Tuesday, August 23, 2016

nginx, Ubuntu 14.04, letsencrypt.org and name.com

Recently I needed to set up a secure domain on an EC2 instance (the Google Maps JavaScript API requires an HTTPS origin). The application architecture was:
  • AngularJS (front-end)
  • NodeJS (front-end server) listening on http://localhost:3000
  • Spring Boot (data server) listening on http://localhost:8080
To get this working on EC2, nginx was added in front as the HTTPS terminator and reverse proxy for the NodeJS instance. Only nginx needs to be reachable from the internet, so the EC2 security group should expose ports 80 and 443 and leave 3000 and 8080 closed.

domain routing --> name.com

This is not a permanent solution, just a demo, so I used A records at name.com pointing at my Elastic IP address. Add two: one for the bare domain (example.com --> [elastic IP]) and one for the www host (a wildcard *.example.com --> [elastic IP] covers it). Every hostname you put in the certificate request below must resolve to this box, because Let's Encrypt validates each name over HTTP before issuing.

letsencrypt.org

The steps to follow (on Ubuntu 14.04) are
  1. sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  2. sudo apt-get install nginx
  3. sudo vi /etc/nginx/sites-available/default
  4. add     location ~ /.well-known { allow all; }     (note the space after the ~; written as "~/.well-known" nginx treats it as a literal prefix string, not a regex), then test the config and reload nginx so the challenge path is live before requesting the certificate
  5. sudo /opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com
  6. (go through the on screen prompts)
  7. sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  8. add ssl to the nginx default
  9. add redirect on port 80 to 443 (HTTP 301)
Two caveats: Let's Encrypt certificates are valid for 90 days, so schedule the client's renew command (cron) and reload nginx afterwards; and the letsencrypt-auto wrapper has since been superseded by certbot, which does the same job and is packaged for Ubuntu.

Below is an example of the resulting nginx default file. The cipher list is the broad 2016 compatibility list; it still enables CBC and 3DES suites, and the protocol line still allows TLSv1 and TLSv1.1, so tighten both unless you really need old clients.

# Port 80: everything is redirected to HTTPS. A server-level return runs
# before location matching, so ACME challenges on port 80 are redirected
# too; Let's Encrypt follows the redirect and validates against the 443 block.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless you
    # still have to support legacy clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Broad compatibility list. It still includes CBC suites, 3DES
    # (DES-CBC3-SHA) and the catch-all AES and CAMELLIA family keywords.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # OCSP stapling also needs a 'resolver' directive so nginx can look up
    # the OCSP responder's hostname.
    ssl_stapling on;
    ssl_stapling_verify on;
    # HSTS for about six months. Sent only from the HTTPS block; make sure
    # every subdomain is ready for TLS before adding includeSubDomains.
    add_header Strict-Transport-Security max-age=15768000;

    # ACME http-01 challenge files, served from the same directory given as
    # --webroot-path in the certonly command.
    location ~ /.well-known {
        root /usr/share/nginx/html;
        allow all;
    }

    # Everything else goes to the NodeJS front-end server. The Upgrade and
    # Connection headers keep WebSocket connections working through the proxy.
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # Pass the real client address and the original scheme to the app,
        # since it only ever sees plain HTTP from nginx.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

Sunday, July 17, 2016

nodejs expressjs http-proxy and the hanging POST

Here's one I came across recently using http-proxy with Express. Using body-parser in front of the proxied routes seems to mess with the way the object is sent to the backend (in this case, Spring Data REST). The cause is that body-parser reads the request stream to completion to build req.body, so when http-proxy later pipes the request upstream there is no body left to send, and the backend sits waiting for the Content-Length bytes that never arrive. To resolve this, on the proxy part, I had to remove all the body-parser listeners (thanks to this issue solution https://github.com/nodejitsu/node-http-proxy/issues/180#issuecomment-215773710), so the raw request stream reaches http-proxy untouched.

A very quick and simple solution; maybe not optimal, but it works.

Monday, January 25, 2016

Eclipse Che and Spring Boot

While playing around with Spring Boot on Eclipse Che, here are a couple of points:
  • when using the spring-boot-maven-plugin, you can run mvn spring-boot:run from the browser IDE
  • to view the application, use the link the Docker-backed workspace gives you but drop the application name from the path: http://[your-ip]:[port-mapped-to-spring-boot]/[maven-name] should actually be http://[your-ip]:[port-mapped-to-spring-boot]/ (Spring Boot's embedded server serves at the root context by default, so the Maven artifact name is not part of the URL)

Eclipse Che - Some Startup Notes

So Eclipse Che is a really cool idea: "cloud-based" workspaces and a browser-based IDE. It uses Docker as the cornerstone of the development lifecycle for workspaces and, from initial playing around, is pretty cool.

Some quick notes
  • don't try to run it under root; create a new user, make sure they're a member of the docker group, and you're good (bear in mind that docker group membership is effectively root on that host, since anyone who can talk to the Docker socket can start a privileged container, so only give it to accounts you would trust with root)
  • doesn't "look" nice in Safari (there are a couple of challenges with fonts and CSS sheets)
  • be patient with the workspace kick-off: it pulls a Docker image and that can take time; a good candidate for caching on your server
  • when creating a Java class, give it the fully qualified name (so not "MyClass" but "io.example.MyClass"), otherwise it will give you errors
Some links that helped

Sunday, January 24, 2016

Apache Geode (GemFire) in a Docker container

If you want to play around with Geode in Docker, try this (the image is apachegeode/geode, one word, and the Geode shell is gfsh):

docker run -it apachegeode/geode:1.0.0-incubating.M1.RC1 gfsh


Sunday, January 17, 2016

weave + marathon - network

Quick note: if you're using Weave on Marathon with Docker, make sure the network mode in the app definition's docker section is set to BRIDGE ("network": "BRIDGE"; Marathon expects the value in upper case).


Friday, January 15, 2016

mesos + marathon + docker - installing via the packages

A little trick to installing via the packages: if you follow https://open.mesosphere.com/getting-started/install/, make sure you either proceed to the next steps and the Docker setup, or add the following to /usr/lib/systemd/system/mesos-slave.service (CentOS 7)

Environment=MESOS_CONTAINERIZERS=docker,mesos

under the [Service] section. Editing the unit under /usr/lib/systemd/system means a package upgrade can overwrite it; a drop-in file under /etc/systemd/system/mesos-slave.service.d/ carrying the same [Service] line survives upgrades (run systemctl daemon-reload before restarting the service either way).

Without this, Mesos won't know how to call Docker to start the Marathon-submitted Docker jobs.

A key indicator of this problem is the error:

failed to start: None of the enabled containerizers (mesos) could create a container for the provided TaskInfo/ExecutorInfo message

Sunday, January 3, 2016

docker on centos 7 and "cgroupsfs" error

Here's a workaround on CentOS 7 for that very annoying "[8] System error: open /sys/fs/cgroup..." error:

Random "Cannot start container" Errors on 1.9.0-rc5 CentOS7


Monday, December 21, 2015

trick for marathon for running docker + weave

weave DNS trick

A little trick with Weave and Marathon is the specification of the hostname. Unlike raw docker + weave, where the weave DNS name can be picked up from --name or --hostname, with the Marathon JSON the hostname must have .weave.local as a suffix. So, to deploy Postgres via Marathon and give it a weave DNS entry of postgres-server, the hostname entry needs to be postgres-server.weave.local.


Tuesday, December 15, 2015

mesos + marathon + docker + weave

So here's a little set of configuration links for standing up a PaaS leveraging Mesos, Marathon, Docker and Weave (I'm using CentOS 7 on a VM):

  1. follow the install of the base platform here --> https://open.mesosphere.com/getting-started/install/
  2. install Docker from here --> https://docs.docker.com/engine/installation/centos/
  3. use this weave script from here --> https://github.com/weaveworks/guides/blob/master/mesos-marathon/centos/weave
  4. use these service scripts in here --> https://github.com/weaveworks/guides/tree/master/mesos-marathon/centos
  5. but most importantly, add the following under [Service] in /usr/lib/systemd/system/mesos-slave.service (or, to survive package upgrades, in a drop-in under /etc/systemd/system/mesos-slave.service.d/), then reload systemd and restart mesos-slave
Environment=MESOS_CONTAINERIZERS=docker,mesos
Environment=MESOS_DOCKER_SOCKET=/var/run/weave/weave.sock

The second line points Mesos at the Weave proxy socket instead of the plain Docker socket, which is what gets every launched container attached to the Weave network. Now you can deploy normally with Marathon and have your containers picked up in Weave (and their DNS names mapped).