Securing Your Web Server: an ansible role
Introduction
Setting up a secure web server is a core task for any system administrator or web developer. In this guide we walk through an Ansible role that applies an essential security baseline to a web server running Nginx on Ubuntu.
The role installs Fail2ban with a custom jail for Nginx authentication failures, configures the Uncomplicated Firewall (UFW) so that only SSH, HTTP and HTTPS are reachable from outside, and deploys the Nginx configuration from a template so that it is versioned, reviewable and validated before it goes live.
Directory Structure
To organize our Ansible role, create a directory structure like this:
webserver_security/
├── tasks/
│   └── main.yml
├── handlers/
│   └── main.yml
├── vars/
│   └── main.yml
├── templates/
│   └── nginx.conf.j2
└── README.md
Role Variables (vars/main.yml)
Define the role variables in the vars/main.yml file. (Values in vars/ take precedence over inventory and playbook variables; if you want callers to be able to override them, put them in defaults/main.yml instead.)
---
# Nginx configuration
nginx_config_template: nginx.conf.j2

# UFW configuration: names of application profiles from /etc/ufw/applications.d.
# "OpenSSH" must stay in this list, otherwise enabling the firewall locks you
# out of the host. "Nginx Full" (ports 80 and 443) is installed by the nginx
# package, so Nginx has to be installed before the firewall tasks run.
ufw_allow_services:
  - "OpenSSH"
  - "Nginx Full"

# Fail2ban configuration
fail2ban_custom_jail_conf: "/etc/fail2ban/jail.d/custom.conf"
fail2ban_custom_jail_name: "custom"
# The nginx-http-auth filter reads the error log, not the access log
fail2ban_custom_logpath: "/var/log/nginx/error.log"
Nginx Configuration Template (templates/nginx.conf.j2)
Create a template for the Nginx configuration (templates/nginx.conf.j2). The role installs it as /etc/nginx/nginx.conf, replacing the distribution file, so anything you rely on from the stock file (the mime.types include, the sites-enabled and conf.d includes, log settings) must be carried over into the template. The skeleton below is deliberately minimal; the hardening directives (server_tokens off, TLS on 443 with a redirect from 80, security response headers, client body size and timeout limits) belong in the http and server blocks where the "..." placeholders are, and the site will be no more secure than what you put there.
# Nginx configuration template (nginx.conf.j2)
user www-data;
worker_processes auto;
# Ubuntu's nginx systemd unit expects the pid file at /run/nginx.pid;
# pointing it elsewhere makes the service fail to start cleanly.
pid /run/nginx.pid;

events {
    worker_connections 768;
    # ...
}

http {
    # ...
    server {
        listen 80;
        server_name your_domain.com;

        location / {
            root /var/www/html;
            index index.html index.htm;
            # ...
        }
        # ...
    }
}
Role Tasks (tasks/main.yml)
Define the tasks for your role in the tasks/main.yml file. The order matters: Nginx is installed before the firewall tasks (the "Nginx Full" profile comes from the nginx package), and the allow rules are written before UFW is enabled, so the SSH session Ansible is using is never cut. The ufw module lives in the community.general collection, which ships with the ansible package but not with ansible-core alone.
---
- name: Install Nginx
  ansible.builtin.apt:
    name: nginx
    state: present
    update_cache: yes

- name: Copy Nginx configuration
  ansible.builtin.template:
    src: "{{ nginx_config_template }}"
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
    # Refuse to install a config that nginx itself rejects, so a typo in the
    # template cannot take the site down on the restart that follows.
    validate: nginx -t -c %s
  notify:
    - Restart Nginx

- name: Allow required services through UFW
  community.general.ufw:
    rule: allow
    name: "{{ item }}"
  loop: "{{ ufw_allow_services }}"

- name: Deny all other incoming traffic by default
  community.general.ufw:
    direction: incoming
    default: deny

- name: Enable UFW
  community.general.ufw:
    state: enabled

- name: Install Fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: present

# The nginx-http-auth filter only fires on HTTP basic-auth failures that nginx
# itself logs to error.log; it does not see logins handled by the application.
# Ubuntu's fail2ban package already enables the sshd jail separately.
- name: Create Fail2ban custom jail
  ansible.builtin.copy:
    content: |
      [{{ fail2ban_custom_jail_name }}]
      enabled = true
      filter = nginx-http-auth
      logpath = {{ fail2ban_custom_logpath }}
      port = http,https
      maxretry = 3
    dest: "{{ fail2ban_custom_jail_conf }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Fail2ban

- name: Ensure services are started and enabled
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop:
    - nginx
    - fail2ban
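To see what the custom jail above actually reacts to, here is an added example (not part of the original role or of fail2ban) that replays constructed nginx error.log lines through the same maxretry/findtime rule fail2ban applies. The regex is a simplified approximation of the nginx-http-auth filter that ships with fail2ban, not a copy of it; the client addresses, timestamps, and the findtime of 600 seconds are assumptions (600 seconds happens to match fail2ban's default of 10 minutes). The jail's maxretry = 3 is taken from the task above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed approximation of the failregex in fail2ban's nginx-http-auth
# filter. It recognises the two messages nginx writes to error.log when HTTP
# basic auth fails; the "host" group plays the role of <HOST> in a real filter.
FAILREGEX = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), '
    r'client: (?P<host>\S+), server: \S*, request: "[^"]*", host: "[^"]*"'
)


def parse_failure(line):
    """Return (timestamp, client_ip) for an auth-failure line, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("host")


def ban_decisions(lines, maxretry=3, findtime=600):
    """Replay log lines through a jail with the given maxretry/findtime.

    Mirrors fail2ban's rule: a host is banned once it has maxretry matching
    lines inside any window of findtime seconds. Returns a dict mapping each
    banned host to the timestamp of the line that triggered the ban.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps of failures still in window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # not an auth failure (e.g. a 404 in error.log)
        ts, host = parsed
        if host in bans:
            continue  # already banned; fail2ban would not see further traffic
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


# Constructed sample error.log lines (not from a real server). 203.0.113.5 fails
# three times within a minute; 198.51.100.7 fails twice, 16 minutes apart.
SAMPLE_LOG = [
    '2024/01/15 10:23:45 [error] 1234#1234: *56 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/15 10:23:46 [error] 1234#1234: *57 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/15 10:23:50 [error] 1234#1234: *58 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"',
    '2024/01/15 10:24:01 [error] 1234#1234: *59 user "admin": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/15 10:24:02 [error] 1234#1234: *60 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/15 10:24:05 [error] 1234#1234: *61 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/15 10:40:00 [error] 1234#1234: *70 user "admin": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
]


if __name__ == "__main__":
    for host, when in ban_decisions(SAMPLE_LOG).items():
        print(f"ban {host} at {when}")
```

With the jail's maxretry = 3 only 203.0.113.5 is banned, on its third failure at 10:24:02; 198.51.100.7 never accumulates three failures inside one findtime window. On a real host the equivalent check against the shipped filter is fail2ban-regex /var/log/nginx/error.log nginx-http-auth, which reports how many lines match, and fail2ban-client status custom shows what the jail has actually banned.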
Handlers (handlers/main.yml)
Ansible looks for a role's handlers in handlers/main.yml, not in tasks/main.yml (a handlers: key inside a task file is not valid). Define them there as a plain list:
---
- name: Restart Nginx
  ansible.builtin.systemd:
    name: nginx
    state: restarted

- name: Restart Fail2ban
  ansible.builtin.systemd:
    name: fail2ban
    state: restarted
Using the Role in Your Playbook
In your playbook, use the role as follows:
---
- name: Apply Web Server Security Basics
  hosts: your_webserver_hosts
  become: yes
  roles:
    - webserver_security
Replace your_domain.com in the Nginx template with your actual domain name, and adapt the template to your web server's specific requirements.
Running the Playbook
Run your playbook using the ansible-playbook command:
ansible-playbook -i inventory.ini your_playbook.yml
Run it first with --check --diff to see what would change without touching the hosts. After the real run, confirm the result on a target with sudo ufw status verbose (only OpenSSH and Nginx Full should be allowed) and sudo fail2ban-client status custom (the jail should be running against /var/log/nginx/error.log).
This role gives you a repeatable security baseline for an Ubuntu web server: Nginx deployed from a reviewed and validated template, inbound traffic restricted to SSH, HTTP and HTTPS by UFW, and repeated HTTP authentication failures against Nginx banned by Fail2ban. It is a baseline rather than a complete hardening: TLS, security response headers, and the application's own login failures still need to be addressed.
Applying it consistently to every host you provision raises the cost of the most common opportunistic attacks and removes the mistakes that come from configuring each server by hand.