
I am not an admin, but sometimes there are tasks that are easier (and more interesting) to solve yourself than to delegate.
Occasionally we need to "bring up" a servlet container (most often Apache Tomcat), configure proxying and SSL termination for it (or, more simply, https), and cover it all with a firewall (leaving only ssh and http/https open).
It so happened that over the last week I solved this problem three times (that's how the stars aligned; before that, the last time was two years ago), and this experience turned into this little opus.
So, given: an Ubuntu server, 18.04 or 16.04 (most likely there will be no problems with earlier versions such as 14.04 either). If you do not have an Ubuntu server, you can quickly "bring one up", for example, at
Digital Ocean (my referral link). After writing the article I noticed that DO gives new accounts $100 for 60 days to try it out if you specify a credit card.
DNS
For the simple scheme of obtaining a free https certificate from Let's Encrypt, we will need access to the DNS server. In it we register the IP address of our Ubuntu server under a name, say, xyz. For definiteness, suppose you have the domain mydomain.com, i.e. the DNS name of our server will be xyz.mydomain.com.
Installation
Install Apache Tomcat (I will use version 8)
apt install tomcat8
And now Nginx
apt install nginx-core
Customization
Nginx
Configure Nginx with the server name registered earlier in DNS (file /etc/nginx/sites-available/default):
server_name xyz.mydomain.com;
Register the link to the installed Apache Tomcat (if you didn't change anything, it "lives" on port 8080). We need to add an upstream block in front of the server block:
upstream tomcat {
    server 127.0.0.1:8080 fail_timeout=0;
}
server {
    ...
Change the location block and send all traffic to Apache Tomcat, passing along the Host and X-Forwarded-* headers that the Tomcat valve in the next section reads:
server {
    ...
    location / {
        proxy_pass http://tomcat;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Check that the configuration is correct
service nginx configtest
and restart nginx
service nginx restart
Apache Tomcat
In principle, this part is optional: if you don't care whether the real IP addresses, ports, request scheme (I mean https) and requested server name "reach" Tomcat, this step can be skipped. However, in some cases it is required (for example, for Java Web Start, aka JNLP).
Add the following to the <Host /> block of the /etc/tomcat8/server.xml file:
<Host>
    ...
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />
</Host>
Restart tomcat
service tomcat8 restart
HTTPS certificate
The certbot client, or rather its nginx plugin, python-certbot-nginx, will get us an HTTPS certificate with verification over http.
On Ubuntu 18.04 it is enough to install
apt install python-certbot-nginx
For Ubuntu 16.04 you will have to tinker with adding repositories, etc. (see the
detailed guide at the link).
Run
certbot --nginx
In the process we specify our email, accept the license agreement, decline to share our data with Let's Encrypt, confirm the DNS name for which the certificate will be issued, and agree to let the bot reconfigure nginx itself.
Voila :)
Just in case, we check that renewal of the certificate will go through without problems (the certificate is issued for 90 days and after that can be renewed indefinitely for the same period).
certbot renew --dry-run
And to satisfy our inner paranoia, we check that the cron file is in place.
ls -al /etc/cron.d/certbot
Firewall
Stop the VM and take a backup (snapshot) of it.
ufw allow ssh
ufw allow http
ufw allow https
ufw default allow outgoing
ufw default deny incoming
ufw show added
We pray!
ufw enable
ufw status
Check that everything worked: the site is reachable over https, http traffic is redirected, and all ports except those listed above (plus ssh) are securely closed.
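The final check above is easy to do by eye once, but a small script makes it repeatable after every change. The one below is an added example, not part of the original post: it assumes the article's ufw allow-list (ssh, http, https) and the DNS name xyz.mydomain.com, and it reads the output of `ss -ltn` and `curl -sI` to report which listening ports are bound to a non-loopback address without being on the allow-list (Tomcat's 8080, which only the firewall keeps from the outside) and whether plain http is redirected to https. The `ss` output and HTTP headers embedded in it are constructed samples for an offline self-check; run it with `--live` on the server for a real check.

```shell
#!/bin/sh
# Post-deployment check for the nginx + Tomcat + ufw setup described above.
# Added example, not part of the original post. Assumes the article's allow-list
# (ssh, http, https) and the DNS name xyz.mydomain.com; the sample `ss` output
# and HTTP headers below are constructed for offline self-checks.

ALLOWED_PORTS="22 80 443"

# Read `ss -ltn` output on stdin and print the ports of sockets bound to a
# non-loopback address, i.e. ports that only the firewall keeps from the outside.
exposed_ports() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]") print port
    }' | sort -n | uniq
}

# Read a port list on stdin and print the ones not in ALLOWED_PORTS.
unexpected_ports() {
    while read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Read response headers (as from `curl -sI http://host/`) on stdin; succeed only
# if the reply is a 301/302 whose Location points at an https:// URL.
redirect_to_https() {
    awk '
        { sub(/\r$/, "") }
        NR == 1 && ($2 == "301" || $2 == "302") { status_ok = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { loc_ok = 1 }
        END { if (status_ok && loc_ok) exit 0; exit 1 }
    '
}

# Constructed sample data: Tomcat listening on all interfaces on 8080,
# a loopback-only mail daemon on 25, and the nginx redirect reply certbot sets up.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      100    [::1]:25           [::]:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      100    *:8080             *:*'

SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Location: https://xyz.mydomain.com/
Connection: keep-alive'

SAMPLE_NO_REDIRECT='HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Content-Type: text/html'

if [ "${1:-}" = "--live" ]; then
    # Real run on the server: ./check.sh --live [hostname]
    host="${2:-xyz.mydomain.com}"
    echo "Ports bound to non-loopback addresses that ufw must block:"
    ss -ltn | exposed_ports | unexpected_ports
    if curl -sI "http://$host/" | redirect_to_https; then
        echo "http -> https redirect: OK"
    else
        echo "http -> https redirect: NOT configured"
    fi
else
    echo "Self-check on constructed samples:"
    printf 'unexpected exposed port(s): %s\n' \
        "$(printf '%s\n' "$SAMPLE_SS" | exposed_ports | unexpected_ports)"
    printf '%s\n' "$SAMPLE_REDIRECT" | redirect_to_https && echo "redirect sample: OK"
fi
```

A port reported by the script is not necessarily reachable (ufw blocks it), but it is one `ufw disable` away from being reachable; for Tomcat the cleaner fix is to bind its connector to 127.0.0.1 so that only nginx can talk to it, regardless of the firewall state.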
P.S. I sincerely hope this text will be useful to someone, and I will be glad of constructive criticism.
P.P.S. And perhaps the all-knowing ALL can suggest a replacement for certbot on Windows? It should obtain the initial certificate (ideally renew it on a schedule too) and, the height of luxury, configure nginx by itself. Yes, I understand that one could take a Let's Encrypt + IIS tool and use it in my scheme, but what if a ready-made "ideal" already exists?