+U Maxout!

domain and iptables update notes

Posted on In , Disqus:

An update on adding sub domain name to existing godaddy domain service, setting up nginx to forward 4096 port to 80, setting up firewall rules with iptables, iptables-persistent on Ubuntu VPS. jenkins.maxwu.me is now a sub-domain.

The previous jenkins service is running on Ubuntu VPS but I just added a 301 forwarding on Godaddy domain service. Therefore, the readers will read the real IP address in browser URL column. It has no buffering service so Jenkins has to keep the slow connections over internet. The third reason is to harden this VPS host since the service is publicly accessible globally.

Setting up Nginx

From Nginx config file we can see that all files in /etc/nginx/sites-enabled will be included by default. We can create a site description file by copying the file default as a template. The simplified contents are as below:

>cat jenkins
server {
  listen 80;
  root /var/run/jenkins/war/;
  server_name jenkins.maxwu.me;

  access_log      /var/log/nginx/jenkins/access.log;
  error_log       /var/log/nginx/jenkins/error.log;
  ignore_invalid_headers off; #pass through headers from Jenkins which are considered invalid by Nginx server.
  location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
    rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
  }

  location /userContent {
	root /var/lib/jenkins/;
        if (!-f $request_filename){
           #this file does not exist, might be a directory or a /**view** url
           rewrite (.*) /$1 last;
	   break;
        }
	sendfile on;
  }

  location @jenkins {
      sendfile off;
      proxy_pass         http://127.0.0.1:4096;
      proxy_redirect     default;

      proxy_set_header   Host             $host;
      proxy_set_header   X-Real-IP        $remote_addr;
      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_max_temp_file_size 0;

      #this is the maximum upload size
      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;

      proxy_buffer_size          4k;
      proxy_buffers              4 32k;
      proxy_busy_buffers_size    64k;
      proxy_temp_file_write_size 64k;
}

  location / {

     # Optional configuration to detect and redirect iPhones
      if ($http_user_agent ~* '(iPhone|iPod)') {
          rewrite ^/$ /view/iphone/ redirect;
      }

      try_files $uri @jenkins;
   }

}

Further reference could be found Jenkins Doc.

Add Sub Domain

This step with Godaddy is convenient. Click the domain management function and add an A-Record to existing domain:

Host -> Input your sub-domain name, here is "jenkins"; Target -> Input IP to reolve with; TTL -> By default, keep 60min.

After a while, nslookup jenkins.maxwu.me could return new results:

ⓑ maxwu> nslookup jenkins.maxwu.me
Server:	8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	jenkins.maxwu.me
Address: 104.224.136.48

Harden host with firewall

To check existing rules, iptables -L -n. Ubuntu has a good utility to save and reload iptables rules, -- "iptables-persistent". Install iptables-persistent with apt-get, service iptables-persistent save|reload could save your time to add network interface up/down scripts. The rules file by default locates at /etc/iptables.ipv4.

Here are my iptables rules for references. I added general notes.

Allow Specified Inputs

# Replace 22 with your customized SSH port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
# Allow Ping request
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Allow loopback
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

The pervious version introduces an issue to block 127.0.0.1 loopback connection other than 80/22 ${ssh} /4096 ${actual_service_port_behind_nginx}

It causes selenium tests fail with Jenkins. After adding loopback acceptance rule into INPUT chain, this issue is resolved. This issue costs an hour tonight. At first, I thought it is a memory issue since the VPS only has 512MB shared RAM. However, a detailed check shew that Cucumber-Selenium only spent around 200MB memory during the test with default GC. So adding MAVEN_OPT with JVM parameters won't resolve it.

By the way, if there is concern on Jenkins JVM parameters, readers can find them at /etc/default/jenkins file. Variable name is JAVA_ARGS.

Besides, to limit the maven job JVM memory, it could be specified within MAVEN_OPTS environmental variables.

[2017-03-01]

Allow Established Sessions

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Log Dropped Packets

iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Set Policy Rule (default rule)

If you are operating remotely, make sure this step executed at last.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

Have fun!

###--Change Log--

2017-03-01, Max, Fix an issue with iptables loopback.

2017-03-01, Max, Update nginx config with Jenkins reverse proxy documentation.

2017-02-28, Max, Init the notes.

EOF