Tagged: domain Toggle Comment Threads | Keyboard Shortcuts

  • Wang 22:37 on 2019-04-10 Permalink | Reply
    Tags: domain, ,   

    Https certificate 

    There’s 3 kinds of https cerfiticate: DV(Domain validated), OV(Organization validated), EV(Organization validated).

    DV

    Most widely used SSL certificate, they only validate the domain name.

    OV

    Require more validation than DV certificate, there’s detail organization informations on certificate.

    EV

    Highest level of SSL/TLS certificate, browser will display organization’s name.

     
  • Wang 22:30 on 2018-10-15 Permalink | Reply
    Tags: , , , domain,   

    Jenkins pipeline & kubernetes 

    We build deployment pipeline by Jenkins, Git, Maven, Docker, JFrog, Kubernetes, Slack, below is overall process:

    develop -> create branch -> push code -> git hook -> jenkins build -> code check -> unit test -> docker build -> push docker image -> deploy -> notificationa
    

    For every project we generate pipeline scripts by JHipster like this:

    ci contains docker related scripts, cd contains kubernetes related scripts.

    We configured Jenkins to scan projects from git automatically which followed naming rule, if any changes on git, Jenkins will pull the code and start building.

     
  • Wang 22:43 on 2018-10-08 Permalink | Reply
    Tags: , , , , domain, , ,   

    Nginx ingress in kubernetes 

    There are 3 ways to expose your service: NodePort, LoadBalancer, Ingress, next I will introduce about how to use ingress.

    1.Deploy ingress controller

    You need deploy ingress controller at first which will start nginx pods, then nginx will bind domains and listen to the requests.

    I built a common ingress chart for different service, I only need change values-<service>.yaml and deploy script if any changes.

    Another key point is that you must be clear about ingress-class, different service use different ingress-class, it will be quite messy if you mistake them.

    args:
      - /nginx-ingress-controller
      - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
      - --configmap=$(POD_NAMESPACE)/nginx-configuration
      - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
      - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
      - --ingress-class={{ .Values.server.namespace }}
      - --sort-backends=true
    

    2.Configure service ingress

    Next we need configure service ingress which will append nginx server configuration dynamically.

    I also built a service chart which include environment configurations, Jenkins & Helm will use different values-<env>.yaml when execute pipeline deployment.

    Ingress example:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: {{ .Values.app.name }}{{ .Values.deploy.subfix }}
      namespace: {{ .Values.app.namespace }}
      annotations:
        kubernetes.io/ingress.class: "{{ .Values.ingress.class }}"
        kubernetes.io/tls-acme: "true"
        nginx.ingress.kubernetes.io/enable-cors: "false"
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/proxy-body-size: 10m
    spec:
      rules:
      - host: {{ .Values.ingress.hostname }}
        http:
          paths:
          - path: {{ .Values.ingress.path }}
            backend:
              serviceName: {{ .Values.app.name }}{{ .Values.deploy.subfix }}
              servicePort: {{ .Values.container.port }}
    
    
     
  • Wang 23:42 on 2018-05-11 Permalink | Reply
    Tags: , , , domain,   

    Website down 

    Today I received alert email suddenly which said my blog site went down…😂😂😂

    So I logged in server and checked containers’s status, everything looked fine

    [root@blog xiaowang]# docker stack ps blog
    ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE            ERROR               PORTS
    qwsjjol3jk2f        blog_mysql.1        mysql:5.7           blog                Running             Running 15 days ago                       
    n9gbil4zcavy        blog_nginx.1        nginx:1.13.8        blog                Running             Running 15 days ago                       
    hg778gcc35vz        blog_wordpress.1    wordpress:4.9.1     blog                Running             Running 15 days ago
    

    When I checked the port, everything also looked fine

    [root@blog xiaowang]# netstat -tuapn | egrep '80|443'
    tcp6       4      0 :::80                   :::*                    LISTEN      12146/dockerd       
    tcp6       2      0 :::443                  :::*                    LISTEN      12146/dockerd       
    tcp6      74      0 ::1:80                  ::1:47352               CLOSE_WAIT  -                   
    tcp6       3      0 ::1:80                  ::1:47348               CLOSE_WAIT  -                   
    tcp6      74      0 ::1:80                  ::1:47402               CLOSE_WAIT  -                   
    tcp6      78      0 ::1:443                 ::1:56994               CLOSE_WAIT  -                   
    tcp6      78      0 ::1:443                 ::1:56944               CLOSE_WAIT  -                   
    tcp6      74      0 ::1:80                  ::1:47350               CLOSE_WAIT  -
    

    But when I executed “curl http://localhost, it was blocked, so I guess something wrong with local network.

    After checking I executed “sysctl -w net.ipv4.ip_forward=1” to enable ip forward, and I finally could access the port. So I executed “echo “net.ipv4.ip_forward=1″ >> /etc/sysctl.conf” to make it permanent.

    I’m using google cloud, I guess maybe they have reset the network which I didn’t make it permanent before.

     
  • Wang 22:12 on 2018-04-05 Permalink | Reply
    Tags: , domain, ,   

    Test https on blog 

    After applying certification on Let’s Encrypt, I tested the certification and generated the report.

     
  • Wang 19:05 on 2018-01-20 Permalink | Reply
    Tags: aliyun, , domain, ,   

    Proxy Aliyun’s domain to AWS’s server 

    I registed my domain “wanghongmeng.com” on Aliyun, and applied free EC2 server for one year on AWS.

    After building my blog on AWS, I set A parse to the server’s IP of AWS.

    But yesterday I received email from Aliyun which said that my server was not in Aliyun after they checking, it was not allowed, I have to miggrate my blog server to Aliyun, otherwise they will undo my authority number.

    After thinking about this, for saving money(Aliyun is not free for one year), I solved it by the way below:

    1.Set A parse to my friend’s server ip which was bought in Aliyun

    2.Add a piece of configuration in his nginx.conf:

    server {
        listen  80;
        server_name  wanghongmeng.com www.wanghongmeng.com;
    
        location / {
            rewrite ^/(.*)$ https://$server_name/$1 permanent;
        }
    }
    
    server {
        listen 443;
        server_name wanghongmeng.com www.wanghongmeng.com;
        ssl on;
        ssl_certificate "Location of Pem File";
        ssl_certificate_key "Location of Key File";
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "Your Algorithm";
        ssl_session_cache shared:SSL:50m;
        ssl_prefer_server_ciphers on;
    
        location / {
            proxy_pass  http://AWS's IP:443/;
        }
    }
    

    3.Expose 443 port on my AWS, and only accept requests from my friend’s server IP:

    server {
        listen  443;
        
        set $flag 0;
        if ($host = 'www.wanghongmeng.com') {
            set $flag 1;
        }
        if ($host = 'wanghongmeng.com') {
            set $flag 1;
        }
        if ($flag = 0){
            return 403;
        }    
        
        location / {
            allow "My Friend's Server IP";
            proxy_pass  http://blog-ip;
        }
    }
    

    Things done! 😀😀

     
  • Wang 18:29 on 2018-01-13 Permalink | Reply
    Tags: domain, ,   

    Prevent web site being mirrored 

    I thought something before, when I check nginx’s log, I found a wired hostname.

    After checking, I think our website was mirrored.

    I think they parsed their domain by CNAME to our domain, and we don’t do any host check at that time.

    To prevent being mirrored again, I add host check configuration in nginx.conf

    set $flag 0;
    if ($host = 'www.wanghongmeng.com') {
        set $flag 1;
    }
    if ($host = 'wanghongmeng.com') {
        set $flag 1;
    }
    if ($flag = 0){
        return 403;
    }
    

    By adding this, nginx will check every request to see if it’s from our domain, if not, return 403 response code.

    After this, our website was no longer mirrored again.

    Nginx Version: 1.9.12

     
c
Compose new post
j
Next post/Next comment
k
Previous post/Previous comment
r
Reply
e
Edit
o
Show/Hide comments
t
Go to top
l
Go to login
h
Show/Hide help
shift + esc
Cancel
%d bloggers like this: