Server Survival

A guide through the annoying parts of servers. This includes slides I couldn't make it through in the actual presentation.

Chris Fidao

July 27, 2016
Transcript

  1. Server Survival
    hi!
    @fideloper
    serversforhackers.com

  2. Server Survival
    Server Survival

  3. Goal:
    (don’t memorize)
    understand

  4. Semi-Ridiculous Chart of Learning Curves
    (chart: “Programming Stuff” vs. “Server Mechanics”)

  6. annoying server things
    security
    supervision
    network
    permissions

  7. Security
    enjoying your new server responsibly

  9. Security “Levels”
    Protection
    Process
    Compliance

  10. Protection

  11. Security “Levels”: basics
    access
    network

  12. Security “Levels”: user security
    don’t be root
    don’t (only) use passwords

  13. user & access
    new user:
    $ sudo adduser fideloper
    $ sudo usermod -a -G sudo fideloper
    new ssh key (run this on your workstation, not on the server; the private key never leaves your machine):
    $ ssh-keygen -t rsa -b 4096
    (on current OpenSSH, -t ed25519 is the better default)

  14. user & access
    $ ssh-keygen -t rsa -b 4096 \
        -f id_whatever
    $ ssh-copy-id -i ~/.ssh/id_whatever \
        fideloper@
    (appends the public key to ~/.ssh/authorized_keys for that user on the server; log in with the key once before you turn passwords off on the next slide)

  15. ssh access
    /etc/ssh/sshd_config
    Port 22 (or) 1234
    PermitRootLogin no (or) without-password
    PasswordAuthentication no
    AllowGroups some-group
    ($ sudo service ssh restart)
    • “without-password” is spelled prohibit-password since OpenSSH 7.0; the old name still works.
    • PasswordAuthentication no is not enough on its own when PAM is in use: keep ChallengeResponseAuthentication no (the Ubuntu default) as well, or password prompts come back through keyboard-interactive.
    • sshd uses the first occurrence of a keyword; a line added at the bottom of the file loses to one above it. Check the file with `sudo sshd -t` before restarting, and `sudo sshd -T` prints the effective values.
    • Keep your current session open until a fresh key login works.
    • A non-standard port cuts log noise, not attacks; a port above 1024 can be bound by any local user while sshd is down.
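
Added example, not part of the deck: a small POSIX shell/awk helper that reads the effective value of an sshd_config keyword the way sshd does (first occurrence wins, everything after the first `Match` line is conditional) and checks the three keywords that matter for the slide above. The function names and the config text are made up for the demo; `Include` directives are not followed, so on a real host confirm the result with `sudo sshd -T`.

```shell
#!/bin/sh
# Added example (not from the deck): report the *effective* value of sshd_config
# keywords. sshd honours the first occurrence of a keyword and silently ignores
# later ones, and everything after the first "Match" line is conditional, so a
# "PasswordAuthentication no" pasted at the bottom of the file may do nothing.
# The config text below is constructed for the demo; no real host is touched.

# usage: printf '%s\n' "$config_text" | sshd_effective KEYWORD
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }            # keywords are case-insensitive
        NF == 0 { next }                        # blank line
        /^[[:space:]]*#/ { next }               # comment
        tolower($1) == "match" { exit }         # conditional section starts: stop
        tolower($1) == key { print $2; exit }   # first occurrence wins
    '
}

# Compare the effective values against what the "ssh access" slide asks for.
# Prints one line per keyword; returns 1 if anything is off.
audit_sshd_config() {
    cfg="$1"
    rc=0
    for want in "PermitRootLogin no" \
                "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no"; do
        key="${want%% *}"
        expect="${want#* }"
        got="$(printf '%s\n' "$cfg" | sshd_effective "$key")"
        if [ "$got" = "$expect" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key ${got:-(unset, sshd default applies)}, wanted $expect"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sshd_config: looks hardened at a glance, but the first
# PasswordAuthentication line is the one sshd actually uses.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
'
```

`audit_sshd_config "$(cat /etc/ssh/sshd_config)"` is the intended use; the sample above fails on PasswordAuthentication precisely because the second `no` never wins over the first `yes`.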

  16. firewall
    network

  17. firewall
    sudo iptables -L -v

  18. firewall
    sudo iptables -A INPUT -i lo \
        -j ACCEPT
    sudo iptables -A INPUT -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT

  19. firewall
    sudo iptables -A INPUT -p tcp --dport 22 \
        -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 \
        -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 \
        -j ACCEPT
    sudo iptables -A INPUT -j DROP
    (rules are matched top to bottom, so the DROP has to come last; -A appends, so running these twice gives you duplicates. Nothing here allows ICMP: echo-request is worth accepting, and ICMP errors for tracked connections already pass as RELATED.)

  20. firewall

  21. firewall
    drop v reject
    $ iptables … -j REJECT
    default policy
    $ iptables \
        --policy INPUT DROP
    (the policy is what happens when no rule matches. Set it after the ACCEPT rules above, from a session the ESTABLISHED rule already covers; on an empty chain it drops your own SSH connection. DROP makes scanners wait for a timeout; REJECT answers immediately and is friendlier to your own misconfigured clients.)

  22. (note: services)
    $ cat /etc/services | grep http
    http 80/tcp
    https 443/tcp
    http-alt 8080/tcp

  23. firewall
    sudo apt-get install -y \
        iptables-persistent
    sudo service \
        iptables-persistent save
    (on Ubuntu 16.04 and later the service is called netfilter-persistent, so: sudo service netfilter-persistent save. The rules land in /etc/iptables/rules.v4 and rules.v6 and are loaded at boot. Save before fail2ban is running, otherwise its f2b-* chains and whatever bans exist at that moment are frozen into the file.)

  24. firewall
    sudo iptables-save > rules.v4
    sudo iptables-restore < rules.v4
    (iptables-restore needs root as well; loading a file replaces the table in one step, which is the safe way to apply a changed ruleset)

  25. firewall
    sudo ip6tables -L -v
    sudo ip6tables-save > rules.v6
    sudo ip6tables-restore < rules.v6
    (IPv6 has its own table: a locked-down iptables with an untouched ip6tables leaves every service open over v6. When you write the v6 rules, allow -p ipv6-icmp; dropping ICMPv6 breaks neighbour discovery and the host loses its v6 connectivity.)
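
Added example, not part of the deck: the ruleset from the firewall slides written as a generator for an iptables-restore file rather than a series of `iptables -A` commands, covering the points above about rule order, duplicates, ICMP and the default policy. The function name is made up; it emits text only, so it can be inspected and checked before anything touches the kernel.

```shell
#!/bin/sh
# Added example (not from the deck): build the slides' ruleset as an
# iptables-restore file instead of a series of "iptables -A" commands.
# Loading a file replaces the filter table atomically and is idempotent
# (re-running "-A" lines appends duplicates), and the policy is set in the
# same step as the ACCEPT rules, so there is never a moment with an empty
# chain and policy DROP that cuts off your own SSH session.
# IPv4 only: an ip6tables file also has to accept -p ipv6-icmp.

# usage: gen_fw_rules PORT [PORT...]   (TCP ports to open; 22 belongs in the list)
gen_fw_rules() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_fw_rules: '$p' is not a port number" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "gen_fw_rules: '$p' out of range" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default policy: drop what no rule accepts
    echo ':FORWARD DROP [0:0]'      # this host is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # ICMP errors for tracked connections already pass as RELATED; this adds ping
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}
```

Typical use: `gen_fw_rules 22 80 443 | sudo tee /etc/iptables/rules.v4 >/dev/null`, then `sudo iptables-restore --test < /etc/iptables/rules.v4` (iptables 1.6 and later parse without committing) and finally `sudo iptables-restore < /etc/iptables/rules.v4`; with iptables-persistent installed, that file is what comes back at boot.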

  26. fail2ban
    $ sudo apt-get install -y \
        fail2ban
    1. monitors logs
    2. bans IPs
    (settings go in /etc/fail2ban/jail.local, not jail.conf, which package upgrades overwrite; put your own address in ignoreip before enabling a jail; fail2ban-client status sshd lists the current bans)

  27. fail2ban
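
Added example, not part of the deck or of fail2ban itself: the core of what the sshd jail does, in awk. It counts sshd authentication failures per source address and reports the addresses at or over a threshold (fail2ban's maxretry); fail2ban then adds each one to its own f2b-sshd chain. The function name and the auth.log lines are constructed for the demo (TEST-NET addresses), and unlike fail2ban it has no findtime window, so it counts across the whole input.

```shell
#!/bin/sh
# Added example (not from the deck): what fail2ban's sshd jail boils down to.
# Reads auth.log-style lines, counts authentication failures per source
# address and prints the addresses at or over "maxretry" with their count.
# The log lines below are constructed; no real log is read.

# usage: ssh_bruteforce_ips [MAXRETRY] < /var/log/auth.log
ssh_bruteforce_ips() {
    maxretry="${1:-5}"
    awk -v max="$maxretry" '
        # the two most common sshd failure lines; both carry "from <ip>"
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Constructed sample: one successful key login, a short brute-force run from
# 203.0.113.5 (four failures across two connections) and a single typo from
# a legitimate user at 198.51.100.7.
SAMPLE_AUTH_LOG='Jul 22 21:13:28 host sshd[14114]: Accepted publickey for deploy from 198.51.100.7 port 56786 ssh2
Jul 22 21:14:01 host sshd[14120]: Failed password for invalid user admin from 203.0.113.5 port 40100 ssh2
Jul 22 21:14:03 host sshd[14120]: Failed password for invalid user admin from 203.0.113.5 port 40100 ssh2
Jul 22 21:14:05 host sshd[14122]: Invalid user test from 203.0.113.5 port 40102
Jul 22 21:14:06 host sshd[14122]: Failed password for invalid user test from 203.0.113.5 port 40102 ssh2
Jul 22 21:20:00 host sshd[14130]: Failed password for deploy from 198.51.100.7 port 51000 ssh2
'
```

With `maxretry` at 3 the sample yields `203.0.113.5 4`; at fail2ban's default of 5 it yields nothing, which is why the threshold and the time window are the two settings worth tuning in jail.local.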

  28. auto upgrades
    $ sudo apt-get install -y \
        unattended-upgrades
    files: /etc/apt/apt.conf.d
    APT::Periodic::Unattended-Upgrade "1";
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
    };
    Unattended-Upgrade::InstallOnShutdown "false";
    Unattended-Upgrade::Automatic-Reboot "false";
    (limiting Allowed-Origins to -security keeps feature updates out of the automatic path. With Automatic-Reboot off, a patched kernel or libc is on disk but not in use until you reboot; /var/run/reboot-required exists when that is the case. sudo unattended-upgrade --dry-run --debug shows what would be installed.)

  29. ¡more!
    There’s always more
    SELinux / AppArmor
    2FA for SSH
    Securing “secrets” (.env)
    Strong PW Enforcement
    (But don’t freak out about it)

  30. Process

  31. policy
    Hi!
    I’m *totally*
    legit, send me
    that password,
    kthnx.

  32. policy
    Define what &
    how you’re able to
    send to people.

  33. policy
    Define what happens
    when people
    leave.

  34. policy
    Define what happens
    when new people
    come.

  35. policy
    Decide on
    “key rotation”
    (and similar access changes)

  36. policy
    policy + automation
    = time

  37. auditing
    aggregate logs

  39. Compliance

  40. Security “Levels”
    regulation
    • HIPAA/HITECH (health)
    • PCI DSS (ecommerce/credit cards)
    • FERPA (education)
    • Many, many more

  41. Security “Levels”
    regulation
    • Audits
    • Paper work
    • And general security

  42. how far to go?
    “what should I
    care about?”

  43. supervision

  44. systemd
    fid@host:~# sudo systemctl status ssh
    systemctl status
    systemctl start
    systemctl stop
    systemctl enable
    systemctl disable

  45. systemd
    fid@host:~# sudo service ssh status
    ● ssh.service - OpenBSD Secure Shell server
       Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
       Active: active (running) since Fri 2016-07-22 19:46:40 EDT; 1h 27min ago
     Main PID: 2493 (sshd)
       CGroup: /system.slice/ssh.service
               ├─ 2493 /usr/sbin/sshd -D
               ├─14218 sshd: root [priv]
               └─14219 sshd: root [net]
    Jul 22 21:13:28 host sshd[14114]: Accepted password for root from 76.185.167.253 port 56786 ssh2
    Jul 22 21:13:28 host sshd[14114]: pam_unix(sshd:session): session opened for user root by (uid=0)
    (read the log tail that status prints: this host is still accepting password logins for root, exactly what the sshd_config slide turns off)

  46. systemd
    /lib/systemd/system/ssh.service
    [Unit]
    Description=OpenBSD Secure Shell server
    After=network.target auditd.service
    ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
    [Service]
    EnvironmentFile=-/etc/default/ssh
    ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
    ExecReload=/bin/kill -HUP $MAINPID
    KillMode=process
    Restart=on-failure
    RestartPreventExitStatus=255
    Type=notify
    [Install]
    WantedBy=multi-user.target
    Alias=sshd.service

  47. systemd
    /lib/systemd/system/laravel.service
    [Unit]
    Description=Laravel Queue
    [Service]
    User=forge
    Group=forge
    # always, not on-failure: "php artisan queue:restart" stops the worker with a
    # clean exit, and on-failure would not bring it back
    Restart=always
    WorkingDirectory=/home/user/forge/mysite.com/current
    ExecStart=/usr/bin/php artisan queue:work --daemon
    [Install]
    WantedBy=multi-user.target
    (User= and Group= are the lines that matter: the worker runs as the deploy user, never as root. queue:work --daemon keeps the code loaded in memory, so run php artisan queue:restart after each deploy. On systemd 240 and later, systemd-analyze security laravel scores how much sandboxing the unit still leaves open.)

  48. systemd
    fid:~# sudo systemctl enable laravel
    fid:~# sudo systemctl start laravel
    fid:~# sudo systemctl status laravel

  49. supervisord
    fid@spr:~# sudo apt-get install -y supervisor
    fid@spr:~# sudo systemctl start supervisor

  50. supervisord
    fid@spr:~# sudo systemctl status supervisor
    ● supervisor.service - Supervisor process control system for UNIX
       Loaded: loaded (/lib/systemd/system/supervisor.service; disabled; vendor preset: enabled)
       Active: active (running) since Tue 2016-07-26 17:13:54 EDT; 3s ago
         Docs: http://supervisord.org
     Main PID: 3712 (supervisord)
        Tasks: 1
       Memory: 11.1M
          CPU: 216ms
       CGroup: /system.slice/supervisor.service
               └─3712 /usr/bin/python /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf
    Jul 26 17:13:54 spr systemd[1]: Started Supervisor process control system for UNIX.
    (“disabled” in the Loaded line means it will not start at boot until you systemctl enable supervisor)

  51. supervisord
    /etc/supervisor/conf.d/lara_q.conf
    [program:lara_queue]
    command=php artisan queue:work --daemon
    directory=/home/forge/app.com/current
    autostart=true
    autorestart=true
    startretries=3
    redirect_stderr=true
    stdout_logfile=/home/forge/…/logs/queue.log
    user=forge
    ; the option is numprocs (not numproc); more than one process also needs a
    ; process_name pattern so the four workers get distinct names
    numprocs=4
    process_name=%(program_name)s_%(process_num)02d
    (supervisord itself runs as root and switches each program to its user=; the log file's directory has to be writable by forge)

  52. forge: supervisord

  53. forge: supervisord
    any old daemon

  54. Network

  55. ifconfig

  56. ifconfig
    private network
    f@db:~$ ifconfig
    eth0 Link encap:Ethernet HWaddr 04:01:31:20:63:01
    inet addr:162.243.164.216 Bcast:162.243.164.255 Mask:255.255.255.0
    inet6 addr: fe80::601:31ff:fe20:6301/64 Scope:Link

    eth1 Link encap:Ethernet HWaddr 04:01:31:20:63:02
    inet addr:10.136.11.155 Bcast:10.136.255.255 Mask:255.255.0.0
    inet6 addr: fe80::601:31ff:fe20:6302/64 Scope:Link

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host

  57. network binding
    a tcp socket:
    <host>:<port>
    a unix socket:
    unix://path/to/file.sock
    (the host part decides who can reach the service: 127.0.0.1 is this machine only, a private-network address is the other machines on that network, 0.0.0.0 is everyone)

  58. network binding
    forge@site:~$ netstat -ap | grep http
    tcp 0 0 *:http *:* LISTEN 3797/nginx: worker
    tcp 0 0 *:https *:* LISTEN 3797/nginx: worker
    (*:http means “every interface”, public and private; run it without the grep to see what else is listening that way. ss -ltnp shows the same on systems that ship without netstat.)
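
Added example, not part of the deck: an awk filter over `netstat -a` style output that classifies every listening TCP socket by who can reach it, which is the question behind the binding and MySQL slides. The function names and the netstat lines are constructed for the demo; the parser expects netstat's column layout, not that of `ss`.

```shell
#!/bin/sh
# Added example (not from the deck): classify every listening TCP socket in
# "netstat -a" style output by who can reach it. Bound to *, 0.0.0.0 or ::
# means every interface; 127.x / ::1 is this machine only; RFC 1918 ranges
# are the private network from the ifconfig slide; anything else is public.
# The netstat output below is constructed for the demo.

# usage: netstat -atnp | listen_exposure
listen_exposure() {
    awk '$6 == "LISTEN" {
        addr = $4; sub(/:[^:]*$/, "", addr)     # strip the port, keep IPv6 colons
        port = $4; sub(/^.*:/,  "", port)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::")
            scope = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"
        else if (addr ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
            scope = "private"
        else
            scope = "public"
        print scope, addr ":" port, $7
    }'
}

# Only the listeners that something off the box can talk to.
exposed_listeners() {
    listen_exposure | grep -v '^loopback'
}

# Constructed "netstat -ap" output: nginx and sshd on every interface, php-fpm
# on loopback, MySQL bound both to loopback and to the private interface.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:http                  *:*                     LISTEN      3797/nginx: worker
tcp        0      0 127.0.0.1:mysql         *:*                     LISTEN      1204/mysqld
tcp        0      0 10.136.11.155:mysql     *:*                     LISTEN      1204/mysqld
tcp6       0      0 :::ssh                  :::*                    LISTEN      1011/sshd
tcp        0      0 127.0.0.1:9000          *:*                     LISTEN      2887/php-fpm7.0
'
```

Anything that comes out as ALL-INTERFACES or public and is not on the firewall's allow list is a finding; "private" lines are only as safe as the private network, which on many hosting providers is shared with other customers.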

  59. network binding

  60. network: mysql
    unix socket

  61. tcp socket
    network: mysql

  62. network: mysql
    localhost != 127.0.0.1
    (in mysql)
    (to the mysql client, -h localhost means “use the unix socket”, which bind-address does not affect; -h 127.0.0.1 is a real TCP connection and is subject to it)

  63. network: mysql
    #
    # Instead of skip-networking the default is now to listen only on
    # localhost which is more compatible and is not less secure.
    bind-address = 10.136.11.155
    f@db:~$ mysql -h localhost -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    f@db:~$ mysql -h 127.0.0.1 -u root -p
    Enter password:
    ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1' (111)
    (bound to the private interface only: the socket still works, loopback TCP does not)


  64. network: mysql
    f@db:~$ mysql -h 10.136.11.155 -u root -p
    Enter password:
    ERROR 1130 (HY000): Host '10.136.11.155' is not allowed to connect to this MySQL server
    f@db:~$ mysql -u root -p -e "create user root@'10.136.11.155' identified by 'root';"
    Enter password:
    f@db:~$ mysql -h 10.136.11.155 -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    (MySQL accounts are user@host pairs, so the network side needs its own account and grants. Treat the line above as a demo only: for a real app server, create a dedicated user limited to that server's private address and to the one database it needs, give it a real password, and leave root socket-only.)


  65. network
    but normally it is
    (bind-address = 127.0.0.1, per the config comment on slide 63; the app then has to live on the same box, or you bind to the private interface as above and firewall that port down to the app server's address)

  66. network review
    1. Find networks (interfaces)
    2. Learn about socket types
    3. See examples of mysql
    4. Future: Permissions in Forge

  67. Permissions

  68. permissions!
    who can do things
    user - file/dir owner
    group - file/dir group - shared
    other - anyone else

  69. what can they do
    read - read file, list directory
    write - write to file, add/remove entries in a directory
    execute - run the file, cd into (traverse) a directory

  70. setting permissions
    usr@hst:~$ chown -R www-data:www-data \
        /var/www/example.com
    usr@hst:~$ chmod -R u=rwx,g=rx,o=rx \
        /var/www/example.com
    usr@hst:~$ chmod -R u=rwx,go=rx \
        /var/www/example.com
    usr@hst:$ chmod ug+x,o-x \
        /var/www/example.com/artisan
    (the two chmod -R lines are the same mode written two ways. -R with x puts the execute bit on every file, not just directories, and o=rx lets every local account read your .env. Use separate modes for directories and files, and drop “other” entirely.)

  71. d rwx r-x r-x
    dir user group other
    permissions

  72. - rwx r-x r-x
    file user group other
    permissions

  73. example
    user@host:/var/www$ ls -lAh
    total 4.0K
    drwxrwxr-x 2 deploy www-data 4.0K Jul 10 21:43 example.com
    d rwx rwx r-x
    deploy : www-data

  74. usr@host:/var/www$ ps axf o pid,user,group,comm \
    | grep -i '[n]ginx\|[p]hp'
    4290 root root nginx
    4291 www-data www-data \_ nginx
    2887 root root php-fpm7.0
    2889 www-data www-data \_ php-fpm7.0
    2890 www-data www-data \_ php-fpm7.0
    not just files

  75. user@host:/var/www$ ls -lAh
    total 4.0K
    drwxrwxr-x 2 deploy www-data 4.0K Jul 10 21:43 example.com
    php + web files
    file_put_contents(
    '/var/www/example.com/new-file.txt',
    'Here is a new line'
    ); // ✅

  76. remember
    files owned by www-data
    then
    run php as www-data
    $ sudo -u www-data php artisan foo:bar
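
Added example, not part of the deck: a POSIX shell audit for the permission mistakes the slides above warn about (world-writable files, setuid bits, stray root-owned files from a `sudo php artisan` run), plus a normaliser that applies the deploy-user:web-group layout with separate modes for directories and files instead of a blanket `chmod -R`. Function names are made up; it assumes GNU find, and takes the tree and the expected owner as arguments so it can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the deck): audit a deploy tree for the permission
# mistakes the slides warn about, then set the deploy-user:web-group layout
# (directories 750, files 640, only storage/ and bootstrap/cache/ writable by
# the group). Assumes GNU find; the tree and expected owner are arguments.

# usage: audit_webroot /var/www/example.com deploy
# Prints one line per finding; prints nothing when the tree is clean.
audit_webroot() {
    root="$1"
    owner="$2"
    # writable by "other": any local account, or any other daemon on the box,
    # can change what the web server serves or executes
    find "$root" ! -type l -perm -0002 -printf 'world-writable: %p\n'
    # setuid/setgid files have no business in an application checkout
    find "$root" -type f -perm /6000 -printf 'setuid/setgid: %p\n'
    # a stray root-owned file (from a "sudo php artisan ..." run, typically)
    # is the usual reason a deploy as the normal user suddenly fails
    find "$root" ! -user "$owner" -printf 'unexpected owner %u: %p\n'
}

# usage: normalise_webroot /var/www/example.com
# Sets modes only; ownership (chown -R deploy:www-data) needs root and is
# left to the slide's chown line.
normalise_webroot() {
    root="$1"
    # numeric modes on regular files clear any setuid/setgid bit as well
    find "$root" -type d -exec chmod 750 {} +     # owner rwx, group rx, other nothing
    find "$root" -type f -exec chmod 640 {} +     # owner rw,  group r,  other nothing
    # the only paths the web server user (the group) may write to
    for w in "$root/storage" "$root/bootstrap/cache"; do
        if [ -d "$w" ]; then
            find "$w" -exec chmod g+w {} +
        fi
    done
    # artisan is run from the shell, so it gets its execute bit back
    if [ -f "$root/artisan" ]; then
        chmod ug+x "$root/artisan"
    fi
    return 0
}
```

This is the "files owned by the deploy user, writable by the web group where needed" model from slides 73 to 76; the Forge layout on the following slides, where nginx and php-fpm run as the same user that owns the code, trades that separation for convenience, so a bug in the application there can also rewrite the application.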

  77. Just Works™


  78. web files
    there’s no place like
    forge@host:~/store.helpspot.com/current$ ls -lAh
    drwxrwxr-x 15 forge forge app
    -rwxrwxr-x 1 forge forge artisan
    drwxrwxr-x 3 forge forge bootstrap
    -rw-rw-r-- 1 forge forge composer.json
    -rw-rw-r-- 1 forge forge composer.lock

  79. nginx
    # File /etc/nginx/nginx.conf
    user forge;
    worker_processes auto;
    pid /run/nginx.pid;
    events { … }
    http { … }

  80. php-fpm
    ; File /etc/php5/fpm/pool.d/www.conf
    listen = /var/run/php5-fpm.sock
    listen.owner = www-data
    listen.group = www-data
    listen.mode = 0666
    user = forge
    group = forge
    -rw-rw-rw
    (0666 makes the socket world-writable: any local account can hand php-fpm a request and run PHP as forge. Set listen.owner and listen.group to the user nginx runs as and listen.mode = 0660.)

  81. php-fpm
    ; File /etc/php5/fpm/pool.d/www.conf
    listen = 127.0.0.1:9000
    listen.owner = www-data
    listen.group = www-data
    listen.mode = 0666
    user = forge
    group = forge
    (with a TCP listen the listen.owner/group/mode lines are ignored; instead, anything on the box that can reach 127.0.0.1:9000 can talk to php-fpm, and listen.allowed_clients cannot tell local users apart. The unix socket with a tight mode is the stricter option.)


  82. web files
    there’s no place like
    forge@host:~/store.helpspot.com/current$ ls -lAh
    drwxrwxr-x 15 forge forge app
    -rwxrwxr-x 1 forge forge artisan
    drwxrwxr-x 3 forge forge bootstrap
    -rw-rw-r-- 1 forge forge composer.json
    -rw-rw-r-- 1 forge forge composer.lock

  83. There’s More!
    ACLs

  84. ACL

  85. ACL
    ACL Defaults

  86. ACL
    $ sudo setfacl -Rm \
    > g:www-data:rwx,d:g:www-data:rwx \
    > /var/www/html
    (the d: entry is the default ACL: new files and directories inherit it. rwX instead of rwx adds execute only on directories and on files that already have it; getfacl shows the result. The filesystem has to be mounted with ACL support, which ext4 has on by default.)

  87. ACL
    Owned by root
    Group www-data:rwx

  88. ACL
    User-based!

  89. Server Survival
    thanks!
    @fideloper
    serversforhackers.com

  90. pkg managers
    1. searching
    2. installing

  91. pkg managers
    apt-get & apt
    sudo apt-get update
    sudo apt update
    sudo apt-get install whatever
    sudo apt install whatever

  92. pkg managers
    search
    sudo apt search mysql-server
    ubuntu@host:~$ apt search mysql-server
    mysql-server/trusty-updates,trusty-security 5.5.49-0…
    mysql-server-5.5/trusty-updates,trusty-security
    MySQL database server binaries and system database setup
    mysql-server-5.6/trusty-updates,trusty-security
    MySQL database server binaries and system database setup

  93. pkg managers
    show
    sudo apt show -a \
    mysql-server-5.6
    Package: mysql-server-5.6
    Version: 5.6.30-0ubuntu0.14.04.1
    Package: mysql-server-5.6
    Version: 5.6.16-1~exp1

  94. pkg managers
    policy
    sudo apt-cache policy \
    mysql-server-5.6
    mysql-server-5.6:
    Installed: (none)
    Candidate: 5.6.30-0ubuntu0.14.04.1
    Version table:
    5.6.30-0ubuntu0.14.04.1 0
    500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/
    trusty-updates/universe amd64 Packages
    500 http://security.ubuntu.com/ubuntu/
    trusty-security/universe amd64 Packages
    5.6.16-1~exp1 0
    500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/
    trusty/universe amd64 Packages

  95. pkg managers
    package=version
    sudo apt-get install \
    mysql-server-5.6=5.6.16-1~exp1

  96. pkg managers
    repositories
    sudo add-apt-repository \
    ppa:ondrej/php

  97. pkg managers
    ubuntu@host: /etc/apt/sources.list.d $ ls -lah
    -rw-r--r-- 1 root root ondrej-ubuntu-php-xenial.list
    ubuntu@host: /etc/apt/sources.list.d $ cat \
    ondrej-ubuntu-php-xenial.list
    deb http://ppa.launchpad.net/ondrej/php/ubuntu xenial main
    # deb-src http://ppa.launchpad.net/ondrej/php/ubuntu xenial main
    repositories

  98. pkg managers: manual install
    ubuntu@host: ~ sudo apt-key adv --recv-keys --keyserver \
        hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
    ubuntu@host: ~ echo 'deb http://ftp.utexas.edu/mariadb/repo/10.1/ubuntu xenial main' \
        | sudo tee /etc/apt/sources.list.d/mariadb.list
    (a key fetched from a keyserver by ID and added with apt-key is trusted for every repository, not just this one, and apt-key is deprecated on current releases. Prefer the vendor's key over HTTPS, compare its fingerprint with the one the vendor publishes, store it under /etc/apt/keyrings and reference it with signed-by= in the deb line.)

  99. pkg managers
    ubuntu@host: /etc/apt $ vim sources.list
    # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
    # newer versions of the distribution.
    deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial main restricted
    deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial main restricted
    # # Major bug fix updates produced after the final release of the
    # # distribution.
    deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
    deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial-updates main \
    restricted
    # # N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
    # # team. Also, please note that software in universe WILL NOT receive any
    # # review or updates from the Ubuntu security team.
    deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial universe
    deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial universe
    included repositories

  100. pkg managers
    repositories

  101. –@fideloper
    “Am I done now?”

  102. DNS & Domains

  103. DNS: ¯\_(ツ)_/¯
    ~~ just *TRY* ~~
    to coherently explain
    controlling domains
    to the average [non-tech-client-whoever]
    challenge:

  104. ¯\_(ツ)_/¯
    (we’ll ignore the seedy
    secondary market of
    domain-squatting asshats)

  105. you bought a domain
    DNS

  106. …but you control it somewhere else
    DNS

  107. DNS
    “somewhere else” points [sub]domains…
    somewhere else…

  108. this slide intentionally left blank

  109. dig

  110. dig
    mx records

  111. nslookup
    mx records again

  112. Domains + Web Server

  113. Domains + Web Server

  114. set host header

  115. default_server

  116. (set host header again)

  117. meanwhile, fideloper.com

  118. Logs

  119. /var/log/*

  120. wtf, Vagrant?
    less
    terrible.

  121. boxes (servers)
    fideloper@host ~ vagrant box
    Usage: vagrant box <subcommand> [<args>]
    Available subcommands:
    add
    list
    outdated
    remove
    repackage
    update

  122. where’s my stuff?
    ~/.vagrant.d/boxes
    ~/.vagrant.d/tmp
    C:/Users/[USER]/.vagrant.d/boxes
    C:/Users/[USER]/.vagrant.d/tmp

  123. port forwarding
    SSH Default
    • ssh by default
    • can add your own (but we’ll do better)

  124. port forwarding
    $ vagrant ssh-config
    Just like ~/.ssh/config

  125. port forwarding
    $ ssh \
    > -i /Users/fideloper/…/virtualbox/private_key \
    > -p 2222 \
    > vagrant@localhost

  126. port forwarding

  127. port forwarding
    (aside: It’s common to forward to port 80)
    config.vm.network "forwarded_port", guest: 80, host: 8000
    $> curl -I localhost:8000
    HTTP/1.1 302 Found
    Server: nginx/1.9.9
    Content-Type: text/html; charset=UTF-8
    Date: Sat, 02 Jul 2016 17:57:49 GMT
    Location: http://localhost:8000/login
    (unless you add host_ip: "127.0.0.1" to the forwarded_port line, Vagrant binds the host port on every interface, so the guest's web server is reachable from the whole LAN)

  128. port forwarding
    But, two boxes can’t forward to same port!
    first box:
    config.vm.network "forwarded_port", guest: 80, host: 8000
    second box:
    config.vm.network "forwarded_port", guest: 80, host: 8888 ✅

  129. sequel pro
    2.5 Ways to
    Connect to MySQL
    (without *any* MySQL configuration)

  130. sequel pro
    1 - Port Forward
    config.vm.network "forwarded_port", guest: 3306, host: 33060
    (same caveat as the web port: without host_ip: "127.0.0.1" this exposes the guest's MySQL, a development database with well-known credentials, to anyone on your network)

  131. sequel pro
    config.vm.network "forwarded_port", guest: 3306, host: 33060

  132. sequel pro
    2 - SSH Tunnel
    $> ssh -p 2222 \
    -i /Users/fideloper/…/virtualbox/private_key \
    -L 3306:localhost:3306 vagrant@localhost

  133. sequel pro

  134. sequel pro
    2.5 - SSH Tunnel

  135. • 1. Port forwarding (homestead way - easy)
    • 2. Manual SSH tunnel
    • 3. Sequel Pro SSH Tunnel

  136. sequel pro
    Remember the SSH Tunnel!
    You can use it in production to view a database.
    (this is why the database can stay bound to 127.0.0.1 or the private interface with no MySQL port open on the public firewall: the tunnel reuses your SSH key and the ssh access rules from the security section)

  137. file sharing
    config.vm.synced_folder "~/Sites", "/home/vagrant/Sites"
    default file share
    slow with a large # files

  138. file sharing
    config.vm.synced_folder "~/Sites", "/home/vagrant/Sites",
        id: "core",
        :nfs => true,
        :mount_options => ['nolock,vers=3,udp,noatime,actimeo=2,fsc']
    network file share
    handles large # files better
    (Vagrant adds the export to your host's /etc/exports for the VM's address; NFSv3 has no authentication beyond that address, so this is a laptop-on-a-trusted-network setup only)

  139. file sharing
    where to run build steps?
    (especially ones that watch files)

  140. file sharing
    (I’ve actually used Docker for this instead)
    docker run --rm \
    -v ~/Sites/some-project:/opt \
    some_node_img:latest \
    gulp watch

  141. adding projects
    How I made adding a new project painless
    (and stopped editing /etc/hosts)

  142. adding projects
    An annoying process:

  143. adding projects
    1. Share More Files:
    config.vm.synced_folder "~/Sites/a", "/var/www/a"
    config.vm.synced_folder "~/Sites/b", "/var/www/b"

  144. adding projects
    2. Create another server config
    vagrant@vagrant:/etc/nginx/sites-available$ sudo cp \
    laravel-a laravel-b
    vagrant@vagrant:/etc/nginx/sites-available$ sudo vim \
    laravel-b
    server {
    listen 80;
    server_name laravel-b.dev;

  145. adding projects
    3. Edit /etc/hosts:
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost

    192.168.33.10 laravel-a.dev laravel-b.dev

  146. adding projects
    A better way:

  147. adding projects
    1. One File Share
    config.vm.synced_folder "~/Sites", "/home/vagrant/Sites"

  148. adding projects
    2. Install DNSMasq
    brew install dnsmasq
    cd $(brew --prefix) # /usr/local
    echo 'address=/.dev/192.168.33.10' > etc/dnsmasq.conf
    sudo cp -v $(brew --prefix dnsmasq)/homebrew.mxcl.dnsmasq.plist /Library/LaunchDaemons
    sudo launchctl load -w /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
    sudo mkdir -p /etc/resolver
    echo "nameserver 127.0.0.1" | sudo tee /etc/resolver/dev
    (.dev has since become a real top-level domain and browsers force HTTPS on it through the HSTS preload list, so http://whatever.dev no longer works. Use .test, which is reserved for exactly this, and change both the address= line and the /etc/resolver file name to match.)

  149. adding projects
    2. DNSMasq continued
    fideloper@Christophers-iMac  ~  dig whatever-i-want.dev \
    @127.0.0.1
    ;; QUESTION SECTION:
    ;whatever-i-want.dev. IN A
    ;; ANSWER SECTION:
    whatever-i-want.dev. 0 IN A 192.168.33.10

  150. adding projects
    3. Magic Nginx Config
    server {
        listen 80;
        # one label before .dev, letters/digits/hyphen only: the capture becomes
        # part of a filesystem path, so keep dots and slashes out of it
        server_name ~^(?<file_path>[a-z0-9-]+)\.dev$;
        root /home/vagrant/Sites/$file_path/public;
        index index.html index.htm index.php;
        # And so on …

  151. adding projects
    cd ~/Sites
    mkdir -p mysite/public
    echo "…" > mysite/public/index.php

  152. [Bonus] Databases
    • User/Network Security
    • SSH Tunnel
    • mysqldump / xtrabackup

  153. [Bonus] Vagrant
    • Port forwarding
    • Configuration
    • My Homestead config
    • NFS cache

  154. [Bonus] Philosophy
    • Be ready to throw out a server (Ansible)
    • Docker is not your first answer without ops people
