Azure hosting LEMP with PHP 7.1 and Laravel 5.4 — Part 3
The last two articles: Part 1 and Part 2, accomplished creating an Azure virtual machine host and automatically installing a Nginx Laravel example application using a MySQL data store. This final article will add access and force redirection to HTTPS.
The following commands are being run from a Mac OS X machine and should be translatable to a Linux or Windows environment.
CONVENTIONS
Bold text shows commands as they should be entered literally by the reader at the command prompt.
Italicized capitalized text inside inclusive curly braces, ‘{LIKE_THIS}’, shows text that should be replaced with user-supplied values.
AZURE
To allow access to HTTPS, we first have to make port 443 (HTTPS) accessible from the Azure virtual machine host.
HTTPS
az vm open-port --port 443 --priority 800 --resource-group {UNIQUE_RESOURCE-GROUP_NAME} --name {UNIQUE_VIRTUAL-MACHINE_NAME}
SSL
We now have to register for a certificate, authenticate and install them, and finally configure and restart Nginx. Luckily for us, this can be all automated and free because of the excellent Certbot client and LetsEncrypt certificates.
Install Script
In the above script we first generate more secure Diffie-Hellman parameters and set them in the Nginx configuration file. We then use CertBot with some options to help make it more non-interactive:
--emailTo pass on recovery email.--agree-tosTo agree to the Terms of Service.--no-eff-emailTo not join the EFF mailing list.--non-interactiveRun without asking for user input.
The next option deals with forcing the use of HTTPS:
--redirectRedirect the request to HTTPS from the web server.
The final option: --test-cert, is to use the LetsEncrypt staging server as there is a rate limit (at the time of writing: 5) on the number of certificates that can be created per domain. This would have to be removed when releasing to production.
Copy to Local
curl --silent --location --output install_ssl.sh https://git.io/v5Urw && chmod +x install_ssl.sh
Copy to Host
scp -pq install_ssl.sh $USER@{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com:~/
Run on Host
ssh -t $USER@{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com "./install_ssl.sh"
The above script will ask for your email address as a safety precaution for account recovery in the event of key loss or account compromise. The -t option tells ssh to allocate a terminal as the install script will be requesting input (the email) from the user. After executing on the host, view the website at:
https://{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com
CertBot suggests that you test the security at:
https://www.ssllabs.com/ssltest/analyze.html?d={UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com
Because we added the Diffie-Hellman parameters the overall score will be an ‘A’ even though the result points out the use of a test certficate. Finally, review the configuration to see what changed:
ssh $USER@{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com "cat /etc/nginx/sites-available/default"
This block of statements should have been added:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
listen 443 ssl; # managed by Certbotssl_certificate /etc/letsencrypt/live/{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com/fullchain.pem; # managed by Certbotssl_certificate_key /etc/letsencrypt/live/{UNIQUE_VIRTUAL-MACHINE_NAME}.eastus.cloudapp.azure.com/privkey.pem; # managed by Certbotinclude /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
Conclusion
In this article we have completed securing an installation of a Nginx web server using CertBot and LetsEncrypt certificates. Users can now access the example Laravel application through HTTPS and will be redirected if they try to access it using the HTTP protocol. This concludes the article series, feel free to use the mentioned scripts and modify to your desire to help automate your workflow.
