Introduction
Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. Firewalls can be host-based, which are configured on a per-server basis using services like IPTables or UFW. Others are network-based, designed to stop traffic before it ever reaches the individual machine. DigitalOcean Cloud Firewalls, available in all regions at no charge, provide a network-based, stateful firewall service for your DigitalOcean Droplets. They block all traffic that isn’t expressly permitted by a rule. They’re designed to be easy to configure, quick to apply, and automation-friendly.
In this tutorial, we will use the DigitalOcean Control Panel to create a basic Cloud Firewall that blocks all incoming connections except TCP port 22 for SSH and TCP port 80 for HTTP. Then we'll expand the example infrastructure to include a Load Balancer and demonstrate how to limit incoming traffic by its originating source. For a complete overview of Cloud Firewall features, see the Introduction to DigitalOcean Cloud Firewall guide.
Step 1 — Creating Droplets
To begin, we’ll create two Droplets and use a cloud-config script in the “User data” field to install Nginx and give each one a unique home page.
In the DigitalOcean console, click “Create Droplet.” We’re creating ours with the following attributes:
Image: Ubuntu 16.04 (Default)
Size: 512 MB
Region: San Francisco 1
Additional options: [x] User data.
User data:
#cloud-config
packages:
  - nginx
runcmd:
  - export HOSTNAME=$(cat /etc/hostname)
  - echo "<h1>$HOSTNAME</h1>" > /var/www/html/index.html
Droplets: 2
Hostname: web-01 and web-02
Note: You can see an image of the creation form with all the recommended settings selected here. Your Create Droplet screen will look different in the SSH keys area, especially if you’ve never uploaded keys before. You can learn more about using SSH keys to avoid mailing passwords when you create Droplets in the How To Use SSH Keys with DigitalOcean Droplets guide, and it won’t affect the outcome of this tutorial.
Once we complete the form, we’ll click “Create.” Then, when the Droplets are ready, we’ll visit each one in a web browser to verify that Nginx is running. Note that there is a slight delay between the Droplet IP address being listed in the Control Panel and Nginx getting installed and configured.
Each server should display its hostname:
Now that we’re serving web pages on each of our Droplets, we’ll turn our attention to the Firewall.
Step 2 — Creating a Firewall
The Droplets are completely open when they're created, allowing all inbound and outbound connections. Applying a Cloud Firewall reverses this: every inbound and outbound connection that is not explicitly permitted by a rule is denied.
Note: To create a Cloud Firewall, at least one rule must be defined.
In order for the server to remain reachable and work as expected, when you create a Cloud Firewall using the Control Panel it pre-fills four default rules. Together they:
Allow inbound SSH connections on TCP port 22 from any IPv4 or IPv6 address
Allow all outbound connections (one rule each for ICMP, TCP and UDP, on all ports, to any destination)
We’ll take a moment to explore these defaults and verify they block Nginx as expected. Then we’ll add a rule to allow users to access the servers with a web browser.
Using the Default Rules
From the DigitalOcean control panel, we’ll navigate to Networking > Firewalls and click “Create Firewall”:
We’ll enter “First-Firewall” in the “Name” field, add web-01 and web-02 in “Apply to Droplets”, and then click “Create Firewall:”
This will take us back to the Firewalls overview page, which provides summary information, including how many Droplets are associated with the firewall, how many rules it has, and when it was created.
If we click its name, First-Firewall, and then click “Droplets” we can see which specific Droplets are affected by the Firewall. From here, we can also add and remove them:
Now that we've configured the Firewall and applied its rules, we'll visit the servers in another browser window. The browser will try to load the page, but this time our Firewall silently drops the connection attempt; instead of a web page displaying the hostname, the request will eventually time out with a message like the one below. Note that the actual content of the message will vary depending on the browser and operating system:
This verifies the Firewall blocked incoming HTTP connections.
We’ll also verify that we can connect to the server by opening a terminal and connecting with SSH. Be sure to substitute the username and IP address for your servers.
ssh your_username@your_server_ip
We should connect without a problem because it is explicitly allowed by the default inbound rule.
Allowing Incoming HTTP Connections
To allow incoming HTTP connections, we'll return to the control panel and navigate to First-Firewall's Rules page (Networking > Firewalls > First-Firewall). In the Inbound Rules section, we'll open the "New rule" dropdown, select "HTTP", and click "Save".
This automatically configures an HTTP rule that allows incoming TCP connections on port 80, the default HTTP port.
When we visit our servers in a web browser, we'll see each one's hostname page again:
In this section we’ve created and applied a Cloud Firewall that allows incoming TCP connections from anywhere to port 22 for SSH and on port 80 for HTTP. We’ve made no changes to the Outbound Rules which permit all connections initiated from the Droplet on all ports to all destinations.
In the next section, we’ll add a DigitalOcean Load Balancer to our two Droplets to illustrate how we can further protect our infrastructure by limiting incoming traffic to a specific source.
Step 3 — Adding a DigitalOcean Load Balancer
Load Balancers help spread traffic across multiple servers, making sure that if one server goes down, others are still available. We’re going to create a DigitalOcean Load Balancer and put it in front of our two web servers. Then, we’ll lock down access to the web servers by editing our Firewall’s HTTP rule so that it will only allow incoming connections from the Load Balancer.
Note: Load Balancers require all Droplets to be located in a single data center, and Droplets are either added individually by name or by the addition of a single tag. Droplets with that tag in other data centers will be ignored by the Load Balancer.
Creating the Load Balancer
To create the Load Balancer, we’ll navigate to Networking, then Load Balancers, where we’ll click “Create Load Balancer”. On that screen, we’ll name it “First-Firewall-LB” and add our two Droplets. This will auto-select the data center where the Droplets are located. We’ll accept the default Forwarding rule that directs incoming HTTP connections on port 80 to the backend Droplets over port 80 and leave the Advanced settings as-is, then click the button to create it.
Once the Load Balancer has been created, we can visit its IP address in a web browser and see the first server’s content.
When we reload the page, we’ll see the second server’s content:
However, visitors could circumvent the load balancing by visiting the servers directly at their address. Not only does that mean that we could lose the advantage of distributing traffic, it also means that port 80 is open to any TCP connections, providing a possible entry point for intruders.
To prevent this, we’ll edit our Firewall rule so that only connections from the Load Balancer are permitted, ensuring the Load Balancer is between our servers and the Internet in general.
Note: DigitalOcean Load Balancers are automatically firewalled. Incoming connections are only allowed for the protocols and ports we configure, and outbound connections are only permitted to Droplets we’ve added on the ports we configure.
Restrict Incoming Connections to the Load Balancer
We’ll navigate back to our First-Firewall (Networking > Firewalls > First-Firewall) to restrict the incoming connections to our web servers to the Load Balancer. Under the port 80 rule’s “More” link, we’ll select “Edit Rule.”
In the "Sources" field, we'll delete the existing values (the 0.0.0.0/0 and ::/0 entries that allow any address) and add First-Firewall-LB, so that the Load Balancer is the only source listed:
Then, we’ll click Save and test our work. We should still be able to reach both servers by visiting the Load Balancer IP address, then reloading the page:
However, now when we visit each web server by its address, the connection should time out:
The Load Balancer makes our infrastructure more highly available by distributing the load. It also lets us scale up or scale down resources. In our next and final step, we’ll demonstrate how to use a tag to make scaling easier.
Step 4 — Using Tags
So far, we’ve added individual Droplets to the Firewall and the Load Balancer. In this section, we’ll explore how to use a tag to manage the relationships between Droplets, the Load Balancer, and the Firewall. Because we can tag Droplets when they’re created, we’ll be able to use our Firewall and Load Balancer at the beginning of a Droplet’s existence.
Tagging the Droplets
First, we’ll add tags to our two web servers. To do so, we’ll navigate to the main Droplets page. For web-01 we’ll open the “More” menu and select “Add tags.”
Then, we’ll type First-Firewall in the “Edit Tags” field that opens. Since it’s a new tag, we’ll need to type the whole thing and won’t receive any suggestions:
When we click “Save Tags”, the tag will be created and applied. We’ll repeat this step for web-02. Now that the tag exists, when we type the part of its name, it will appear on a menu which also displays the number of Droplets currently tagged:
We’ll select “First-Firewall” from the list, then click “Save Tags”.
Now that both of our Droplets are tagged, we’ll adjust the Load Balancer and Firewall to use the new tag instead of the individual Droplet names.
Editing the Load Balancer
We'll return to Networking > Load Balancers and click "First-Firewall-LB." Load Balancers require that any individually added Droplets are removed before switching to tags, so we're going to remove the Droplets now. This will cause a brief interruption of service between the removal of the Droplets and the addition of the tag, so in practice we'd create the tag first, assign it to the Load Balancer when we create it, and only then add Droplets.
When both of the Droplets have been removed, we’ll click “Add Droplets” and add the First-Firewall tag for Droplet selection:
Now, any Droplet tagged with “First-Firewall” will automatically be behind the Load Balancer.
Adding a Tag to the Firewall
While Load Balancers require all Droplets to be located in a single data center and added with a single tag, Firewall rules can apply to Droplets across data centers and regions, and a Firewall can list Droplets both by name and by tag at the same time. This allows us to add the tag first, then remove the individual Droplets, avoiding any interruption in the Firewall rules.
Note: When you've completed this tutorial, you can learn more about strategically using tags in the guide, How to Organize DigitalOcean Cloud Firewalls.
We’ll return to our First-Firewall (Networking > Firewalls > First-Firewall), then select the “Droplets” tab and click “Add Droplets.”
We’ll start typing the tag name, then select it from the list:
When we click “Add Droplet,” we’ll be returned to the overview screen and can see the Droplets are present twice, once because we added them by name, and then again because they are members of the First-Firewall tag.
Now that we’ve added the tag, we’ll remove the name-based Droplet entries by clicking each one’s “More” link, then “Remove.” The final screen should show the Tag we added and the Droplets with that tag:
Now, any Droplet tagged with “First-Firewall” will automatically be inaccessible except for:
HTTP requests from the Load Balancer.
SSH connections from anywhere.
We’ll confirm this in our final step when we tag a Droplet at creation.
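The firewall states this page walks through (the default rules in Step 2, the HTTP rule restricted to the Load Balancer in Step 3, and tag-based membership in Step 4) can also be expressed as the API request the Control Panel sends on your behalf. The Python below is an added example, not code from the original tutorial or from DigitalOcean's own tooling. It builds the POST /v2/firewalls body for the final state, simulates the firewall's default-deny policy offline so you can check that a direct connection to port 80 is dropped while the Load Balancer still gets through, and audits the rule set for any port left open to the whole Internet. The function names (`build_firewall`, `inbound_allowed`, `audit_inbound`, `create_firewall`), the sample addresses and the placeholder Load Balancer ID are this example's own; the rule shape (`protocol`, `ports`, `sources.addresses`, `sources.load_balancer_uids`, `tags`) follows the DigitalOcean API v2 firewall documentation, where `"ports": "0"` means all ports.

```python
"""DigitalOcean Cloud Firewall as code: the API v2 request body for the
firewall built in Steps 2-4, plus an offline policy simulator and audit.
Added example; not part of the original tutorial."""
import ipaddress
import json
import urllib.request

# Sources/destinations meaning "anywhere": the IPv4 and IPv6 default routes,
# which is what the Control Panel's "All IPv4 / All IPv6" entries expand to.
ANYWHERE = ["0.0.0.0/0", "::/0"]


def build_firewall(name, tag, lb_uid):
    """Return the JSON body for POST /v2/firewalls describing the tutorial's
    final state: SSH from anywhere, HTTP only from the Load Balancer, all
    outbound traffic allowed, applied to every Droplet carrying `tag`.
    `lb_uid` is the Load Balancer's ID (the UUID in its Control Panel URL)."""
    return {
        "name": name,
        "inbound_rules": [
            {"protocol": "tcp", "ports": "22",
             "sources": {"addresses": ANYWHERE}},
            {"protocol": "tcp", "ports": "80",
             "sources": {"load_balancer_uids": [lb_uid]}},
        ],
        # The three outbound rules the Control Panel pre-fills.
        # "0" is the API's spelling for "all ports".
        "outbound_rules": [
            {"protocol": proto, "ports": "0",
             "destinations": {"addresses": ANYWHERE}}
            for proto in ("icmp", "tcp", "udp")
        ],
        "tags": [tag],
    }


def port_matches(rule_ports, port):
    """True if `port` falls within a rule's ports string: "0" (all), "80", "8000-9000"."""
    if rule_ports == "0":
        return True
    lo, _, hi = rule_ports.partition("-")
    return int(lo) <= port <= int(hi or lo)


def inbound_allowed(spec, protocol, port, src_addr=None, src_lb=None):
    """Model the firewall's default-deny semantics: an inbound connection is
    allowed only if some rule matches its protocol, port and source, where the
    source is an IP address (matched against the rule's CIDRs) or a Load
    Balancer ID (matched against load_balancer_uids)."""
    for rule in spec["inbound_rules"]:
        if rule["protocol"] != protocol or not port_matches(rule["ports"], port):
            continue
        sources = rule.get("sources", {})
        if src_lb is not None and src_lb in sources.get("load_balancer_uids", []):
            return True
        if src_addr is not None:
            ip = ipaddress.ip_address(src_addr)
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            if any(ip in ipaddress.ip_network(cidr) for cidr in sources.get("addresses", [])):
                return True
    return False  # no rule matched: the packet is dropped


def audit_inbound(spec, public_ports=("22",)):
    """Flag inbound rules that expose a port to the whole Internet unless that
    port is on the explicit allow-list. Returns findings; an empty list is clean."""
    findings = []
    for rule in spec["inbound_rules"]:
        addrs = set(rule.get("sources", {}).get("addresses", []))
        if addrs & set(ANYWHERE) and rule["ports"] not in public_ports:
            findings.append(f"{rule['protocol']}/{rule['ports']} open to the Internet")
    return findings


def create_firewall(token, spec):
    """Apply `spec` through the public API (needs a personal access token with
    write scope). Not exercised offline; included so the body above can be
    used as-is from automation."""
    req = urllib.request.Request(
        "https://api.digitalocean.com/v2/firewalls",
        data=json.dumps(spec).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    LB_UID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real ID
    fw = build_firewall("First-Firewall", "First-Firewall", LB_UID)
    print(json.dumps(fw, indent=2))
    print("direct HTTP from the Internet:", inbound_allowed(fw, "tcp", 80, src_addr="203.0.113.10"))
    print("HTTP from the Load Balancer:", inbound_allowed(fw, "tcp", 80, src_lb=LB_UID))
    print("audit findings:", audit_inbound(fw))
```

The same rule set can be applied from the command line with `doctl compute firewall create` and its `--inbound-rules`, `--outbound-rules` and `--tag-names` flags; running `audit_inbound` against the body before applying it is the check that would have caught the open port-80 rule from Step 2 once a Load Balancer was in front of the servers.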
Step 5 — Adding a New Droplet
Using tags allows us to automatically add new Droplets to the Load Balancer and Firewall when we first create them. We’ll demonstrate this by creating a new Droplet in the same data center as the Load Balancer, including the “User data” to install the web server, and adding a tag:
Image: Ubuntu 16.04 (Default)
Region: San Francisco 1
Additional options: [x] User data.
User data:
#cloud-config
packages:
  - nginx
runcmd:
  - export HOSTNAME=$(cat /etc/hostname)
  - echo "<h1>$HOSTNAME</h1>" > /var/www/html/index.html
Hostname: web-03
Tag: First-Firewall
To add the tag, click the link below the hostname:
This will open a text field where we can select our existing tag and apply it:
Finally, we’ll click “Create.”
Once the Droplet is created, we'll verify that direct TCP connections on port 80 are already blocked by visiting the server at its IP address.
Note: When the Droplet creation is complete, if the tag doesn't appear in the "Tags" column, reload the page in your browser.
After a while, the page should time out:
After a couple of minutes, the new Droplet should be available as part of the load-balanced pool. To verify this, we'll visit the Load Balancer IP address and reload the page. Within a few reloads, we should see web-03's unique content alongside the other two:
To remove a resource from the Load Balancer and Firewall, we would untag the Droplet itself, rather than going to the Load Balancer and then the Firewall.
Conclusion
In this tutorial, we demonstrated how to use the DigitalOcean Control Panel to add individual Droplets to Firewalls, how to restrict a firewall rule to a Load Balancer, and how to use Tags in order to add Droplets to both the Firewall and the Load Balancer at creation.
To learn more about organizing and managing your infrastructure with Cloud Firewalls, see these additional resources:
An Introduction to DigitalOcean Cloud Firewalls
How To Organize DigitalOcean Cloud Firewalls. For demonstration purposes, we used one tag for both the Load Balancer and the Firewall. Using a single tag for both services may be appropriate for some use cases but not for others. Learn how to strategically organize your Cloud Firewalls.
How To Troubleshoot DigitalOcean Firewalls
How To Manage Cloud Firewalls Programmatically
For alternatives to managing your Firewalls with the Control Panel, see:
The DigitalOcean V2 API Documentation.
How To Use Doctl, the Official DigitalOcean Command-Line Client