This is the 12th article in the DevOps series. It is a tutorial on installing Nginx with SSL. Nginx is a high performance Web server and can be used as a load balancer.
Nginx is a Web server written in C by Igor Sysoev. It can be used as a load balancer, reverse proxy and HTTP cache server. Nginx was designed to handle over 10,000 client connections and has support for TLS (transport layer security) and SSL (secure sockets layer). It requires a very low memory footprint and is IPv6-compatible. Nginx can also be used as a mail server proxy. It was first released in 2004 under a BSD-like licence.
The OpenSSL project provides a free and open source software security library that implements the SSL and TLS protocols. This library is used by applications to secure communication between machines in a computer network. The library is written in C and Assembly, and uses a dual-licence — Apache License 1.0 and a four-clause BSD licence. The library implements support for a number of ciphers and cryptographic functions. It was first released in 1998 and is widely used in Internet Web servers.
An Ubuntu 16.04.1 LTS guest virtual machine (VM) instance using KVM/QEMU is chosen to install Nginx.
$ cat /etc/lsb-releaseDISTRIB_ID=UbuntuDISTRIB_RELEASE=16.04DISTRIB_CODENAME=xenialDISTRIB_DESCRIPTION=”Ubuntu 16.04.1 LTS” |
The default installation on the guest VM does not come with Python2, and hence you need to install this on the guest machine, manually, as shown below:
$ sudo apt-get update$ sudo apt-get install python-minimal |
The host system is a Parabola GNU/Linux-libre x86_64 system, and Ansible is installed on the host system using the distribution package manager. The version of Ansible used is 2.4.2.0 as indicated below:
$ ansible --versionansible 2.4.2.0config file = /etc/ansible/ansible.cfgconfigured module search path = [u’/home/shakthi/.ansible/plugins/modules’, u’/usr/share/ansible/plugins/modules’]ansible python module location = /usr/lib/python2.7/site-packages/ansibleexecutable location = /bin/ansiblepython version = 2.7.14 (default, Sep 20 2017, 01:25:59) [GCC 7.2.0] |
You should add an entry to the /etc/hosts file for the guest Ubuntu VM, as follows:
192.168.122.244 ubuntu |
On the host system, let’s create a project directory structure to store the Ansible playbooks, inventory and configuration files, as follows:
ansible/inventory/kvm//playbooks/configuration//playbooks/admin//files/ |
An ‘inventory’ file is created inside the inventory/kvm folder that contains the following:
ubuntu ansible_host=192.168.122.244 ansible_connection=ssh ansible_user=ubuntu ansible_password=password |
You should now be able to issue commands to the guest OS, using Ansible. For example:
$ ansible -i inventory/kvm/inventory ubuntu -m pingubuntu | SUCCESS => {“changed”: false,“ping”: “pong”} |
Installing Nginx
The Nginx software package in Ubuntu can be installed on the guest machine. The APT package repository is first updated before installing the Nginx Web server. The Uncomplicated Firewall (UFW) is then used to enable both HTTP and HTTPS access on the guest OS. The Web server is then started, and the playbook waits for the server to listen on port 80. The Ansible playbook is provided below for reference:
---- name: Install nginxhosts: ubuntubecome: yesbecome_method: sudogather_facts: truetags: [nginx]tasks:- name: Update the software package repositoryapt:update_cache: yes- name: Install nginxpackage:name: “{{ item }}”state: latestwith_items:- nginx- name: Allow Nginx Fullufw:rule: allowname: Nginx Fullstate: enabled- name: Allow Nginx Fullufw:rule: allowname: OpenSSHstate: enabled- name: Start nginxservice:name: nginxstate: started- wait_for:port: 80 |
The above playbook can be invoked as follows:
$ ansible-playbook -i inventory/kvm/inventory playbooks/configuration/nginx-ssl.yml --tags nginx -K |
The -K option prompts for the sudo password of the Ubuntu user. You can append multiple -v to the end of the playbook invocation to get a more verbose output.
If you open a browser on the host system with the URL http://192.168.122.244, you should see the default Nginx home page as shown in Figure 1.
Generating SSL certificates
The required SSL certificates need to be created using Ansible. The OpenSSL and Python-openssl packages are installed after updating the APT software repository in Ubuntu. An OpenSSL private key is generated in the /etc/ssl/private/ansible.com.pem file. The /etc/ssl/csr directory is created before generating the OpenSSL certificate signing request (CSR) with the required certificate parameters in the /etc/ssl/csr/www.ansible.com.csr file. The actual self-signed certificate is then generated as shown in the following playbook:
- name: Create SSL certificateshosts: ubuntubecome: yesbecome_method: sudogather_facts: truetags: [ssl]tasks:- name: Update the software package repositoryapt:update_cache: yes- name: Install opensslpackage:name: “{{ item }}”state: latestwith_items:- openssl- python-openssl- name: Generate an OpenSSL private keyopenssl_privatekey:path: /etc/ssl/private/ansible.com.pem- name: Create directoryfile:path: /etc/ssl/csrstate: directorymode: 0755- name: Generate an OpenSSL Certificate Signing Requestopenssl_csr:path: /etc/ssl/csr/www.ansible.com.csrprivatekey_path: /etc/ssl/private/ansible.com.pemcountry_name: INorganization_name: Ansibleemail_address: author@shakthimaan.comcommon_name: www.ansible.com- name: Generate a self signed certificateopenssl_certificate:path: /etc/ssl/certs/nginx-selfsigned.crtprivatekey_path: /etc/ssl/private/ansible.com.pemcsr_path: /etc/ssl/csr/www.ansible.com.csrprovider: selfsigned |
The above playbook can be run as follows:
$ ansible-playbook -i inventory/kvm/inventory playbooks/configuration/nginx-ssl.yml --tags ssl -K |
Configuring Nginx for SSL
The final step is to configure Nginx to use SSL. A self-signed.conf file is created in the /etc/nginx/snippets folder that contains the following:
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;ssl_certificate_key /etc/ssl/private/ansible.com.pem; |
The SSL parameter configurations are stored in the /etc/nginx/snippets/ssl-params.conf file as shown below:
# from https://cipherli.st/# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.htmlssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;ssl_ciphers “EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH”;ssl_ecdh_curve secp384r1;ssl_session_cache shared:SSL:10m;ssl_session_tickets off;ssl_stapling on;ssl_stapling_verify on;resolver 8.8.8.8 8.8.4.4 valid=300s;resolver_timeout 5s;# Disable preloading HSTS for now. You can use the commented out header line that includes# the “preload” directive if you understand the implications.#add_header Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”;add_header Strict-Transport-Security “max-age=63072000; includeSubdomains”;add_header X-Frame-Options DENY;add_header X-Content-Type-Options nosniff; |
The Nginx Web server configuration for this host (google.com, for example) is then created in the /etc/nginx/sites-enabled folder with the following contents:
server {listen 80;root /var/www/html;index index.nginx-debian.html;server_name google.com www.google.com;}server {listen 443 ssl http2 default_server;include snippets/self-signed.conf;include snippets/ssl-params.conf;} |
The Ansible playbook for configuring Nginx with SSL is as follows:
- name: Setup nginx with SSLhosts: ubuntubecome: yesbecome_method: sudogather_facts: truetags: [https]tasks:- copy:src: ../../files/self-signed.confdest: /etc/nginx/snippets/self-signed.confowner: rootgroup: rootmode: 0644- copy:src: ../../files/ssl-params.confdest: /etc/nginx/snippets/ssl-params.confowner: rootgroup: rootmode: 0644- copy:src: ../../files/google.comdest: /etc/nginx/sites-enabled/google.comowner: rootgroup: rootmode: 0644- name: Restart nginxservice:name: nginxstate: restarted- wait_for:port: 443 |
The above playbook can be executed as follows:
$ ansible-playbook -i inventory/kvm/inventory playbooks/configuration/nginx-ssl.yml --tags https -K |
You can now open https://192.168.122.244 in a browser on the host system, and view the self-signed certificate as shown in Figure 2.
After accepting the certificate, you will be able to see the default Nginx home page as shown in Figure 3.
You can also use the curl command to view the home page from the command line, as follows:
$ curl https://192.168.122.244 -k<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style>body {width: 35em;margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif;}</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p><p>For online documentation and support please refer to<a href=”http://nginx.org/”>nginx.org</a>.<br/>Commercial support is available at<a href=”http://nginx.com/”>nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html> |
Validation
You can run a number of validation checks on the SSL certificate, periodically, to ascertain that it still holds good and meets your requirements. A few examples of sanity checks that you can perform on the certificate are shown below for reference:
- name: Validate SSL certificatehosts: ubuntubecome: yesbecome_method: sudogather_facts: truetags: [validate]tasks:- name: Certificate matches with the private keyopenssl_certificate:path: /etc/ssl/certs/nginx-selfsigned.crtprivatekey_path: /etc/ssl/private/ansible.com.pemprovider: assertonly- name: Certificate can be used for digital signaturesopenssl_certificate:path: /etc/ssl/certs/nginx-selfsigned.crtprovider: assertonlykey_usage:- digitalSignaturekey_usage_strict: true- name: Certificate uses a recent signature algorithm (no SHA1, MD5 or DSA)openssl_certificate:path: /etc/ssl/certs/nginx-selfsigned.crtprovider: assertonlysignature_algorithms:- sha224WithRSAEncryption- sha256WithRSAEncryption- sha384WithRSAEncryption- sha512WithRSAEncryption- sha224WithECDSAEncryption- sha256WithECDSAEncryption- sha384WithECDSAEncryption- sha512WithECDSAEncryption- name: Certificate matches the domainopenssl_certificate:path: /etc/ssl/certs/nginx-selfsigned.crtprovider: assertonlysubject_alt_name:- DNS:www.ansible.com- name: Certificate is valid for another month (30 days) from nowopenssl_certificate:path: /etc/ssl/certs/nginx-selfsigned.crtprovider: assertonlyvalid_in: 2592000 |
You can invoke the above validation checks in the playbook using the following command:
$ ansible-playbook -i inventory/kvm/inventory playbooks/configuration/nginx-ssl.yml --tags validate -K |
Uninstalling
An uninstall playbook is provided in the playbooks/admin/uninstall-nginx.yml file to stop the Nginx Web server, disable access to the port in the firewall, and to remove the software from the guest VM:
---- name: Uninstall Nginxhosts: ubuntubecome: yesbecome_method: sudogather_facts: truetags: [server]tasks:- name: Stop the web serverservice:name: nginxstate: stopped- name: Disable Nginx Fullufw:rule: denyname: Nginx Fullstate: enabled- name: Uninstall apache2package:name: “{{ item }}”state: absentwith_items:- nginx |
The above playbook can be run as follows:
$ ansible-playbook -i inventory/kvm/inventory playbooks/admin/uninstall-nginx.yml -K |
You can verify the firewall status using the ufw command, as shown below:
$ sudo ufw statusStatus: activeTo Action From-- ------ ----Nginx Full DENY AnywhereOpenSSH ALLOW AnywhereNginx Full (v6) DENY Anywhere (v6)OpenSSH (v6) ALLOW Anywhere (v6) |
Please refer to the Nginx documentation website (https://nginx.org/en/docs/) for more information.
