To secure our Nautilus infrastructure in Stratos Datacenter we have decided to install and configure firewalld on all app servers. We have Apache and Nginx services running on these apps. Nginx is running as a reverse proxy server for Apache. We might have more robust firewall settings in the future, but for now, we have decided to go with the given requirements listed below:
a. Allow all incoming connections on Nginx port.
b. Allow incoming connections from LB host only on Apache port and block for all others.
c. All rules must be permanent.
d. Zone should be public.
e. If Apache or Nginx services aren't running already, please make sure to start them.
Sample Answer:
## First, check the Apache and Nginx services and the ports they listen on
#login to app server
ssh <user>@<server>
#switch to root user
sudo su
#check the apache service status
systemctl status httpd
#check the nginx service status
systemctl status nginx
# if either service is not running, start it with the commands below; otherwise skip them
systemctl start httpd
systemctl start nginx
# find the port Apache listens on (note it down, it is needed for the firewall rule and the proxy config later)
grep -i '^Listen' /etc/httpd/conf/httpd.conf
output will look like:
Listen 5003
# find the port Nginx listens on (note it down as well)
grep -E '^\s*listen' /etc/nginx/nginx.conf
output will look like this:
listen 8096 default_server;
#now let's install firewalld service
yum install -y firewalld
# enable and start the firewalld service, then check its status with the commands below
systemctl enable firewalld
systemctl start firewalld
systemctl status firewalld
#before making any firewall changes, record the current state with these pre-checks
firewall-cmd --state
firewall-cmd --get-default-zone
firewall-cmd --zone=public --list-all
firewall-cmd --zone=public --list-ports
firewall-cmd --get-active-zones
## Now the firewall configuration
#allow the nginx port to everyone (requirement a; use the nginx port you found in the earlier step)
firewall-cmd --permanent --zone=public --add-port=8096/tcp
#optional: the requirements do not ask for ports 80/443, so add the http/https services only if something actually listens there; every extra open port widens the exposure
firewall-cmd --permanent --zone=public --add-service={http,https}
#allow the apache port from the LB host only (requirement b; use your LB host IP and the apache port you found earlier).
#do NOT also --add-port the apache port: the public zone rejects anything it has no rule for, so leaving the port out of the open list is what blocks all other sources
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<LB-host-IP>" port protocol="tcp" port="5003" accept'
#bind the interface to the public zone only if --get-active-zones shows it in another zone; use the real interface name from `ip link` (public is normally already the default zone for it, so this step is usually not needed)
firewall-cmd --permanent --zone=public --change-interface=<interface>
#reload firewalld so the permanent rules take effect (requirement c)
firewall-cmd --reload
#now do the post-check using these commands
firewall-cmd --zone=public --list-all
firewall-cmd --zone=public --list-ports
firewall-cmd --get-active-zones
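To make the port-discovery and post-check steps above repeatable, here is an added bash example that is not part of the original post: it reads the Listen port out of an httpd.conf or nginx.conf, prints the firewall-cmd commands for requirements a to d so they can be reviewed before being applied, and checks a `firewall-cmd --zone=public --list-all` dump against requirements a and b (nginx port open to all, apache port not open to all, and a rich rule accepting the apache port only from the LB address). The config excerpts, the zone dump and the LB address 192.0.2.10 are constructed samples, not taken from any real server.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: parse Listen ports, print the
# firewall-cmd commands for the task, and verify a --list-all dump against
# the requirements. All input below is constructed; 192.0.2.10 (TEST-NET-1)
# stands in for the LB host address.

# First Listen/listen port in an Apache or Nginx config. Accepts the forms
# "Listen 5003", "Listen 0.0.0.0:5003", "listen 8096 default_server;" and
# "listen [::]:8096;"; commented-out Listen lines are skipped.
listen_port() {
    grep -iE '^[[:space:]]*listen[[:space:]]' "$1" | head -n 1 \
      | sed -E 's/^[[:space:]]*[Ll]isten[[:space:]]+//; s/;.*//; s/[[:space:]].*//; s/.*://'
}

# Print (do not run) the rules for requirements a-d: nginx port open to all,
# apache port accepted only from the LB, permanent, zone public.
# Arguments: nginx port, apache port, LB IPv4 address.
firewall_commands() {
    printf '%s\n' \
      "firewall-cmd --permanent --zone=public --add-port=$1/tcp" \
      "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"$3\" port protocol=\"tcp\" port=\"$2\" accept'" \
      "firewall-cmd --reload"
}

# Read a `firewall-cmd --zone=public --list-all` dump on stdin and check it:
# the nginx port must be in "ports:", the apache port must NOT be there (or
# everyone could reach Apache), and a rich rule must accept the apache port
# from the LB address. Arguments: nginx port, apache port, LB IPv4 address.
# Returns 1 on the first failed check.
check_public_zone() {
    local nginx_port=$1 apache_port=$2 lb_ip=$3 dump ports rich
    dump=$(cat)
    ports=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    rich=$(printf '%s\n' "$dump" | sed -n '/^[[:space:]]*rich rules:/,$p' | tail -n +2)
    case " $ports " in
        *" $nginx_port/tcp "*) ;;
        *) echo "FAIL: nginx port $nginx_port/tcp is not open in zone public"; return 1 ;;
    esac
    case " $ports " in
        *" $apache_port/tcp "*) echo "FAIL: apache port $apache_port/tcp is open to everyone"; return 1 ;;
    esac
    # firewalld prints the rule normalised as: port port="5003" protocol="tcp"
    if ! printf '%s\n' "$rich" | grep -F "source address=\"$lb_ip\"" \
            | grep -F "port=\"$apache_port\"" | grep -Fq 'accept'; then
        echo "FAIL: no rich rule accepting $apache_port/tcp from $lb_ip"
        return 1
    fi
    echo "OK: zone public matches requirements a and b"
}

# Constructed sample configs, written to a temp dir so the functions can be
# exercised without touching a real server (cleaned up on exit).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
HTTPD_SAMPLE="$SAMPLE_DIR/httpd.conf"
NGINX_SAMPLE="$SAMPLE_DIR/nginx.conf"
printf '%s\n' '#Listen 12.34.56.78:80' 'Listen 5003' > "$HTTPD_SAMPLE"
printf '%s\n' 'http {' '    server {' '        listen       8096 default_server;' \
    '        listen       [::]:8096 default_server;' '        server_name  _;' \
    '    }' '}' > "$NGINX_SAMPLE"

# Constructed --list-all dump of a correctly configured app server.
GOOD_DUMP='public (active)
  target: default
  interfaces: eth0
  services: ssh
  ports: 8096/tcp
  rich rules: 
        rule family="ipv4" source address="192.0.2.10" port port="5003" protocol="tcp" accept'

# Same dump, but the apache port was also opened with --add-port (common mistake).
BAD_DUMP='public (active)
  target: default
  interfaces: eth0
  services: ssh
  ports: 8096/tcp 5003/tcp
  rich rules: 
        rule family="ipv4" source address="192.0.2.10" port port="5003" protocol="tcp" accept'

NGINX_PORT=$(listen_port "$NGINX_SAMPLE")    # 8096
APACHE_PORT=$(listen_port "$HTTPD_SAMPLE")   # 5003
firewall_commands "$NGINX_PORT" "$APACHE_PORT" 192.0.2.10
printf '%s\n' "$GOOD_DUMP" | check_public_zone "$NGINX_PORT" "$APACHE_PORT" 192.0.2.10
printf '%s\n' "$BAD_DUMP"  | check_public_zone "$NGINX_PORT" "$APACHE_PORT" 192.0.2.10 || true
```

On a real app server, after `firewall-cmd --reload`, pipe the live output through the check instead of the sample: `firewall-cmd --zone=public --list-all | check_public_zone 8096 5003 <LB-host-IP>`. A FAIL on the second check means the apache port was added with `--add-port`, which undoes requirement b even though the rich rule is present.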
#last step: the Nginx reverse proxy configuration. The default /etc/nginx/nginx.conf already contains a server block inside the http {} context; edit that block
#(use the nginx port, apache port and server IP from your own question). The location block must sit inside the server block, otherwise nginx -t fails
vi /etc/nginx/nginx.conf
server {
    listen <nginx-port>;
    listen [::]:<nginx-port>;
    server_name <App-server-IP>;
    root /usr/share/nginx/html;

    location / {
        proxy_pass http://<app-server-IP>:<apache-port>/;
    }
}
#validate the configuration, then restart nginx and apache (the Apache unit is called httpd, not apache)
nginx -t
systemctl restart nginx
systemctl restart httpd
* You must repeat all of the above steps on every application server.
##final Testing
# From the jump host: the nginx port must answer on every app server, while the apache port must NOT (firewalld rejects the connection, so curl fails; that failure is the expected result and confirms requirement b)
curl -I <app-server-IP-01>:<nginx_port>
curl -I <app-server-IP-02>:<nginx_port>
curl -I <app-server-IP-03>:<nginx_port>
curl -I <app-server-IP-01>:<apache_port>
curl -I <app-server-IP-02>:<apache_port>
curl -I <app-server-IP-03>:<apache_port>
# From the LB host: both the nginx port and the apache port must answer on every app server
curl -I <app-server-IP-01>:<nginx_port>
curl -I <app-server-IP-02>:<nginx_port>
curl -I <app-server-IP-03>:<nginx_port>
curl -I <app-server-IP-01>:<apache_port>
curl -I <app-server-IP-02>:<apache_port>
curl -I <app-server-IP-03>:<apache_port>
*Please comment on this post if you are facing any issues with the steps, and leave your feedback in the comments :)
Note: **The question was copied for learning purposes.** The commands are correct, but the server, user name and other details may differ in your question, so please check them.