Your own DevOps, or: configuring an Nginx proxy for Apache Tomcat on Ubuntu in 5 minutes, with HTTPS and a firewall

  • Tutorial


I am not an admin, but sometimes there are tasks that are easier (and more interesting) to solve myself than to delegate.

Occasionally we need to bring up a servlet container (most often Apache Tomcat), put a proxy in front of it with SSL termination (put simply, HTTPS), and cover it all with a firewall that leaves only SSH and HTTP/HTTPS open to the outside.

It so happened that over the last week I solved this problem three times (that is how the stars aligned; before that, the last time was two years ago), and that experience turned into this little write-up.

So, we are given an Ubuntu server, 18.04 or 16.04 (most likely you will have no problems with earlier versions such as 14.04 either). If you do not have an Ubuntu server, you can quickly bring one up, for example, on Digital Ocean (referral link). After writing the article I noticed that DO gives new accounts $100 for 60 days to try the service, provided you add a credit card.

DNS


For the simple scheme of obtaining a free HTTPS certificate from Let's Encrypt we will need access to the DNS server. In it we create a record that points a name, say xyz, at the IP address of our Ubuntu server. For definiteness, let's assume you own the domain mydomain.com, so the DNS name of our server will be xyz.mydomain.com.

Installation


Install Apache Tomcat (I will use version 8)

apt install tomcat8

And now Nginx

apt install nginx-core

Configuration


Nginx


In the Nginx configuration, set the server name we registered earlier in DNS (file /etc/nginx/sites-available/default):

server_name xyz.mydomain.com; 

Point Nginx at the installed Apache Tomcat (if you changed nothing, it lives on port 8080). We need to add an upstream block above the server block.

upstream tomcat {
  server 127.0.0.1:8080 fail_timeout=0;
}
server {
...

Change the location block so that all traffic is proxied to Apache Tomcat:

server {
...
        location / {
#               try_files $uri $uri/ =404;
                include proxy_params;
                proxy_pass http://tomcat/;
        }

Check that everything is correct

service nginx configtest

and restart nginx

service nginx restart

Apache Tomcat


In principle this part is optional: if you do not care whether Tomcat sees the real client IP addresses and ports, the scheme the request arrived over (I mean HTTPS) and the requested server name, this step can be skipped. In some cases, however, it is required (for example, for Java Web Start, aka JNLP).

Add the following inside the <Host> block of the /etc/tomcat8/server.xml file:

<Host>
...
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="x-forwarded-for"
             remoteIpProxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto" />
</Host>

Restart tomcat

service tomcat8 restart
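To see the Nginx side and the Tomcat side of the last two sections together, here is an added example (not code from the original post) that assembles the complete sites-available/default the post builds piece by piece and lints it for the usual slips. The listen directive, the lint script and the temp-file run are my assumptions; the rest mirrors the post, and Ubuntu's stock /etc/nginx/proxy_params is what supplies the X-Forwarded-* headers that RemoteIpValve consumes.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the Nginx site file
# the post builds in pieces, then lint it for the slips a first attempt
# usually makes. Assumes Tomcat on 127.0.0.1:8080 and Ubuntu's stock
# /etc/nginx/proxy_params, which sets Host, X-Real-IP, X-Forwarded-For and
# X-Forwarded-Proto: exactly the headers RemoteIpValve reads on the Tomcat
# side. The valve honours them only from proxies matching its internalProxies
# default (loopback and private ranges), which a local Nginx satisfies.

# Print a complete sites-available/default for the given DNS name.
render_site_config() {
    cat <<EOF
upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}
server {
    listen 80 default_server;
    server_name $1;
    location / {
        include proxy_params;
        proxy_pass http://tomcat/;
    }
}
EOF
}

# Return 0 when the file has every directive the proxy setup needs, 1 otherwise.
check_site_config() {
    f="$1"; rc=0
    # "server127.0.0.1" (no space) is an easy typo that nginx -t rejects.
    grep -Eq '^[[:space:]]*server[[:space:]]+127\.0\.0\.1:8080' "$f" \
        || { echo "upstream server line missing or malformed"; rc=1; }
    grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+http://tomcat/;' "$f" \
        || { echo "proxy_pass to the tomcat upstream missing"; rc=1; }
    # Without proxy_params Tomcat never sees X-Forwarded-For / -Proto.
    grep -Eq '^[[:space:]]*include[[:space:]]+proxy_params;' "$f" \
        || { echo "include proxy_params missing"; rc=1; }
    # An uncommented try_files answers 404 before anything is proxied.
    grep -Eq '^[[:space:]]*try_files' "$f" \
        && { echo "try_files still active in location /"; rc=1; }
    return $rc
}

# Stand-alone run: render to a temp file and lint it. On a real server,
# follow up with 'service nginx configtest' before restarting.
tmp=$(mktemp)
render_site_config xyz.mydomain.com > "$tmp"
check_site_config "$tmp" && echo "site config looks right"
rm -f "$tmp"
```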

HTTPS certificate


The certbot tool, or rather its Nginx plugin python-certbot-nginx, will get us an HTTPS certificate with validation over HTTP.

On Ubuntu 18.04, installing certbot is a single command:

apt install python-certbot-nginx

On Ubuntu 16.04 you will have to tinker with adding repositories and so on (see the detailed guide at the link).

Run

certbot --nginx 

Along the way, enter your email, accept the license agreement, decline sharing your data with Let's Encrypt, confirm the DNS name the certificate will be issued for, and let the bot configure Nginx.

Voila :)

Just in case, check that renewing the certificate will go through without problems (the certificate is issued for 90 days and can then be renewed indefinitely for the same period).

certbot renew --dry-run

And to soothe our inner paranoia, check that the cron file is in place.

ls -al /etc/cron.d/certbot

Firewall


Stop here and take a backup (snapshot) of the VM.

ufw allow ssh
ufw allow http
ufw allow https
ufw default allow outgoing
ufw default deny incoming
ufw show added

We pray!
ufw enable
ufw status

Check that it all worked out: the site is reachable over HTTPS, HTTP traffic is redirected, and all ports other than those listed above and SSH are securely closed.

PS I sincerely hope this text will be useful to someone, and I will be glad of constructive criticism.

PPS And maybe the all-knowing ALL can point me to a certbot replacement for Windows? It should obtain the initial certificate (ideally renew it on a schedule too) and, to be really fancy, configure Nginx itself. Yes, I understand one could certainly take the Let's Encrypt + IIS tool and use it in my script, but what if a ready-made "ideal" exists?
