One place for hosting & domains

      How To Set Up Continuous Integration Pipelines in Jenkins on Ubuntu 20.04


      Introduction

      Jenkins is an open source automation server intended to automate repetitive technical tasks involved in the continuous integration and delivery of software. With a robust ecosystem of plugins and broad support, Jenkins can handle a diverse set of workloads to build, test, and deploy applications.

      In previous guides, we installed Jenkins on an Ubuntu 20.04 server and configured Jenkins with SSL using an Nginx reverse proxy. In this guide, we will demonstrate how to set up Jenkins to automatically test an application when changes are pushed to a repository.

      For this tutorial, we will be integrating Jenkins with GitHub so that Jenkins is notified when new code is pushed to the repository. When Jenkins is notified, it will checkout the code and then test it within Docker containers to isolate the test environment from the Jenkins host machine. We will be using an example Node.js application to show how to define the CI/CD process for a project.

      Prerequisites

      To follow along with this guide, you will need an Ubuntu 20.04 server with at least 1G of RAM configured with a secure Jenkins installation. To properly secure the web interface, you will need to assign a domain name to the Jenkins server. Follow these guides to learn how to set up Jenkins in the expected format:

      To best control our testing environment, we will run our application’s tests within Docker containers. After Jenkins is up and running, install Docker on the server by following steps one and two of this guide:

      When you have completed the above guides, you can continue on with this article.

      Add the Jenkins User to the Docker Group

      After following the prerequisites, both Jenkins and Docker are installed on your server. However, by default, the Linux user responsible for running the Jenkins process cannot access Docker.

      To fix this, we need to add the jenkins user to the docker group using the usermod command:

      • sudo usermod -aG docker jenkins

      You can list the members of the docker group to confirm that the jenkins user has been added successfully:

      Output

      docker:x:999:sammy,jenkins

      In order for the Jenkins to use its new membership, you need to restart the process:

      • sudo systemctl restart jenkins

      If you installed Jenkins with the default plugins, you may need to check to ensure that the docker and docker-pipeline plugins are also enabled. To do so, click Manage Jenkins from the sidebar, and then Manage Plugins from the next menu. Click on the Available tab of the plugin menu to search for new plugins, and type docker into the search bar. If both Docker Pipeline and Docker plugin are returned as options, and they are unselected, select both, and when prompted, allow Jenkins to restart with the new plugins enabled.

      Jenkins Docker plugins

      This should take approximately a minute and the page will refresh afterward.

      Create a Personal Access Token in GitHub

      In order for Jenkins to watch your GitHub projects, you will need to create a Personal Access Token in our GitHub account.

      Begin by visiting GitHub and signing into your account if you haven’t already done so. Afterwards, click on your user icon in the upper-right hand corner and select Settings from the drop down menu:

      GitHub settings item

      On the page that follows, locate the Developer settings section of the left-hand menu and click Personal access tokens:

      GitHub personal access tokens link

      Click on Generate new token button on the next page:

      GitHub generate new token button

      You will be taken to a page where you can define the scope for your new token.

      In the Token description box, add a description that will allow you to recognize it later:

      GitHub token description

      In the Select scopes section, check the repo:status, repo:public_repo and admin:org_hook boxes. These will allow Jenkins to update commit statuses and to create webhooks for the project. If you are using a private repository, you will need to select the general repo permission instead of the repo subitems:

      GitHub token scope

      When you are finished, click Generate token at the bottom.

      You will be redirected back to the Personal access tokens index page and your new token will displayed:

      GitHub view new token

      Copy the token now so that we can reference it later. As the message indicates, there is no way to retrieve the token once you leave this page.

      Note: As mentioned in the screenshot above, for security reasons, there is no way to redisplay the token once you leave this page. If you lose your token, delete the current token from your GitHub account and then create a new one.

      Now that you have a personal access token for your GitHub account, we can configure Jenkins to watch your project’s repository.

      Add the GitHub Personal Access Token to Jenkins

      Now that we have a token, we need to add it to our Jenkins server so it can automatically set up webhooks. Log into your Jenkins web interface using the administrative account you configured during installation.

      Click on your username in the top-right corner to access your user settings, and from there, click Credentials in the left-hand menu. :

      Jenkins credentials item

      On the next page, click the arrow next to (global) within the Jenkins scope. In the box that appears, click Add credentials:

      Jenkins add credentials button

      You will be taken to a form to add new credentials.

      Under the Kind drop down menu, select Secret text. In the Secret field, paste your GitHub personal access token. Fill out the Description field so that you will be able to identify this entry at a later date. You can leave the Scope as Global and the ID field blank:

      Jenkins credentials form

      Click the OK button when you are finished.

      You will now be able to reference these credentials from other parts of Jenkins to aid in configuration.

      Set Up Jenkins Access to GitHub

      Back in the main Jenkins dashboard, click Manage Jenkins in the left hand menu:

      Jenkins sidebar

      In the list of links on the following page, click Configure System:

      Jenkins configure system link

      Scroll through the options on the next page until you find the GitHub section. Click the Add GitHub Server button and then select GitHub Server:

      Jenkins add GitHub server

      The section will expand to prompt for some additional information. In the Credentials drop down menu, select your GitHub personal access token that you added in the last section:

      Jenkins select GitHub credentials

      Click the Test connection button. Jenkins will make a test API call to your account and verify connectivity:

      Jenkins test GitHub credentials

      When you are finished, click the Save button to implement your changes.

      Set Up the Demonstration Application in your GitHub Account

      To demonstrate how to use Jenkins to test an application, we will be using a “hello world” program created with Hapi.js. Because we are setting up Jenkins to react to pushes to the repository, you need to have your own copy of the demonstration code.

      Visit the project repository and click the Fork button in the upper-right corner to make a copy of the repository in your account:

      Fork example project

      A copy of the repository will be added to your account.

      The repository contains a package.json file that defines the runtime and development dependencies, as well as how to run the included test suite. The dependencies can be installed by running npm install and the tests can be run using npm test.

      We’ve added a Jenkinsfile to the repo as well. Jenkins reads this file to determine the actions to run against the repository to build, test, or deploy. It is written using the declarative version of the Jenkins Pipeline DSL.

      The Jenkinsfile included in the hello-hapi repository looks like this:

      Jenkinsfile

      #!/usr/bin/env groovy
      
      pipeline {
      
          agent {
              docker {
                  image 'node'
                  args '-u root'
              }
          }
      
          stages {
              stage('Build') {
                  steps {
                      echo 'Building...'
                      sh 'npm install'
                  }
              }
              stage('Test') {
                  steps {
                      echo 'Testing...'
                      sh 'npm test'
                  }
              }
          }
      }
      

      The pipeline contains the entire definition that Jenkins will evaluate. Inside, we have an agent section that specifies where the actions in the pipeline will execute. To isolate our environments from the host system, we will be testing in Docker containers, specified by the docker agent.

      Since Hapi.js is a framework for Node.js, we will be using the node Docker image as our base. We specify the root user within the container so that the user can simultaneously write to both the attached volume containing the checked out code, and to the volume the script writes its output to.

      Next, the file defines two stages, i.e., logical divisions of work. We’ve named the first one “Build” and the second “Test”. The build step prints a diagnostic message and then runs npm install to obtain the required dependencies. The test step prints another message and then run the tests as defined in the package.json file.

      Now that you have a repository with a valid Jenkinsfile, we can set up Jenkins to watch this repository and run the file when changes are introduced.

      Create a New Pipeline in Jenkins

      Next, we can set up Jenkins to use the GitHub personal access token to watch our repository.

      Back in the main Jenkins dashboard, click New Item in the left hand menu:

      Jenkins side menu

      Enter a name for your new pipeline in the Enter an item name field. Afterwards, select Pipeline as the item type:

      Jenkins pipeline type

      Click the OK button at the bottom to move on.

      On the next screen, check the GitHub project box. In the Project url field that appears, enter your project’s GitHub repository URL.

      Note: Make sure to point to your fork of the Hello Hapi application so that Jenkins will have permission to configure webhooks.

      Jenkins add GitHub project

      Next, in the Build Triggers section, check the GitHub hook trigger for GITScm polling box:

      Jenkins GitHub hook box

      In the Pipeline section, we need to tell Jenkins to run the pipeline defined in the Jenkinsfile in our repository. Change the Definition type to Pipeline script from SCM.

      In the new section that appears, choose Git in the SCM menu. In the Repository URL field that appears, enter the URL to your fork of the repository again:

      Note: Again, make sure to point to your fork of the Hello Hapi application.

      Jenkins GitHub add pipeline repository

      Note: Our example references a Jenkinsfile available within a public repository. If your project is not publicly accessible, you will need to use the add credentials button to add additional access to the repository. You can add a personal access token as we did with the hooks configuration earlier.

      When you are finished, click the Save button at the bottom of the page.

      Performing an Initial Build and Configuring the Webhooks

      Jenkins does not automatically configure webhooks when you define the pipeline for the repository in the interface. In order to trigger Jenkins to set up the appropriate hooks, we need to perform a manual build the first time.

      In your pipeline’s main page, click Build Now in the left hand menu:

      Jenkins build pipeline now

      A new build will be scheduled. In the Build History box in the lower left corner, a new build should appear in a moment. Additionally, a Stage View will begin to be drawn in the main area of the interface. This will track the progress of your testing run as the different stages are completed:

      Jenkins build progress

      In the Build History box, click on the number associated with the build to go to the build detail page. From here, you can click the Console Output button in the left hand menu to see details of the steps that were run:

      Jenkins console output

      Click the Back to Project item in the left hand menu when you are finished in order to return to the main pipeline view.

      Now that we’ve built the project once, we can have Jenkins create the webhooks for our project. Click Configure in the left hand menu of the pipeline:

      Jenkins configure item

      No changes are necessary on this screen, just click the Save button at the bottom. Now that the Jenkins has information about the project from the initial build process, it will register a webhook with our GitHub project when you save the page.

      You can verify this by going to your GitHub repository and clicking the Settings button. On the next page, click Webhooks from the side menu. You should see your Jenkins server webhook in the main interface:

      Jenkins view webhooks

      If for any reason Jenkins failed to register the hook (for example, due to upstream API changes or outages between Jenkins and Github), you can quickly add one yourself by clicking Add webhook and ensuring that the Payload URL is set to https://my-jenkins-server:8080/github-webhook and the Content type is set to application/json, then clicking Add webhook again at the bottom of the prompt.

      Github add webhook

      Now, when you push new changes to your repository, Jenkins will be notified. It will then pull the new code and retest it using the same procedure.

      To approximate this, in our repository page on GitHub, you can click the Create new file button to the left of the green Clone or download button:

      Jenkins create new file button

      On the next page, choose a filename and some dummy contents:

      Jenkins new file contents

      Click the Commit new file button at the bottom when you are finished.

      If you return to your Jenkins interface, you will see a new build automatically started:

      Jenkins new build started

      You can kick off additional builds by making commits to a local copy of the repository and pushing it back up to GitHub.

      Conclusion

      In this guide, we configured Jenkins to watch a GitHub project and automatically test any new changes that are committed. Jenkins pulls code from the repository and then runs the build and testing procedures from within isolated Docker containers. The resulting code can be deployed or stored by adding additional instructions to the same Jenkinsfile.

      To learn more about GitHub Actions, refer to GitHub’s documentation.



      Source link

      How to Set Up a Website Hit Counter With Redis and PHP on Ubuntu 20.04


      The author selected the Apache Software Foundation to receive a donation as part of the Write for DOnations program.

      Introduction

      A hit counter is an application that records and indicates the number of visits your web page has received. The counter starts from 1 and is incremented once every time a web page is visited.

      To keep track of the visits, the hit counter application requires a form of a database. While disk-based database management systems like MySQL can work, an in-memory database is better in terms of speed, performance, scalability, simplicity, and ease of use. This is where the Redis server comes into play. Redis stores data in your computer’s RAM instead of hitting the disk every time you’re performing an input/output operation. This increases the throughput significantly.

      To track your site visits, you require a Redis hash map. This is a data structure that implements a key-value pair. A hash map provides a hash table that maps keys to values. Once a user visits your web page, you create a key based on their public IP address or username (for authenticated users), and then you initialize their total visits to a value of 1. Then, every time the user revisits your web page, you check their total visits from the Redis hash map based on their IP address/username and increment the value.

      In this guide, you’ll set up a website hit counter with Redis and PHP on your Ubuntu 20.04 server. The PHP scripts in this guide use the visitors’ public IP addresses to track their visits.

      Prerequisites

      To follow along with this guide, make sure you have the following:

      Step 1 — Installing PHP Redis Extension

      In this step, you’ll install a Redis extension that allows PHP to talk to the Redis server. You’ll also create a test web page that implements the Redis hash map to track web visits.

      Before installing the Redis extension, refresh your Ubuntu package information index:

      Then, run the following command to install php-redis. The extension provides an API for communicating with the Redis server key-value store:

      • sudo apt install -y php-redis

      Restart Apache to load the new extension:

      • sudo systemctl restart apache2

      You’ve now installed a PHP extension that talks to your Redis server. Next, you’ll create a test.php web page under the root directory of the Apache webserver. This is just a sample file that visitors request when they visit your website with a browser. Under the hood, the test.php page file loads a hit_counter.php script which you’ll later create to track page visits using the Redis server.

      In a real-life scenario, your website might have tens or even hundreds of web pages. For this guide, you’ll set up a single web page for demonstration purposes.

      In your terminal window, use nano to create a new test.php file under the root directory of your web-server /var/www/html/:

      • sudo nano /var/www/html/test.php

      Then, enter the following information into the test.php file:

      /var/www/html/test.php

      <?php
        require_once 'hit_counter.php';
      ?>
      
      <!DOCTYPE html>
      <html>
      
        <head>
          <title>Sample Test Page</title>
        </head>
      
        <body>
          <h1>Sample test page</h1>
          <p>This is a sample test page.</p>
        </body>
      
      </html>
      
      

      Save and close the file when you’re through with editing. In this step, you’ve created a simple HTML web page that loads a hit_counter.php file when visited. Next, you’ll code the hit_counter.php file to track the test page visits.

      Step 2 — Creating a Redis Hit Counter Script

      When working in a production environment, it’s very conventional to separate re-usable PHP files. This allows you to implement the logic in these files on different parts of the project just by including their paths instead of copy-pasting the code. This makes maintenance easier since you only need to edit a single file in case you need to change the logic. This saves you a lot of time.

      You’re going to apply the same strategy in this guide. You’ll create a single hit_counter.php file that you can include on any web page that requires visitors’ tracking.

      In this file, you’ll use the php-redis library to connect to the Redis server from PHP. Then, you’ll create a Redis hash map to store the number of visits a visitor has made to your website. You’ll use the visitors’ unique IP addresses as Redis keys to distinguish each visitor’s hit counts in the Redis server.

      In your terminal window, open a new hit_counter.php file using nano for editing purposes:

      • sudo nano /var/www/html/hit_counter.php

      With the hit_counter.php file now created, open a new PHP tag <?php. Then, inside a try { block enter the following code to connect to your local Redis server on port 6379. Replace EXAMPLE_PASSWORD with the authentication password for the Redis server:

      /var/www/html/hit_counter.php

      
      <?php
      
          try {
      
              $redis = new Redis();
              $redis->connect('127.0.0.1', 6379);
              $redis->auth('EXAMPLE_PASSWORD');
      

      Next, give the Redis hash map($siteVisitsMap) a name of your choice. This guide uses siteStats for demonstration purposes:

      /var/www/html/hit_counter.php

      
              $siteVisitsMap = 'siteStats';
      
      

      After defining the Redis hash map, you’ll now initialize an empty Redis key ($visitorHashKey). Then, you’ll populate it with the visitors’ IP addresses. You’ll use the value of the $visitorHashKey variable to uniquely identify each visitor requesting your web page:

      /var/www/html/hit_counter.php

      
      
              $visitorHashKey = '';           
      
              if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
      
                  $visitorHashKey = $_SERVER['HTTP_CLIENT_IP'];
      
              } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
      
                  $visitorHashKey = $_SERVER['HTTP_X_FORWARDED_FOR'];
      
              } else {
      
                  $visitorHashKey = $_SERVER['REMOTE_ADDR'];
              }
      
      

      In this code, you’re using the PHP if statement to determine the visitor’s IP address by checking whether the $_SERVER['HTTP_CLIENT_IP'], $_SERVER['HTTP_X_FORWARDED_FOR'], or $_SERVER['REMOTE_ADDR'] variables are populated.

      Following this, initialize a $totalVisits variable to store the total visits for each IP address and assign it a value of 0. Then, use the PHP if (...) {...} else {...} and $redis->hExists($siteVisitsMap, $visitorHashKey) statements to check if the IP address has any entries in the Redis server.

      You’ll use the statement if ($redis->hExists($siteVisitsMap, $visitorHashKey)) {...} to check whether a $visitorHashKey exists in a map named $siteVisitsMap.

      In case the map and the key with the named IP address exist in the Redis server, retrieve it with the statement $visitorData = $redis->hMget($siteVisitsMap, array($visitorHashKey)); and use $totalVisits = $visitorData[$visitorHashKey] + 1; to increment the $totalVisits variable. You’re using the $redis->hMget statement to get hit count data associated with an IP address. The hMget function accepts the name of your map ($siteVisitsMap) and an array of the keys that you want to retrieve from the Redis server. In this case, you only have one key ($visitorHashKey), but you must convert it to an array using the statement array($visitorHashKey).

      In case your script encounters the IP address for the first time, set the $totalVisits variable to 1. Finally, use $redis->hSet($siteVisitsMap, $visitorHashKey, $totalVisits); to set the value of the $visitorHashKey according to the results of the previous if (...) {...} else {...} statement. The $redis->hSet($siteVisitsMap, $visitorHashKey, $totalVisits) statement creates a $siteVisitsMap hash map in the Redis server with a key named $visitorHashKey with a value of $totalVisits.

      Then, welcome the visitor by echoing the total visits and close the } catch (...) {...} block:

      /var/www/html/hit_counter.php

      
              $totalVisits = 0;
      
              if ($redis->hExists($siteVisitsMap, $visitorHashKey)) {
      
                  $visitorData = $redis->hMget($siteVisitsMap, array($visitorHashKey));
                  $totalVisits = $visitorData[$visitorHashKey] + 1;
      
              } else {
      
                  $totalVisits = 1;
      
              }
      
              $redis->hSet($siteVisitsMap, $visitorHashKey, $totalVisits);
      
              echo "Welcome, you've visited this page " .  $totalVisits . " timesn";
      
          } catch (Exception $e) {
              echo $e->getMessage();
          }
      
      

      Once completed, your /var/www/html/hit_counter.php file should be similar to the following code:

      /var/www/html/hit_counter.php

      
      <?php
      
          try {
      
              $redis = new Redis();
              $redis->connect('127.0.0.1', 6379);
              $redis->auth('EXAMPLE_PASSWORD');
      
              $siteVisitsMap  = 'siteStats';
              $visitorHashKey = '';           
      
              if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
      
                 $visitorHashKey = $_SERVER['HTTP_CLIENT_IP'];
      
              } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
      
                 $visitorHashKey = $_SERVER['HTTP_X_FORWARDED_FOR'];
      
              } else {
      
                 $visitorHashKey = $_SERVER['REMOTE_ADDR'];
              }
      
              $totalVisits = 0;
      
              if ($redis->hExists($siteVisitsMap, $visitorHashKey)) {
      
                  $visitorData = $redis->hMget($siteVisitsMap,  array($visitorHashKey));
                  $totalVisits = $visitorData[$visitorHashKey] + 1;
      
              } else {
      
                  $totalVisits = 1;
      
              }
      
              $redis->hSet($siteVisitsMap, $visitorHashKey, $totalVisits);
      
              echo "Welcome, you've visited this page " .  $totalVisits . " timesn";
      
          } catch (Exception $e) {
              echo $e->getMessage();
          }
      

      Save and close the file when you’re through with editing. You’ve now coded a hit_counter.php script. Next, you’ll create another PHP script that generates a report from the data gathered in the Redis hash map.

      Step 3 — Creating a Site Stats Report Script

      Once you’ve collected data in a Redis hash map, it might not make any sense if you’re not able to retrieve and represent the information in a report. In this step, you’ll create a log report to show the different site visitors and the total visits they’ve made on the test web page.

      To create the log report script, run nano on your terminal window and create a new /var/www/html/log_report.php file:

      • sudo nano /var/www/html/log_report.php

      Then, enter the information below into the file. Replace EXAMPLE_PASSWORD with the correct password for the Redis server:

      /var/www/html/log.php

      
      <!DOCTYPE html>
      <html>
      
        <head>
          <title>Site Visits Report</title>
        </head>
      
        <body>
      
            <h1>Site Visits Report</h1>
      
            <table border="1">
              <tr>
                <th>No.</th>
                <th>Visitor</th>
                <th>Total Visits</th>
              </tr>
      
              <?php
      
                  try {
      
                      $redis = new Redis();
                      $redis->connect('127.0.0.1', 6379);
                      $redis->auth('EXAMPLE_PASSWORD');
      
                      $siteVisitsMap = 'siteStats';                          
      
                      $siteStats = $redis->HGETALL($siteVisitsMap);
      
                      $i = 1; 
      
                      foreach ($siteStats as $visitor => $totalVisits) {
      
                          echo "<tr>";
                            echo "<td align = 'left'>"   . $i . "."     . "</td>";
                            echo "<td align = 'left'>"   . $visitor     . "</td>";
                            echo "<td align = 'right'>"  . $totalVisits . "</td>";
                          echo "</tr>";
      
                          $i++;
                      }
      
                  } catch (Exception $e) {
                      echo $e->getMessage();
                  }
      
              ?>
      
            </table>
        </body>
      
      </html>
      

      Save and close the file when you’re through with editing. In the above script, you’re connecting to the Redis server and you’re using the statement $redis->HGETALL($siteVisitsMap); to retrieve your web page visits’ hash map. Then, you’re using the PHP foreach ($siteStats as $visitor => $totalVisits) { statement to loop and display the visitors’ IP addresses and the number of visits they’ve made to your site. You’re using the Redis HGETALL command to retrieve all fields (IP addresses) and values (total visits per each IP address) from the siteVisitsMap map.

      You now have a test page, a hit counter script, and a report page to check your site stats. Next, you’ll test the functionalities of your hit counter and see if everything works.

      Step 4 — Testing the Redis Hit Counter

      In this step, you’ll test the whole logic for your hit counter. Navigate to the following URL on your web browser. Replace your-server-IP with your server’s public IP address or domain name.

      http://your-server-IP/test.php
      

      Refresh the page several times using different devices to generate enough stats. After each visit, you should receive the following output.

      https://xpresservers.com/wp-content/uploads/2021/12/How-to-Set-Up-a-Website-Hit-Counter-With-Redis.png

      Next, visit the following URL to get your site visits report displayed in an HTML table

      http://your-server-IP/log_report.php
      
      

      You should now see a report similar to the following output.

      https://xpresservers.com/wp-content/uploads/2021/12/1640824415_889_How-to-Set-Up-a-Website-Hit-Counter-With-Redis.png

      Your hit counter is now working as expected.

      Conclusion

      In this guide, you’ve set up a website hit counter with Redis and PHP on your Ubuntu 20.04 server.

      As you can see from the sample source code in this guide, Redis provides cleaner methods for creating and updating hash maps.

      As mentioned at the beginning of this guide, using a relational database management system may still work but you’ll write tons of code to insert and update data in underlying tables. In addition, disk-based databases may experience scalability issues when your site grows.

      For more information on using Redis in-memory database, follow the guides below:



      Source link

      How To Set Up Nginx with HTTP/2 Support on Ubuntu 20.04


      A previous version of this tutorial was written by Sergey Zhukaev.

      Introduction

      Nginx is a fast and reliable open-source web server. It gained its popularity due to its low memory footprint, high scalability, ease of configuration, and support for a wide variety of protocols.

      HTTP/2 is a newer version of the Hypertext Transport Protocol, which is used on the Web to deliver pages from server to browser. HTTP/2 is the first major update of HTTP in almost two decades: HTTP1.1 was introduced to the public back in 1999 when webpages were much smaller in size. The Internet has dramatically changed since then, and we are now facing the limitations of HTTP 1.1. The protocol limits potential transfer speeds for most modern websites because it downloads parts of a page in a queue – the previous part must download completely before the download of the next part begins – and an average modern web page downloads dozens of individual CSS, javascript, and image assets.

      HTTP/2 solves this problem because it brings a few fundamental changes:

      • All requests are downloaded in parallel, not in a queue
      • HTTP headers are compressed
      • Pages transfer as a binary, not as a text file, which is more efficient
      • Servers can “push” data even without the user’s request, which improves speed for users with high latency

      Even though HTTP/2 does not require encryption, developers of the two most popular browsers, Google Chrome and Mozilla Firefox, have stated that for security reasons they will support HTTP/2 only for HTTPS connections. Hence, if you decide to set up servers with HTTP/2 support, you must also secure them with HTTPS.

      This tutorial will help you set up a fast and secure Nginx server with HTTP/2 support.

      Prerequisites

      Before getting started, you will need a few things:

      • An Ubuntu 20.04 server set up by following the Ubuntu 20.04 initial server setup guide, including a sudo non-root user and a firewall.
      • Nginx installed on your server, which you can do by following How To Install Nginx on Ubuntu 20.04.
      • A domain name configured to point to your server. You can purchase one on Namecheap or get one for free on Freenom. You can learn how to point domains to DigitalOcean Droplets by following the documentation on How To Manage Your Domain With DigitalOcean.
      • A TLS/SSL certificate configured for your server. You have three options:
      • Nginx configured to redirect traffic from port 80 to port 443, which should be covered by the previous prerequisites.
      • Nginx configured to use a 2048-bit or higher Ephemeral Diffie-Hellman (DHE) key, which should also be covered by the previous prerequisites.

      Step 1 — Enabling HTTP/2 Support

      If you followed the server block set up step in the Nginx installation tutorial, you should have a server block for your domain at /etc/nginx/sites-available/your_domain with the server_name directive already set appropriately. The first change we will make will be to modify your domain’s server block to use HTTP/2.

      Open the configuration file for your domain using nano or your preferred editor:

      • sudo nano /etc/nginx/sites-enabled/your_domain

      In the file, locate the listen variables associated with port 443:

      /etc/nginx/sites-enabled/your_domain

      ...
          listen [::]:443 ssl ipv6only=on; 
          listen 443 ssl; 
      ...
      

      The first one is for IPv6 connections. The second one is for all IPv4 connections. We will enable HTTP/2 for both.

      Modify each listen directive to include http2:

      /etc/nginx/sites-enabled/your_domain

      ...
          listen [::]:443 ssl http2 ipv6only=on; 
          listen 443 ssl http2; 
      ...
      

      This tells Nginx to use HTTP/2 with supported browsers.

      Save the configuration file and exit the text editor. If you are using nano, press Ctrl+X then, when prompted, Y and then Enter.

      Whenever you make changes to Nginx configuration files, you should check the configuration for errors, using the -t flag, which runs Nginx’s built-in syntax check command:

      If the syntax is error-free, you will receive output like the following:

      Output of sudo nginx -t

      nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
      nginx: configuration file /etc/nginx/nginx.conf test is successful
      

      Next, you’ll configure your Nginx server to use a more restrictive list of ciphers to improve your server’s security.

      Step 2 — Removing Old and Insecure Cipher Suites

      HTTP/2 has a blocklist of old and insecure ciphers that should be avoided. Cipher suites are cryptographic algorithms that describe how the transferred data should be encrypted.

      The method you’ll use to define the ciphers depends on how you’ve configured your TLS/SSL certificates for Nginx.

      If you used Certbot to obtain your certificates, it also created the file /etc/letsencrypt/options-ssl-nginx.conf that contains ciphers that aren’t secure enough for HTTP/2. However, modifying this file will prevent Certbot from applying updates in the future, so we’ll just tell Nginx not to use this file and we’ll specify our own list of ciphers.

      Open the server block configuration file for your domain:

      sudo nano /etc/nginx/sites-enabled/your_domain
      

      Locate the line that includes the options-ssl-nginx.conf file and comment it out by adding a # character to the beginning of the line:

      /etc/nginx/sites-enabled/your_domain

      
          # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot<^>
      

      Below that line, add this line to define the allowed ciphers:

      /etc/nginx/sites-enabled/your_domain

      
      ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
      

      Save the file and exit the editor.

      If you used self-signed certificates or used a certificate from a third party and configured it according to the prerequisites, open the file /etc/nginx/snippets/ssl-params.conf in your text editor:

      • sudo nano /etc/nginx/snippets/ssl-params.conf

      Locate the following line:

      /etc/nginx/snippets/ssl-params.conf

      ...
      ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
      ...
      

      Modify it to use the following list of ciphers:

      /etc/nginx/snippets/ssl-params.conf

      
      ...
      ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
      

      Save the file and exit your editor.

      Once again, check the configuration for syntax errors using the nginx -t command:

      If you encounter any errors, address them and test again.

      Once your configuration passes the syntax check, restart Nginx using the systemctl command:

      • sudo systemctl reload nginx.service

      With the server restarted, let’s verify that it works.

      Step 3 — Verifying that HTTP/2 is Enabled

      Let’s ensure the server is running and working with HTTP/2.

      Use the curl command to make a request to your site and view the headers:

      • curl -I -L --http2 https://your_domain

      You’ll receive output like the following:

      HTTP/2 200
      server: nginx/1.18.0 (Ubuntu)
      date: Wed, 10 Nov 2021 17:53:10 GMT
      content-type: text/html
      content-length: 612
      last-modified: Tue, 09 Nov 2021 23:18:37 GMT
      etag: "618b01cd-264"
      accept-ranges: bytes
      

      You can also verify that HTTP/2 is in use in Google Chrome. Open Chrome and navigate to https://your_domain. Open the Chrome Developer Tools (View -> Developer -> Developer Tools) and reload the page (View -> Reload This Page). Navigate to the Network tab, right-click on the table header row that starts with Name, and select the Protocol option from the popup menu.

      You’ll have a new Protocol column that contains h2 (which stands for HTTP/2), indicating that HTTP/2 is working.

      Chrome Developer Tools HTTP/2 check

      At this point, you’re ready to serve content through the HTTP/2 protocol. Let’s improve security and performance by enabling HSTS.

      Step 4 — Enabling HTTP Strict Transport Security (HSTS)

      Even though your HTTP requests redirect to HTTPS, you can enable HTTP Strict Transport Security (HSTS) to avoid having to do those redirects. If the browser finds an HSTS header, it will not try to connect to the server via regular HTTP again for a given time period. No matter what, it will exchange data using only encrypted HTTPS connection. This header also protects us from protocol downgrade attacks.

      Open the server block configuration file for your domain again:

      sudo nano /etc/nginx/your_domain
      

      Add this line to the same block of the file containing the SSL ciphers in order to enable HSTS:

      /etc/nginx/your_domain

      server {
      ...
          ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
          add_header Strict-Transport-Security "max-age=15768000" always;
      }
      ...
      

      The max-age is set in seconds. The value 15768000 is equivalent to 6 months.

      By default, this header is not added to subdomain requests. If you have subdomains and want HSTS to apply to all of them, you should add the includeSubDomains variable at the end of the line, like this:

      /etc/nginx/your_domain

      add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
      

      Save the file, and exit the editor.

      Once again, check the configuration for syntax errors:

      Finally, restart the Nginx server to apply the changes.

      • sudo systemctl reload nginx.service

      Conclusion

      Your Nginx server is now serving HTTP/2 pages. If you want to test the strength of your SSL connection, please visit Qualys SSL Lab and run a test against your server. If everything is configured properly, you should get an A+ mark for security.

      To learn more about how Nginx parses and implements server block rules, try reading Understanding Nginx Server and Location Block Selection Algorithms.



      Source link