Let's Encrypt – HTTPS is the better way

Let's Encrypt is a free SSL certificate authority (CA). It issues renewable certificates at no charge, so you can serve your resources to the internet over a secure connection (https://letsencrypt.org/). Here I am going to explain how to secure a web app (in my case Jenkins running on port 8080) using Let's Encrypt and NginX.

First, your app has to be running in a cloud environment such as Azure or AWS. Make sure you have a domain name for your VM instance (e.g. blog.southeastasia.cloudapp.azure.com). You need a proper domain name configured for your cloud instance; otherwise Let's Encrypt rejects your certificate request.

Things to pre-configure in your cloud before you begin

  1. Open both ports 80 and 443 to the public
  2. Make sure you have a domain name for your resource

In my case, I have Jenkins up and running in a Docker container with internal port 8080 and external port 8081, and I have attached the Jenkins container to an external network called ‘nginx-network’.

version: '3.7'

services:

  jenkins:
    image: jenkins/jenkins:latest
    container_name: jenkins
    user: root
    environment:
     - JENKINS_ARGS="--prefix=/jenkins"
    volumes:
     - ./jenkins_home:/var/jenkins_home
     - /var/run/docker.sock:/var/run/docker.sock
     - /usr/bin/docker:/usr/bin/docker
     - /usr/local/bin/docker-compose:/usr/local/bin/docker-compose
    ports:
     - 8081:8080
     - 50000:50000
    networks:
     - nginx-network

networks:
  nginx-network:
    external: true

Configuring NginX with Let's Encrypt + Certbot

Download the Let's Encrypt automation script from here:

https://raw.githubusercontent.com/wmnnd/nginx-certbot/master/init-letsencrypt.sh

Replace the domain name in the script with yours.

Put ‘init-letsencrypt.sh’ in the same folder as your ‘docker-compose.yml’. The docker-compose file that spins up NginX and obtains certificates from Let's Encrypt using Certbot is as follows.

version: '3.7'

services:

  nginx:
    image: nginx:1.17.6-alpine
    container_name: nginx
    volumes:
     - ./nginx_data:/etc/nginx/conf.d
     - ./certbot_data/conf:/etc/letsencrypt
     - ./certbot_data/www:/var/www/certbot
    ports:
     - 80:80
     - 443:443
    networks:
     - nginx-network

  certbot:
    image: certbot/certbot
    volumes:
     - ./certbot_data/conf:/etc/letsencrypt
     - ./certbot_data/www:/var/www/certbot
    networks:
     - nginx-network

networks:
  nginx-network:
    external: true

Create all the (empty) directories referenced above and put your ‘app.conf’ file inside the ‘nginx_data’ directory.

upstream jk {
    server jenkins:8080;
    keepalive 256;
}

server {

        listen 80 default_server;
        listen [::]:80 default_server;

        server_name xxx.southeastasia.cloudapp.azure.com;

        location /.well-known/acme-challenge/{
                root /var/www/certbot;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}

server {
        listen 443 ssl;
        server_name xxx.southeastasia.cloudapp.azure.com;

        ssl_certificate /etc/letsencrypt/live/xxx.xx.cloudapp.azure.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xxx.xx.cloudapp.azure.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {

                proxy_set_header        Host $host:$server_port;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_redirect http:// https://;
                proxy_pass http://jk;

                proxy_http_version 1.1;
                proxy_request_buffering off;
                proxy_buffering off;
        }
}

Now the configuration is done. Let's get the certificates.

Execute the ‘init-letsencrypt.sh’ script and watch the magic!

Then visit your web app in the cloud. You can see that your free SSL certificate issued by Let's Encrypt is now in action.

Screenshots: Website SSL, Certificate Details

Let's Encrypt, coz self-signed is for kids 🙂 …..

SpringBoot CI/CD with Azure Container Registry and Jenkins (Part 1)

Create Git Clone, ACR Push/Pull, Docker Run Pipeline Stages

Jenkins is the most widely used pipelining tool for continuous deployment. Here I am planning to explain how to push a SpringBoot application's build image to Azure Container Registry and reuse it inside your docker-compose file when you run your deployment. There are some basic steps to complete before the Jenkins pipeline part.

  1. From your Azure console, create a container registry and get your login password from Settings -> Access keys (we are going to create a Jenkins credential ID using this)
  2. You have a SpringBoot app with a Dockerfile, docker-compose file and Jenkinsfile located in the same directory structure

Screenshots: SpringBoot application directory structure, Azure Container Registry

Here is the sample content of the above files (shown as screenshots):

Screenshots: Dockerfile, docker-compose file, Jenkinsfile

If you are running Jenkins from the Jenkins Docker image, you need the configuration below.

First execute the following on your Jenkins host machine:

sudo adduser jenkins
sudo usermod -a -G docker jenkins

Here I map the docker and docker-compose executables from the host machine into the Jenkins Docker container, so Jenkins can execute docker commands.

Screenshot: Jenkins docker-compose file

Jenkins – Create pipeline using existing Jenkinsfile

Log into your Jenkins and select “New Item” -> Pipeline, then give your build a suitable name.

You can add triggers later; for now, go to the “Pipeline” section and select “Pipeline script from SCM”.

Enter your Git repo; if the repo is private, add credentials by clicking the Add button.

Specify your branch; if you are using a branch other than master, put that name.

The script path is “Jenkinsfile”; it is relative to your project root.

Adding Azure Container registry credentials to Jenkins

Go to Credentials -> System -> Global credentials (unrestricted) -> Add Credentials

Screenshot: Username/password entry

In your pipeline script, use the same credential ID as above.

Now you can execute “Build Now”.

Screenshot: Build Now

Summary of the flow (pipeline)

  1. Compile your Java code using Maven
  2. Package it into a jar
  3. Optimize the jar (break up the fat jar)
  4. Build the Docker image
  5. Push the image to ACR with a tag
  6. Pull the image back
  7. Remove all previous Docker containers
  8. Spin up all the containers (including dependencies) using docker-compose

You can check the containers after the deployment.

Screenshot: Running containers

Source-code

https://github.com/dumindarw/reactive-eventservice

To be continued ….

Run ApacheDS on Docker

ApacheDS is a free and open-source, simple directory server. If you need to quickly set up LDAP for any of your projects, ApacheDS is the easiest and most prominent solution. There are more advanced and feature-rich solutions such as FreeIPA, but setting them up is a pain in the ass for developers (if you are not from a DevOps background).

Unfortunately there are no official images on Docker Hub for ApacheDS. Here are some simple steps to get your own Docker-based LDAP server up and running!

Build the ApacheDS Image

docker build -t apacheds .

Run the container

docker run -dt --name apacheds_container -p 389:10389 -p 636:10636 apacheds:latest

Here we expose 389 as our LDAP port (and 636 for LDAPS) to the outside world, mapped to ApacheDS's internal ports 10389 and 10636.

LDAP Clients

There are various LDAP clients available to examine and view directory structures.

It is recommended to use Apache Directory Studio, but for a quick demo I will use JXplorer (the default admin password is ‘secret’).

Now you have full access to your LDAP server. You can create new partitions and add entries as you wish.

Setup Jasper Reporting Server through NGINX virtual host with SSL in Windows

Jasper Server runs on top of a Tomcat instance and by default uses port 8080.
All Jasper-related files are located inside the webapps folder.

e.g. C:\Jaspersoft\jasperreports-server-cp-6.4.2\apache-tomcat\webapps\jasperserver

First we will set Jasper to run on http://localhost:8080 instead of http://localhost:8080/jasperserver.
To do that, we create a folder called webapps2 in the apache-tomcat folder and, inside it, a ROOT directory.
Then we copy the contents of apache-tomcat/webapps/jasperserver into the newly created apache-tomcat/webapps2/ROOT/ folder.
After that, we tell Tomcat to look in our new webapps2 folder instead of webapps. To do that:

Open apache-tomcat/conf/server.xml and change the appBase attribute to webapps2.

Restart the Jasper service (or Tomcat) and now you can see your Jasper server running on http://localhost:8080.
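The appBase change above, done programmatically so it can be repeated on every install. This is an added example, not code from the original post; the sample server.xml is constructed and only keeps the skeleton that matters (Tomcat keeps appBase on the Host element under Server/Service/Engine). Because Tomcat's real server.xml is mostly comments, the parser is told to keep them, which needs Python 3.8 or newer.

```python
"""Point Tomcat at the new webapps2 directory by rewriting the Host appBase in
server.xml. Added example, not from the original post; the sample server.xml
below is constructed."""
import xml.etree.ElementTree as ET

HOST_PATH = "./Service/Engine/Host"  # where Tomcat keeps the appBase attribute


def set_app_base(server_xml, new_base):
    """Return server.xml text with every <Host> appBase set to new_base.
    insert_comments keeps Tomcat's extensive comments (Python 3.8+)."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(server_xml, parser=parser)
    hosts = root.findall(HOST_PATH)
    if not hosts:
        raise ValueError("no <Host> element under Server/Service/Engine")
    for host in hosts:
        host.set("appBase", new_base)
    return ET.tostring(root, encoding="unicode")


def app_bases(server_xml):
    """The appBase values currently configured, in document order."""
    return [h.get("appBase") for h in ET.fromstring(server_xml).findall(HOST_PATH)]


# Constructed sample: the skeleton of a default Tomcat server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Tomcat stays on 8080; NGINX proxies to it -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print(set_app_base(SAMPLE_SERVER_XML, "webapps2"))
```

To apply it to a real install, read apache-tomcat/conf/server.xml, pass the text through set_app_base, and write the result back after taking a copy of the original; app_bases lets you confirm the change before restarting Tomcat.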

Configuring the Virtual Host

Open the Windows hosts file (C:\Windows\System32\drivers\etc\hosts) and add the line below:

127.0.0.1 reporting.duminda.com

Installing NGINX and setting it up as a Windows service

Download NGINX for Windows and extract it onto your C:\ drive.
Your NGINX home would then be C:\nginx-1.15.2.

Open the nginx.conf file located in the conf directory and add the section below:
server {

    listen 443 ssl;
    server_name reporting.duminda.com;

    access_log logs/reporting.duminda.com.access.log;

    ssl_certificate C:/Users/Duminda/certificate.crt;
    ssl_certificate_key C:/Users/Duminda/private-key.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {

        proxy_pass http://127.0.0.1:8080/;

    }
}

Create the crt and key files on your machine and replace ssl_certificate (your self-signed certificate) and ssl_certificate_key with the appropriate paths.

The above configuration creates a virtual host that points to our Jasper server.

So all incoming requests to https://reporting.duminda.com are passed on to http://127.0.0.1:8080.
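Both nginx configs on this page (the Let's Encrypt app.conf in the first post and the virtual host just above) are worth a static check before they go live, so here is one as an added example; it is not code from the original posts and its parser is a minimal nginx-syntax reader written for this purpose, not nginx's own. It flags four things a reviewer would look for: a server_name that does not match the domain in the certbot live/ path (certbot names that directory after the certificate's domain, and the page's own placeholders xxx.southeastasia... and xxx.xx... differ), an ssl_protocols line that still enables TLS 1.0/1.1 (deprecated by RFC 8996), a proxied location that does not forward X-Forwarded-Proto (the backend then cannot tell the request arrived over HTTPS), and a port-80 server that does not redirect to HTTPS. The two sample configs are constructed, condensed copies of the ones on this page.

```python
"""Static checks over nginx server blocks, covering both the Let's Encrypt
app.conf and the Windows reverse-proxy config on this page. Added example, not
from the original posts; the parser is a minimal reader written for it."""
import re

_TOKEN = re.compile(r'\s*(#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\']+)')
_LE_LIVE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/")
_DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # deprecated by RFC 7568 / RFC 8996


def tokenize(text):
    """Split config text into tokens, dropping comments and surrounding quotes."""
    tokens, pos = [], 0
    while (m := _TOKEN.match(text, pos)):
        pos, tok = m.end(), m.group(1)
        if not tok.startswith("#"):
            tokens.append(tok.strip("\"'"))
    return tokens


def parse(tokens, i=0):
    """Return (nodes, next_index); a node is (name, args) or (name, args, children)."""
    nodes = []
    while i < len(tokens):
        if tokens[i] == "}":
            return nodes, i + 1
        name, args, i = tokens[i], [], i + 1
        while i < len(tokens) and tokens[i] not in ("{", ";", "}"):
            args.append(tokens[i])
            i += 1
        if i < len(tokens) and tokens[i] == "{":
            children, i = parse(tokens, i + 1)
            nodes.append((name, args, children))
        else:
            nodes.append((name, args))
            i += 1 if i < len(tokens) and tokens[i] == ";" else 0  # consume ';'
    return nodes, i


def _find(children, name, block=False):
    # directives (or blocks, if block=True) named `name` at this nesting level
    return [n for n in children if n[0] == name and (len(n) == 3) == block]


def check_server(server):
    """Findings for one server block as (server_name, code) pairs."""
    body = server[2]
    names = [a for d in _find(body, "server_name") for a in d[1]]
    label = names[0] if names else "<no server_name>"
    listens = [d[1] for d in _find(body, "listen")]
    is_tls = any("ssl" in args for args in listens)
    is_http = any(args and args[0].rsplit(":", 1)[-1] == "80" for args in listens)
    findings = []
    if is_tls:
        for d in _find(body, "ssl_certificate"):
            # certbot names live/<dir> after the cert's domain; a server_name
            # outside that set means nginx would serve the wrong certificate
            m = _LE_LIVE.match(d[1][0]) if d[1] else None
            if m and m.group(1) not in names:
                findings.append((label, "cert-host-mismatch"))
        for d in _find(body, "ssl_protocols"):
            if _DEPRECATED & set(d[1]):
                findings.append((label, "deprecated-protocol"))
        for loc in _find(body, "location", block=True):
            headers = {d[1][0].lower() for d in _find(loc[2], "proxy_set_header") if d[1]}
            # without X-Forwarded-Proto the backend cannot tell the client used HTTPS
            if _find(loc[2], "proxy_pass") and "x-forwarded-proto" not in headers:
                findings.append((label, "missing-x-forwarded-proto"))
    elif is_http:
        returns = [d[1] for loc in _find(body, "location", block=True)
                   for d in _find(loc[2], "return")]
        if not any(len(r) > 1 and r[1].startswith("https://") for r in returns):
            findings.append((label, "no-https-redirect"))
    return findings


def check_config(text):
    # run check_server over every top-level server block in the config text
    nodes, _ = parse(tokenize(text))
    return [f for s in _find(nodes, "server", block=True) for f in check_server(s)]


# Constructed sample, condensed from the app.conf shown on this page.
LETSENCRYPT_CONF = """
server {
    listen 80 default_server;
    server_name xxx.southeastasia.cloudapp.azure.com;
    location /.well-known/acme-challenge/{ root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name xxx.southeastasia.cloudapp.azure.com;
    ssl_certificate /etc/letsencrypt/live/xxx.xx.cloudapp.azure.com/fullchain.pem;
    location / { proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://jk; }
}
"""
# Constructed sample, condensed from the Windows nginx.conf shown on this page.
WINDOWS_CONF = """
server {
    listen 443 ssl;
    server_name reporting.duminda.com;
    ssl_certificate C:/Users/Duminda/certificate.crt;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://127.0.0.1:8080/; }
}
"""

if __name__ == "__main__":
    print(check_config(LETSENCRYPT_CONF), check_config(WINDOWS_CONF))
```

Run against a real file with check_config(open("app.conf").read()). The Let's Encrypt sample yields only the cert-host-mismatch finding (the port-80 redirect and the forwarded headers are in order); the Windows sample yields deprecated-protocol and missing-x-forwarded-proto, the latter because the proxied Jasper instance receives plain HTTP and is never told the client connection was TLS.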

Setting up NGINX as a Windows service

Download NSSM (https://nssm.cc/download) and install the service by executing the command below (as admin):

nssm.exe install nginx

Set the arguments to -p C:\nginx-1.15.2

Now that the nginx service is installed, go to Windows Services and start nginx.

Visit https://reporting.duminda.com and enjoy jaspering ….