Securing Your Web Server: an ansible role



Setting up a secure web server is a critical task for any system administrator or web developer. In this guide, we will walk you through creating an Ansible role that sets up all the essential security basics for a web server running Nginx on Ubuntu.

We'll include Fail2ban with custom jails, configure the Uncomplicated Firewall (UFW) to allow HTTP and HTTPS traffic, and ensure that the Nginx configuration is highly secure.

Directory Structure

To organize our Ansible role, create a directory structure like this:

webserver_security/
├── tasks/
│   └── main.yml
├── handlers/
│   └── main.yml
├── vars/
│   └── main.yml
└── templates/
    └── nginx.conf.j2

Role Variables (vars/main.yml)

Define the role variables in the vars/main.yml file:

# Nginx Configuration
nginx_config_template: nginx.conf.j2

# UFW Configuration (application profiles from /etc/ufw/applications.d)
ufw_allow_services:
  - "OpenSSH"
  - "Nginx Full"

# Fail2ban Configuration
fail2ban_custom_jail_conf: "/etc/fail2ban/jail.d/custom.conf"
fail2ban_custom_jail_name: "custom"
fail2ban_custom_logpath: "/var/log/nginx/error.log"

Nginx Configuration Template (templates/nginx.conf.j2)

Create a template for the Nginx configuration (templates/nginx.conf.j2). Customize it according to your web server's specific needs:

# Nginx Configuration Template (nginx.conf.j2)
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # ...
}

http {
    # Do not advertise the Nginx version in response headers and error pages
    server_tokens off;
    # ...
    server {
        listen 80;
        server_name example.com;  # replace with your actual domain name

        location / {
            root /var/www/html;
            index index.html index.htm;
            # ...
        }
        # ...
    }
}

Role Tasks (tasks/main.yml)

Define tasks for your role in the tasks/main.yml file:

- name: Install Nginx
  apt:
    name: nginx
    state: present
  notify:
    - Restart Nginx

- name: Copy Nginx Configuration
  template:
    src: "{{ nginx_config_template }}"
    dest: /etc/nginx/nginx.conf
  notify:
    - Restart Nginx

# Add the allow rules before enabling the firewall so SSH access is never cut off
- name: Allow services through UFW
  ufw:
    rule: allow
    name: "{{ item }}"
  loop: "{{ ufw_allow_services }}"

- name: Enable UFW
  ufw:
    state: enabled

- name: Install Fail2ban
  apt:
    name: fail2ban
    state: present

- name: Create Fail2ban Custom Jail
  copy:
    content: |
      [{{ fail2ban_custom_jail_name }}]
      enabled  = true
      filter   = nginx-http-auth
      logpath  = {{ fail2ban_custom_logpath }}
      port     = http,https
      maxretry = 3
    dest: "{{ fail2ban_custom_jail_conf }}"
  notify:
    - Restart Fail2ban

- name: Ensure services are started and enabled
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop:
    - nginx
    - fail2ban

Handlers (handlers/main.yml)

Define the handlers for your role in the handlers/main.yml file (Ansible loads a role's handlers from this file, not from tasks/main.yml):

- name: Restart Nginx
  service:
    name: nginx
    state: restarted

- name: Restart Fail2ban
  service:
    name: fail2ban
    state: restarted

Using the Role in Your Playbook

In your playbook, use the role as follows:

- name: Apply Web Server Security Basics
  hosts: your_webserver_hosts
  become: yes

  roles:
    - webserver_security

Replace the domain name placeholder in the Nginx template with your actual domain name, and customize the rest of the template according to your web server's specific requirements.

Running the Playbook

Run your playbook using the ansible-playbook command:

ansible-playbook -i inventory.ini your_playbook.yml

This comprehensive Ansible role will help you set up a secure web server on Ubuntu with Nginx, Fail2ban, and UFW. It ensures that your Nginx configuration is highly secure, and custom jails are created to block potential attackers.

By following these steps, you'll enhance the security of your web server and protect it from common threats.