Ubuntu 16.04 & Nginx & SSL + Jenkins

• Ubuntu Initial setup
  1. Connect and upgrade
     ssh root@[your_server_ip] apt-get update apt-get full-upgrade

     1 2 3 4

     ssh root@[your_server_ip] apt-get update apt-get full-upgrade

  2. Increase SSL session time
     sudo nano /etc/ssh/sshd_config

     1 2	sudo nano /etc/ssh/sshd_config

     Apply below, if exist, change value, if not exist, add the line.

     TCPKeepAlive no ClientAliveInterval 30 ClientAliveCountMax 100

     1 2 3 4

     TCPKeepAlive no ClientAliveInterval 30 ClientAliveCountMax 100

  3. Create a New User, avoid using root all the time
     adduser [user_name]

     1 2	adduser [user_name]

     Give new user Root privileges

     usermod -aG sudo [user_name]

     1 2	usermod -aG sudo [user_name]

  4. Switch to the new user, install public key
     su - [user_name] mkdir ~/.ssh chmod 700 ~/.ssh

     1 2 3 4

     su - [user_name] mkdir ~/.ssh chmod 700 ~/.ssh

     Copy the public key content you want to use and paste into the remote ssh folder:

     nano ~/.ssh/authorized_keys

     1 2	nano ~/.ssh/authorized_keys

     After copy, restrict the permissions:

     chmod 600 ~/.ssh/authorized_keys exit

     1 2 3

     chmod 600 ~/.ssh/authorized_keys exit

  5. Testing the new user login with ssh key:
     ssh [user_name]@[your_server_ip]

     1 2	ssh [user_name]@[your_server_ip]

     If you can login, then all settings are good.

     If not, check all above steps.

  6. Disable Password Authentication

     sudo nano /etc/ssh/sshd_config

     1 2	sudo nano /etc/ssh/sshd_config

     Find the line that specifies PasswordAuthentication, uncomment it by deleting the preceding #, then change its value to “no”.

     It should look like this after you have made the change:

     PasswordAuthentication no

     1 2	PasswordAuthentication no

     Reload SSH daemon:

     sudo systemctl reload sshd

     1 2	sudo systemctl reload sshd

  7. Open a new terminal, test login
     ssh [user_name]@[your_server_ip]

     1 2	ssh [user_name]@[your_server_ip]

  8. Setup basic firewall
     sudo ufw app list sudo ufw allow OpenSSH sudo ufw enable sudo ufw status

     1 2 3 4 5

     sudo ufw app list sudo ufw allow OpenSSH sudo ufw enable sudo ufw status

• Nginx and Let’s Encrypt
  1. Install Nginx, allow firewall rules
     sudo apt-get install nginx sudo ufw allow 'Nginx FULL' sudo ufw status

     1 2 3 4

     sudo apt-get install nginx sudo ufw allow 'Nginx FULL' sudo ufw status

  2. Check the Nginx install
     Check this URL: http://[server_domain_or_IP]

     1 2 3

     Check this URL: http://[server_domain_or_IP]

  3. Domain DNS change: create an A Record that points your domain to the public IP address of your server.

  4. Install certbot

     $ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot

     1 2 3 4 5

     $ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot

  5. Use certbot Webroot Plugin
     Edit Nginx default file to allow /.well-known for Webroot Plugin
     sudo nano /etc/nginx/sites-available/default

     1 2	sudo nano /etc/nginx/sites-available/default

     Inside the server block, add this location block:

     location ~ /.well-known { allow all; }

     1 2 3 4

     location ~ /.well-known {     allow all; }

     check for syntac errors:

     sudo nginx -t sudo systemctl restart nginx

     1 2 3

     sudo nginx -t sudo systemctl restart nginx

     Use Webroot plugin to request an SSL

     sudo certbot certonly --webroot --webroot-path=[/var/www/html] -d [example.com] -d [ [www.example.com](http://www.example.com) ]

     1 2	sudo certbot certonly --webroot --webroot-path=[/var/www/html] -d [example.com] -d [ [www.example.com](http://www.example.com) ]

  6. Certificate Files
     After obtaining the cert, you will have the following PEM-encoded files:

     cert.pem : Your domain’s certificate

     chain.pem : The Let’s Encrypt chain certificate

     fullchain.pem : cert.pem and chain.pem combined

     privkey.pem : Your certificate’s private key

     Check that the files exist by running this command (substituting in your domain name):

     sudo ls -l /etc/letsencrypt/live/[your_domain_name]

     1 2	sudo ls -l /etc/letsencrypt/live/[your_domain_name]

  7. Generate Strong Diffie-Hellman Group
     sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

     1 2	sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

     This may take a few minutes but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem .

  8. Configure TLS/SSL on Web Server (Nginx)

     • We will create a configuration snippet containing our SSL key and certificate file locations.
       Within this file, we just need to set the ssl_certificate directive to our certificate file and the ssl_certificate_key to the associated key.
       In our case, this will look like this:
       sudo nano /etc/nginx/snippets/ssl-[example.com].conf ssl_certificate /etc/letsencrypt/live/[example.com]/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/[example.com]/privkey.pem;

       1 2 3 4

       sudo nano /etc/nginx/snippets/ssl-[example.com].conf ssl_certificate /etc/letsencrypt/live/[example.com]/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/[example.com]/privkey.pem;

     • We will create a configuration snippet containing strong SSL settings that can be used with any certificates in the future.
       sudo nano /etc/nginx/snippets/ssl-params.conf # Paste below inside # # from https://cipherli.st/ # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; # disable HSTS header for now #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; ssl_dhparam /etc/ssl/certs/dhparam.pem;

       1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

       sudo nano /etc/nginx/snippets/ssl-params.conf # Paste below inside #   # from https://cipherli.st/ # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html   ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; # disable HSTS header for now #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff;   ssl_dhparam /etc/ssl/certs/dhparam.pem;

     • We will adjust the Nginx server blocks to handle SSL requests and use the two snippets above.
       Backup server block
       sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak sudo nano /etc/nginx/sites-available/default

       1 2 3

       sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak sudo nano /etc/nginx/sites-available/default

       Eventally, the server block should looks like:

       server { listen 80 default_server; listen [::]:80 default_server; server_name [example.com] [www.example.com]; return 301 https://$server_name$request_uri; } server { # SSL configuration listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; include snippets/ssl-[example.com].conf; include snippets/ssl-params.conf; server_name [example.com] [www.example.com]; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } location ~ /.well-known { allow all; } }

       1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

       server {     listen 80 default_server;     listen [::]:80 default_server;     server_name [example.com] [www.example.com];     return 301 https://$server_name$request_uri; }   server {     # SSL configuration     listen 443 ssl http2 default_server;     listen [::]:443 ssl http2 default_server;     include snippets/ssl-[example.com].conf;     include snippets/ssl-params.conf;                           server_name [example.com] [www.example.com];     root /var/www/html;         # Add index.php to the list if you are using PHP     index index.html index.htm index.nginx-debian.html;     location / {         # First attempt to serve request as file, then         # as directory, then fall back to displaying a 404.         try_files $uri $uri/ =404;     }               location ~ /.well-known {             allow all;     } }

     This method of configuring Nginx will allow us to keep clean server blocks and put common configuration segments into reusable modules.

  9. check if the nginx setting is right

     sudo nginx -t

     1 2	sudo nginx -t

• check firewall
  sudo ufw status

  1 2	sudo ufw status

• Enabling the Changes in Nginx
  sudo systemctl restart nginx

  1 2	sudo systemctl restart nginx

  use the Qualys SSL Labs Report to see how your server configuration scores:
  https://www.ssllabs.com/ssltest/analyze.html?d=[example.com]

• Setup auto renewal

  sudo crontab -e # Server UTC time 17:10 is Sydney time 3:10 am 10 17 * * * /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"

  1 2 3 4 5

  sudo crontab -e   # Server UTC time 17:10 is Sydney time 3:10 am 10 17 * * * /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"

• Install Jenkins
  wget -q -O - https://pkg.jenkins.io/debian/jenkins-ci.org.key | sudo apt-key add - echo deb http://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list sudo apt-get update sudo apt-get install jenkins

  1 2 3 4 5 6 7

  wget -q -O - https://pkg.jenkins.io/debian/jenkins-ci.org.key | sudo apt-key add -   echo deb http://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list   sudo apt-get update sudo apt-get install jenkins

  Starting Jenkins

  sudo systemctl start jenkins sudo systemctl status jenkins sudo ufw allow 8080 sudo ufw status

  1 2 3 4 5 6

  sudo systemctl start jenkins sudo systemctl status jenkins   sudo ufw allow 8080 sudo ufw status

  Testing

  http:// ip_address_or_domain_name :8080

  Get password

  sudo cat /var/lib/jenkins/secrets/initialAdminPassword

  1 2	sudo cat /var/lib/jenkins/secrets/initialAdminPassword

• Config Nginx
  server { listen 80 default_server; listen [::]:80 default_server; server_name jenkins.jingbojin.com; return 301 https://$server_name$request_uri; } server { # SSL configuration listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; include snippets/ssl-jenkins.jingbojin.com.conf; include snippets/ssl-params.conf; server_name jenkins.jingbojin.com; root /var/www/html; access_log /var/log/nginx/jenkins.access.log; error_log /var/log/nginx/jenkins.error.log; location / { include /etc/nginx/proxy_params; proxy_pass http://localhost:8080; proxy_read_timeout 90s; # Fix potential "It appears that your reverse proxy set up is broken" error. proxy_redirect http://localhost:8080 https://jenkins.jingbojin.com; } location ~ /.well-known { allow all; } }

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

  server { listen 80 default_server; listen [::]:80 default_server; server_name jenkins.jingbojin.com; return 301 https://$server_name$request_uri; }   server { # SSL configuration listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; include snippets/ssl-jenkins.jingbojin.com.conf; include snippets/ssl-params.conf;   server_name jenkins.jingbojin.com; root /var/www/html;   access_log /var/log/nginx/jenkins.access.log; error_log /var/log/nginx/jenkins.error.log;   location / { include /etc/nginx/proxy_params; proxy_pass http://localhost:8080; proxy_read_timeout 90s; # Fix potential "It appears that your reverse proxy set up is broken" error. proxy_redirect http://localhost:8080 https://jenkins.jingbojin.com; }   location ~ /.well-known { allow all; } }

• Config Jenkins
  sudo nano /etc/default/jenkins

  1 2	sudo nano /etc/default/jenkins

  Locate the JENKINS_ARGS line and add —httpListenAddress=127.0.0.1 to the existing arguments:

  JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"

  1 2	JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"

• Restart Jenkins and Nginx
  sudo systemctl restart jenkins sudo systemctl status jenkins sudo systemctl restart nginx sudo systemctl status nginx

  1 2 3 4 5

  sudo systemctl restart jenkins sudo systemctl status jenkins sudo systemctl restart nginx sudo systemctl status nginx

  • In your web browser, enter “http://[your.ssl.domain.name]”, substituting your domain for your.ssl.domain.name. After you press enter, the URL should start with https and the location bar should indicate that the connection is secure.
  • We’ll enter admin in the “User” field and the auto-generated password that Jenkins created and stored when we installed it.
    sudo cat /var/lib/jenkins/secrets/initialAdminPassword

    1 2	sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Reference:

initial-server-setup-with-ubuntu-16-04

how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

ubuntuxenial-nginx

how-to-configure-jenkins-with-ssl-using-an-nginx-reverse-proxy

how-do-you-score-a-with-100-on-all-categories-on-ssl-labs-test-with-lets-encry