
Answer for KodeKloud Question - Linux Firewalld Setup

 To secure our Nautilus infrastructure in Stratos Datacenter we have decided to install and configure firewalld on all app servers. We have Apache and Nginx services running on these apps. Nginx is running as a reverse proxy server for Apache. We might have more robust firewall settings in the future, but for now, we have decided to go with the given requirements listed below:

a. Allow all incoming connections on Nginx port.

b. Allow incoming connections from LB host only on Apache port and block for all others.

c. All rules must be permanent.

d. Zone should be public.

e. If Apache or Nginx services aren't running already, please make sure to start them.

Sample Answer:

## First, verify the Apache and Nginx services and ports

# Log in to the app server

    ssh <user>@<server>

# Switch to the root user

    sudo su

# Check the Apache service status

    systemctl status httpd

# Check the Nginx service status

    systemctl status nginx

# If the above services are not running, start them with the commands below; otherwise skip this step.

    systemctl start httpd
    systemctl start nginx

# Get the Apache Listen port with the command below (note the port number; we will use it later in the configuration)

    grep Listen /etc/httpd/conf/httpd.conf

The output will look like this:

    Listen 5003

# Get the Nginx listen port with the command below (note the port number; we will use it later in the configuration)

    grep listen /etc/nginx/nginx.conf

The output will look like this:

    listen       8096 default_server;

# Now install the firewalld service

    yum install -y firewalld

# Enable and start the firewalld service, then check its status

    systemctl enable firewalld
    systemctl start firewalld
    systemctl status firewalld

# Before making any firewall changes, run some pre-checks with these commands

    firewall-cmd --state
    firewall-cmd --get-default-zone
    firewall-cmd --zone=public --list-all
    firewall-cmd --zone=public --list-ports
    firewall-cmd --get-active-zones

## Now do the firewall configuration

# Allow the Nginx port (make sure you use your own Nginx port, which you found in the earlier steps)

    firewall-cmd --permanent --zone=public --add-port=8096/tcp

# Allow the http and https services

    firewall-cmd --permanent --zone=public --add-service={http,https}

# Allow the Apache port from the LB host only (make sure you use your own LB host IP and the Apache port you found in the earlier steps)

    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<LB-host-IP>" port port="5003" protocol="tcp" accept'

# Add the interface

    firewall-cmd --permanent --zone=public --change-interface=wan

# Reload the firewalld service for the changes to take effect

    firewall-cmd --reload

# Now run the post-checks with these commands

    firewall-cmd --zone=public --list-all
    firewall-cmd --zone=public --list-ports
    firewall-cmd --get-active-zones
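
The post-check output is worth reading for one specific mistake: the Apache port appearing under `ports:`, which opens it to every source and makes the LB-only rich rule meaningless. The script below is an added example, not part of the original answer; `port_exposure` is a hypothetical helper name, and the sample output and the address 192.0.2.10 (standing in for the LB host) are constructed.

```shell
# Added example, not from the original post. Reads the text printed by
# `firewall-cmd --zone=public --list-all` on stdin and classifies one TCP port:
#   open        listed under "ports:", reachable from any source
#   restricted  accepted only by a rich rule that names a source address
#   closed      neither
# Simplifications: single ports only (no ranges), and services such as
# http/https are not expanded to their port numbers.
port_exposure() {
    awk -v port="$1" '
        $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == (port "/tcp")) is_open = 1 }
        $1 == "rule" && /source address=/ && / accept/ &&
            index($0, "port=\"" port "\"") { limited = 1 }
        END { print (is_open ? "open" : (limited ? "restricted" : "closed")) }
    '
}

# Constructed sample of the expected result (Nginx 8096, Apache 5003).
EXPECTED='public (active)
  interfaces: wan
  services: dhcpv6-client http https ssh
  ports: 8096/tcp
  rich rules:
    rule family="ipv4" source address="192.0.2.10" port port="5003" protocol="tcp" accept'
# Same zone after a stray --add-port=5003/tcp.
TOO_OPEN=$(printf '%s\n' "$EXPECTED" | sed 's|ports: 8096/tcp|ports: 8096/tcp 5003/tcp|')

for p in 8096 5003; do
    printf '%s: %s\n' "$p" "$(printf '%s\n' "$EXPECTED" | port_exposure "$p")"
done
printf '5003 after stray add-port: %s\n' "$(printf '%s\n' "$TOO_OPEN" | port_exposure 5003)"
```

On a server, pipe the real listing in: `firewall-cmd --zone=public --list-all | port_exposure 5003` should print `restricted`.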

# Last step: configure the Nginx reverse proxy as below
# (use the correct port and server IP as per your question)

    vi /etc/nginx/nginx.conf

    server {
      listen          <nginx-port>;
      listen          [::]:<nginx-port>;
      server_name     <App-server-IP>;
      root            /usr/share/nginx/html;

      # the location block must sit inside the server block
      location / {
        proxy_pass http://<app-server-IP>:<apache-port>/;
      }
    }

# Save the configuration and restart the Nginx and Apache services

    systemctl restart nginx
    systemctl restart httpd

* YOU MUST DO ALL THE ABOVE STEPS ON ALL THE APPLICATION SERVERS.

## Final testing

# From the jump host

    curl -I <app-server-IP-01>:<nginx_port>
    curl -I <app-server-IP-02>:<nginx_port>
    curl -I <app-server-IP-03>:<nginx_port>

# From the LB host

    curl -I <app-server-IP-01>:<nginx_port>
    curl -I <app-server-IP-02>:<nginx_port>
    curl -I <app-server-IP-03>:<nginx_port>

    curl -I <app-server-IP-01>:<apache_port>
    curl -I <app-server-IP-02>:<apache_port>
    curl -I <app-server-IP-03>:<apache_port>


* Please comment on this post if you face any issues with the steps, and also provide your feedback in the comments :)

Note: **The question was copied for learning purposes.** The commands are correct, but the server, user name, and other details might differ depending on your question, so please check them.

Answer for KodeKloud Question - Application Security

 We have a backup management application UI hosted on Nautilus's backup server in Stratos DC. That backup management application code is deployed under Apache on the backup server itself, and Nginx is running as a reverse proxy on the same server. Apache and Nginx ports are 8087 and 8091, respectively. We have iptables firewall installed on this server. Make the appropriate changes to fulfill the requirements mentioned below:

We want to open all incoming connections to Nginx's port and block all incoming connections to Apache's port. Also, make sure rules are permanent.

Sample Answer:

# Log in to the backup server

    ssh <user>@<server>

# Switch to the root user

    sudo su

# Review the existing iptables rules before making any changes

    cat /etc/sysconfig/iptables

# Run the commands below in the terminal (you MUST use the correct Nginx and Apache ports from your question)

    iptables -A INPUT -p tcp --dport 8091 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -p tcp --dport 8087 -m conntrack --ctstate NEW -j REJECT

# To save the above entries, run the command below in the terminal

    iptables-save > /etc/sysconfig/iptables

# Verify (you can see your entries inside)

    cat /etc/sysconfig/iptables
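
Seeing the entries in the file does not show that they take effect: iptables evaluates the INPUT chain top to bottom, the first matching rule decides, and `-A` appends at the end, so an ACCEPT added behind an existing catch-all REJECT is never reached. The script below is an added example, not part of the original answer; `first_verdict` is a hypothetical helper name and both rule sets are constructed samples in `iptables -S INPUT` format.

```shell
# Added example, not from the original post. first_verdict PORT reads
# `iptables -S INPUT` text on stdin and prints the target that a NEW TCP
# connection from an arbitrary remote host to PORT would hit first.
# Simplifications: single --dport only; rules limited by -s or -i are skipped.
first_verdict() {
    awk -v port="$1" '
        $1 == "-P" { policy = $3; next }
        $1 != "-A" { next }
        {
            target = ""; hit = 1
            for (i = 3; i < NF; i++) {
                opt = $i; val = $(i + 1)
                if (opt == "-j") target = val
                else if (opt == "-p" && val != "tcp") hit = 0
                else if (opt == "--dport" && val != port) hit = 0
                else if (opt ~ /^--(ct)?state$/ && val !~ /(^|,)NEW(,|$)/) hit = 0
                else if (opt == "-s" || opt == "-i") hit = 0
            }
            if (hit && target != "") { print target; found = 1; exit }
        }
        END { if (!found) print policy }
    '
}

# Constructed rule sets. BASE is modelled on a chain that ends in a catch-all REJECT.
BASE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
PAGE_RULES='-A INPUT -p tcp -m tcp --dport 8091 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8087 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable'
APPENDED=$(printf '%s\n' '-P INPUT ACCEPT' "$BASE" "$PAGE_RULES")   # what -A produces
INSERTED=$(printf '%s\n' '-P INPUT ACCEPT' "$PAGE_RULES" "$BASE")   # same rules placed first

printf 'appended: 8091 -> %s\n' "$(printf '%s\n' "$APPENDED" | first_verdict 8091)"
printf 'inserted: 8091 -> %s\n' "$(printf '%s\n' "$INSERTED" | first_verdict 8091)"
printf 'inserted: 8087 -> %s\n' "$(printf '%s\n' "$INSERTED" | first_verdict 8087)"
```

On the server, run `iptables -S INPUT | first_verdict 8091`; if it prints REJECT, the ACCEPT rule has to sit above the catch-all, which `iptables -I INPUT` (insert at the top) does instead of `-A`.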

Note: **The question was copied for learning purposes.** The commands are correct, but the server, user name, and other details might differ depending on your question, so please check them.

Answer for KodeKloud Question - Setup SSL for Nginx

The system admins team of xFusionCorp Industries needs to deploy a new application on App Server 3 in Stratos Datacenter. They have some pre-requisites to get that server ready for application deployment. Prepare the server as per the requirements shared below:

1. Install and configure nginx on App Server 3.
2. On App Server 3 there is a self signed SSL certificate and key present at location /tmp/nautilus.crt and /tmp/nautilus.key. Move them to some appropriate location and deploy the same in Nginx.
3. Create an index.html file with content Welcome! under Nginx document root.
4. For final testing try to access the App Server 3 link (either hostname or IP) from jump host using curl command. For example curl -Ik https://<app-server-ip>/.

Sample Answer:

# Read the question to find which server Nginx needs to be installed on (in my case it is App Server 3)

# Log in to App Server 3

    ssh <user>@<server IP>

# Switch to the root user

    sudo su

# Install Nginx (epel-release also needs to be installed before nginx)

    yum install -y epel-release
    yum install -y nginx

# Edit the Nginx configuration file

    cd /etc/nginx
    vi nginx.conf

# You need to make changes in 2 sections as below (the IP should be the respective app server IP)

# Under the "Settings for a TLS enabled server" section, uncomment all the lines down to the bottom of the file by removing the leading #, and edit only the entries below.

# Double-check that your nginx.conf file looks like the above screenshots, then save the file

# Now copy the nautilus.crt and nautilus.key files to the correct location

    cp /tmp/nautilus.crt /etc/pki/CA/certs/
    cp /tmp/nautilus.key /etc/pki/CA/private/

# Now create an index.html with the word Welcome! under the Nginx document root (you can find the root location in the above screenshot)

    cd /usr/share/nginx/html
    ls -l

# When you run ls -l you might find that index.html already exists in this location, but you can't edit that file; you will get an error when you try to save it.

    vi index.html

# There are 2 solutions for the above issue

# Option 1: remove the existing file and recreate it with the word Welcome!

    rm -r index.html
    vi index.html

# Option 2: create a new directory, navigate to it, and create index.html inside it with the word Welcome!

    mkdir -p /usr/share/nginx/doc/HTML
    cd /usr/share/nginx/doc/HTML
    vi index.html

# Save the file

    :wq!

# Start the Nginx service

    systemctl start nginx

# Verify from the jump host (you will get a 200 OK response)

    curl -Ik https://<app-server-ip>/
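
A check worth running on the copied certificate and key before Nginx is started: `cp` creates the copy with the source file's mode, so a key that was readable by everyone in /tmp is still readable by everyone in /etc/pki/CA/private/. The script below is an added example, not part of the original answer; `check_tls_pair` is a hypothetical helper name, the demo pair is generated on the spot as a constructed stand-in for nautilus.crt and nautilus.key, and it assumes `openssl` and GNU `stat` are installed.

```shell
# Added example, not from the original post. check_tls_pair CERT KEY prints any
# finding and returns 0 only when the pair is fit to hand to nginx.
check_tls_pair() {
    crt=$1; key=$2; rc=0
    # The private key must carry no group or other permission bits.
    mode=$(stat -c '%a' "$key") || return 2
    case $mode in
        ?00) ;;
        *) echo "key mode $mode: readable beyond the owner"; rc=1 ;;
    esac
    # The certificate's public key must be the one derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not belong together"; rc=1
    fi
    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired or unreadable"; rc=1; }
    return "$rc"
}

# Constructed demo pair in a temporary directory.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.example' \
    -keyout "$DEMO/demo.key" -out "$DEMO/demo.crt" 2>/dev/null
openssl genrsa -out "$DEMO/other.key" 2048 2>/dev/null

chmod 644 "$DEMO/demo.key"; check_tls_pair "$DEMO/demo.crt" "$DEMO/demo.key"
chmod 600 "$DEMO/demo.key"; check_tls_pair "$DEMO/demo.crt" "$DEMO/demo.key" && echo "pair ok"
```

For the files in this task the call is `check_tls_pair /etc/pki/CA/certs/nautilus.crt /etc/pki/CA/private/nautilus.key`; a mode finding is fixed with `chmod 600` on the key.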

* If you face any issues with the steps, please comment under this post.

Note: **The question was copied for learning purposes.** The commands are correct, but the server, user name, and other details might differ depending on your question, so please check them.


Answer for KodeKloud Question - Linux Nginx as Reverse Proxy

Nautilus system admin's team is planning to deploy a front end application for their backup utility on Nautilus Backup Server, so that they can manage the backups of different websites from a graphical user interface. They have shared requirements to set up the same; please accomplish the tasks as per detail given below:

a. Install Apache Server on Nautilus Backup Server and configure it to use 6100 port (do not bind it to 127.0.0.1 only, keep it default i.e let Apache listen on server's IP, hostname, localhost, 127.0.0.1 etc).

b. Install Nginx webserver on Nautilus Backup Server and configure it to use 8094.

c. Configure Nginx as a reverse proxy server for Apache.

d. There is a sample index file /home/index.html on Jump Host, copy that file to Apache's document root.

e. Make sure to start Apache and Nginx services.

f. You can test final changes using curl command, e.g curl http://<backup server IP or Hostname>:8094.


Sample Answer:

## Read the question; we will go through it one step at a time

# Log in to the backup server (use the user and server IP of the backup server)

    ssh <user>@<server>

# Switch to the root user

    sudo su

## First install Apache (httpd) and Nginx (we will do the configuration part later)

# Install Apache

    yum install -y httpd

# Install epel-release (needed for Nginx)

    yum install epel-release

# Install Nginx

    yum install nginx

# Verify the installation using the rpm command

    rpm -aq httpd
    rpm -aq nginx

# Now do the Apache (httpd) configuration part

    cd /etc/httpd/conf
    vi httpd.conf

# Change the Listen port from 80 to 6100 (the port given in part a of the question; check your own question)

    Listen 6100

# Go to the ServerName line, remove the leading #, and change it as below

    ServerName 172.16.238.16:6100

# Now save the config file

# Now make the change in nginx.conf (change the port to the one given in the question)

    vi /etc/nginx/nginx.conf

# Edit as below

    server {
        listen 8094 default_server;
        listen [::]:8094 default_server;
        server_name 172.16.238.16;

        # the location block must sit inside the server block
        location / {
            proxy_pass http://172.16.238.16:6100;
        }
    }

# Save the file

# Now copy index.html from the jump host

    scp /home/index.html clint@172.16.238.16:/tmp/

# Now log back in to the backup server and copy the index.html file from /tmp/ to the Apache document root

    cp /tmp/index.html /var/www/html/

# Start the httpd and nginx services

    systemctl start httpd
    systemctl start nginx

# Verify using curl

    curl http://172.16.238.16:8094
    curl http://172.16.238.16:6100

Note: **The question was copied for learning purposes.** The commands are correct, but the server, user name, and other details might differ depending on your question, so please check them.
