Linode, Firewall, Cloudflare Full (Strict) with Terraform Cloud

You built your application and now looking for a way to deploy it with a managed security? You'd like to have a simple yet powerful enough solution that can extend later on? We have an example web server setup in this article that provides you that. At KelebekLabs, whenever we choose to go with a basic server setup, not PaaS or Kubernetes, we follow these principles.

Cloudflare Application Security gives us a lot of services for free, such as DDoS protection, managing bad bots, rate limiting, free SSL certificate and many others. What we need to do is to make sure all the connections to our servers are going through Cloudflare and only. We're going to configure a firewall at our server provider side to make sure we only allow connection from Cloudflare so that the people who knows our IP address won't be able to bypass our security. You can think this as almost hiding your servers from the internet as Cloudflare will be the only door to your servers. In our example, we use Linode, a developer friendly, low cost cloud provider.


Instead of setting up the things manually at Linode, we're using Terraform, and to manage that we're using Terraform Cloud. In this article, you'll learn to set it up easily.

Preparing for Infrastructure as Code

We need a place where we're going to define our infrastructure, how many servers we have, what are their sizes, their connections in between etc. You can just create a new private repository on Github, or you can create a folder in your existing project. I prefer the second option as I like the monorepo more, so just create a readme file under terraform directory in your codebase.

Terraform Cloud

Terraform Cloud is an amazing service by HashiCorp with a free pricing option that helps you to ease your Terraform journey. It automatically connects to your repository, keeps the terraform state(the last state of your infrastructure, how many serves were created etc) for you, helps you to have your environment variables for you in their UI. Just create an account (you can use login via GitHub if you click on Continue via HCP) and then create a workspace, which is basically your system.








Remember the option we talked about earlier, creating a folder in a repo, you can specify it while you're creating a workspace. Congratulations, you now have an automation, doing any changes under terraform directory will generate a new terraform plan.

Generating a Linode Token for Terraform Cloud

We need to give permission to Terraform Cloud to create servers for us on Linode. We're going to do that via personal API tokens.
WARNING: Terraform will create servers, make sure that you're aware of what's created and how much does it cost for you.

You can create an API token by going to API tokens page under My Profile.


Once you get the token, add this as an environment variable in our Workspace at Terraform Cloud. Great, now Terraform Cloud can do operations on Linode.

Cloudflare SSL

As mentioned at the beginning, Cloudflare protects our system from various problems. We're now going to focus on the connection between Cloudflare -- Linode. Cloudflare generates an SSL certificate that is called Origin Server (Linode is our Origin Server in this case) certificates that ensures the connection between Cloudflare and Linode is fully secure.



Assuming that your DNS is already managed by Cloudflare, we can begin to make our configuration there. Create an Origin Server certificates by providing your domain name. The generated certificate will only be used between Cloudflare to Linode, real users won't be aware of it at all.


After creating the certificates, copy them as terraform variables in your Workspace variables pages at Terraform Cloud. Copy Private Key as SSL_CERTIFICATE_KEY and the other as SSL_CERTIFICATE.


Now you have all the necessary configuration ready, you'll be able to access these keys in your server and use them in your web server configuration.

Provision with Terraform

It's time for coding our infrastructure, you should put these IaC (Infrastruce as Code) files in your terraform folder. Once you commit them to your repository, you'll see a plan in your Terraform Cloud waiting for your approval. Once you approve your plan, Terraform is going to create an Ubuntu server for you with a simple init script, configure the firewall to only allow connections through Cloudflare and injects the SSL certificate keys as files.

#!/bin/bash
# <UDF name="SSL_CERTIFICATE" label="CLOUDFLARE_SSL_CERTIFICATE" example="public key" default="">
# <UDF name="SSL_CERTIFICATE_KEY" label="CLOUDFLARE_SSL_CERTIFICATE_KEY" example="private key" default="">
# stop the script if any error occurs
set -o errexit
set -o nounset
# don't ask yes/no questions, just continue
export DEBIAN_FRONTEND=noninteractive
# get the latest updates, install some fundamentals and enable automated security updates
apt-get update && apt-get upgrade -y
apt-get install -y ntp fail2ban unattended-upgrades
ln -fs /usr/share/zoneinfo/UTC /etc/localtime
dpkg-reconfigure -f noninteractive tzdata
echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades
# add a default non-root user: ubuntu
adduser --disabled-password --gecos "" --shell /bin/bash ubuntu
chpasswd <<<"ubuntu:ubuntu"
usermod -aG sudo ubuntu
# install docker and docker compose
apt-get install -y docker.io docker-compose
systemctl enable --now docker
usermod -aG docker ubuntu
# enable linux level firewall
ufw allow in https
ufw default deny incoming
ufw enable
# disable ssh, we're going to access via LiSH console
systemctl disable ssh
systemctl stop ssh
# save the certificates as files
echo "$SSL_CERTIFICATE" > ssl_certificate.pem
echo "$SSL_CERTIFICATE_KEY" > ssl_certificate.key
view raw backend_stackscript.sh hosted with ❤ by GitHub
# LINODE_TOKEN is set as a workspace variable in Terraform Cloud
provider "linode" {
}
resource "linode_firewall" "backend_firewall" {
label = "backend_firewall"
# cloudflare ip addresses, only allow traffic coming through cloudflare and over https
inbound {
label = "allow-https"
action = "ACCEPT"
protocol = "TCP"
ports = "443"
ipv4 = ["173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22"]
}
inbound_policy = "DROP"
outbound_policy = "ACCEPT"
linodes = [linode_instance.backend_prod.id]
}
resource "linode_stackscript" "backend" {
label = "backend"
description = "Backend init script"
script = file("${path.module}/backend_stackscript.sh")
images = ["linode/ubuntu22.04"]
rev_note = "initial version"
}
resource "random_password" "password" {
length = 16
special = true
override_special = "!#$%&*()-_=+[]{}<>:?"
}
# authorized_keys is not important actually it's needed by linode. just generate anything and put the public one here (https://8gwifi.org/sshfunctions.jsp)
resource "linode_instance" "backend_prod" {
image = "linode/ubuntu22.04"
label = "backend-prod"
group = "Terraform"
region = "us-west"
type = "g6-standard-1"
authorized_keys = [ "YOUR_LOCAL_PUBLIC_SSH_KEY" ]
root_pass = random_password.password.result
stackscript_id = linode_stackscript.backend.id
stackscript_data = {
"SSL_CERTIFICATE" = var.SSL_CERTIFICATE
"SSL_CERTIFICATE_KEY" = var.SSL_CERTIFICATE_KEY
}
}
view raw main.tf hosted with ❤ by GitHub
worker_processes 1;
events { worker_connections 1024; }
http {
sendfile on;
upstream backend {
server 127.0.0.1:3000 fail_timeout=0;
}
server {
listen 443;
ssl on;
ssl_certificate /root/ssl_certificate.pem;
ssl_certificate_key /root/ssl_certificate.key;
location / {
proxy_pass http://backend;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
client_max_body_size 100m;
client_body_buffer_size 128k;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
}
view raw nginx.conf hosted with ❤ by GitHub
variable "SSL_CERTIFICATE" {
type = string
}
variable "SSL_CERTIFICATE_KEY" {
type = string
}
view raw variables.tf hosted with ❤ by GitHub
terraform {
cloud {
organization = "YOUR_TERRAFORM_CLOUD_ORGANIZATION_NAME"
workspaces {
name = "YOUR_TERRAFORM_CLOUD_WORKSPACE"
}
}
required_providers {
linode = {
source = "linode/linode"
version = ">= 1.29.2"
}
}
}
view raw versions.tf hosted with ❤ by GitHub

Deploy your application

Now you have your server up and running, go to Linode console to access to your server via Lish Console, it's a secure way to access to your server. Clone your application server and configure your nginx. There's an example nginx configuration attached as nginx.conf. This part is left out on purpose as the deployment can be different for everyone.

Configure your DNS with your server's IP address

This part is a bit hacky for my case, if I find a better option, I'll update the article.

So, since we have our Linode server up and running, get its IP Address and add this as an A record with Proxy on option on Cloudflare. Now you should be able to send a request to your server in a secure way.

Conclusion

We learnt how to programmatically provision our infrastructure with a basis of production grade security in a high level perspective. This gives us a peace of mind as we know we're protected from most of the basic attacks. Now we can learn more how to configure our Cloudflare better, how to improve our Application level security, go through OWASP Top 10,  organizational security principles etc. Building Secure applications is key for Reliability, Reliable applications boosts customers' and the developers' happiness. We'd like to be a part of this message by sharing our knowledge, so please reach out to us if you find any difficultly or anything wrong in this article.

Popular posts from this blog

Load Testing with Ruby-JMeter

You're ready for your product's launch, you'd like to show your customers finally there's a solution for their pain. You expect 1000 people using your service per hour, you made all the calculations and somehow you're confident. But, are you? Load Testing is here to simulate the traffic, 1000 people using your service per hour, and increase your confidence on launch day(and after). The story for FolderCode, a temporary file uploading service, was exactly like above, and just to show how it was addressed in its backlog, see the picture below. Designing your JMeter Test Plan JMeter is a well-known tool for load or stress testing, it basically sends requests to your application within the given time, according to the behaviour plan you provided. The plans are designed to be detailedly configurable and focused on load-testing jargon. That makes the JMeter a comprehensive solution, however makes it a bit hard to understand & focus on the well written tests. Here com...
Read more

How to Communicate Your Process Visually using BPMN as Code

When you have multiple participants in a process, and we often do, you realize that you're dealing with a lot of miscommunication / misalignment issues. It's so hard to remember who was doing what and when, furthermore it's even harder to make some optimization in the process itself as you lose the control over it.  Besides you'll need to group all the participants together for them tell their opinions. Processes are long and complex, but they're there even if you don't formalize them. So, why don't we find a way to approach it in an easy way? First thing each of us would do in such a situation is drawing some boxes and lines, a.k.a. diagrams. Today, we're going to talk about ways of drawing some diagrams, in a comprehensive yet simple way. Business Process Model and Notation (BPMN) BPMN diagram is like Flowchart , but the tasks (activities) are grouped by the participants. It can be drawn / read by both business or technical people as the main purpose i...
Read more