Do-it-yourself DevOps, or: setting up an Nginx proxy for Apache Tomcat on Ubuntu in 5 minutes, with HTTPS and a firewall
- Tutorial
I am not an admin, but sometimes there are tasks that are easier (and more interesting) to solve yourself than to delegate.
Every so often we need to bring up a servlet container (most often Apache Tomcat), put a reverse proxy in front of it with SSL termination (in plain words: HTTPS), and cover it all with a firewall that leaves only SSH and HTTP/HTTPS open to the outside.
It so happened that over the last week I solved this problem three times (that is how the stars aligned; before that, the last time was two years ago), and this experience turned into this little opus.
So, we are given an Ubuntu Server 18.04 or 16.04 (most likely you will have no problems with earlier versions such as 14.04 either). If you do not have an Ubuntu server, you can quickly spin one up, for example on DigitalOcean (my referral link). After writing the article I noticed that DO gives new accounts $100 of credit for 60 days to try it out, if you enter a credit card.
DNS
For the simplest way of obtaining a free HTTPS certificate from Let's Encrypt we need access to the DNS zone of our domain. In it we create a record that points a name, say xyz, at the IP address of our Ubuntu server. For definiteness, let's assume you own the domain mydomain.com, so the DNS name of our server will be xyz.mydomain.com. Let's Encrypt will later verify ownership of that name over plain HTTP, so it has to resolve publicly and port 80 of the server has to be reachable from the Internet before we get to the certificate step.
Installation
Install Apache Tomcat (I will use version 8)
apt install tomcat8
And now Nginx
apt install nginx-core
Configuration
Nginx
Set the server name we registered in DNS earlier in the Nginx configuration (file /etc/nginx/sites-available/default):
server_name xyz.mydomain.com;
Now point Nginx at the installed Apache Tomcat (if you changed nothing, it listens on port 8080). For that we add an upstream block. Note that upstream is an http-level directive: it goes next to the server block (before it, in the same file), not inside it, otherwise Nginx will refuse the configuration.

upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {
    ...
Then change the location block so that all traffic is proxied to Apache Tomcat. The proxy_params file included here ships with Ubuntu's Nginx package and sets the Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto headers, which is exactly what the Tomcat valve in the next section reads:

server {
    ...
    location / {
        # try_files $uri $uri/ =404;
        include proxy_params;
        proxy_pass http://tomcat/;
    }
Check that everything is correct
service nginx configtest
and restart nginx
service nginx restart
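As an added example (this script is mine, not the article's), here is the Nginx step assembled into one file: it writes the complete site configuration with the upstream block outside server{}, spells out the headers that Ubuntu's proxy_params would set so it is visible what the Tomcat valve later consumes, and reloads Nginx only after nginx -t (the same check as service nginx configtest) passes. The script name, the first argument carrying the DNS name, the second optional argument for the Tomcat address and the backup naming are my assumptions; Tomcat on 127.0.0.1:8080 is the article's default.

```shell
#!/bin/bash
# Added example (not from the original article): assemble the complete site
# file from the fragments above, validate it with nginx -t, and reload Nginx
# only if the syntax check passes. Assumptions: Ubuntu's nginx package,
# Tomcat on 127.0.0.1:8080, and the DNS name passed as the first argument.
set -eu

# Print the full /etc/nginx/sites-available/default for NAME, proxying to
# UPSTREAM (default 127.0.0.1:8080). The upstream{} block is an http-level
# directive, so it sits *outside* server{}; nginx -t rejects it inside.
render_nginx_site() {
    name=$1
    upstream=${2:-127.0.0.1:8080}
    cat <<EOF
upstream tomcat {
    server ${upstream} fail_timeout=0;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ${name};

    location / {
        # The same four headers Ubuntu's /etc/nginx/proxy_params sets,
        # spelled out so it is visible what Tomcat's RemoteIpValve reads:
        # X-Forwarded-For (client address) and X-Forwarded-Proto (scheme).
        # \$proxy_add_x_forwarded_for appends \$remote_addr to whatever the
        # client sent, so the rightmost entry is always the real peer.
        proxy_set_header Host              \$http_host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://tomcat/;
    }
}
EOF
}

# Back up the current site file, write the new one, check it, and reload.
# 'systemctl reload nginx' re-reads the config without dropping connections;
# because of set -e a failed 'nginx -t' stops the script before the reload.
install_nginx_site() {
    name=$1
    dest=${2:-/etc/nginx/sites-available/default}
    if [ -f "$dest" ]; then
        cp -a "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    fi
    render_nginx_site "$name" > "$dest"
    nginx -t                      # same check as 'service nginx configtest'
    systemctl reload nginx
}

# Usage: sudo ./nginx-site.sh xyz.mydomain.com
if [ -n "${1:-}" ]; then
    install_nginx_site "$1"
fi
```

Reload rather than restart is the safer default once the site is live: a restart drops in-flight connections, while reload only switches to the new configuration after the master process has parsed it successfully.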
Apache Tomcat
In principle this part is optional: if you do not care that Tomcat sees the real client IP addresses and ports, the scheme the request came in on (I mean https) and the requested host name, you can skip this step. In some cases it is required, however (for example for Java Web Start, aka JNLP), because otherwise the application sees every request as coming from 127.0.0.1 over plain http.
Add the following to /etc/tomcat8/server.xml, inside the <Host> block:

<Host ...>
    ...
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />
</Host>

The valve only honours these headers when the request arrives from an address matching its internalProxies list; the default covers the private RFC 1918 ranges and loopback, so Nginx on 127.0.0.1 is trusted without further settings. If you ever move Nginx to another host, add its address to internalProxies, otherwise the headers are silently ignored.
Restart Tomcat
service tomcat8 restart
HTTPS certificate
An HTTPS certificate, with domain verification over plain HTTP, will be obtained for us by certbot, or rather its Nginx plugin, python-certbot-nginx.
On Ubuntu 18.04, to install certbot'a just run
apt install python-certbot-nginx
On Ubuntu 16.04 you will have to fiddle with adding repositories and so on (see the detailed guide at the link).
Run
certbot --nginx
During the run we enter our email, accept the terms of service, decline sharing our address with the EFF, confirm the DNS name the certificate is to be issued for, and let the bot reconfigure Nginx itself (when asked, choose to redirect HTTP to HTTPS; that is the redirect we check for at the end).
Voila :)
Just in case, we check that renewal of the certificate will go through without problems (the certificate is issued for 90 days and after that can be renewed indefinitely, each time for the same period).
certbot renew --dry-run
And, to soothe our inner paranoia, we check that the cron file is in place. (On 18.04 the package also installs a systemd timer, certbot.timer, which does the actual scheduling; the cron entry skips itself when it sees systemd running, so either one being present is fine.)
ls -al /etc/cron.d/certbot
Firewall
Stop the VM and take a backup (snapshot) first: if the next step locks you out of SSH, this is what you restore from. Note the order below: ssh is allowed before the firewall is enabled.
ufw allow ssh
ufw allow http
ufw allow https
ufw default allow outgoing
ufw default deny incoming
ufw show added
We pray!
ufw enable
ufw status
Finally we check that everything worked: the site is reachable over HTTPS, plain HTTP is redirected to it, and every port other than those listed above (SSH, HTTP and HTTPS) is closed, including Tomcat's 8080. As belt and braces you can also add address="127.0.0.1" to the HTTP Connector in /etc/tomcat8/server.xml so that Tomcat listens on loopback only and never depends on the firewall for that.
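The final checks above, as an added example script (mine, not from the article). The three parsing functions take captured command output so they can be tried on saved text; run_checks runs them live with curl, ufw and ss on the server. The Tomcat loopback check goes one step beyond the article: ufw already blocks 8080 from outside, and binding the HTTP Connector with address="127.0.0.1" is the extra hardening it verifies. The script name, the function names and the sample outputs are my own.

```shell
#!/bin/bash
# Added example (not from the original article): the post-setup checks as a
# script. The parsing functions take captured text, so they can be exercised
# on saved output; run_checks feeds them live output from curl, ufw and ss.
# Assumptions: the name xyz.mydomain.com from the article, Tomcat on port
# 8080, and curl/ufw/ss present on the server.
set -eu

# Given the text of 'ufw status', fail if any ALLOW rule opens a port other
# than 22, 80 or 443. Handles the "(v6)" rows and 'ufw status verbose'
# ("ALLOW IN"); "ALLOW OUT" rules are ignored. A named profile such as
# "Nginx Full" is reported too, so it gets looked at rather than assumed.
ufw_only_expected_ports() {
    extras=$(printf '%s\n' "$1" \
        | awk '/ ALLOW / && !/ALLOW OUT/ { print $1 }' \
        | sed 's|/tcp$||; s|/udp$||' \
        | grep -v -E '^(22|80|443)$' || true)
    if [ -n "$extras" ]; then
        printf 'unexpected ALLOW rules: %s\n' "$extras" >&2
        return 1
    fi
}

# Given response headers from 'curl -sI http://NAME/', check that plain HTTP
# answers with a redirect (301/302/307/308) whose Location is https://NAME/...
http_redirects_to_https() {
    headers=$1
    name=$2
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
    location=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($1) == "location:" { print $2 }')
    case "$status" in
        301|302|307|308) ;;
        *) printf 'expected a redirect, got status %s\n' "$status" >&2; return 1 ;;
    esac
    case "$location" in
        "https://$name/"*) ;;
        *) printf 'Location is "%s", not https://%s/\n' "$location" "$name" >&2; return 1 ;;
    esac
}

# Given 'ss -ltn' output, fail if PORT is bound to anything but loopback.
# ufw already blocks 8080 from outside; binding Tomcat's HTTP Connector with
# address="127.0.0.1" in server.xml is what makes this check pass as well.
port_bound_to_loopback_only() {
    listing=$1
    port=$2
    bad=$(printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)                   # drop ":port"
            sub(/^\[/, "", addr); sub(/]$/, "", addr)  # drop IPv6 brackets
            if (addr !~ /^(127\.|::1$|::ffff:127\.)/) print $4
        }')
    if [ -n "$bad" ]; then
        printf 'port %s listens on a non-loopback address: %s\n' "$port" "$bad" >&2
        return 1
    fi
}

# Live checks against the real server. 'curl -sSf' over HTTPS fails on a
# certificate error or a 4xx/5xx, which covers the "site works over https" test.
run_checks() {
    name=$1
    http_redirects_to_https "$(curl -sI "http://$name/")" "$name"
    curl -sSf -o /dev/null "https://$name/"
    ufw_only_expected_ports "$(sudo ufw status)"
    port_bound_to_loopback_only "$(ss -ltn)" 8080
    echo "all checks passed for $name"
}

# Usage: ./check-setup.sh xyz.mydomain.com   (run on the server itself)
if [ -n "${1:-}" ]; then
    run_checks "$1"
fi
```

Each function prints what it objected to and returns non-zero, so the script can go straight into a post-provisioning step; the live run stops at the first failed check because of set -e.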
PS I sincerely hope this text will be useful to someone, and I will be glad of constructive criticism.
PPS And perhaps the all-knowing ALL can tell me a replacement for certbot on Windows? It should obtain the initial certificate, ideally renew it on a schedule and, the ultimate luxury, configure Nginx itself. Yes, I understand that one can certainly take a Let's Encrypt + IIS tool and use it in a script of my own, but what if there is a ready-made "ideal" one?