Enhancing The Web Server
Technical Background
In this exercise, we extend an existing web server by:
1. Registering DNS A records pointing to the server.
2. Enabling TLS (HTTPS) using Let's Encrypt certificates.
Why DNS A Records?
A DNS A record maps a hostname to an IPv4 address.
In this exercise you create two records:
www.gXY.sdi.hdm-stuttgart.cloud → Server IP
gXY.sdi.hdm-stuttgart.cloud → Server IP
These allow users to reach the server using easy-to-remember domain names instead of raw IP addresses.
TLS (Transport Layer Security) encrypts the connection, ensuring data privacy and integrity. In this exercise Let's Encrypt is used to issue free certificates. The staging endpoint (--staging) is used initially to avoid rate-limit issues. After successful testing, a production certificate is requested and used instead.
Solution
Prerequisites
Create the same files and folder structure as in exercise 17, Modules For SSH Host Key Handling.
The HMAC key for your server is stored inside Moodle.
Allow HTTPS Traffic in Firewall
- Add this firewall rule to /KnownHostsByModule/network.tf:
rule {
  direction  = "in"
  protocol   = "tcp"
  port       = "443"
  source_ips = ["0.0.0.0/0", "::/0"]
}
- Apply changes:
terraform apply
Warning
Ensure port 443 is open before requesting a certificate.
Creating a DNS Record
- Export your HMAC key:
export HMAC=hmac-sha512:<YOUR_KEY_HMAC_KEY>
Note
This key is needed to authenticate the dynamic DNS updates sent with nsupdate.
- Add DNS records for both the www subdomain and the bare domain with nsupdate:
nsupdate -y $HMAC
> server ns1.hdm-stuttgart.cloud
> update add www.gXY.sdi.hdm-stuttgart.cloud 10 A <your-server-ip>
> send
> quit
nsupdate -y $HMAC
> server ns1.hdm-stuttgart.cloud
> update add gXY.sdi.hdm-stuttgart.cloud 10 A <your-server-ip>
> send
> quit
Warning
TTL = 10 seconds for testing. In production, a longer TTL is recommended.
- Verify the records:
dig +noall +answer @8.8.8.8 www.gXY.sdi.hdm-stuttgart.cloud
dig +noall +answer @8.8.8.8 gXY.sdi.hdm-stuttgart.cloud
Note
Wait for DNS propagation before running Certbot.
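A readiness check, added here as an example and not part of the original exercise, that parses the output of dig +noall +answer and refuses to continue until both names resolve to the server's IP, so Certbot is only run once the records are visible. The names follow the exercise's gXY pattern; 203.0.113.10 and 198.51.100.7 are constructed sample addresses, and dns_ready_for_certbot assumes dig is installed.

```shell
#!/usr/bin/env sh
# Print the IPv4 targets of all A records for name $1 found in
# "dig +noall +answer" text read from stdin (fields: name ttl class type rdata).
a_targets() {
  name="${1%.}"
  awk -v n="$name" '
    { sub(/\.$/, "", $1) }              # strip the trailing dot from the owner name
    $1 == n && $4 == "A" { print $5 }   # keep only A records for the queried name
  '
}

# Succeed only if $1 has at least one A record in answer text $2 and every one of
# them equals the expected IP $3 (a stale extra record is treated as not ready).
dns_points_to() {
  name="$1"; answer="$2"; expected="$3"
  got=$(printf '%s\n' "$answer" | a_targets "$name")
  [ -n "$got" ] || return 1
  if printf '%s\n' "$got" | grep -qvx "$expected"; then
    return 1
  fi
  return 0
}

# Live check for the exercise: both the bare name and www must resolve to the
# server IP at the chosen resolver before "certbot --nginx" is worth running.
dns_ready_for_certbot() {
  base="$1"; ip="$2"; resolver="${3:-8.8.8.8}"
  for n in "$base" "www.$base"; do
    dns_points_to "$n" "$(dig +noall +answer @"$resolver" "$n" A)" "$ip" || {
      echo "not ready: $n does not resolve to $ip yet" >&2
      return 1
    }
  done
  echo "DNS ready: $base and www.$base resolve to $ip"
}

# Constructed sample answers in dig's output format, for an offline demonstration.
SAMPLE_OK='www.gXY.sdi.hdm-stuttgart.cloud. 10 IN A 203.0.113.10'
SAMPLE_STALE='gXY.sdi.hdm-stuttgart.cloud. 10 IN A 203.0.113.10
gXY.sdi.hdm-stuttgart.cloud. 10 IN A 198.51.100.7'
```

Usage: dns_ready_for_certbot gXY.sdi.hdm-stuttgart.cloud <your-server-ip> && sudo certbot --nginx --staging ... chains the check in front of the certificate request.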
Install Certbot and Request Staging Certificate
- Update server and install certbot:
sudo apt update
sudo apt install certbot python3-certbot-nginx
- Request a staging certificate:
sudo certbot --nginx --staging -d gXY.sdi.hdm-stuttgart.cloud -d www.gXY.sdi.hdm-stuttgart.cloud
Warning
Use --staging to avoid hitting Let's Encrypt rate limits during testing.
- Verify HTTPS access:
curl -I https://gXY.sdi.hdm-stuttgart.cloud
curl -I https://www.gXY.sdi.hdm-stuttgart.cloud
Success
Expected Output:
HTTP/2 200
- Request the production certificate:
sudo certbot --nginx -d gXY.sdi.hdm-stuttgart.cloud -d www.gXY.sdi.hdm-stuttgart.cloud