Using Ansible for Hosting a Blog on a Cloud Server

Creating a Hetzner Cloud Server

Installing Nginx

- name: Install nginx
  hosts:
    - admantium
  gather_facts: true
  become: true
  tags:
    - nginx
  vars:
    # With 'os_repository' the nginxinc.nginx role installs the distribution's
    # nginx package; nginx_repository is only consulted when nginx_install_from
    # is 'nginx_repository', so the mainline repo line below has no effect here.
    nginx_install_from: 'os_repository'
    nginx_repository: deb https://nginx.org/packages/mainline/debian/ stretch nginx
    # Upload the main nginx.conf and the per-site http configs from the local
    # config/ directory instead of relying on the role's templates
    nginx_main_upload_enable: true
    nginx_main_upload_src: config/nginx.conf
    nginx_main_upload_dest: /etc/nginx/
    nginx_http_upload_enable: true
    nginx_http_upload_src: config/http/*.conf
    nginx_http_upload_dest: /etc/nginx/conf.d/
  roles:
    - nginxinc.nginx

Get Certificates with Let’s Encrypt

# certbot plus its nginx plugin
apt-get install certbot python-certbot-nginx
# certonly obtains the certificate without rewriting the nginx config; the nginx
# plugin answers the ACME challenge through the running server
certbot certonly --nginx

server {
    server_name admantium.com;
    listen 443 ssl http2;
    # certbot stores the files under /etc/letsencrypt/live/<domain>/;
    # fullchain.pem also carries the intermediate certificate clients need
    ssl_certificate /etc/letsencrypt/live/admantium.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admantium.com/privkey.pem;
}

Securing the Web Server

  • Only allow TLSv1.2 and TLSv1.3; TLS 1.0 and 1.1 are deprecated (RFC 8996) and have known weaknesses.
  • Offer a carefully selected set of ssl_ciphers (forward-secret, AEAD suites only) and let the server, not the client, decide which of them is used (ssl_prefer_server_ciphers on).
  • Redirect plain HTTP to HTTPS and set the Strict-Transport-Security header so that browsers only use TLS for the site from then on.
##
# SSL Settings
##
# TLS 1.0 and 1.1 are deprecated; allow TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites: forward secrecy (ECDHE/DHE) and AEAD (GCM, ChaCha20-Poly1305) only.
# TLS 1.3 suites are fixed by OpenSSL and are not selected through ssl_ciphers.
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256";
# The server's preference order wins over the client's
ssl_prefer_server_ciphers on;
# X25519 is not listed, so TLS 1.3 clients that offer only an X25519 key share
# pay an extra HelloRetryRequest round trip before settling on secp384r1
ssl_ecdh_curve secp521r1:secp384r1;
# The HSTS preload list only accepts max-age >= 31536000 (one year) together with
# includeSubDomains, so a 15768000 value with "preload" would be rejected; only use
# includeSubDomains if every subdomain is served over TLS. "always" sends the
# header on error responses too.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
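The three checks above can be applied to a config fragment before it goes onto the server. The following Python script is an added example written for this article, not code from the original post or from the nginxinc role: it parses the ssl_* and add_header directives, asks the local OpenSSL which TLS 1.2 suites the ssl_ciphers string really enables, and flags legacy protocols, suites without forward secrecy or AEAD, client-preferred cipher order, and an HSTS header the preload list would reject (max-age under one year or missing includeSubDomains). Both config fragments are constructed inline for the example; the directive names are real nginx directives, while the finding messages, the NGINX_DEFAULT_CIPHERS fallback and the check structure are this example's own choices.

```python
import re
import shlex
import ssl

# Both fragments are constructed for this example. WEAK_CONFIG mirrors common
# defaults (legacy protocols, a catch-all cipher string, client-chosen ciphers,
# an HSTS header that the preload list would reject); HARDENED_CONFIG is the
# article's settings block with the HSTS header raised to the preload minimum.
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5";
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=15768000; preload";
"""

HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp521r1:secp384r1;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts
NGINX_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"  # assumed fallback when ssl_ciphers is absent

# one directive per line: name, arguments, terminating semicolon
DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?);\s*$", re.M)


def parse_directives(config):
    """Map each directive name to the argument lists it appears with (quotes removed)."""
    directives = {}
    for name, rest in DIRECTIVE.findall(config):
        directives.setdefault(name, []).append(shlex.split(rest))
    return directives


def expand_ciphers(spec):
    """Let the local OpenSSL expand an ssl_ciphers string into the TLS 1.2 suites it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError when nothing matches
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are fixed by OpenSSL, not by ssl_ciphers
    return [c for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit_hsts(args):
    """Check one 'add_header Strict-Transport-Security ...' argument list."""
    findings = []
    value = args[1] if len(args) > 1 else ""
    params = [p.strip().lower() for p in value.split(";") if p.strip()]
    ages = [int(p[len("max-age="):]) for p in params if re.fullmatch(r"max-age=\d+", p)]
    age = ages[0] if ages else None
    if age is None:
        findings.append("HSTS header has no max-age")
    if "preload" in params:
        if age is None or age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"preload requires max-age >= {PRELOAD_MIN_MAX_AGE}, got {age}")
        if "includesubdomains" not in params:
            findings.append("preload requires includeSubDomains")
    if args[-1] != "always":
        findings.append("HSTS add_header lacks 'always'; nginx omits it on error responses")
    return findings


def audit_tls_config(config):
    """Return a list of findings for an nginx TLS fragment; empty means every check passed."""
    d = parse_directives(config)
    findings = []

    protocols = d.get("ssl_protocols", [[]])[0]
    if not protocols:
        findings.append("ssl_protocols not set; the nginx default may enable TLSv1/TLSv1.1")
    findings += [f"legacy protocol enabled: {p}" for p in protocols if p in LEGACY_PROTOCOLS]

    spec = d.get("ssl_ciphers", [[NGINX_DEFAULT_CIPHERS]])[0][0]
    try:
        for c in expand_ciphers(spec):
            if not c["name"].startswith(("ECDHE-", "DHE-")):
                findings.append(f"no forward secrecy: {c['name']}")
            elif not c["aead"]:
                findings.append(f"non-AEAD cipher: {c['name']}")
    except ssl.SSLError:
        findings.append(f"ssl_ciphers matches no cipher in this OpenSSL: {spec}")

    if d.get("ssl_prefer_server_ciphers", [["off"]])[0][0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on; the client chooses the cipher")

    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    for args in hsts:
        findings += audit_hsts(args)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_tls_config(cfg)
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{label}: {status}")
        for f in findings:
            print("  -", f)
```

Expanding the cipher string through the local OpenSSL rather than matching names by hand is deliberate: an alias such as HIGH looks harmless in the config file, and only the expanded list shows the RSA key exchange and CBC suites it drags in. Run it against the OpenSSL version your nginx is linked with, since the expansion differs between releases.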

Conclusion
