By Seb Rose. Cucumber has been running its own Cyber-Dojo instance for several years. Recently, due to changes to the cucumber website, it became necessary to support the HTTPS protocol. This turned out to be quite simple (once Jon fixed a defect we found in Cyber-Dojo’s nginx config), but I thought it might be useful to pull together the steps in one place.
[Big thanks to Jon Jagger, Mike Long, and Jon Skeet for their help getting us up and running]
Google Cloud VM
We operate our Cyber-Dojo instance in a virtual machine (VM) on Google Cloud (other cloud providers are available). While getting https set up, I created and deleted numerous VMs. Here I will outline the process I followed:
- Go to
console.cloud.google.com
- Navigate to
Compute Engine | VM Instances
- Click
Create Instance
- Refer to Google’s help documentation for general guidance. Specific Cyber-Dojo advice is:
- Click
Create
and that’s the VM created
Install Cyber-Dojo
From the VM Instances page on Google Cloud, find the VM instance that you have just created and click the SSH
link in the Connect
column. This will open a terminal window.
Follow the instructions in this blog post to install Cyber-Dojo.
Part of these instructions require you to log out of the terminal and log back in again. This is important!
To log back in, simply click the SSH
link again. All of the install instructions below need to be carried out in a terminal window.
Once you’ve installed Cyber-Dojo, follow the instructions to start it up and navigate to it using the External IP
address shown in the VM Instance table. Note, you cannot click the IP address link to the left of the SSH
link (in the Connect
column) since that will prefix the IP address with https:// which is not yet installed. You must use the raw IP address. Cyber-Dojo should now be working correctly on http.
Now bring down your Cyber-Dojo server:
Install nginx
Cyber-Dojo is made up of multiple services, each running in its own Docker container. One of the Docker containers uses nginx to process incoming requests. We could try to get this container to handle HTTPS requests, but that would require us to modify the Docker image. Mike Long suggested a simpler technique.
Mike’s suggestion was to install nginx directly on the VM. This instance of nginx will handle all incoming http and https requests, forwarding them over http to the Cyber-Dojo nginx container. This allows us to support https without making any modifications to any Docker image that ships with Cyber-Dojo.
On Ubuntu 18.04 follow the install instructions on the nginx website.
Now, if you navigate to the External IP
address shown in the VM Instance table you should be presented with an nginx holding page, where before you would have seen Cyber-Dojo.
Install an SSL certificate
I used Certbot from the EFF to create and install an SSL certificate. The process is simple and well documented on their website. Follow the instructions to install Cerbot, but DO NOT RUN Certbot YET.
When you run Certbot, it will attempt to verify that the website is accessible via the domain name that certificate references. For this verification to be successful, you will need to ensure that your website URL points to the External IP
address shown in the VM Instance table. How you do this depends on who provides your DNS services.
For our instance of Cyber-Dojo, we have a DNS A record for a sub-domain of cucumber.io
(so the full domain name looked like, xxxxx.cucumber.io
) which resolves to the External IP
address shown in the VM Instance table.
Once you have setup your DNS, you can run Certbot from the terminal:
You will be asked for several pieces of information during the process:
- You need to provide the full domain name (not URL) for your website, eg ours looked like
xxxxx.cucumber.io
- Select the option to redirect all http requests to https
The whole process should take no longer than a minute and should complete without errors!
The certificate only lasts for 90 days, so you’ll probably want to set it to auto-renew. I created a cron job to do this every 2 months:
- $ sudo crontab -e
- Add the following text to the cron file:
* * * */2 * certbot renew
- Save the cron file
Configure nginx
To configure nginx, you’ll need to edit /etc/nginx/sites-available/default
The editors available by default are quite limited. I used nano
.
The configuration file (/etc/nginx/sites-available/default
) has already been modified by Certbot - and you’ll see comments to that effect throughout it. The change you need to make is to use a location block inside the server block listening on port 443.
So, look for text that reads:
listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot
Slightly above these two lines is a short location / { … }
block. Replace this location block with the following code:
location / { proxy_pass http://127.0.0.1:8000; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_max_temp_file_size 0; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; }
Check it:
If it reports ok, restart the nginx server
The final step
The most important statement in the location
block is:
proxy_pass http://127.0.0.1:8000;
This forwards all requests to port 8000, so Cyber-Dojo needs to be listening to requests on port 8000. This is very easy to do. Restart Cyber-Dojo using the following command:
Navigate to the URL that you specified in the DNS (e.g. xxxxx.cucumber.io
) and you should now be able to use Cyber-Dojo over https :-)
Notes
-
I chose Ubuntu 18.04 because Cyber-Dojo has been tested on that platform. Other OS images may well work just as well. ↩
-
We use an SSD disk for speed - but this will cost you more than a standard persistent disk. ↩
-
100GB is possibly overkill - you may well be able to operate successfully with a much smaller drive. ↩
No comments:
Post a Comment