In our last article, we covered installation of Semaphore Ansible Web UI on Debian/Ubuntu and CentOS Linux distributions. This guide will focus on installing and configuring Nginx as a reverse proxy for Semaphore Ansible Web UI.
The only prerequisites for this setup are:
- CentOS / RHEL / Ubuntu or Debian Linux distribution.
- Installed and working Semaphore
- User account with sudo privileges
Step 1: Install Semaphore Ansible Web UI
You should have Semaphore installed before proceeding with this setup. Use the guides below for reference.
Step 2: Install Nginx Web Server
Install the Nginx web server on your Semaphore server, or on a different instance that will act as the proxy server for Semaphore.
# Install Nginx on Ubuntu / Debian
sudo apt update
sudo apt install vim nginx
# Install Nginx on CentOS
sudo yum -y install epel-release
sudo yum -y install vim nginx
Once the service is installed, start it and enable it to start at system boot.
sudo systemctl start nginx
sudo systemctl enable nginx
Verify that the status of the nginx service is "running".
$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-04-19 13:34:37 UTC; 6s ago
Docs: man:nginx(8)
Process: 12190 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 12189 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 12193 (nginx)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/nginx.service
├─12193 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─12194 nginx: worker process
Apr 19 09:39:45 mydebian systemd[1]: Starting A high performance web server and a reverse proxy server…
Apr 19 09:39:45 mydebian systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument
Apr 19 09:39:45 mydebian systemd[1]: Started A high performance web server and a reverse proxy server.
Step 3: Configure Nginx proxy for Semaphore
Create the Semaphore Nginx configuration file.
sudo vim /etc/nginx/conf.d/semaphore.conf
Paste the following contents into the file.
upstream semaphore {
server 127.0.0.1:3000;
}
server {
listen 80;
server_name ansible.example.com;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_pass http://semaphore/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ws {
proxy_pass http://semaphore/api/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
}
ansible.example.com should be changed to match the domain you want to use. Validate the file syntax after the change:
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart nginx:
sudo systemctl restart nginx
If you don't have DNS, add a line to your /etc/hosts file with the Nginx server IP address and host name.
$ sudo vim /etc/hosts
192.168.10.15 ansible.example.com
Also, modify your Semaphore config to accommodate the new URL:
$ sudo vim /etc/semaphore/config.json
....
"web_host": "http://ansible.example.com",
....
Restart the Semaphore service:
sudo systemctl restart semaphore
You should be able to access the Semaphore web interface using the domain name configured in Nginx: http://ansible.example.com.
Step 4: Configure https for Nginx Proxy
It is recommended to use an SSL certificate in your Nginx configuration to secure access to Semaphore. Let's obtain a Let's Encrypt certificate for this purpose.
Install the certbot tool.
# Ubuntu / Debian
sudo apt update
sudo apt install certbot python-certbot-nginx
# Fedora
sudo dnf install certbot python2-certbot-nginx
# RHEL 8 based systems
sudo yum -y install epel-release
sudo yum -y install certbot python3-certbot-nginx
# CentOS 7
sudo yum -y install epel-release
sudo yum -y install certbot python2-certbot-nginx
Stop the nginx service.
sudo systemctl stop nginx
Then request the Let's Encrypt SSL certificate.
sudo certbot --nginx -d ansible.example.com
You should get output similar to this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for ansible.example.com
Performing the following challenges:
http-01 challenge for ansible.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/semaphore.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/semaphore.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ansible.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: [email protected]).
Starting new HTTPS connection (1): supporters.eff.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ansible.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ansible.example.com/privkey.pem
Your certificate will expire on 2022-07-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The SSL configuration generated after the command has run:
upstream semaphore {
server 127.0.0.1:3000;
}
server {
server_name ansible.example.com;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_pass http://semaphore/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
location /api/ws {
proxy_pass http://semaphore/api/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ansible.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ansible.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = ansible.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ansible.example.com;
return 404; # managed by Certbot
}
Replace example.com with your domain name.
Validate the Nginx configuration.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart the nginx service if the configuration is okay.
sudo systemctl restart nginx
Modify the Semaphore config to allow HTTPS access using your domain name:
$ sudo vim /etc/semaphore/config.json
....
"web_host": "https://ansible.example.com",
....
Restart the service:
sudo systemctl restart semaphore
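As an added consistency check that is not part of this guide or of the Nginx or Semaphore projects, the Python script below parses a copy of the proxy configuration from Steps 3 and 4 together with the web_host value from /etc/semaphore/config.json and reports the mismatches that most often break this setup: the /api/ws location missing its HTTP/1.1 Upgrade and Connection headers, location / not forwarding X-Forwarded-Proto, a port-80 server that still proxies to Semaphore after HTTPS is enabled, a web_host scheme that disagrees with the listener, and an upstream that is not on loopback (that hop from the proxy is plain HTTP). The embedded config text and config.json are constructed samples; the parser, finding codes and function names are this example's own.

```python
"""Consistency lint for the Semaphore reverse proxy in this guide (added example, not Nginx's
or Semaphore's own tooling): parses the nginx config and semaphore's config.json together."""
import json
import re

# Constructed sample: the certbot-edited config from Step 4, trimmed to the lines checked here.
SAMPLE_CONF = """
upstream semaphore { server 127.0.0.1:3000; }
server {
    server_name ansible.example.com;
    location / {
        proxy_pass http://semaphore/;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /api/ws {
        proxy_pass http://semaphore/api/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ansible.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ansible.example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = ansible.example.com) { return 301 https://$host$request_uri; } # managed by Certbot
    listen 80;
    server_name ansible.example.com;
    return 404; # managed by Certbot
}
"""
# Constructed Step 3 variant: the same proxy on plain port 80, as it looks before certbot runs.
STEP3_CONF = re.sub(r"\n\s*ssl_\S+ [^\n]*", "", SAMPLE_CONF.split("\nserver {\n    if")[0]
                    ).replace("listen 443 ssl;", "listen 80;")
SAMPLE_SEMAPHORE_JSON = '{"web_host": "https://ansible.example.com"}'  # constructed config.json


def parse_nginx(text):
    # Minimal nginx config parser: nested blocks holding (name, args) directives.
    text = re.sub(r"#[^\n]*", "", text)  # drop comments such as '# managed by Certbot'
    root = {"header": "", "directives": [], "children": []}
    stack, buf = [root], ""
    for ch in text:
        if ch == "{":  # open a nested block named by the text before the brace
            block = {"header": " ".join(buf.split()), "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif ch == "}":
            stack.pop()
        elif ch == ";":  # end of a simple directive
            parts = buf.split()
            if parts:
                stack[-1]["directives"].append((parts[0], parts[1:]))
        else:
            buf += ch
            continue
        buf = ""
    return root


def directive(block, name):
    return [args for n, args in block["directives"] if n == name]


def has_header(block, name, value):
    return any(a[:2] == [name, value] for a in directive(block, "proxy_set_header"))


def audit(nginx_conf, semaphore_json):
    """Return (code, message) findings; an empty list means the proxy and Semaphore agree."""
    findings, root = [], parse_nginx(nginx_conf)
    servers = [b for b in root["children"] if b["header"] == "server"]
    tls = [s for s in servers if any("ssl" in a for a in directive(s, "listen"))]
    names = {n for s in servers for args in directive(s, "server_name") for n in args}
    if not tls:
        findings.append(("NO_TLS", "no server listens with ssl; Semaphore is served in cleartext"))
    for s in tls:
        locs = {c["header"]: c for c in s["children"] if c["header"].startswith("location ")}
        top, ws = locs.get("location /"), locs.get("location /api/ws")
        if top is None or not has_header(top, "X-Forwarded-Proto", "$scheme"):
            findings.append(("FWD_PROTO", "location / does not forward X-Forwarded-Proto $scheme"))
        if (ws is None or ["1.1"] not in directive(ws, "proxy_http_version")
                or not has_header(ws, "Upgrade", "$http_upgrade")
                or not has_header(ws, "Connection", '"upgrade"')):
            findings.append(("WS_UPGRADE", "location /api/ws lacks HTTP/1.1 Upgrade/Connection headers"))
    for s in servers:  # once HTTPS exists, a plain-HTTP server should only redirect, never proxy
        if tls and s not in tls and any(directive(c, "proxy_pass") for c in s["children"]):
            findings.append(("CLEARTEXT_PROXY", "plain-HTTP server still proxies to Semaphore"))
    for up in (b for b in root["children"] if b["header"].startswith("upstream ")):
        for args in directive(up, "server"):  # a non-loopback upstream is reached over plain HTTP
            if not args[0].startswith(("127.", "localhost", "unix:")):
                findings.append(("UPSTREAM_PLAINTEXT", f"hop to {args[0]} is plain HTTP over the network"))
    m = re.match(r"(https?)://([^/:]+)", json.loads(semaphore_json).get("web_host", ""))
    if not m:
        findings.append(("WEB_HOST", "config.json web_host is not an http(s) URL"))
    elif tls and m.group(1) != "https":
        findings.append(("WEB_HOST_SCHEME", "web_host is http:// but Nginx serves HTTPS"))
    elif m.group(2) not in names:
        findings.append(("WEB_HOST_NAME", f"web_host {m.group(2)} matches no server_name"))
    return findings


if __name__ == "__main__":
    print(audit(STEP3_CONF, SAMPLE_SEMAPHORE_JSON), audit(SAMPLE_CONF, SAMPLE_SEMAPHORE_JSON))
```

On a live host, pass the contents of /etc/nginx/conf.d/semaphore.conf and /etc/semaphore/config.json to audit() instead of the samples; the Step 3 sample reports NO_TLS by design, and the Step 4 sample with an https web_host reports nothing. The parser only understands the block-and-directive syntax used in this guide's file, so run nginx -t as well; this script checks the agreement between the proxy and Semaphore that nginx -t cannot see.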
Access the Semaphore console via https://example.com:
You now have secure access to the Semaphore Ansible Web UI through a host name instead of an IP address and port 3000.