DigitalOcean server

Setting up Debian Droplet on Digital Ocean

Consider setting up an actual server to serve your web pages. This is a practical skill that is worth learning if you are interested in creating web content, and it gives you greater control over how the web content is maintained and used. The following is an example of how this can be done using a paid account on DigitalOcean.

Creating a new DigitalOcean account

Here, I will use made-up names. Substitute your own names for the username and DigitalOcean account name.

You can start by creating a new Gmail account with the username of your choice (if available). For example, suppose you create a new Gmail account called my.custom.acct@gmail.com.

You can use this account to create a new account called My Custom Account on DigitalOcean. You will be given a starting project called "first-project". You can change the name of the project by selecting the project, going to Settings and changing the name in the Name box.

Then, create a Droplet by selecting Droplets on the left menu and then clicking on the Create Droplet button.

An affordable but still usable choice is a Droplet that uses Debian 12 x64. This Droplet has 1 GB of RAM and a 25 GB disk.

For the Region, choose the location closest to you. For the image, you can select Debian, version 12 x64. Choose Basic (shared CPU) for the Droplet type.

For the CPU options, you can choose Regular (Disk type: SSD) and the $6/mo plan, which has 1 GB of RAM, 25 GB of hard drive space and can transfer up to 1000 GB per month. This is an affordable server that can be used for most basic web pages.

You can choose Password as your Authentication Method, and enter in your root password. Under Finalize Details, change the hostname to a name that will help you remember what this droplet is about. After you have set these things, you can click on the blue Create Droplet button down at the bottom. You will see the projected monthly cost on the left of this button.

Debian Droplet setup

This assumes that you know how to do basic user management on a Debian-based operating system. So, you should know how to run commands like adduser to create a user and add that user to the sudo group. This also assumes that you can open a terminal on your own machine that can SSH to your new server.

If you click on your Droplet, you can start by opening the Console.

This will start a root console that you can use to create a user that has sudo privileges. Then, open a terminal on your local computer and use SSH to log in to your newly created user account. Run the following commands:

$ sudo apt update
$ sudo apt install ufw
$ sudo ufw allow ssh && sudo ufw allow http && sudo ufw allow https
$ sudo ufw enable
$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

Install Apache

$ sudo apt update
$ sudo apt install apache2 -y
$ sudo systemctl start apache2

Open a browser and go to http://xxx.xxx.xxx.x (substitute the IP address assigned to your Droplet).

You should see the Apache2 Debian Default Page.

Enable Apache to automatically start at system boot.

$ sudo systemctl enable apache2

Verify that Apache is running

$ sudo systemctl status apache2
apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enab>
     Active: active (running) since Sun 2025-03-30 20:24:11 UTC; 4min 19s ago
       Docs: https://httpd.apache.org/docs/2.4/
   Main PID: 3689 (apache2)
      Tasks: 55 (limit: 1108)
     Memory: 8.8M
        CPU: 67ms
     CGroup: /system.slice/apache2.service
             ├─3689 /usr/sbin/apache2 -k start
             ├─3691 /usr/sbin/apache2 -k start
             └─3692 /usr/sbin/apache2 -k start

Use Namecheap to get a domain name

You want to add a domain name so that it is easier to get to your site and so that you can secure the site using SSL. One of the commonly used domain providers is Namecheap.

Create a Namecheap account. This account is free, but you will have to pay for your domain.

Enter the domain name of your choosing in the Search box. After clicking on Search, you will see some choices here. Choose the domain name that suits your needs in terms of the name and the cost. Then, add it to the cart and pay for this.

While connected to your Namecheap account, click on the Account menu and select Domain List on the left panel. Select the domain your_domain_name (substitute your domain name) by clicking on the MANAGE button.

For the NAMESERVERS, select Custom DNS and use the DigitalOcean nameservers:

[Screenshot: add custom DNS nameservers]

Click on the green check mark to save these changes.

Managing the Apache configuration file on the Droplet

SSH to the virtual machine.

$ cd /etc/apache2/sites-available
$ sudo cp 000-default.conf your_domain.conf
$ sudo nano your_domain.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/docs/your_domain
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/docs/your_domain>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Create directory and disable old site

$ sudo mkdir -p /var/www/docs/your_domain
$ sudo a2dissite 000-default.conf

Enable new site:

$ sudo a2ensite your_domain.conf
$ sudo service apache2 reload

Create test file for viewing:

$ cd /var/www/docs/your_domain
$ sudo mkdir test
$ sudo chown your_username:your_username test
$ cd test
$ nano test.html
<!DOCTYPE html>
<html>
   <body>
      This is a test page
   </body>
</html>

Open browser to http://your_ip_address/test/test.html

After this works, edit /etc/apache2/sites-available/your_domain.conf to add these two lines:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        # (1)
        ServerName your_domain
        # (2)
        ServerAlias www.your_domain
        DocumentRoot /var/www/docs/your_domain
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/docs/your_domain>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
  1. Add the domain name you purchased here

  2. The ServerAlias will be used so that www.your_domain works also.

Then, run:

$ sudo service apache2 reload

Add domain to DigitalOcean Project

Click on the Project in the DigitalOcean dashboard. In the left panel select Networking. Select the Domains menu and add the domain to the project. If you don’t do this, the NS record set does not get broadcast. This was probably why the DNS propagation was taking so long to take place.

Add DNS records for the domain

Once the domain has been created, you need to add some DNS records. If you click on your Project you will now see your domain. On the right side, click on the … and select Manage domain:

[Screenshot: manage domain]

Then you can create some A type records. Enter the hostname as an @ and then select the IP address that shows up as a choice in the Will direct to box. Then create the record. You can do this for both your_domain and www.your_domain as is shown. Note that the NS type records will be created automatically for you.

[Screenshot: create NS records]

The domain name can take 24-48 hours to be activated. This is because the DigitalOcean DNS servers will take time to perform the DNS propagation. Make sure that you add a domain to your project.

The next step is to obtain an SSL certificate, but the domain needs to be active first.

Checking DNS propagation

Go to https://www.whatsmydns.net/ and enter your_domain into their search bar to see if DNS propagation has started. You need to have waited long enough for this to start happening. Here is what this looks like once the DNS propagation has completed. This is shown for an actual domain that I created.

[Screenshot: DNS propagation check]

Securing site using SSL

Install Certbot

To obtain an SSL certificate with Let’s Encrypt, you need to install the Certbot software on the server:

$ sudo apt update
$ sudo apt install certbot python3-certbot-apache

Create configuration file for SSL

$ cd /etc/apache2/sites-available
$ sudo nano your_domain-le-ssl.conf
<VirtualHost *:443>
	ServerName your_domain
	ServerAlias www.your_domain
	DocumentRoot /var/www/docs/your_domain
</VirtualHost>

This is all you need, as Certbot will find the configuration files that contain the ServerName and ServerAlias that match the domains you specify when running the script next.

Enable site and mod

$ sudo a2enmod ssl
$ sudo a2ensite your_domain-le-ssl.conf
$ sudo a2ensite your_domain.conf
$ sudo systemctl restart apache2

The first command will enable the ssl module. The second command will enable the your_domain-le-ssl.conf site. This is the one that will use SSL. The third command is to make sure that Apache is listening on port 80. The last command restarts the apache2 server to make sure that the ssl module is loaded and the enabled site is reloaded.

Check ufw status

$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

As can be seen, ports 80 and 443 are open.

Run Certbot interactively

$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): your_email
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your_domain
2: www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for your_domain and www.your_domain
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your_domain/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your_domain/privkey.pem
This certificate expires on 2025-07-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for your_domain to /etc/apache2/sites-enabled/your_domain-le-ssl.conf
Successfully deployed certificate for www.your_domain to /etc/apache2/sites-enabled/your_domain-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://your_domain and https://www.your_domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You can test to see if you can connect in the browser using:

If something goes wrong using Certbot

If you could view your page without https earlier and are no longer able to view the page, you can do the following to try again:

Steps to clean out the certbot attempt:
$ sudo rm -rf /etc/letsencrypt
$ sudo apt --purge remove python3-certbot-apache
$ sudo apt --purge remove certbot
$ sudo rm /etc/apache2/sites-enabled/*

Edit /etc/apache2/sites-available/your_domain.conf to be:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName your_domain
        ServerAlias www.your_domain
        DocumentRoot /var/www/docs/your_domain
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/docs/your_domain>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Edit /etc/apache2/sites-available/your_domain-le-ssl.conf to be:

<VirtualHost *:443>
        ServerName your_domain
        ServerAlias www.your_domain
        DocumentRoot /var/www/docs/your_domain
</VirtualHost>

Then run the following:

$ cd /etc/apache2/sites-available
$ sudo a2ensite your_domain-le-ssl.conf
$ sudo a2ensite your_domain.conf
$ sudo service apache2 restart
$ sudo service apache2 status

Check that the service is active. Then run:

$ sudo apt install certbot python3-certbot-apache
$ sudo certbot --apache

Final Apache configuration files:

your_domain.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName your_domain
	ServerAlias www.your_domain
	DocumentRoot /var/www/docs/your_domain
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/docs/your_domain>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	# (1)
	RewriteEngine on
	# (2)
	RewriteCond %{SERVER_NAME} =your_domain [OR]
	# (3)
	RewriteCond %{SERVER_NAME} =www.your_domain
	# (4)
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

  1. Lines marked 1 through 4 have been added by the certbot process.

your_domain-le-ssl.conf
<VirtualHost *:443>
	ServerName your_domain
	ServerAlias www.your_domain
	DocumentRoot /var/www/docs/your_domain
	# (1)
	Include /etc/letsencrypt/options-ssl-apache.conf
	# (2)
	SSLCertificateFile /etc/letsencrypt/live/your_domain/fullchain.pem
	# (3)
	SSLCertificateKeyFile /etc/letsencrypt/live/your_domain/privkey.pem
</VirtualHost>

  1. Lines marked 1 through 3 have been added by the certbot process.
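
The two final files can be checked mechanically once certbot has run: same names on both ports, a permanent redirect on port 80, certificate lines on port 443, and whether Options Indexes (which makes Apache list any directory that has no index file) is still set. This script is an added example, not part of the original page or of certbot; the function names, the finding messages and the sample files built by demo are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the port 80 / port 443 vhost pair from this page.
# Function names and finding texts are this example's own, not Apache's or certbot's.

# Print every ServerName/ServerAlias value in a vhost file, one per line.
vhost_names() {
  awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
         for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u
}

# Print one finding per line; print nothing when the pair looks right.
audit_site() {
  local http="$1" https="$2" d
  [ "$(vhost_names "$http")" = "$(vhost_names "$https")" ] ||
    echo "ServerName/ServerAlias differ between the two vhosts"
  grep -Eiq '^[[:space:]]*RewriteRule[[:space:]].*https://.*R=(permanent|301)' "$http" ||
    echo "port 80 vhost does not redirect to https"
  for d in SSLCertificateFile SSLCertificateKeyFile; do
    grep -Eiq "^[[:space:]]*${d}[[:space:]]+/" "$https" ||
      echo "port 443 vhost is missing ${d}"
  done
  # "Options Indexes" lists any directory that has no index file.
  grep -Eiq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?[+]?Indexes([[:space:]]|$)' \
    "$http" "$https" && echo "Options Indexes is set (directory listing on)"
  return 0
}

# Constructed sample: a pair before certbot runs, with the alias missing on port 443.
demo() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' '<VirtualHost *:80>' '  ServerName your_domain' \
    '  ServerAlias www.your_domain' '  Options Indexes FollowSymLinks MultiViews' \
    '</VirtualHost>' > "$dir/your_domain.conf"
  printf '%s\n' '<VirtualHost *:443>' '  ServerName your_domain' \
    '</VirtualHost>' > "$dir/your_domain-le-ssl.conf"
  audit_site "$dir/your_domain.conf" "$dir/your_domain-le-ssl.conf"
  rm -rf "$dir"
}
demo
```

On the Droplet, call audit_site with /etc/apache2/sites-available/your_domain.conf and /etc/apache2/sites-available/your_domain-le-ssl.conf; no output means every check passed.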