Your perfect TYPO3 Distribution

Transcript

1. Your perfect TYPO3 Distribution Helmut Hummel <[email protected]> Inspiring people to

   share Your perfect TYPO3 Distribution

2. Teaser 2

3. 3 @helhum

4. Lightning Talk Your perfect TYPO3 Distribution • Focus • Productivity

   • Reliability • Security • Features • Environment aware • Context aware • Pluggable 4

5. Your perfect TYPO3 Distribution Target Audience • Little bit of

   composer knowledge • Not command line agnostic • Interest in simplifying and automating development workflows 5

6. Your perfect TYPO3 Distribution Disclaimer • Can contain traces of

   • Butterflies • Rainbows • Unicorns • Kittens 6

7. 7 @helhum

8. What's Perfect? 8

9. 9

10. Not everybody loves ButterflyRainbowUnicornKittens 10

11. And I like to change that! 11

12. Purrrfect TYPO3 Distribution 12

13. Reliability 13

14. 14 Security

15. 15 Environment

16. 16 Context

17. Reliability 17

18. Reproducible 18

19. Easily Reproducible 19

20. Bundle all code 20

21. Bundle all configuration 21

22. Ship a (short!) README 22

23. $short < 10 lines 23

24. How to achieve reliability? 24

25. Version Control 25 !!!

26. GIT 26

27. One repository 27

28. What about third party code? 28

29. Only commit what you maintain 29

30. How to bundle third party code then? 30

31. Reliability Bundling third party code • Describe your dependencies to

    third party code in a file • Specify a version number for every library • Use a tool to evaluate that, fetches the dependencies and puts them into your bundle • Maybe we could use XML or JSON format for that … • … • Wait, what? • Isn't there a tool for that already? 31

32. Composer 32

33. Reliability Composer • Resolves dependencies recursively • Fetches the code

    effectively • Puts everything in place • Let's you directly use third party code • Reproduces exact same state on consecutive installs 33

34. composer require bugatti/car 34

35. 35

36. composer require typo3/cms 36

37. 37

38. Add composer.lock to version control 38

39. The only generated file you should commit 39

40. But what about PackageStates.php? 40

41. Reliability PackageStates.php • Used by TYPO3 to track which extensions

    should be "active" • Why would you install code, but mark it as "inactive"? • typo3/cms comes with ALL TYPO3 system extensions • But you never need all system extensions in a project 41

42. TYPO3 Console 42

43. composer require helhum/typo3-console 43

44. typo3cms install:generatepackagestates 44

45. 45 "require": { "helhum/typo3-console": "^5.4", "typo3/cms": "^8.7", "typo3/cms-rte-ckeditor": "^8.7" },

    "scripts": { "post-autoload-dump": [ "typo3cms install:generatepackagestates" ] }

46. What you need, is defined in composer.json 46

47. Now make it more convenient 47

48. composer require typo3-console/composer-auto-commands 48

49. typo3cms install:generatepackagestates 49

50. typo3cms install:fixfolderstructure 50

51. typo3cms install:extensionsetupifpossible 51

52. 52 "require": { "helhum/typo3-console": "^5.4", "typo3/cms": "^8.7", "typo3/cms-rte-ckeditor": "^8.7" },

    "scripts": { "post-autoload-dump": [ "typo3cms install:generatepackagestates", "typo3cms install:fixfolderstructure", "typo3cms install:extensionsetupifpossible" ] }

53. 53 "require": { "helhum/typo3-console": "^5.4", "typo3-console/composer-auto-commands": "^0.1.0", "typo3/cms": "^8.7", "typo3/cms-rte-ckeditor":

    "^8.7" }

54. Reliability Benefits • Less cluttered composer.json • Can be a

    nested requirement • Platform agnostic • (works with Windows) 54

55. composer require --dev typo3-console/php-server-command 55

56. composer require --dev \ typo3-console/composer-typo3-auto-install 56

57. Demo 57

58. Reliability Recap • Use version control (git) • Use one

    repository for a project • Only commit what you maintain (but commit composer.lock) • Fetch dependencies with Composer • Let TYPO3 Console generate PackageStates.php • Let TYPO3 Console generate folder structure • Let TYPO3 Console set up extensions on "composer install" 58

59. But we're still installing code we don't need 59

60. That is not good, because … 60

61. 61 Security

62. Why to avoid installing code you don't need? 62

63. Every security flaw is a bug in code 63

64. Every code has bugs 64

65. Every code potentially has security flaws 65

66. 100% secure code is NO code 66

67. TYPO3 Subtree Split 67

68. Security TYPO3 Subtree split • Every core extension is available

    as individual composer package • typo3/cms-core, typo3/cms-backend, … • All TYPO3 versions starting from 8.7.9 are available • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0) • If you have composer based TYPO3 8.7 projects, use it NOW • No symlinks required any more • Packages are directly installed in typo3/sysext 68

69. But there is more … 69

70. Attack Surface 70

71. Information Disclosure 71

72. Every additional file in your document root increases the attack

    surface and is potentially leaking private information 72

73. How does our current document root look like? 73

74. 74 $ ll total 208 drwxr-xr-x 11 helmut staff 374

    Jun 20 22:10 . drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 .. drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git -rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore -rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json -rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock -rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3 drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor

75. How to fix that? 75

76. Security Step 1 76 "extra": { "typo3/cms": { "web-dir": "public"

    } }

77. Security Step 2 77 "extra": { "typo3/cms": { "root-dir": "private",

    "web-dir": "public" } }

78. Security Step 3 78 composer require helhum/typo3-secure-web

79. Demo 79

80. Security Recap • Only install code that you need •

    Don't expose vendor directory • Neither expose composer.lock nor composer.json • Don't expose private resources • Only expose public resources and defined entry points • Your TYPO3 document root should only contain 3 PHP files • index.php, typo3/index.php, typo3/install.php • Public assets (icons, css, js, …) 80

81. 81 Environment

82. Environment TYPO3 need to run in multiple environments • Developer

    system • Staging • Testing • Live 82

83. 83 Context

84. Context TYPO3 should be aware of two contexts • Development

    • Production 84

85. Production 85

86. 86

87. Context Production • Run code as fast as possible •

    All caches enabled • Log only important events • Don't disclose internals • No debug trace • No display errors • TYPO3_CONTEXT=Production (default for TYPO3) 87

88. Development 88

89. 89

90. Context Development • Development speed is more important than application

    speed • All caches disabled • Log debug output • Disclose all internals • Complete debug trace • Display all errors • TYPO3_CONTEXT=Development 90

91. Environment / Context Configuration matrix 91 Prod Dev Live cache=true

    db=live x/x Staging cache=true db=staging cache=false db=staging Testing cache=true db=test cache=false db=test Dev cache=true db=dev cache=false db=dev

92. TYPO3's current configuration concept is limited 92

93. 93 Context

94. TYPO3_CONTEXT 94

95. What happens if you change TYPO3_CONTEXT? 95

96. (Almost) Nothing 96

97. Context How to really switch config from prod to dev?

    • Set TYPO3_CONTEXT env var in web server • Look up install tool password • Log into install tool • Go to "Presets" • Select "Debug" preset • Select "Debug" in the preset • Save • Disable Caches in AdditionalConfiguration.php 97

98. 98

99. 99

100. 100

101. 101 Environment

102. LocalConfiguration.php 102

103. AdditionalConfiguration.php 103

104. Introducing a more powerful concept • Allow splitting configuration into

     multiple files • Allow pulling in environment variables • Allow alternative configuration formats (not only PHP files) • Allow processing configuration • Clearly distinguish between production and development context 104 Environment / Context

105. helhum/typo3-config-handling 105

106. helhum/typo3-config-handling • Allows splitting configuration into multiple files • Allows

     pulling in environment variables • Allows alternative configuration file formats (not only PHP files) • Allows processing configuration • Clearly distinguishes between prod and dev config 106 Environment / Context

107. helhum/typo3-config-handling • Integrates seamlessly into TYPO3 via AdditionalConfiguration.php • Integrates

     into composer build process and TYPO3 Console • TYPO3 8.7 only • Planned to be integrated into TYPO3 9 LTS 107 Environment / Context

108. Yaml 108

109. Importing multiple configuration files 109 imports: - { resource: 'includes/*.yaml',

     type: glob } - { resource: 'local.settings.yaml' } Environment / Context

110. Pulling in environment variables 110 value: '%env(TYPO3_INSTALL_DB_USER)%' Environment / Context

111. Different config file for development context 111

112. 112 TYPO3_CONTEXT=Development TYPO3_CONTEXT=Production

113. helhum/dotenv-connector 113

114. Populate env vars in .env file 114

115. How to switch from prod to dev context? 115

116. Write "Development" in .env file 116

117. Write "Development" in .env file 117

118. Demo 118

119. Your perfect TYPO3 Distribution Features • Secure web root with

     only needed code • Convenient during development • Easy onbording • Pluggable • Future proof 119

120. No animals were harmed when creating this presentation 120

121. Thanks! 121

122. Your Perfect TYPO3 Distribution References • https://asciinema.org/a/188348 • https://asciinema.org/a/188375 •

     Images • https://9gag.com/ • http://www.royalcanin.in • http://happypasta.wikia.com/ • http://emmayajewel.com/ • https://ittybitty.city/ 122