the file:

     # This is the Apache configuration file for the Laravel blog application
     # The configuration defines the settings for the 'trushang-blog.com' domain.
    
     <VirtualHost *:80>
         # ServerAdmin: The contact email address for the server administrator
         ServerAdmin webmaster@trushang-blog.com
    
         # ServerName: The domain name or public IP address of the server
         ServerName trushang-blog.com
    
         # DocumentRoot: The root directory where your Laravel application is stored
         DocumentRoot /var/www/html/trushang-blog/public
    
         # Directory settings for security and proper functioning
         <Directory /var/www/html/trushang-blog>
             # AllowOverride All: This allows Laravel's .htaccess file to take control of routing.
             AllowOverride All
    
             # Require all granted: This grants access to all clients.
             Require all granted
         </Directory>
    
         # Logging configuration
         # ErrorLog: Specifies where error logs will be stored
         ErrorLog ${APACHE_LOG_DIR}/error.log
    
         # CustomLog: Specifies where access logs will be stored
         CustomLog ${APACHE_LOG_DIR}/access.log combined
     </VirtualHost>
    
     # Disabling Directory Listing: 
     # This ensures that users cannot see a list of files in the directory, protecting sensitive files.
     <Directory /var/www/html/trushang-blog>
         # Options -Indexes disables directory listing (Apache does not allow a comment after a directive on the same line)
         Options -Indexes
     </Directory>
    
     # Security Headers Configuration
    
     # X-Frame-Options: Prevents your site from being embedded in an iframe (clickjacking protection)
     Header always set X-Frame-Options "SAMEORIGIN"
    
     # X-XSS-Protection: Protects against reflected cross-site scripting (XSS) attacks
     Header always set X-XSS-Protection "1; mode=block"
    
     # X-Content-Type-Options: Ensures that browsers don't try to sniff content types and helps prevent certain attacks
     Header always set X-Content-Type-Options "nosniff"
    
     # Content-Security-Policy: Specifies which content is allowed to load and helps mitigate XSS attacks
     Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
    
     # Strict-Transport-Security: Enforces secure (HTTPS) connections for the specified period
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    
     # Preventing Clickjacking: The X-Frame-Options header will stop your site from being embedded within an iframe.
    

Explanation of the Configuration:

  1. <VirtualHost *:80>: This section defines the basic VirtualHost configuration for the domain trushang-blog.com, which will serve your Laravel app.

  2. ServerName and DocumentRoot: These directives ensure that requests to the domain trushang-blog.com will load the application from the public directory inside your Laravel project.

  3. <Directory>: The AllowOverride All ensures that Apache respects the .htaccess file in Laravel for URL routing. The Require all granted gives global access to all clients.

  4. Logging: The ErrorLog and CustomLog directives define where Apache will store logs for errors and access activity. This is useful for troubleshooting. Note that ${APACHE_LOG_DIR} is defined by Ubuntu's Apache packaging; on Amazon Linux, use an explicit path such as /var/log/httpd/error.log instead.

  5. Security Headers: The added headers protect your application from clickjacking, XSS, content sniffing, and enforce secure HTTPS connections. The Header directive needs mod_headers loaded (sudo a2enmod headers on Ubuntu), and browsers only honour Strict-Transport-Security on responses received over HTTPS, so that header takes effect once the certificate from section 4 is in place. X-XSS-Protection is kept for older browsers; current browsers ignore it.

  6. Disabling Directory Listing: This is crucial for security because it prevents attackers from seeing a list of files in your directories if there’s no index file.


3. Uploading Your Laravel Code Using Git

Now, you need to upload your Laravel code to the EC2 server. Here's how to do that using Git:

  1. Navigate to the appropriate directory:

     cd /var/www/html
    
  2. Clone your repository:

     sudo git clone https://github.com/yourusername/trushang-blog.git
     cd trushang-blog
    
  3. Install Laravel dependencies using Composer: If Composer is not installed on your EC2 instance, install it by running the commands below (getcomposer.org publishes a checksum for the installer script if you want to verify it before running it):

     curl -sS https://getcomposer.org/installer | php
     sudo mv composer.phar /usr/local/bin/composer
    
     Then, run:

     composer install
    
  4. Set proper permissions for Laravel directories. Because the clone ran under sudo, the files are owned by root, so also give ownership of these directories to the web server user (apache on Amazon Linux, www-data on Ubuntu); otherwise the 775 mode alone will not let Apache write to them:

     sudo chmod -R 775 storage
     sudo chmod -R 775 bootstrap/cache
    

4. Securing Your Laravel Application

Here are the security best practices for your Laravel application:

1. Prevent Directory Listing

Disable directory listing in Apache by adding this to your Apache configuration (trushang-blog.conf):

<Directory /var/www/html/trushang-blog>
    Options -Indexes
</Directory>

2. Use SSL/TLS for Secure Communication

To protect your users’ data, SSL is essential. Use Let’s Encrypt to get a free SSL certificate and configure HTTPS. Here’s how:

  1. Install Certbot (if you’re using Ubuntu):

     sudo apt install certbot python3-certbot-apache
    
  2. Obtain the SSL certificate:

     sudo certbot --apache -d trushang-blog.com
    
  3. Force HTTPS in Laravel by setting FORCE_HTTPS=true in your .env file. Laravel does not read this variable on its own; it only takes effect if your application checks it (for example, by forcing the https URL scheme in a service provider when the flag is set):

     FORCE_HTTPS=true
    

3. Add Security Headers

To protect your application from various attacks, add these HTTP headers to your Apache configuration:

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
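As an added example (not from the original post), here is the TLS-era version of trushang-blog.conf that sections 2 and 4.1 to 4.3 together describe, for use after Certbot has issued the certificate. It assumes Certbot's default certificate location under /etc/letsencrypt/live/ and that mod_ssl, mod_rewrite and mod_headers are loaded (on Ubuntu: sudo a2enmod ssl rewrite headers).

```apache
# Port 80 only redirects to HTTPS; nothing is served here, so the portal is never
# reachable over plain HTTP once this is in place.
<VirtualHost *:80>
    ServerName trushang-blog.com
    Redirect permanent / https://trushang-blog.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@trushang-blog.com
    ServerName trushang-blog.com

    # Certificate paths as written by Certbot (assumed location for this example).
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/trushang-blog.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/trushang-blog.com/privkey.pem

    # Scope the access grant to public/ only, the same directory DocumentRoot points at.
    # The project root (.env, storage/, vendor/) needs no grant at all.
    DocumentRoot /var/www/html/trushang-blog/public
    <Directory /var/www/html/trushang-blog/public>
        # Apache comments must sit on their own line, never after a directive.
        # -Indexes disables directory listing; FollowSymLinks must stay enabled for
        # the RewriteRule in Laravel's public/.htaccess to work.
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Headers live inside the HTTPS vhost: browsers ignore HSTS received over plain HTTP.
    <IfModule mod_headers.c>
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        # Same policy as the post. 'unsafe-inline' keeps inline Blade scripts working but
        # largely cancels the XSS benefit; drop it once scripts are served as files.
        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
        # No preload flag until you are ready to commit the whole domain to HTTPS in
        # browser preload lists; X-XSS-Protection is omitted because current browsers ignore it.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>

    # Ubuntu defines ${APACHE_LOG_DIR}; on Amazon Linux use /var/log/httpd instead.
    ErrorLog ${APACHE_LOG_DIR}/trushang-blog-error.log
    CustomLog ${APACHE_LOG_DIR}/trushang-blog-access.log combined
</VirtualHost>
```

Run sudo apachectl configtest (Ubuntu: sudo apache2ctl configtest) before reloading, so a typo in the file does not take the site down.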

4. Secure Cookies and Sessions

To make your app more secure, set SameSite cookie settings and ensure cookies are secure. In your .env file, add:

SESSION_SECURE_COOKIE=true
SESSION_DRIVER=cookie
SESSION_LIFETIME=120

For SameSite cookie settings, configure this in config/session.php:

'same_site' => 'Strict',

5. Final Thoughts

By following these steps, your Laravel admin portal hosted on AWS EC2 will be secure and optimized for performance. This setup covers everything from installing Apache, configuring VirtualHost, uploading your Laravel app, and implementing key security practices such as:

  • Disabling directory listing

  • Using SSL/TLS for encrypted communication

  • Adding security headers

  • Securing cookies and sessions

Regularly updating your server and Laravel application will keep it safe from new security threats. By following these practices, you ensure a robust and secure environment for your Laravel project.



Written by

Trushang Suthar

Code is like a puzzle—sometimes you just need to step back, take a breath, and the solution clicks.