ubuntu
4 Topics

AWS CloudFormation EC2 UserData example to install NGINX Plus on Ubuntu 20.04 LTS using AWS SecretsManager
Introduction

There are a number of ways to automate NGINX Plus instance creation on AWS - you can create a custom AMI, or build a container image. Tools like Ansible, Terraform, Pulumi etc. can also install and configure NGINX Plus. This example was tested in a CloudFormation template that creates an Ubuntu 20.04 LTS EC2 instance and then uses a UserData script to install NGINX Plus.

A critical part of an NGINX Plus install is to copy your NGINX Plus SSL certificate and key - required for access to the NGINX Plus private repository - into /etc/nginx/ssl/. There are a few different ways to achieve this, but the AWS SecretsManager service provides a lot of audit, access control, and security capabilities. You can use the snippets below in your AWS CloudFormation templates to retrieve the NGINX certificate and key from AWS, configure the NGINX repository on your EC2 instance, and then download and install the software.

Prerequisites

Store your NGINX Plus certificate and key in AWS Secrets Manager - in my example I'm storing the certificate and key in separate secret objects.

Create an IAM role and policy to allow your EC2 instance to access the secrets. My policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:*:<account ID>:secret:*"
    }
  ]
}

Obviously you may want to alter the scope of the resource access.
Attach this policy to a role and assign the role to your EC2 instance in the CFT.

Create a parameter (you could skip this and just add the name to the instance profile in the next step, but parameters can be useful if you want to change things at deploy time):

NginxInstanceRole:
  Description: Role for instance
  Type: String
  Default: EC2Secrets

Reference the parameter in the EC2 instance profile:

NGInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    InstanceProfileName: !Sub "nginx-instance-profile-${AWS::StackName}"
    Path: /
    Roles:
      - !Ref NginxInstanceRole

Reference the instance profile in the EC2 block:

# EC2 instance which will have access for http and ssh
EC2Instance:
  Type: 'AWS::EC2::Instance'
  Properties:
    InstanceType: !Ref InstanceType
    SubnetId: !Ref SubnetID
    SecurityGroupIds:
      - !Ref WebSecurityGroupID
      - !Ref AdminSecurityGroupID
    KeyName: !Ref KeyPairName
    ImageId: !Ref InstanceImageId
    # IamInstanceProfile takes the instance profile defined above, not the role name
    IamInstanceProfile: !Ref NGInstanceProfile

UserData Block

Now in the UserData section of your EC2 instance spec the following commands will:

- Install the jq package (to parse some output)
- Install the AWS CLI
- Pull the secrets using 'aws secretsmanager get-secret-value'
- Use the jq package and tr to get the files into the correct format (there may be a better way to manage this).
- Follow the standard NGINX Plus install (add NGINX repo etc)
- Start the NGINX Plus service

UserData:
  Fn::Base64: !Sub |
    #!/bin/bash -xe
    sudo apt-get update -y   # good practice to update existing packages
    sudo apt-get install -y awscli
    sudo apt install -y jq
    sudo mkdir /etc/ssl/nginx
    # install the key and secret; send tee's stdout to /dev/null so the
    # certificate and key are not echoed into the cloud-init output log
    aws secretsmanager get-secret-value --secret-id nginxcert --region ${AWS::Region} | jq --raw-output '.SecretString' | tr -d '"{}' | sudo tee /etc/ssl/nginx/nginx-repo.crt > /dev/null
    aws secretsmanager get-secret-value --secret-id nginxkey --region ${AWS::Region} | jq --raw-output '.SecretString' | tr -d '"{}' | sudo tee /etc/ssl/nginx/nginx-repo.key > /dev/null
    sudo chmod 600 /etc/ssl/nginx/nginx-repo.key   # only root (apt) needs to read the key
    # Add the repo
    sudo wget https://cs.nginx.com/static/keys/nginx_signing.key && sudo apt-key add nginx_signing.key
    sudo wget https://cs.nginx.com/static/keys/app-protect-security-updates.key && sudo apt-key add app-protect-security-updates.key
    sudo apt-get install -y apt-transport-https lsb-release ca-certificates
    printf "deb https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nginx-plus.list
    sudo wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx
    # Install and start
    sudo apt-get update -y   # good practice to update existing packages
    sudo apt-get install nginx-plus -y   # install web server
    sudo systemctl start nginx.service   # start webserver

This should produce a working NGINX Plus install. Comment below if you'd like a complete working CFT example linked to this article.

State lookup fails with "access denied" for firewall policy
I am in the process of setting up Ubuntu Linux (20.04) clients with VPN access using f5epi. Everything works, except for a firewall policy. The client side logs contain:

2021-09-29,12:50:17:954, 19837,19837,, 48, , 221, CreateInspector(), Created new OesisModule: SDK Version = '4.3.1161.0', V3V4 Adapter Version = '4.3.980.0'
2021-09-29,12:50:17:954, 19837,19837,, 48, , 224, CreateInspector(), Created new reference
2021-09-29,12:50:17:954, 19837,19837,, 48, , 74, OesisModule:Run(), policyData=type=fw&collect=2&count=1&check_list_type=required&vendor_id1=97&id1=0&version1=&platform1=2&state1=1
2021-09-29,12:50:17:954, 19837,19837,, 48, , 169, OesisLogInfoPolicy(), server configuration check list ===> Type: fw vendor_id: 97 id: 0 version: platform: 2 state: 1
2021-09-29,12:50:19:043, 19837,19837,, 48, , 86, OesisModule:Run(), testing product: id=97001
2021-09-29,12:50:19:043, 19837,19837,, 48, , 98, OesisModule:Run(), Product didn't match with any product from "server configuration check list"->
2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , id=97001
2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_id=97
2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , version=1.8.4
2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , name=IPTables
2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_name=IPTables
2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , errors=Failed to get 'state'. code: -32 (Access denied) mId: 1 iId: 11
2021-09-29,12:50:19:087, 19837,19837,, 48, , 155, OesisModule:Run(), leave (check failed)

I assume the issue is that the iptables state check is trying to do something it is not allowed to do locally. Does anyone recognize this problem or have any information on what OesisModule is trying to access in this case?

F5 VPN Broken on Ubuntu 18.04 LTS
Heads up, the Ubuntu package for the F5 VPN is broken under the upcoming Ubuntu 18.04 LTS. The dependencies are clearly wrong since there has been an ABI change between Qt5.5 (as advertised) and Qt5.9 (installed) - the UI doesn't even show up.

Listed dependencies:

libqt5core5a (>= 5.5), libqt5network5 (>= 5.5), libqt5widgets5 (>= 5.5), libqt5gui5 (>= 5.5), libqt5dbus5 (>= 5.5), libqt5sql5 (>= 5.5), libqt5webkit5 (>= 5.5), libqt5opengl5 (>= 5.5), libqt5printsupport5 (>= 5.5)

Since the package will likely be used on different Debian-compatible architectures, it would be advisable to statically compile the library and remove the dependency altogether instead of relying on people having an ABI-compatible version that you compiled with. A timely update is appreciated, thanks.

LAB problem: BIG-IP VE + VMware Workstation + Ubuntu
Hi! I am trying to set up a lab to prepare for my 201 exam. This is my setup:

OS: Ubuntu 14.10, 64 bit
Processor: Intel Core i5-4570 CPU @ 3.20GHz x4
Hypervisor: VMware Workstation 12.1.0
BIG-IP VE: 11.3.0.39.0-scsi

If I am trying to start BIG-IP VE in VMware Workstation with "guest operating system" set to "Other 64-bit" (default setting), VMware Workstation shows an error with the message:

"This virtual machine is configured for 64-bit guest operating systems. However, 64-bit operation is not possible. This host supports Intel VT-x, but Intel VT-x is disabled. Intel VT-x might be disabled if it has been disabled in the BIOS/firmware settings or the host has not been power-cycled since changing this setting. (1) Verify that the BIOS/firmware settings enable Intel VT-x and disable 'trusted execution.' (2) Power-cycle the host if either of these BIOS/firmware settings have been changed. (3) Power-cycle the host if you have not done so since installing VMware Workstation. (4) Update the host's BIOS/firmware to the latest version. For more detailed information, see http://vmware.com/info?id=152."

When I try with the "guest operating system" option set to "Other", VMware Workstation loads GRUB and shows the message:

"This kernel requires an x86-64 CPU, but only detected an i686 CPU. Unable to boot - please use a kernel appropriate for your CPU"

Please advise how to handle this problem.