Slide 1
Slide 1 text
Server Survival
hi!
@fideloper
serversforhackers.com
Slide 2
Slide 2 text
Server Survival
Server Survival
Slide 3
Slide 3 text
Goal:
(don’t memorize)
understand
Slide 4
Slide 4 text
Programming Stuff Server Mechanics
Semi-Ridiculous Chart of
Learning Curves
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
annoying server things
security
supervision
network
permissions
Slide 7
Slide 7 text
Security
enjoying your new server responsibly
Slide 8
Slide 8 text
No content
Slide 9
Slide 9 text
Protection
Process
Compliance
Security “Levels”
Slide 10
Slide 10 text
Protection
Slide 11
Slide 11 text
access
network
Security “Levels”
basics
Slide 12
Slide 12 text
Security “Levels”
don’t be root
don’t (only) use passwords
user security
Slide 13
Slide 13 text
user & access
new user
new ssh key
$ sudo adduser fideloper
$ sudo usermod -a -G sudo fideloper
$ ssh-keygen -t rsa -b 4096
Slide 14
Slide 14 text
$ ssh-keygen -t rsa -b 4096 \
-f id_whatever
$ ssh-copy-id -i ~/.ssh/id_whatever \
fideloper@
(added to ~/.ssh/authorized_keys file)
user & access
Slide 15
Slide 15 text
/etc/ssh/sshd_config
Port 22 (or) 1234
PermitRootLogin no (or) without-password
PasswordAuthentication no
AllowGroups some-group
ssh access
($ sudo service ssh restart)
Slide 16
Slide 16 text
firewall
network
Slide 17
Slide 17 text
sudo iptables -L -v
firewall
Slide 18
Slide 18 text
firewall
sudo iptables -A INPUT -i lo \
-j ACCEPT
sudo iptables -A INPUT -m conntrack \
—ctstate RELATED,ESTABLISHED -j ACCEPT
Slide 19
Slide 19 text
firewall
sudo iptables -A INPUT -p tcp --dport 22 \
-j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 \
-j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 \
-j ACCEPT
sudo iptables -A INPUT -j DROP
Slide 20
Slide 20 text
firewall
Slide 21
Slide 21 text
firewall
drop v reject
default policy
$ iptables … -j REJECT
$ iptables \
--policy INPUT DROP
Slide 22
Slide 22 text
(note: services)
$ cat /etc/services | grep http
http 80/tcp
https 443/tcp
http-alt 8080/tcp
Slide 23
Slide 23 text
firewall
sudo apt-get install -y \
iptables-persistent
sudo service \
iptables-persistent save
Slide 24
Slide 24 text
firewall
sudo iptables-save > rules.v4
cat rules.v4 | iptables-restore
Slide 25
Slide 25 text
firewall
sudo ip6tables -L -v
sudo ip6tables-save > rules.v6
echo rules.v6 | ip6tables-restore
Slide 26
Slide 26 text
$ sudo apt-get install -y \
fail2ban
fail2ban
1. monitors logs
2. bans IPs
Slide 27
Slide 27 text
fail2ban
Slide 28
Slide 28 text
auto upgrades
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Automatic-Reboot "false";
$ sudo apt-get install -y \
unattended-upgrades
files: /etc/apt/apt.conf.d
Slide 29
Slide 29 text
¡more!
There’s always more
SELinux / AppArmor
2FA for SSH
Securing “secrets” (.env)
Strong PW Enforcement
(But don’t freak out about it)
Slide 30
Slide 30 text
Process
Slide 31
Slide 31 text
policy
legit, send me
that password,
kthnx.
Hi!
I’m *totally*
Slide 32
Slide 32 text
policy
Define what &
how you’re able to
send to people.
Slide 33
Slide 33 text
policy
Define what happens
when people
leave.
Slide 34
Slide 34 text
policy
Define what happens
when new people
come.
Slide 35
Slide 35 text
policy
Decide on
“key rotation”
(and similar access changes)
Slide 36
Slide 36 text
policy
policy + automation
= time
=
Slide 37
Slide 37 text
auditing
aggregate logs ()
Slide 38
Slide 38 text
No content
Slide 39
Slide 39 text
Compliance
Slide 40
Slide 40 text
Security “Levels”
regulation
• HIPPA/HITECH (health)
• PCI (ecommerce/credit cards)
• FERPA (education)
• Many, many more
Slide 41
Slide 41 text
Security “Levels”
regulation
• Audits
• Paper work
• And general security
Slide 42
Slide 42 text
how far to go?
“what should I
care about?”
Slide 43
Slide 43 text
supervision
Slide 44
Slide 44 text
fid@host:~# sudo systemctl status ssh
systemctl status
systemctl start
systemctl stop
systemctl enable
systemctl disable
systemd
Slide 45
Slide 45 text
fid@host:~# sudo service ssh status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; \
vendor preset: enabled)
Active: active (running) since Fri 2016-07-22 19:46:40 EDT; 1h 27min ago
Main PID: 2493 (sshd)
CGroup: /system.slice/ssh.service
├─ 2493 /usr/sbin/sshd -D
├─14218 sshd: root [priv]
└─14219 sshd: root [net]
Jul 22 21:13:28 host sshd[14114]: Accepted password for root from 76.185.167.253
port 56786 ssh2
Jul 22 21:13:28 host sshd[14114]: pam_unix(sshd:session): session opened for user
root by (uid=0)
systemd
Slide 46
Slide 46 text
systemd
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target
Alias=sshd.service /lib/systemd/system/ssh.service
Slide 47
Slide 47 text
systemd
[Unit]
Description=Laravel Queue
[Service]
User=forge
Group=forge
Restart=on-failure
WorkingDirectory=/home/user/forge/mysite.com/current
ExecStart=/usr/bin/php artisan queue:work --daemon
[Install]
WantedBy=multi-user.target
/lib/systemd/system/laravel.service
Slide 48
Slide 48 text
fid:~# sudo systemctl enable laravel
fid:~# sudo systemctl start laravel
fid:~# sudo systemctl status laravel
systemd
Slide 49
Slide 49 text
supervisord
fid@spr:~# sudo apt-get install -y supervisor
fid@spr:~# sudo systemctl start supervisor
Slide 50
Slide 50 text
supervisord
fid@spr:~# sudo systemctl status supervisor
● supervisor.service - Supervisor process control system for
UNIX
Loaded: loaded (/lib/systemd/system/supervisor.service;
disabled; vendor preset: enabled)
Active: active (running) since Tue 2016-07-26 17:13:54 EDT;
3s ago
Docs: http://supervisord.org
Main PID: 3712 (supervisord)
Tasks: 1
Memory: 11.1M
CPU: 216ms
CGroup: /system.slice/supervisor.service
!"3712 /usr/bin/python /usr/bin/supervisord -n -c /
etc/supervisor/supervisord.conf
Jul 26 17:13:54 spr systemd[1]: Started Supervisor process
control system for UNIX.
Slide 51
Slide 51 text
[program:lara_queue]
command=php artisan queue:work --daemon
directory=/home/forge/app.com/current
autostart=true
autorestart=true
startretries=3
redirect_stderr=true
stdout_logfile=/home/forge/…/logs/queue.log
user=forge
numproc=4
supervisord
/etc/supervisor/conf.d/lara_q.conf
Slide 52
Slide 52 text
forge: supervisord
Slide 53
Slide 53 text
forge: supervisord
any old daemon
Slide 54
Slide 54 text
Network
Slide 55
Slide 55 text
ifconfig
Slide 56
Slide 56 text
ifconfig
private network
f@db:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 04:01:31:20:63:01
inet addr:162.243.164.216 Bcast:162.243.164.255 Mask:255.255.255.0
inet6 addr: fe80::601:31ff:fe20:6301/64 Scope:Link
…
eth1 Link encap:Ethernet HWaddr 04:01:31:20:63:02
inet addr:10.136.11.155 Bcast:10.136.255.255 Mask:255.255.0.0
inet6 addr: fe80::601:31ff:fe20:6302/64 Scope:Link
…
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
…
Slide 57
Slide 57 text
network binding
a tcp socket:
:
a unix socket:
unix://path/to/file.sock
Slide 58
Slide 58 text
network binding
forge@site:~$ netstat -ap | grep http
tcp 0 0 *:http *:* LISTEN 3797/nginx: worker
tcp 0 0 *:https *:* LISTEN 3797/nginx: worker
Slide 59
Slide 59 text
network binding
Slide 60
Slide 60 text
network: mysql
unix socket
Slide 61
Slide 61 text
tcp socket
network: mysql
Slide 62
Slide 62 text
localhost != 127.0.0.1
(in mysql)
network: mysql
Slide 63
Slide 63 text
network: mysql
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 10.136.11.155
f@db:~$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
f@db:~$ mysql -h 127.0.0.1 -u root -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on
'127.0.0.1' (111)
✅
Slide 64
Slide 64 text
network: mysql
f@db:~$ mysql -h 10.136.11.155 -u root -p
Enter password:
ERROR 1130 (HY000): Host '10.136.11.155' is not allowed
to connect to this MySQL server
f@db:~$ mysql -u root -p -e "create user root@'10.136.11.155'
identified by 'root';"
Enter password:
f@db:~$ mysql -h 10.136.11.155 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
✅
Slide 65
Slide 65 text
network
but normally it is
Slide 66
Slide 66 text
1.Find networks (interfaces)
2.Learn about socket types
3.See examples of mysql
4.Future: Permissions in Forge
network
review
Slide 67
Slide 67 text
Permissions
Slide 68
Slide 68 text
who can do things
user - file/dir owner
group - file/dir group - shared
permissions!
other - anyone else
Slide 69
Slide 69 text
what can they do
read - read file, list directory
write - write to file, add new file/dir
execute - execute command, cd into
Slide 70
Slide 70 text
usr@hst:~$ chown -R www-data:www-data \
/var/www/example.com
usr@hst:~$ chmod -R u=rwx,g=rx,o=rx \
/var/www/example.com
usr@hst:~$ chmod -R u=rwx,go=rx \
/var/www/example.com
usr@hst:$ chmod ug+x,o-x \
/var/www/example.com/artisan
setting permissions
Slide 71
Slide 71 text
d rwx r-x r-x
dir user group other
permissions
Slide 72
Slide 72 text
- rwx r-x r-x
file user group other
permissions
Slide 73
Slide 73 text
user@host:/var/www$ ls -lAh
total 4.0K
drwxrwxr-x 2 deploy www-data 4.0K Jul 10 21:43 example.com
example
d rwx rwx r-x
deploy : www-data
Slide 74
Slide 74 text
usr@host:/var/www$ ps axf o pid,user,group,comm \
| grep -i '[n]ginx\|[p]hp'
4290 root root nginx
4291 www-data www-data \_ nginx
2887 root root php-fpm7.0
2889 www-data www-data \_ php-fpm7.0
2890 www-data www-data \_ php-fpm7.0
not just files
Slide 75
Slide 75 text
user@host:/var/www$ ls -lAh
total 4.0K
drwxrwxr-x 2 deploy www-data 4.0K Jul 10 21:43 example.com
php + web files
Slide 76
Slide 76 text
remember
files owned by www-data
then
run php as www-data
$ sudo -u www-data php artisan foo:bar
Slide 77
Slide 77 text
Just Works™
Slide 78
Slide 78 text
web files
there’s no place like
forge@host:~/store.helpspot.com/current$ ls -lAh
drwxrwxr-x 15 forge forge app
-rwxrwxr-x 1 forge forge artisan
drwxrwxr-x 3 forge forge bootstrap
-rw-rw-r-- 1 forge forge composer.json
-rw-rw-r-- 1 forge forge composer.lock
Slide 79
Slide 79 text
// File /etc/nginx/nginx.conf
user forge;
worker_processes auto;
pid /run/nginx.pid;
events { … }
http { … }
nginx
Slide 80
Slide 80 text
// File /etc/php5/fpm/pool.d/www.conf
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
user = forge
group = forge
-rw-rw-rw
php-fpm
Slide 81
Slide 81 text
// File /etc/php5/fpm/pool.d/www.conf
listen = 127.0.0.1:9000
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
user = forge
group = forge
php-fpm
Slide 82
Slide 82 text
web files
there’s no place like
forge@host:~/store.helpspot.com/current$ ls -lAh
drwxrwxr-x 15 forge forge app
-rwxrwxr-x 1 forge forge artisan
drwxrwxr-x 3 forge forge bootstrap
-rw-rw-r-- 1 forge forge composer.json
-rw-rw-r-- 1 forge forge composer.lock
Slide 83
Slide 83 text
There’s More!
ACLs
Slide 84
Slide 84 text
ACL
Slide 85
Slide 85 text
ACL
ACL Defaults
Slide 86
Slide 86 text
$ sudo setfacl -Rm \
> g:www-data:rwx,d:g:www-data:rwx \
> /var/www/html
ACL
Slide 87
Slide 87 text
ACL
Owned by root
Group www-data:rwx
Slide 88
Slide 88 text
ACL
User-based!
Slide 89
Slide 89 text
Server Survival
thanks!
@fideloper
serversforhackers.com
Slide 90
Slide 90 text
pkg managers
1. searching
2. installing
Slide 91
Slide 91 text
pkg managers
apt-get & apt
sudo apt-get update
sudo apt update
sudo apt-get install whatever
sudo apt install whatever
Slide 92
Slide 92 text
pkg managers
search
sudo apt search mysql-server
ubuntu@host:~$ apt search mysql-server
mysql-server/trusty-updates,trusty-security 5.5.49-0…
mysql-server-5.5/trusty-updates,trusty-security
MySQL database server binaries and system database setup
mysql-server-5.6/trusty-updates,trusty-security
MySQL database server binaries and system database setup
Slide 93
Slide 93 text
pkg managers
show
sudo apt show -a \
mysql-server-5.6
Package: mysql-server-5.6
Version: 5.6.30-0ubuntu0.14.04.1
Package: mysql-server-5.6
Version: 5.6.16-1~exp1
Slide 94
Slide 94 text
pkg managers
policy
sudo apt-cache policy \
mysql-server-5.6
mysql-server-5.6:
Installed: (none)
Candidate: 5.6.30-0ubuntu0.14.04.1
Version table:
5.6.30-0ubuntu0.14.04.1 0
500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/
trusty-updates/universe amd64 Packages
500 http://security.ubuntu.com/ubuntu/
trusty-security/universe amd64 Packages
5.6.16-1~exp1 0
500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/
trusty/universe amd64 Packages
Slide 95
Slide 95 text
pkg managers
package=version
sudo apt-get install \
mysql-server-5.6=5.6.16-1~exp1
Slide 96
Slide 96 text
pkg managers
repositories
sudo add-apt-repository \
ppa:ondrej/php
Slide 97
Slide 97 text
pkg managers
ubuntu@host: /etc/apt/sources.list.d $ ls -lah
-rw-r--r-- 1 root root ondrej-ubuntu-php-xenial.list
ubuntu@host: /etc/apt/sources.list.d $ cat \
ondrej-ubuntu-php-xenial.list
deb http://ppa.launchpad.net/ondrej/php/ubuntu xenial main
# deb-src http://ppa.launchpad.net/ondrej/php/ubuntu xenial main
repositories
Slide 98
Slide 98 text
pkg managers
ubuntu@host: ~ sudo apt-key adv --recv-keys --keyserver \
hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
ubuntu@host: ~ echo 'deb http://ftp.utexas.edu/mariadb/
repo/10.1/ubuntu xenial main' \
| sudo tee /etc/apt/sources.list.d/mariadb.list
manual install
Slide 99
Slide 99 text
pkg managers
ubuntu@host: /etc/apt $ vim sources.list
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial main restricted
deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial main restricted
# # Major bug fix updates produced after the final release of the
# # distribution.
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial-updates main \
restricted
# # N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# # team. Also, please note that software in universe WILL NOT receive any
# # review or updates from the Ubuntu security team.
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial universe
deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial universe
included repositories
Slide 100
Slide 100 text
pkg managers
repositories
Slide 101
Slide 101 text
–@fideloper
“Am I done now?”
Slide 102
Slide 102 text
DNS & Domains
Slide 103
Slide 103 text
DNS: ¯\_(ツ)_/¯
~~ just *TRY* ~~
to coherently explain
controlling domains
to the average [non-tech-client-whoever]
challenge:
Slide 104
Slide 104 text
¯\_(ツ)_/¯
(we’ll ignore the seedy
secondary market of
domain-squatting asshats)
Slide 105
Slide 105 text
you bought a domain
DNS
Slide 106
Slide 106 text
…but you control it somewhere else
DNS
Slide 107
Slide 107 text
DNS
“somewhere else” points [sub]domains…
somewhere else…
Slide 108
Slide 108 text
this slide intentionally left blank
Slide 109
Slide 109 text
dig
Slide 110
Slide 110 text
dig
mx records
Slide 111
Slide 111 text
nslookup
mx records again
Slide 112
Slide 112 text
Domains + Web Server
Slide 113
Slide 113 text
Domains + Web Server
Slide 114
Slide 114 text
set host header
Slide 115
Slide 115 text
default_server
Slide 116
Slide 116 text
(set host header again)
Slide 117
Slide 117 text
meanwhile, fideloper.com
Slide 118
Slide 118 text
Logs
Slide 119
Slide 119 text
/var/log/*
Slide 120
Slide 120 text
wtf, Vagrant?
less
terrible.
Slide 121
Slide 121 text
fideloper@host ~ vagrant box
Usage: vagrant box []
Available subcommands:
add
list
outdated
remove
repackage
update
boxes (servers)
Slide 122
Slide 122 text
where’s my stuff?
~/.vagrant.d/boxes
~/.vagrant.d/tmp
C:/Users/[USER]/.vagrant.d/boxes
C:/Users/[USER]/.vagrant.d/tmp
Slide 123
Slide 123 text
• ssh by default
• can add your own (but we’ll do better)
port forwarding
SSH Default
Slide 124
Slide 124 text
port forwarding
$ vagrant ssh-config
Just like ~/.ssh/config
Slide 125
Slide 125 text
port forwarding
$ ssh \
> -i /Users/fideloper/…/virtualbox/private_key \
> -p 2222 \
> vagrant@localhost
Slide 126
Slide 126 text
port forwarding
Slide 127
Slide 127 text
port forwarding
(aside: It’s common to forward to port 80)
config.vm.network "forwarded_port", guest: 80, host: 8000
$> curl -I localhost:8000
HTTP/1.1 302 Found
Server: nginx/1.9.9
Content-Type: text/html; charset=UTF-8
Date: Sat, 02 Jul 2016 17:57:49 GMT
Location: http://localhost:8000/login
Slide 128
Slide 128 text
port forwarding
But, two boxes can’t forward to same port!
config.vm.network "forwarded_port", guest: 80, host: 8000
config.vm.network "forwarded_port", guest: 80, host: 8888 ✅
first box:
second box:
Slide 129
Slide 129 text
sequel pro
2.5 Ways to
Connect to MySQL
(without *any* MySQL configuration)
Slide 130
Slide 130 text
sequel pro
1 - Port Forward
config.vm.network "forwarded_port", guest: 3306, host: 33060
Slide 131
Slide 131 text
sequel pro
config.vm.network "forwarded_port", guest: 3306, host: 33060
Slide 132
Slide 132 text
sequel pro
2 - SSH Tunnel
$> ssh -p 2222 \
-i /Users/fideloper/…/virtualbox/private_key \
-L 3306:localhost:3306 vagrant@localhost
Slide 133
Slide 133 text
sequel pro
Slide 134
Slide 134 text
sequel pro
2.5 - SSH Tunnel
Slide 135
Slide 135 text
• 1. Port forwarding (homestead way - easy)
• 2. Manual SSH tunnel
• 3. Sequel Pro SSH Tunnel
Slide 136
Slide 136 text
sequel pro
Remember the SSH Tunnel!
You can use it in production to view a database.
Slide 137
Slide 137 text
file sharing
config.vm.synced_folder “~/Sites", "/home/vagrant/Sites"
default file share
slow with a large # files
Slide 138
Slide 138 text
file sharing
config.vm.synced_folder “~/Sites", "/home/vagrant/Sites",
id: "core",
:nfs => true,
:mount_options => [‘nolock,vers=3,udp,noatime,actimeo=2,fsc']
network file share
handles large # files better
Slide 139
Slide 139 text
file sharing
where to run build steps?
(especially ones that watch files)
Slide 140
Slide 140 text
file sharing
(I’ve actually used Docker for this instead)
docker run --rm \
-v ~/Sites/some-project:/opt \
some_node_img:latest \
gulp watch
Slide 141
Slide 141 text
adding projects
How I made adding a new project painless
(and stopped editing /etc/hosts)
Slide 142
Slide 142 text
adding projects
An annoying process:
Slide 143
Slide 143 text
adding projects
1. Share More Files:
config.vm.synced_folder "~/Sites/a", "/var/www/a"
config.vm.synced_folder "~/Sites/b", “/var/www/b"
Slide 144
Slide 144 text
adding projects
2. Create another server config
vagrant@vagrant:/etc/nginx/sites-available$ sudo cp \
laravel-a laravel-b
vagrant@vagrant:/etc/nginx/sites-available$ sudo vim \
laravel-b
server {
listen 80;
server_name laravel-b.dev;
…
Slide 145
Slide 145 text
adding projects
3. Edit /etc/hosts:
1 ##
2 # Host Database
3 #
4 # localhost is used to configure the loopback interface
5 # when the system is booting. Do not change this entry.
6 ##
7 127.0.0.1 localhost
8 255.255.255.255 broadcasthost
9 ::1 localhost
10
11 192.168.33.10 laravel-a.dev laravel-b.dev
Slide 146
Slide 146 text
adding projects
A better way:
Slide 147
Slide 147 text
adding projects
1. One File Share
config.vm.synced_folder "~/Sites", "/home/vagrant/Sites"
Slide 148
Slide 148 text
adding projects
2. Install DNSMasq
brew install dnsmasq
cd $(brew —prefix) # /usr/local
echo 'address=/.dev/192.168.33.10' > etc/dnsmasq.conf
sudo cp -v $(brew --prefix dnsmasq) \
homebrew.mxcl.dnsmasq.plist /Library/LaunchDaemons
sudo launchctl load -w /Library/LaunchDaemons/ \
homebrew.mxcl.dnsmasq.plist
sudo mkdir -p /etc/resolver
echo "nameserver 127.0.0.1" | sudo tee /etc/resolver/dev
Slide 149
Slide 149 text
adding projects
2. DNSMasq continued
fideloper@Christophers-iMac ~ dig whatever-i-want.dev \
@127.0.0.1
;; QUESTION SECTION:
;whatever-i-want.dev. IN A
;; ANSWER SECTION:
whatever-i-want.dev. 0 IN A 192.168.33.10
Slide 150
Slide 150 text
adding projects
3. Magic Nginx Config
server {
listen 80;
server_name ~^(.*)\.dev$;
set $file_path $1;
root /home/vagrant/Sites/$file_path/public;
index index.html index.htm index.php;
# And so on …
Slide 151
Slide 151 text
adding projects
cd ~/Sites
mkdir -p ~/mysite/public
echo “ mysite/public/index.php
Slide 152
Slide 152 text
[Bonus] Databases
• User/Network Security
• SSH Tunnel
• mysqldump / xtrabackup
Slide 153
Slide 153 text
[Bonus] Vagrant
• Port forwarding
• Configuration
• My Homestead config
• NFS cache
Slide 154
Slide 154 text
[Bonus] Philosophy
• Be ready to throw out a server (Ansible)
• Docker is not your first answer without ops people