GitHub Actions CI/CD Tutorial Series — Part 2
In Part 1 of this tutorial series, we covered the following steps:
*) Replaced RSA SSH key with ed25519
*) Changed port number and disabled password login
*) Installed UFW
If you missed Part 1, you can find it here: Part 1
More security improvements: Yalla (let's go)
Disable ping
Dropping ping replies (ICMP echo-request) on your server is a small hardening step. Be clear about what it does and does not buy you:
- Reduced visibility: casual sweeps that rely on ICMP echo skip the host. It does not hide the server: SSH on port 1022 and the web ports 80/443 still answer, the domain's DNS records point at the address, and port scanners fall back to TCP probes when ICMP is blocked (nmap's -Pn does exactly that).
- ICMP flood handling: the kernel still receives and processes every echo-request that arrives, so dropping them saves only the reply traffic. Against a real flood the bandwidth is consumed before the packet reaches your firewall; that needs upstream rate limiting, not a local rule.
- Less reconnaissance: with no echo reply, a ping sweep gives an attacker one fewer signal for mapping which hosts in a range are alive.
- Resource conservation: not answering pings frees a little CPU and bandwidth, noticeable only when the host is being hammered with echo requests.
The rule below touches only echo-request. Keep the other ICMP types (destination-unreachable, time-exceeded, parameter-problem) accepted so path MTU discovery and error reporting keep working.
SSH again to your Linode Ubuntu instance:
ssh {your-user}@{your-linode-ip} -p 1022
Edit UFW's before.rules file:
sudo vim /etc/ufw/before.rules
Find the line “# ok icmp codes for INPUT”. A few lines below it is the stock rule that accepts echo requests:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Change its target from ACCEPT to DROP, so the line reads:
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Appending a DROP line after the ACCEPT does nothing, because netfilter stops at the first matching rule; if you prefer to keep the original line, insert the DROP rule above it. IPv6 ping is a separate rule in /etc/ufw/before6.rules (-p icmpv6 --icmpv6-type echo-request in the ufw6-before-input chain) and needs the same change if your Linode has an IPv6 address.
Save and close the file. Running sudo ufw reload is enough to apply the change; rebooting the instance, as done here, also works but is not required:
sudo reboot
Wait four to five minutes for the reboot, then SSH in again from your terminal:
ssh {your-user}@{your-linode-ip} -p 1022
Open a new terminal and ping your IPv4 address. The requests are now dropped silently, so you should see no replies at all (100% packet loss), not an error message:
ping {your-linode-ip}
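The edit above as an added example, not from the original post: a script that flips the echo-request rule from ACCEPT to DROP and verifies the result. It runs on a constructed copy of the stock ICMP section of before.rules in a temp file; the sample contents, the file names and the reload command are the only assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: switch the IPv4 echo-request rule
# in a copy of UFW's before.rules from ACCEPT to DROP and verify the result.
# netfilter chains stop at the first matching rule, so a DROP line placed
# *after* the stock "echo-request -j ACCEPT" line would never be reached;
# the target of the existing line has to change (or the DROP must go above it).
set -eu

# Constructed copy of the ICMP section that ships in Ubuntu's /etc/ufw/before.rules.
SAMPLE_RULES='# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT'

# The INPUT echo-request rule up to its target.
ECHO_REQ='-A ufw-before-input -p icmp --icmp-type echo-request -j '

# drop_ping_in_rules <file>: rewrite only the INPUT echo-request rule. The
# FORWARD rule and the other ICMP types (needed for path MTU discovery and
# traceroute/error replies) are left alone.
drop_ping_in_rules() {
  sed -E "s/^(${ECHO_REQ})ACCEPT\$/\1DROP/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# ping_is_dropped <file>: 0 when INPUT echo-request is DROP and no ACCEPT for
# it remains (an ACCEPT earlier in the chain would win over a later DROP).
ping_is_dropped() {
  grep -qxF -- "${ECHO_REQ}DROP" "$1" && ! grep -qxF -- "${ECHO_REQ}ACCEPT" "$1"
}

# Demo on the constructed sample. On the server the file is /etc/ufw/before.rules
# (IPv6 ping is a separate rule in /etc/ufw/before6.rules) and the change is
# applied with "sudo ufw reload"; no reboot is needed.
tmp="$(mktemp)"
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
drop_ping_in_rules "$tmp"
if ping_is_dropped "$tmp"; then
  echo "INPUT echo-request is now DROP; FORWARD rule untouched:"
  grep -- '--icmp-type echo-request' "$tmp"
else
  echo "echo-request rule not found, edit the file by hand" >&2
fi
rm -f "$tmp"
```

After applying the real change you can confirm the live rule set with sudo iptables -S ufw-before-input, which must list the echo-request rule with -j DROP and no earlier ACCEPT for it.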
Use of CNAME
I want proper CNAMEs for our two subdomains: www for the Frontend and task-manager for the Backend.
Go to https://cloud.linode.com/linodes and navigate to Domains.
In the “A/AAAA Record” section remove the wildcard (*) entry. A wildcard makes every name under the domain resolve to the server, which is not what we want once the subdomains are explicit.
Then click “Add a CNAME Record” and add www and task-manager, each with {your-domain} as its target. A CNAME cannot sit on the apex itself, which is why the apex keeps its A record:
Here is an overview of both sections “A/AAAA Record” & “CNAME Record”:
Change those entries on your domain provider side
If the domain is not yet delegated to Linode's name servers (ns1.linode.com through ns5.linode.com), go to your domain provider's dashboard and make the Name Server change:
Wait five to ten minutes for the records to propagate, then check from the terminal that both names resolve to your Linode address:
dig task-manager.{your-domain}
dig www.{your-domain}
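A check for the record layout this section creates, added here as an example and not part of the original post. It follows each name's CNAME to the apex, confirms that all three names resolve to the Linode address, and confirms that a made-up label no longer resolves, which is what removing the wildcard should achieve. example.com, the address 203.0.113.10 and the embedded answers are constructed placeholders; with DNS_FIXTURE set to an empty string the same functions query real DNS through dig.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check the DNS layout this section
# sets up. Assumed layout: an A record on the apex pointing at the Linode, and
# www / task-manager as CNAMEs to the apex, with the wildcard A record removed.
# example.com and 203.0.113.10 are placeholders (203.0.113.0/24 is reserved for
# documentation).
set -eu

DOMAIN="${DOMAIN:-example.com}"
EXPECTED_IP="${EXPECTED_IP:-203.0.113.10}"

# Constructed answers so the checks run without network. Set DNS_FIXTURE to an
# empty string to query real DNS with dig instead, e.g.
#   DNS_FIXTURE= DOMAIN=yourdomain.tld EXPECTED_IP=1.2.3.4 bash dns-check.sh
FIXTURE_EXAMPLE='example.com. A 203.0.113.10
www.example.com. CNAME example.com.
task-manager.example.com. CNAME example.com.'
DNS_FIXTURE="${DNS_FIXTURE-$FIXTURE_EXAMPLE}"

# lookup <type> <name>: answer data only, one value per line (like dig +short).
lookup() {
  local type="$1" name="${2%.}."
  if [ -n "$DNS_FIXTURE" ]; then
    printf '%s\n' "$DNS_FIXTURE" | awk -v n="$name" -v t="$type" '$1 == n && $2 == t { print $3 }'
  else
    dig +short "$type" "$name"
  fi
}

# resolve_a <name>: follow one CNAME hop (this layout needs at most one) and
# print the A records of the final name.
resolve_a() {
  local target
  target="$(lookup CNAME "$1" | head -n 1)"
  if [ -n "$target" ]; then
    lookup A "$target"
  else
    lookup A "$1"
  fi
}

# check_layout: 0 when every record is as expected, 1 otherwise; problems go to stderr.
check_layout() {
  local ok=0 host
  for host in "$DOMAIN" "www.$DOMAIN" "task-manager.$DOMAIN"; do
    if ! resolve_a "$host" | grep -qxF "$EXPECTED_IP"; then
      echo "FAIL: $host does not resolve to $EXPECTED_IP" >&2; ok=1
    fi
  done
  for host in "www.$DOMAIN" "task-manager.$DOMAIN"; do
    if [ "$(lookup CNAME "$host")" != "$DOMAIN." ]; then
      echo "FAIL: $host is not a CNAME to $DOMAIN." >&2; ok=1
    fi
  done
  # A leftover wildcard would make any label resolve; a made-up one must not.
  if [ -n "$(resolve_a "no-such-host-$$.$DOMAIN")" ]; then
    echo "FAIL: a wildcard record is still answering" >&2; ok=1
  fi
  return "$ok"
}

if check_layout; then
  echo "DNS layout OK for $DOMAIN"
else
  echo "DNS layout has problems for $DOMAIN" >&2
fi
```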
Enable SSL certificates for subdomains
SSH again to your Ubuntu Linode instance:
ssh {your-user}@{your-linode-ip} -p 1022
Change to the sites-available directory of Nginx:
cd /etc/nginx/sites-available/
Open your domain file with an editor:
sudo nano {your-file}
On the server_name line (the second line of the HTTPS server block) list the domain together with both subdomains, www and task-manager:
server_name {your-domain} www.{your-domain} task-manager.{your-domain};
Then, between the comment # Frontend application and the first proxy_set_header Host $host; line, add this condition so requests for the task-manager host are sent to the API path. Note the trailing slash: /api/ matches the location /api/ block, whereas a redirect to /api would not match it, fall back into location /, and be redirected again in a loop:
if ($host = task-manager.{your-domain}) {
return 301 /api/;
}
Do the same in the Backend location, sending www and the bare {your-domain} back to the Frontend root:
if ($host = www.{your-domain}) {
return 301 /;
}
if ($host = {your-domain}) {
return 301 /;
}
Finally, in the HTTP server block (port 80): remove the per-host if conditions, replace them with a single redirect to HTTPS, and add task-manager plus the domain after server_name. Give return an explicit 301: without a status code nginx answers with a temporary 302, and the move to HTTPS is permanent:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name {your-domain} www.{your-domain} task-manager.{your-domain};
return 301 https://$host$request_uri;
}
Then check the configuration for errors:
sudo nginx -t
Here is an overview of the file:
server {
    server_name {your-domain} www.{your-domain} task-manager.{your-domain};

    location / {
        # Frontend application
        # task-manager host: hand off to the API (trailing slash so it lands in location /api/)
        if ($host = task-manager.{your-domain}) {
            return 301 /api/;
        }
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:9091;
    }

    location /api/ {
        # Backend application
        # www and the bare domain: back to the Frontend root
        if ($host = www.{your-domain}) {
            return 301 /;
        }
        if ($host = {your-domain}) {
            return 301 /;
        }
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:9090;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/{your-domain}/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/{your-domain}/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name {your-domain} www.{your-domain} task-manager.{your-domain};
    # permanent redirect of every plain-HTTP request to HTTPS
    return 301 https://$host$request_uri;
}
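The same routing written without if inside location blocks, as an added example rather than the post's own config. The nginx documentation discourages if in location context, and a catch-all server that redirects to $host will bounce whatever Host header it is given; one server block per hostname plus a separate default server that answers 444 (connection closed, no response) avoids both. example.com, the backend and frontend ports 9090/9091 and the Certbot certificate paths are assumed names; the HSTS header is added because all three names are now served over HTTPS only.

```nginx
# Added example, not the post's own config: one server block per hostname.
# Assumed names: example.com, backend on 127.0.0.1:9090, frontend on
# 127.0.0.1:9091, certificate paths as Certbot lays them out for example.com.

# Port 80: permanent redirect to HTTPS, only for the names we actually serve.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com task-manager.example.com;
    return 301 https://$host$request_uri;
}

# Catch-all for every other Host header (scans of the bare IP, stray vhosts):
# close the connection without a response instead of redirecting to $host.
# The certificate is needed only so the TLS handshake can complete before the
# 444; on nginx 1.19.4+ "ssl_reject_handshake on;" can replace the two ssl_* lines.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 444;
}

# Frontend: apex and www.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # Browsers that have seen this header stay on HTTPS for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:9091;
    }
}

# Backend: only task-manager, and only the API paths.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name task-manager.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Bare host name goes to the API root (trailing slash, so it lands in /api/).
    location = / {
        return 301 /api/;
    }

    location /api/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:9090;
    }

    # Anything else on this host is not served.
    location / {
        return 404;
    }
}
```

Run sudo nginx -t after adapting it; Certbot's --nginx installer recognises the per-host server blocks and will add its managed lines to each one the certificate covers.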
Install the certificates
Use Certbot to obtain a certificate that covers all three names and wire it into the Nginx config:
sudo certbot --nginx
At the prompt asking which names to activate HTTPS for, just press ENTER where it says “blank to select all options shown (Enter ‘c’ to cancel):”.
Because a certificate for {your-domain} already exists (the lines marked “managed by Certbot”), Certbot then asks whether to (E)xpand it to cover the new names. Type e and press ENTER:
You should see a success message.
Then open your domain file in sites-available again and make sure Certbot did not re-insert its per-host if conditions into the HTTP server block, the one listening on port 80:
sudo nano {your-file}
The server blocks should look like the ones shown above, with your own domain in place of the placeholder.
Test the Nginx configuration (nginx.conf and the included site files):
sudo nginx -t
Reload the Nginx configuration:
sudo nginx -s reload
The instance was rebooted a few steps back, so the Backend and Frontend applications are no longer running: nohup keeps a process alive when the terminal closes, not across a reboot. Until they are managed by a systemd unit, or by Docker Compose with a restart policy later in this series, start them by hand.
Start the Backend application again:
cd node_backend_app/ && nohup node app.js &
Start again the Frontend application:
cd node_frontend_app/ && nohup node app.js &
Check that both services are listening on their ports (on recent Ubuntu releases net-tools is not installed by default; ss -tunlp gives the same view):
sudo netstat -tunlp
Then check it on your web browser:
Install Docker
Time to install Docker on Ubuntu.
First refresh the package index:
sudo apt update -y
Install available upgrades:
sudo apt upgrade -y
Install Docker using the following command:
sudo apt install docker.io
Start Docker on the system:
sudo systemctl start docker
Enable Docker so it starts at boot:
sudo systemctl enable docker
Check Docker status:
sudo systemctl status docker
Check the Docker version:
docker --version
Install Docker Compose
We need Docker Compose because later our services will be started from a docker-compose.yml file:
sudo apt install docker-compose
Check the Docker Compose version:
docker-compose --version
Note that the docker-compose package is the older v1 tool. On recent Ubuntu releases the maintained v2 plugin is packaged as docker-compose-v2 and is invoked as docker compose (with a space); both read the same docker-compose.yml.
With that, we conclude the second part of this tutorial series. If you found it useful and informative, give it a clap. Here is Part 3.
Don’t forget to check out the video series on YouTube at https://www.youtube.com/@habibicoding.