Notes on Using a Low End VPS
Context
- Platform: Ramnode
- Kernel: Linux 5.4.0-65-generic
- OS: Ubuntu 20.04 LTS
Nginx
Include Files
- Can contain partial blocks of configuration which are pulled in anywhere in a config file with the `include` directive.
- If a relative path is used it is resolved against the directory holding the main configuration file, i.e. `/etc/nginx/` on Ubuntu.
- Do not put partial-block include files in a directory that nginx already globs for configuration (ex: `/etc/nginx/conf.d/`, which the stock `nginx.conf` pulls in with `include /etc/nginx/conf.d/*.conf;` inside the `http` context). Anything matching that glob is loaded, not ignored: directives that are valid in the `http` context are applied to every server, and directives only allowed in `server` or `location` make the config fail to load. A snippet without the `.conf` suffix does escape the glob, but relying on that is fragile. Keep snippets in a directory that is not globbed, such as `/etc/nginx/snippets/`, include them explicitly, and check with `nginx -t` before reloading.
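As an added example (not config from the original notes), a TLS-settings snippet kept outside the globbed directory, and the complete `server` block that includes it. The file names, `example.com`, the upstream root and the certificate paths are assumptions; the TLS settings are modelled on the Mozilla intermediate profile (the generator is listed in the Resources for the HTTPS section).

```nginx
# /etc/nginx/snippets/tls-params.conf
# A partial block: bare directives with no enclosing http {} or server {}.
# It lives under snippets/ on purpose. The stock Ubuntu nginx.conf contains
#   include /etc/nginx/conf.d/*.conf;
# inside http {}, so a file named *.conf dropped into conf.d/ is NOT ignored:
# the directives below would apply to every server, and a location-only
# directive in the same file would make `nginx -t` fail.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Required for the DHE-* suites above; without ssl_dhparam nginx offers none of them.
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Enable HSTS only once HTTPS is confirmed working; browsers remember it.
add_header Strict-Transport-Security "max-age=63072000" always;

# /etc/nginx/sites-available/example.com (a complete block, symlinked into
# sites-enabled/, which nginx.conf does glob). File and host names are assumed.
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Relative path: resolved against the directory of nginx.conf, /etc/nginx/.
    include snippets/tls-params.conf;

    location / {
        root /var/www/html;
    }
}
```

`nginx -t` validates the combined result before `nginx -s reload`; a directive placed in the wrong context is reported there as `directive is not allowed here`, which is also what you would see if the snippet were accidentally picked up by the `conf.d/*.conf` glob.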
Resources
HTTPS with Let’s Encrypt
Setting up a Let’s Encrypt certificate involves two steps: 1) getting the certificate for the first time, and 2) renewing the certificate. This is worth keeping in mind if you want to run certbot in Docker, since some manual steps will be needed for (1), and the dhparam file has to be generated before the server can be run. (1) can be done by running certbot in `certonly` mode and modifying the nginx config to host certbot’s challenge response (`/.well-known/acme-challenge/`) over HTTP only, because nginx will fail to start a `listen 443 ssl` server block whose certificate files do not exist yet. One clever workaround is to generate temporary self-signed certs simply to get nginx to run, which does not require the nginx config to be modified (so long as the challenge response location is also being hosted over HTTP); the dummy certs are replaced once the real ones have been issued.
I chose to maintain a separate docker compose config with a separate nginx config to accomplish (1) in the interest of relative simplicity and isolation. And then borrow most of the docker compose config from Pentacent (Medium) - Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes for handling (2).
The dhparam file will need to be generated (ex: `openssl dhparam -out dhparam.pem 4096`) or obtained. It is only needed when the nginx config sets `ssl_dhparam`, which is what makes the DHE cipher suites available. Generating 4096-bit parameters can take a very long time on a low-end VPS; the Mozilla SSL Configuration Generator instead points at the pre-generated RFC 7919 `ffdhe2048` group, which is one way to obtain it.
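The two-step flow described above as an added example (not config from the original notes or from the Pentacent tutorial): the HTTP-only server block used for step (1) with the separate compose file, and the blocks it is swapped for once the certificate exists. `example.com`, the webroot `/var/www/certbot`, the snippet path, the upstream name and the certbot invocation in the comments are assumptions.

```nginx
# Step (1): bootstrap config, HTTP only. nginx starts even though no certificate
# exists yet because there is no `listen 443 ssl` block that would try to load one.
server {
    listen 80;
    server_name example.com;

    # certbot in webroot mode writes its challenge token under
    # <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over HTTP.
    # The certbot container must share this directory with nginx, e.g.
    #   docker run --rm -v /var/www/certbot:/var/www/certbot \
    #     -v /etc/letsencrypt:/etc/letsencrypt certbot/certbot \
    #     certonly --webroot -w /var/www/certbot -d example.com
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Serve nothing else until the real certificate is in place.
    location / {
        return 404;
    }
}

# Step (2): production config, used once /etc/letsencrypt/live/example.com/ exists.
# Port 80 keeps the challenge location so renewals keep working and redirects
# everything else to HTTPS.
server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Protocol, cipher and dhparam settings are kept in a partial-block snippet
    # (see Include Files); the path is relative to /etc/nginx/.
    include snippets/tls-params.conf;

    location / {
        proxy_pass http://app:3000;   # assumed upstream service name from docker-compose
    }
}
```

A renewed certificate is only picked up after `nginx -s reload`; if the renewal container runs on a timer, the nginx container needs a matching periodic reload, which is what the Pentacent compose file arranges.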
Resources
- Let’s Encrypt - Certbot
- Mozilla - SSL Configuration Generator
- Security StackExchange - What’s the purpose of DH Parameters?
- Pentacent (Medium) - Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes [Tutorial]
- Digital Ocean - How To Secure a Containerized Node.js Application with Nginx, Let’s Encrypt, and Docker Compose [Tutorial]
Docker Compose
Env Vars
- Env vars can be defined and optionally set in the compose file (`environment`) or via a file reference (`env_file`).
- When an env var is supplied via `env_file` it is not available for substitution in the compose file itself, but it is available in the container (at least in docker-compose version 1.27.4). `${VAR}` substitution in the compose file only draws on the shell environment and the `.env` file in the project directory.
- A symptom of referencing an `env_file` var in the compose file this way is the warning `WARNING: The ENV_VAR variable is not set. Defaulting to a blank string.`
- If the env var is being referenced in either `entrypoint` or `command`, this can be overcome by writing `$$ENV_VAR` instead of `$ENV_VAR`, which stops docker-compose from evaluating it and passes a literal `$ENV_VAR` through to the container, where a shell (`sh -c '...'`) expands it from the container's environment.
- Tip: To see the compose file after substitution use `docker-compose config`.
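The `$ENV_VAR` versus `$$ENV_VAR` behaviour above as an added example (not a compose file from the original notes). The service name, image, variable names and the contents of `app.env` are assumptions.

```yaml
# docker-compose.yml: added example. app.env, constructed for this example,
# contains the single line:
#   UPSTREAM_HOST=backend.internal
version: "3.8"
services:
  app:
    image: alpine:3.18
    env_file:
      - app.env          # UPSTREAM_HOST is set inside the container only
    environment:
      # ${...} is substituted by docker-compose before the file reaches Docker,
      # from the shell environment or ./.env, never from env_file. With neither set:
      # "WARNING: The DEPLOY_ENV variable is not set. Defaulting to a blank string."
      DEPLOY_ENV: ${DEPLOY_ENV}

    # Broken: docker-compose substitutes $UPSTREAM_HOST itself, finds nothing,
    # prints the warning, and the container runs `echo "upstream is "`.
    # command: sh -c 'echo "upstream is $UPSTREAM_HOST"'

    # Works: $$ reaches the container as a literal $, and sh expands it from the
    # env_file value. The shell matters: an exec-form command such as
    # ["echo", "$$UPSTREAM_HOST"] would print the literal string $UPSTREAM_HOST.
    command: sh -c 'echo "upstream is $$UPSTREAM_HOST"'
```

`docker-compose config` shows the file after substitution: `${DEPLOY_ENV}` is gone while the `$$` is still intact, and `docker-compose run --rm app` prints `upstream is backend.internal`.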
Swap
Although it can hurt performance, enabling swap is handy when processes are being OOM-killed by the kernel on a small VPS. Where performance is not a high priority, such as during builds, it is worth turning on.
See Digital Ocean - How To Add Swap Space on Ubuntu 20.04 for more details and info about tuning.
Checking
```sh
swapon --show
free -h
```
Adding (File)
```sh
# allocate space
fallocate -l 500M /swapfile
# secure: swap holds whatever was in process memory (keys, passwords), so only root may read it
chown root:root /swapfile
chmod 600 /swapfile
# set up
mkswap /swapfile
# activate
swapon /swapfile
# confirm
free -h
```
Add `/swapfile none swap sw 0 0` to `/etc/fstab` to make it persistent.
Expanding (File)
```sh
# deactivate
swapoff /swapfile
# reallocate space
fallocate -l 1G /swapfile
# rewrite the swap header: swapon takes the usable size from the header written by
# mkswap, so without this step only the original 500M would be used
mkswap /swapfile
# reactivate
swapon /swapfile
# confirm
free -h
```
Removing (File)
```sh
# deactivate
swapoff /swapfile
# delete
rm /swapfile
```
Remove the `/swapfile` line from `/etc/fstab` if present.
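The add procedure as one idempotent script, an added example that is not from the original notes: it refuses to create a duplicate fstab entry, checks the file mode before the swap header is written, and verifies the result. It assumes Ubuntu 20.04's util-linux and GNU coreutils (`fallocate`, `mkswap`, `swapon --show`, `stat -c`) and must run as root to actually enable swap; the two check helpers are plain file checks and can be exercised unprivileged.

```sh
#!/bin/sh
# ensure-swapfile.sh: added example, assumes util-linux and GNU coreutils.
set -eu

SWAPFILE=${SWAPFILE:-/swapfile}

# True if the fstab file in $1 already carries an entry whose device field is $2.
# Comments are skipped and only the first field is compared, so "/swapfile2"
# does not count as "/swapfile".
fstab_has_entry() {  # usage: fstab_has_entry FSTAB PATH
    awk -v dev="$2" '$1 !~ /^#/ && $1 == dev { found = 1 } END { exit !found }' "$1"
}

# A swapfile must be mode 0600: swap pages can hold anything a process had in
# memory, including keys and passwords, so nobody but root may read the file.
swapfile_mode_ok() {  # usage: swapfile_mode_ok PATH
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Paths of currently active swap devices, one per line.
active_swap_devices() {
    swapon --show=NAME --noheadings
}

ensure_swapfile() {  # usage: ensure_swapfile SIZE   (e.g. 500M or 1G), root only
    if active_swap_devices | grep -qx "$SWAPFILE"; then
        echo "$SWAPFILE is already active"
    else
        # Allocate only if missing, lock the file down before mkswap writes the
        # header, then enable it. An existing file keeps its current size.
        [ -e "$SWAPFILE" ] || fallocate -l "$1" "$SWAPFILE"
        chown root:root "$SWAPFILE"
        chmod 600 "$SWAPFILE"
        swapfile_mode_ok "$SWAPFILE"
        mkswap "$SWAPFILE"
        swapon "$SWAPFILE"
    fi
    # Persist exactly once; a second swapon of the same file at boot fails noisily.
    fstab_has_entry /etc/fstab "$SWAPFILE" \
        || printf '%s none swap sw 0 0\n' "$SWAPFILE" >> /etc/fstab
    # Confirm
    swapon --show
    free -h
}

# Run as: sudo sh ensure-swapfile.sh --run 1G
if [ "${1:-}" = "--run" ]; then
    ensure_swapfile "${2:-1G}"
fi
```

Re-running the script after a reboot is safe: the file is found active, nothing is reallocated, and the fstab check keeps the single existing line.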