Your perfect TYPO3 Distribution

Presented at TYPO3 Developer Days 2018

Helmut Hummel

June 23, 2018

Transcript

  1. Your perfect TYPO3 Distribution. Helmut Hummel <typo3@helhum.io>. Inspiring people to share.
  2. Teaser
  3. @helhum
  4. Lightning Talk: Your perfect TYPO3 Distribution • Focus • Productivity • Reliability • Security • Features • Environment aware • Context aware • Pluggable
  5. Your perfect TYPO3 Distribution: Target Audience • A little bit of Composer knowledge • Not command line agnostic • Interest in simplifying and automating development workflows
  6. Your perfect TYPO3 Distribution: Disclaimer • Can contain traces of • Butterflies • Rainbows • Unicorns • Kittens
  7. @helhum
  8. What's Perfect?
  9. (image slide)
  10. Not everybody loves ButterflyRainbowUnicornKittens
  11. And I like to change that!
  12. Purrrfect TYPO3 Distribution
  13. Reliability
  14. Security
  15. Environment
  16. Context
  17. Reliability
  18. Reproducible
  19. Easily Reproducible
  20. Bundle all code
  21. Bundle all configuration
  22. Ship a (short!) README
  23. $short < 10 lines
  24. How to achieve reliability?
  25. Version Control !!!
  26. GIT
  27. One repository
  28. What about third party code?
  29. Only commit what you maintain
  30. How to bundle third party code then?
  31. Reliability: Bundling third party code • Describe your dependencies on third party code in a file • Specify a version number for every library • Use a tool that evaluates that file, fetches the dependencies and puts them into your bundle • Maybe we could use XML or JSON format for that … • … • Wait, what? • Isn't there a tool for that already?
  32. Composer
  33. Reliability: Composer • Resolves dependencies recursively • Fetches the code effectively • Puts everything in place • Lets you directly use third party code • Reproduces the exact same state on consecutive installs
  34. composer require bugatti/car
  35. (image slide)
  36. composer require typo3/cms
  37. (image slide)
  38. Add composer.lock to version control
  39. The only generated file you should commit
  40. But what about PackageStates.php?
  41. Reliability: PackageStates.php • Used by TYPO3 to track which extensions should be "active" • Why would you install code, but mark it as "inactive"? • typo3/cms comes with ALL TYPO3 system extensions • But you never need all system extensions in a project
  42. TYPO3 Console
  43. composer require helhum/typo3-console
  44. typo3cms install:generatepackagestates
  45. composer.json:
      "require": {
          "helhum/typo3-console": "^5.4",
          "typo3/cms": "^8.7",
          "typo3/cms-rte-ckeditor": "^8.7"
      },
      "scripts": {
          "post-autoload-dump": [
              "typo3cms install:generatepackagestates"
          ]
      }
  46. What you need is defined in composer.json
  47. Now make it more convenient
  48. composer require typo3-console/composer-auto-commands
  49. typo3cms install:generatepackagestates
  50. typo3cms install:fixfolderstructure
  51. typo3cms install:extensionsetupifpossible
  52. composer.json:
      "require": {
          "helhum/typo3-console": "^5.4",
          "typo3/cms": "^8.7",
          "typo3/cms-rte-ckeditor": "^8.7"
      },
      "scripts": {
          "post-autoload-dump": [
              "typo3cms install:generatepackagestates",
              "typo3cms install:fixfolderstructure",
              "typo3cms install:extensionsetupifpossible"
          ]
      }
  53. composer.json:
      "require": {
          "helhum/typo3-console": "^5.4",
          "typo3-console/composer-auto-commands": "^0.1.0",
          "typo3/cms": "^8.7",
          "typo3/cms-rte-ckeditor": "^8.7"
      }
  54. Reliability: Benefits • Less cluttered composer.json • Can be a nested requirement • Platform agnostic (works with Windows)
  55. composer require --dev typo3-console/php-server-command
  56. composer require --dev typo3-console/composer-typo3-auto-install
  57. Demo
  58. Reliability: Recap • Use version control (git) • Use one repository per project • Only commit what you maintain (but commit composer.lock) • Fetch dependencies with Composer • Let TYPO3 Console generate PackageStates.php • Let TYPO3 Console generate the folder structure • Let TYPO3 Console set up extensions on "composer install"
  59. But we're still installing code we don't need
  60. That is not good, because …
  61. Security
  62. Why avoid installing code you don't need?
  63. Every security flaw is a bug in code
  64. Every code has bugs
  65. Every code potentially has security flaws
  66. 100% secure code is NO code
  67. TYPO3 Subtree Split
  68. Security: TYPO3 Subtree split • Every core extension is available as an individual Composer package • typo3/cms-core, typo3/cms-backend, … • All TYPO3 versions starting from 8.7.9 are available • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0) • If you have Composer based TYPO3 8.7 projects, use it NOW • No symlinks required any more • Packages are directly installed in typo3/sysext
  69. But there is more …
  70. Attack Surface
  71. Information Disclosure
  72. Every additional file in your document root increases the attack surface and potentially leaks private information
  73. What does our current document root look like?
  74. $ ll
      total 208
      drwxr-xr-x  11 helmut  staff    374 Jun 20 22:10 .
      drwxr-xr-x   5 helmut  staff    170 Jun 20 14:54 ..
      drwxr-xr-x  15 helmut  staff    510 Jun 20 22:10 .git
      -rw-r--r--   1 helmut  staff     66 Jun 20 22:08 .gitignore
      -rw-r--r--   1 helmut  staff    227 Jun 20 22:08 composer.json
      -rw-r--r--   1 helmut  staff  94010 Jun 20 22:08 composer.lock
      -rw-r--r--   1 helmut  staff    800 Jun 20 22:10 index.php
      drwxr-xr-x   5 helmut  staff    170 Jun 20 22:10 typo3
      drwxrwsr-x   3 helmut  staff    102 Jun 20 22:10 typo3conf
      drwxrwsr-x   3 helmut  staff    102 Jun 20 22:10 typo3temp
      drwxr-xr-x  15 helmut  staff    510 Jun 20 22:10 vendor
  75. How to fix that?
  76. Security Step 1 (composer.json):
      "extra": {
          "typo3/cms": {
              "web-dir": "public"
          }
      }
  77. Security Step 2 (composer.json):
      "extra": {
          "typo3/cms": {
              "root-dir": "private",
              "web-dir": "public"
          }
      }
  78. Security Step 3: composer require helhum/typo3-secure-web
  79. Demo
  80. Security: Recap • Only install code that you need • Don't expose the vendor directory • Expose neither composer.lock nor composer.json • Don't expose private resources • Only expose public resources and defined entry points • Your TYPO3 document root should only contain 3 PHP files: index.php, typo3/index.php, typo3/install.php • Public assets (icons, css, js, …)
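As an added example (not from the talk or from the helhum packages), a small POSIX shell audit that checks a document root against the recap above: it flags the entries from the slide-74 listing that should never be web-reachable and any PHP file beyond the three defined entry points. The function names and the two constructed sample layouts are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: audit a TYPO3 document root against the rule that
# only index.php, typo3/index.php, typo3/install.php and public assets belong there.
# Entries that must never be reachable below the web root (all appear in the
# slide-74 listing of the unprotected project root).
FORBIDDEN=".git composer.json composer.lock vendor typo3conf/LocalConfiguration.php"

# audit_webroot DIR: print one finding per line; return 0 if clean, 1 otherwise.
audit_webroot() {
  root=$1
  findings=0
  for entry in $FORBIDDEN; do
    if [ -e "$root/$entry" ]; then
      echo "forbidden: $entry"
      findings=$((findings + 1))
    fi
  done
  # Any PHP file that is not one of the three defined entry points.
  extra=$(cd "$root" && find . -type f -name '*.php' \
      ! -path ./index.php ! -path ./typo3/index.php ! -path ./typo3/install.php \
      | sed 's|^\./|extra php: |')
  if [ -n "$extra" ]; then
    echo "$extra"
    findings=$((findings + $(printf '%s\n' "$extra" | wc -l)))
  fi
  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# make_sample_root DIR: constructed layout mirroring the slide-74 listing
# (Composer files, vendor/ and .git/ exposed next to index.php).
make_sample_root() {
  mkdir -p "$1/.git" "$1/vendor" "$1/typo3conf" "$1/typo3"
  : > "$1/composer.json"; : > "$1/composer.lock"; : > "$1/index.php"
  : > "$1/typo3/index.php"; : > "$1/typo3/install.php"
  : > "$1/typo3conf/LocalConfiguration.php"; : > "$1/vendor/autoload.php"
}
# make_clean_root DIR: constructed public/ after root-dir was moved to private/.
make_clean_root() {
  mkdir -p "$1/typo3" "$1/fileadmin"
  : > "$1/index.php"; : > "$1/typo3/index.php"; : > "$1/typo3/install.php"
  : > "$1/fileadmin/logo.svg"
}
# With an argument, audit that directory; without one, audit the constructed sample.
if [ -n "${1:-}" ]; then
  audit_webroot "$1"
else
  tmp=$(mktemp -d); make_sample_root "$tmp"; audit_webroot "$tmp" || true; rm -rf "$tmp"
fi
```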
  81. Environment
  82. Environment: TYPO3 needs to run in multiple environments • Developer system • Staging • Testing • Live
  83. Context
  84. Context: TYPO3 should be aware of two contexts • Development • Production
  85. Production
  86. (image slide)
  87. Context: Production • Run code as fast as possible • All caches enabled • Log only important events • Don't disclose internals • No debug trace • No display errors • TYPO3_CONTEXT=Production (default for TYPO3)
  88. Development
  89. (image slide)
  90. Context: Development • Development speed is more important than application speed • All caches disabled • Log debug output • Disclose all internals • Complete debug trace • Display all errors • TYPO3_CONTEXT=Development
  91. Environment / Context: Configuration matrix
      Environment   Prod context              Dev context
      Live          cache=true  db=live       n/a
      Staging       cache=true  db=staging    cache=false db=staging
      Testing       cache=true  db=test       cache=false db=test
      Dev           cache=true  db=dev        cache=false db=dev
  92. TYPO3's current configuration concept is limited
  93. Context
  94. TYPO3_CONTEXT
  95. What happens if you change TYPO3_CONTEXT?
  96. (Almost) Nothing
  97. Context: How to really switch config from prod to dev? • Set the TYPO3_CONTEXT env var in the web server • Look up the install tool password • Log into the install tool • Go to "Presets" • Select the "Debug" preset • Select "Debug" in the preset • Save • Disable caches in AdditionalConfiguration.php
  98. (image slide)
  99. (image slide)
  100. (image slide)
  101. Environment
  102. LocalConfiguration.php
  103. AdditionalConfiguration.php
  104. Environment / Context: Introducing a more powerful concept • Allow splitting configuration into multiple files • Allow pulling in environment variables • Allow alternative configuration formats (not only PHP files) • Allow processing configuration • Clearly distinguish between production and development context
  105. helhum/typo3-config-handling
  106. Environment / Context: helhum/typo3-config-handling • Allows splitting configuration into multiple files • Allows pulling in environment variables • Allows alternative configuration file formats (not only PHP files) • Allows processing configuration • Clearly distinguishes between prod and dev config
  107. Environment / Context: helhum/typo3-config-handling • Integrates seamlessly into TYPO3 via AdditionalConfiguration.php • Integrates into the Composer build process and TYPO3 Console • TYPO3 8.7 only • Planned to be integrated into TYPO3 9 LTS
  108. Yaml
  109. Environment / Context: Importing multiple configuration files
      imports:
        - { resource: 'includes/*.yaml', type: glob }
        - { resource: 'local.settings.yaml' }
  110. Environment / Context: Pulling in environment variables
      value: '%env(TYPO3_INSTALL_DB_USER)%'
  111. Different config file for development context
  112. TYPO3_CONTEXT=Development • TYPO3_CONTEXT=Production
  113. helhum/dotenv-connector
  114. Populate env vars in .env file
  115. How to switch from prod to dev context?
  116. Write "Development" in .env file
  117. Write "Development" in .env file
  118. Demo
  119. Your perfect TYPO3 Distribution: Features • Secure web root with only needed code • Convenient during development • Easy onboarding • Pluggable • Future proof
  120. No animals were harmed when creating this presentation
  121. Thanks!
  122. Your Perfect TYPO3 Distribution: References • https://asciinema.org/a/188348 • https://asciinema.org/a/188375 • Images • https://9gag.com/ • http://www.royalcanin.in • http://happypasta.wikia.com/ • http://emmayajewel.com/ • https://ittybitty.city/