Tagged: Domain

  • Wang 22:37 on 2019-04-10
    Tags: Domain

    HTTPS certificate

    There are 3 kinds of HTTPS certificate: DV (Domain Validated), OV (Organization Validated) and EV (Extended Validation).

    DV

    The most widely used type of SSL certificate; only the domain name is validated.

    OV

    Requires more validation than a DV certificate; the certificate contains detailed organization information.

    EV

    The highest level of SSL/TLS certificate; the browser will display the organization’s name.

     
  • Wang 22:30 on 2018-10-15
    Tags: Domain

    Jenkins pipeline & kubernetes 

    We build our deployment pipeline with Jenkins, Git, Maven, Docker, JFrog, Kubernetes and Slack. The overall process is:

    develop -> create branch -> push code -> git hook -> jenkins build -> code check -> unit test -> docker build -> push docker image -> deploy -> notification
    

    For every project we generate pipeline scripts with JHipster like this:

    ci contains the Docker-related scripts; cd contains the Kubernetes-related scripts.

    We configured Jenkins to automatically scan Git for projects that follow the naming rule; if anything changes in Git, Jenkins pulls the code and starts building.

     
  • Wang 22:43 on 2018-10-08
    Tags: Domain

    Nginx ingress in kubernetes 

    There are 3 ways to expose your service: NodePort, LoadBalancer and Ingress. Next I will introduce how to use Ingress.

    1. Deploy ingress controller

    You need to deploy the ingress controller first, which starts the nginx pods; nginx then binds the domains and listens for requests.

    I built a common ingress chart for different services; I only need to change values-<service>.yaml and the deploy script if anything changes.

    Another key point is that you must be clear about ingress-class: different services use different ingress classes, and it will be quite messy if you mix them up.

    args:
      - /nginx-ingress-controller
      - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
      - --configmap=$(POD_NAMESPACE)/nginx-configuration
      - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
      - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
      - --ingress-class={{ .Values.server.namespace }}
      - --sort-backends=true
    

    2. Configure service ingress

    Next we need to configure the service ingress, which appends to the nginx server configuration dynamically.

    I also built a service chart which includes the environment configurations; Jenkins & Helm use a different values-<env>.yaml when executing the pipeline deployment.

    Ingress example:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: {{ .Values.app.name }}{{ .Values.deploy.subfix }}
      namespace: {{ .Values.app.namespace }}
      annotations:
        kubernetes.io/ingress.class: "{{ .Values.ingress.class }}"
        kubernetes.io/tls-acme: "true"
        nginx.ingress.kubernetes.io/enable-cors: "false"
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/proxy-body-size: 10m
    spec:
      rules:
      - host: {{ .Values.ingress.hostname }}
        http:
          paths:
          - path: {{ .Values.ingress.path }}
            backend:
              serviceName: {{ .Values.app.name }}{{ .Values.deploy.subfix }}
              servicePort: {{ .Values.container.port }}
    
    
     
  • Wang 23:42 on 2018-05-11
    Tags: Domain

    Website down 

    Today I suddenly received an alert email which said my blog site had gone down…😂😂😂

    So I logged in to the server and checked the containers’ status; everything looked fine

    [root@blog xiaowang]# docker stack ps blog
    ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE            ERROR               PORTS
    qwsjjol3jk2f        blog_mysql.1        mysql:5.7           blog                Running             Running 15 days ago                       
    n9gbil4zcavy        blog_nginx.1        nginx:1.13.8        blog                Running             Running 15 days ago                       
    hg778gcc35vz        blog_wordpress.1    wordpress:4.9.1     blog                Running             Running 15 days ago
    

    When I checked the port, everything also looked fine

    [root@blog xiaowang]# netstat -tuapn | egrep '80|443'
    tcp6       4      0 :::80                   :::*                    LISTEN      12146/dockerd       
    tcp6       2      0 :::443                  :::*                    LISTEN      12146/dockerd       
    tcp6      74      0 ::1:80                  ::1:47352               CLOSE_WAIT  -                   
    tcp6       3      0 ::1:80                  ::1:47348               CLOSE_WAIT  -                   
    tcp6      74      0 ::1:80                  ::1:47402               CLOSE_WAIT  -                   
    tcp6      78      0 ::1:443                 ::1:56994               CLOSE_WAIT  -                   
    tcp6      78      0 ::1:443                 ::1:56944               CLOSE_WAIT  -                   
    tcp6      74      0 ::1:80                  ::1:47350               CLOSE_WAIT  -
    

    But when I executed “curl http://localhost”, it was blocked, so I guessed something was wrong with the local network.

    After checking, I executed “sysctl -w net.ipv4.ip_forward=1” to enable IP forwarding, and I could finally access the port. So I executed “echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf” to make it permanent.

    I’m using Google Cloud; I guess they may have reset the network, and I hadn’t made the setting permanent before.

     
  • Wang 22:12 on 2018-04-05
    Tags: Domain

    Test https on blog 

    After applying for a certificate from Let’s Encrypt, I tested the certificate and generated the report.

     
  • Wang 19:05 on 2018-01-20
    Tags: AliCloud, Domain

    Proxy AliCloud’s domain to AWS’s server 

    I registered my domain “wanghongmeng.com” on Aliyun, and applied for a free EC2 server for one year on AWS.

    After building my blog on AWS, I pointed the domain’s A record at the AWS server’s IP.

    But yesterday I received an email from Aliyun which said that, after checking, my server was not in Aliyun, which was not allowed; I had to migrate my blog server to Aliyun, otherwise they would revoke my authority number.

    After thinking about this, to save money (Aliyun is not free for one year), I solved it in the following way:

    1. Point the A record at my friend’s server IP, which was bought on Aliyun

    2. Add a piece of configuration to his nginx.conf:

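    server {
        listen  80;
        server_name  wanghongmeng.com www.wanghongmeng.com;
    
        # Redirect all plain-HTTP requests to HTTPS
        location / {
            rewrite ^/(.*)$ https://$server_name/$1 permanent;
        }
    }
    
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name wanghongmeng.com www.wanghongmeng.com;
        ssl_certificate "Location of Pem File";
        ssl_certificate_key "Location of Key File";
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "Your Algorithm";
        ssl_session_cache shared:SSL:50m;
        ssl_prefer_server_ciphers on;
    
        location / {
            # Forward the original Host header; by default nginx sends the
            # proxy_pass address, which the host check on the AWS side rejects
            proxy_set_header Host $host;
            proxy_pass  http://AWS's IP:443/;
        }
    }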
    

    3. Expose port 443 on my AWS server, and only accept requests from my friend’s server IP:

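    server {
        listen  443;
        
        # Reject any request whose Host header is not one of our domains
        set $flag 0;
        if ($host = 'www.wanghongmeng.com') {
            set $flag 1;
        }
        if ($host = 'wanghongmeng.com') {
            set $flag 1;
        }
        if ($flag = 0){
            return 403;
        }
        
        location / {
            allow "My Friend's Server IP";
            # Without "deny all", the allow rule alone does not block other clients
            deny all;
            proxy_pass  http://blog-ip;
        }
    }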
    

    Things done! 😀😀
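
Added example (not part of the original post): in the configuration above, the hop from the Aliyun front end to the AWS server is plain HTTP on port 443 (`proxy_pass http://…:443/` to a `listen 443;` without TLS), so that traffic crosses the internet unencrypted. The variant below encrypts and verifies that hop, assuming the AWS server holds a certificate valid for wanghongmeng.com; the addresses 203.0.113.10 (AWS) and 198.51.100.20 (front end) and all file paths are placeholders.

```nginx
# --- Front end (friend's Aliyun server): terminate TLS, re-encrypt to AWS ---
server {
    listen 443 ssl;
    server_name wanghongmeng.com www.wanghongmeng.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2;                        # drop TLSv1 / TLSv1.1

    location / {
        proxy_pass https://203.0.113.10:443;            # placeholder AWS IP, now over TLS
        proxy_set_header Host $host;                    # origin sees the real hostname
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Verify the origin's certificate instead of trusting whatever answers at that IP
        proxy_ssl_server_name on;                       # send SNI to the origin
        proxy_ssl_name        wanghongmeng.com;         # name expected in the origin cert
        proxy_ssl_verify      on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # placeholder CA bundle
    }
}

# --- Origin (AWS server): TLS listener, reachable only from the front end ---
server {
    listen 443 ssl;
    server_name wanghongmeng.com www.wanghongmeng.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2;

    allow 198.51.100.20;                                # placeholder front-end IP
    deny  all;                                          # "allow" alone restricts nothing

    location / {
        proxy_pass http://blog-ip;                      # upstream name used in the post
    }
}
```

The same source restriction is worth repeating in the AWS security group, so that port 443 is not reachable from other addresses even if the nginx rule is changed later.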

     
  • Wang 18:29 on 2018-01-13
    Tags: Domain

    Prevent web site being mirrored 

    I thought of something from before: when I checked nginx’s log, I found a weird hostname.

    After checking, I think our website was mirrored.

    I think they pointed their domain at ours with a CNAME record, and we didn’t do any host check at that time.

    To prevent being mirrored again, I added a host check configuration to nginx.conf:

    set $flag 0;
    if ($host = 'www.wanghongmeng.com') {
        set $flag 1;
    }
    if ($host = 'wanghongmeng.com') {
        set $flag 1;
    }
    if ($flag = 0){
        return 403;
    }
    

    With this in place, nginx checks every request to see whether it is for our domain; if not, it returns a 403 response code.

    After this, our website was not mirrored again.

    Nginx Version: 1.9.12
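
Added example (not from the original post): the same host check expressed as a catch-all `default_server` instead of an `if` chain, so any request whose Host matches no configured name never reaches the site. Certificate paths, the log path and the `blog-ip` upstream are placeholders; `return 444` is nginx's non-standard code that closes the connection without sending a response.

```nginx
# Catch-all: selected when the Host header matches no other server_name.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    server_name _;

    # A certificate is still needed to complete the TLS handshake on 443;
    # a self-signed one is enough here (placeholder paths).
    ssl_certificate     /etc/nginx/tls/catchall.pem;
    ssl_certificate_key /etc/nginx/tls/catchall.key;

    access_log /var/log/nginx/unknown_host.log;   # keep a record of foreign hostnames
    return 444;                                   # or "return 403;" as in the post
}

# The real site: only reached when Host is one of these names.
server {
    listen 80;
    listen 443 ssl;
    server_name wanghongmeng.com www.wanghongmeng.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

    location / {
        proxy_pass http://blog-ip;                      # placeholder upstream
    }
}
```

This stops CNAME-style mirroring, where the foreign hostname arrives in the Host header. A mirror that proxies requests and rewrites Host to the real name is not affected by it.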

     