Overview
As you had read the title of the article, one thing is sure it will be a bit too technical but will be very helpful for Developers and DevOps engineers out there who have faced the same problem or are currently facing it. Basically, this guide will roam around the Nginx and SSL configuration on aws EC2 machine.
Before jumping right into increasing the server security you guys should give read to the previous articles of the deployment series for a clear understanding on how to deploy the server on EC2 and setup Nginx and SSL certificate. I am attaching the articles below so that you guys can have a look at them if you haven’t read them yet.
1. Deployment on EC2 Instance
2. Serve Flask application With Gunicorn Nginx And SSL On Ubuntu
Problem Statement
Now we are all good, to begin with the problem statement for which I am going to tell you guys the solution in this guide. So, Our team is working on a project FormOle who’s iOS application is currently live and is in users hand. As I am an AI Engineer, I was handling the AI server of that project which was deployed on AWS EC2 Machine.
Everything was going good and the project was working smoothly but one day an SQA found a bug that some hits are getting stuck at the AI Server of FormOle and we are never getting the response back. My first thought after hearing that maybe server memory is getting messed up, I instantly checked it out and found that there’s enough space left for processing multiple hits without overlapping or stucking.
Secondly, I checked the Nginx configurations files and the SSL configurations which are being done on the server, the configurations seem good to me. Then I checked the Nginx logs where finally I found the records for those hits that aren’t being processed.
Path to Nginx logs file:
The path for the Nginx log file is set inside the nginx.conf file, following that path you can access the logs.
Nginx Error Log File:
Then I did research on the error found in the Nginx logs file and came to know that this problem occurs from the client side and not from the server side. Looking deep into the issue I found that there are multiple reasons for this problem to occur,
Mainly
- Malicious Hits OR vulnerable hits
- Getting multiple hits from the same ip address
- The hardware which is being used is outdated etc..
3 Steps to Install an SSL Certificate on AWS EC2 Instance
For handling all the above issues the things that need to be updated on the server are the following:
- Nginx versionÂ
- Openssl version
- SSL/TLS protocols
When all the above 3 mentions things are up-to-date on the server then the server can handle any type of hit without being stuck.
1-How to update Nginx Version
For updating the Nginx version you can follow this simple guide and boom you are 1st step closer in solving the problem.
2-How to update OpenSSL Version
To update OpenSSL, assuming it’s already installed follow the commands written below one by one,
- sudo apt-get update
- sudo apt-get upgrade
- sudo apt-get install opensslÂ
If running all these commands, if it returns 0 packages updated then your OpenSSL version is already updated.
3-How to update SSL/TLS protocols
To update the SSL/TLS protocols changes are being made in two files:
1-Nginx.conf file:
These two lines need to be added or updated inside the nginx.conf in http curly brackets { }.
The reason for updating TLS 1.2 and TLS 1.3 is that these are the latest SSL protocols that need to be updated inside the Nginx settings to make the server work properly for handling the hits coming from different browsers, old, new etc.
2-Options-ssl-nginx.conf file:
I use letsencrypt’s Certbot for ssl certification. It automatically creates a file named options-ssl-nginx.conf at this path /etc/letsencrypt/options-ssl-nginx.conf, where the ssl-protocols needs to be defined too. If you don’t adjust them there, changing the nginx.conf won’t work.
These two lines need to be added or updated inside the options-ssl-nginx.conf.
After updating the ssl_protocols, we also need to specify and set up the ssl_ciphers inside options-ssl-nginx.conf file for handling the new TLS 1.2 and TLS 1.3 versions.
After following these 3 simple steps, I resolved the issue which was that sometimes the hits on the servers get stuck somewhere and the response doesn’t get back. Now my server is working completely fine and hits are getting processed irrespective of the browsers.
Conclusion
If you are a developer and your projects are also deployed on AWS Machine then for making your server up-to-date for handling hits from multiple browsers either old or new then you can follow these steps for version controlling inside Nginx and SSL configuration files…
