Azure hosting LEMP with PHP 7.1 and Laravel 5.4 — Part 3

The last two articles: Part 1 and Part 2, accomplished creating an Azure virtual machine host and automatically installing a Nginx Laravel example application using a MySQL data store. This final article will add access and force redirection to HTTPS.

The following commands are being run from a Mac OS X machine and should be translatable to a Linux or Windows environment.

Bold text shows commands as they should be entered literally by the reader at the command prompt.

Italicized capitalized text inside inclusive curly braces, ‘{LIKE_THIS}’, shows text that should be replaced with user-supplied values.

AZURE

To allow access to HTTPS, we first have to make port 443 (HTTPS) accessible from the Azure virtual machine host.

az vm open-port --port 443 --priority 800 --resource-group {UNIQUE_RESOURCE-GROUP_NAME} --name {UNIQUE_VIRTUAL-MACHINE_NAME}

We now have to register for a certificate, authenticate and install them, and finally configure and restart Nginx. Luckily for us, this can be all automated and free because of the excellent Certbot client and LetsEncrypt certificates.

CertBot

Install Script

install_ssl.sh

In the above script we first generate more secure Diffie-Hellman parameters and set them in the Nginx configuration file. We then use CertBot with some options to help make it more non-interactive:

  • --email To pass on recovery email.
  • --agree-tos To agree to the Terms of Service.
  • --no-eff-email To not join the EFF mailing list.
  • --non-interactive Run without asking for user input.

The next option deals with forcing the use of HTTPS:

  • --redirect Redirect the request to HTTPS from the web server.

The final option: --test-cert, is to use the LetsEncrypt staging server as there is a rate limit (at the time of writing: 5) on the number of certificates that can be created per domain. This would have to be removed when releasing to production.

Copy to Local

curl --silent --location --output install_ssl.sh https://git.io/v5Urw && chmod +x install_ssl.sh

Copy to Host

scp -pq install_ssl.sh $USER@{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com:~/

Run on Host

ssh -t $USER@{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com "./install_ssl.sh"

The above script will ask for your email address as a safety precaution for account recovery in the event of key loss or account compromise. The -t option tells ssh to allocate a terminal as the install script will be requesting input (the email) from the user. After executing on the host, view the website at:

https://{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com

CertBot suggests that you test the security at:

https://www.ssllabs.com/ssltest/analyze.html?d={UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com

Because we added the Diffie-Hellman parameters the overall score will be an ‘A’ even though the result points out the use of a test certficate. Finally, review the configuration to see what changed:

ssh $USER@{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com "cat /etc/nginx/sites-available/default"

This block of statements should have been added:

ssl_dhparam /etc/ssl/certs/dhparam.pem;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com/fullchain.pem; # managed by Certbotssl_certificate_key /etc/letsencrypt/live/{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com/privkey.pem; # managed by Certbotinclude /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot

Conclusion

In this article we have completed securing an installation of a Nginx web server using CertBot and LetsEncrypt certificates. Users can now access the example Laravel application through HTTPS and will be redirected if they try to access it using the HTTP protocol. This concludes the article series, feel free to use the mentioned scripts and modify to your desire to help automate your workflow.

Daydreaming night owl, giver of unsolicited advice, software engineer by passion, always learning and ever living...

Daydreaming night owl, giver of unsolicited advice, software engineer by passion, always learning and ever living...