Local Development: Secure Docker Sites.

This article targets Debian docker containers running on MacOS.

HTTP (hypertext transfer protocol) is the set of rules by which your browser retrieves web pages from the internet. HTTPS is the same protocol, with the difference that the pages travel over a private, encrypted communication channel (TLS), so nobody on the path can read or tamper with them.

In our modern age, most sites have this on by default.

When we are developing sites, specifically eCommerce sites, we assume that this would be turned on in the production environment. This post is an attempt to get your development environment even closer to production.

Step 1 – Generate Certificates

For your browser to recognize a site as trusted and secure, it needs to validate the site’s SSL certificate. We will start by creating certs locally. To do this, you need to have OpenSSL installed.

To confirm, type this into your terminal:

openssl version

You should get the currently installed version as a reply. If not, you will first need to install it; see Google for further instructions on this.

Next, change to the root directory of your project, where your docker-compose.yml is. There enter:

openssl genrsa -des3 -out rootCA.key 2048

You will be prompted for a password; make sure you remember what it is so you don’t have to recreate the key. This rootCA.key file will be used to create a new root SSL certificate.

To create a new root SSL certificate, valid for 1024 days, type the following command into the terminal. Feel free to change the number of days.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

You will be prompted for the password that you set earlier and then some details about your address. Make sure you fill in the qualified hostname as the domain you’re using for testing.

To confirm that all is in order type: ls | grep root. You should now see two files:

rootCA.key
rootCA.pem

Step 2 – Trust the Certificates Root

The files you’ve just created are a certificate generator: a private root certificate authority. Before we can trust the certificates it signs, we need to trust the generator itself, so we tell MacOS to trust the root files.

To trust the root files, open Keychain Access on your Mac. Press CMD+SPACE and type Keychain Access to open the program that allows you to manage your certificates. Click on the Certificates category in the bottom left sidebar. Now, import the rootCA.pem using `File > Import Items` from the top MacOS menu bar.

After the import, double click the imported certificate and under the “When using this certificate:” dropdown select “Always Trust”.

Step 3 – Generate Server Files

Create a file named server.csr.cnf and add the following content to it, being sure to change the domain name (the CN line) to the one you are using. This will help you avoid entering all the details manually:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=RandomOrganizationUnit
emailAddress=hello@example.com
CN = localhost

Next, create a v3.ext file with the following content, in order to create an X.509 v3 certificate. Notice that we specify subjectAltName here: modern browsers check the hostname against the subjectAltName entries rather than the CN, so it must be listed there. Also, make sure to change your domain name accordingly.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

Next, create a certificate signing request and server key file for your domain using the configuration settings stored in server.csr.cnf. The command below will output server.csr and server.key:

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )

Next, create the certificate file called server.crt. The .key and .crt files will both be used by the server: server.key is the private part and must stay secret, while server.crt will be shared with browsers and other clients. The second command below writes the same certificate again under the name server.pem, for servers that expect that name. You will be asked for the root key password from step one:

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.pem -days 500 -sha256 -extfile v3.ext
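The three steps above as one unattended script, written for this article as an added example rather than taken from the original post. It runs the same openssl commands (the root key passphrase is passed on the command line instead of at a prompt, and the root certificate gets an explicit config with CA:TRUE so it does not depend on the system openssl.cnf), then checks the result the way a browser would: server.crt must chain to rootCA.pem and must list the hostname as a DNS subjectAltName. The hostname, passphrase and directory in the usage line are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): generate a private root CA and a
# server certificate for one development hostname, then verify the pair.

# make_dev_certs <workdir> <hostname> <root-passphrase>
# Runs in a subshell so the caller's working directory is left alone.
make_dev_certs() (
  set -e
  workdir="$1"; host="$2"; pass="$3"
  mkdir -p "$workdir"
  cd "$workdir"

  # Step 1: passphrase-protected root key, as in the post, but non-interactive.
  openssl genrsa -des3 -passout "pass:$pass" -out rootCA.key 2048 2>/dev/null

  # Root certificate config: explicit CA extensions so "openssl verify" accepts
  # rootCA.pem as a trust anchor regardless of the system openssl.cnf defaults.
  cat > rootCA.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca

[dn]
CN = Local Development Root CA
O = RandomOrganization

[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -key rootCA.key -passin "pass:$pass" -sha256 \
    -days 1024 -config rootCA.cnf -out rootCA.pem

  # Step 3: request config with the hostname as CN ...
  cat > server.csr.cnf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=RandomOrganizationUnit
emailAddress=hello@example.com
CN = $host
EOF
  # ... and the v3 extension file that puts the same hostname in subjectAltName.
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
EOF

  # CSR plus unencrypted server key (-nodes: the web server reads it at start-up).
  openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 \
    -keyout server.key -config server.csr.cnf 2>/dev/null
  # Sign the request with the root CA, applying the v3 extensions.
  openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
    -passin "pass:$pass" -CAcreateserial -out server.crt -days 500 -sha256 \
    -extfile v3.ext 2>/dev/null
)

# verify_dev_certs <workdir> <hostname>: exit 0 only if server.crt chains to
# rootCA.pem and carries <hostname> as a DNS subjectAltName.
verify_dev_certs() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Usage (constructed values):
#   make_dev_certs ./certs shop.test 'example-passphrase' && verify_dev_certs ./certs shop.test
```

If verify_dev_certs fails after a hand-run of the steps, the two usual causes are a root certificate without basicConstraints CA:TRUE (the system openssl.cnf did not add it) and a hostname that is only in the CN, not in alt_names.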

Step 4 – Add to your server

Apache

Apache comes with default SSL certificates. The aim is to find out where they are and replace them with your newly created files. We are not going to update configs as this is more complicated.

Open a shell inside the container. For me the command to do so is below; the service name (php here) is the one your web server runs under in the docker-compose.yml file.

docker-compose exec --user root php bash

Next, there should be a list of sites enabled by default. Let’s look at the contents of the SSL specific config:

cat /etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		DocumentRoot /var/www/html
		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined
		SSLEngine on
		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
		<FilesMatch ".(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>
	</VirtualHost>
</IfModule>

We are interested in these two files. They may be named differently on your system.

  • SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  • SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Now we must figure out how to get our files into these directories. If your docker container is mapped to your local file system you can simply navigate to these locations, copy your files over, and rename them to match the names above (overwriting the existing files).

Lastly, after overwriting these files with your own, restart Apache and then load your site at its HTTPS address.

  /etc/init.d/apache2 restart 

If you’re still not getting this to work, try this post: https://www.linode.com/docs/security/ssl/ssl-apache2-debian-ubuntu/

Nginx

For Nginx let us find out which config file is used:

docker container exec <container> nginx -t

If you already have a shell inside the container, just run: nginx -t.

Now let’s view the contents of the config file:

docker container exec woocommerce2test_nginx_1 cat /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

We are after the following lines:

ssl_certificate
ssl_certificate_key

In the conf file above you will see that there are no ssl_certificate lines, but towards the bottom of the output you will see include /etc/nginx/conf.d/*.conf;. Looking inside this directory we find /etc/nginx/conf.d/default.conf.

Now, looking at the contents of default.conf, you will see the location of the default SSL certificates.

ssl_certificate /etc/nginx/certs/localhost.crt;
ssl_certificate_key /etc/nginx/certs/localhost.key;

Now you need to figure out a way to get your certs into that directory. In my case, this was mapped already but you can also manually map it by adding these locations to your docker-compose.yml file.

After adding and renaming your files to match the names above you can reload Nginx with this command:

docker container exec <container> nginx -s reload
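A pre-flight check for the Apache and Nginx steps above, added here as an example and not part of the original post: before overwriting the server’s files and restarting or reloading it, confirm that server.key really is the private half of server.crt, that the certificate has not expired, and (after the copy) that the container serves the file you generated. A mismatched key and certificate is the usual reason Apache refuses to start or Nginx rejects the reload after a swap. The file, service and container names in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks to run before
# restarting Apache or reloading Nginx with freshly copied certificate files.

# key_matches_cert <keyfile> <certfile>: exit 0 only when the public key derived
# from the private key is identical to the public key embedded in the certificate.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ -n "$crt_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# cert_not_expired <certfile> [seconds]: exit 0 if the certificate is still valid
# <seconds> from now (default 0, i.e. right now).
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# cert_fingerprint <certfile>: SHA-256 fingerprint, used to compare the local
# server.crt with the copy the container actually has in place.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Usage (placeholder names; run from the project root holding the generated files):
#   key_matches_cert server.key server.crt && cert_not_expired server.crt \
#     && docker-compose exec nginx nginx -s reload
#   docker-compose exec -T nginx cat /etc/nginx/certs/localhost.crt > installed.crt
#   [ "$(cert_fingerprint server.crt)" = "$(cert_fingerprint installed.crt)" ] \
#     && echo "container has the new certificate"
```

The same three functions apply to the Apache paths (/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key) after the overwrite; only the file names in the usage lines change.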

In closing

I wrote it mainly for my future self, but I hope you benefit from it as well. Please leave comments if I’ve missed a step or if anything is unclear.

Tribe of Mentors: Quick Review

The book contains 100+ interviews with highly successful people, the mentors. These people share their best advice and struggles.

If you don’t like reading, this is the perfect book for you. You can start at any point and stop where you like.

In this book Tim Ferriss asks all the mentors the same set of questions. Some people chose to answer only a subset of the questions, and others used their creativity to see the questions from a different perspective, which I found most interesting.

Tribe of Mentors contains various interpretations of the word “success”: financial, professional and health, to name a few. You will find that not all the interviews appeal to you, but there are quite a few pearls of wisdom.

There were so many commonalities between the answers. One of the more noticeable things was meditation: they all practise some form of it. It was also interesting to see lots of repeated advice, which shows that there are only a handful of fundamentals you need to practise in order to become successful.

One thing I really don’t like about this book is that it consists primarily of Americans; to truly be a tribe you need people from the African continent. Well, not really, but you know what I mean. I would have loved a more global approach.

The most important habits that almost all the mentors practise are:

  1. Reading
  2. Meditating
  3. Exercising

I also learnt about a few interesting products:


I have taken some more notes that I will share with you going forward. This will cover the top quotes, best advice and top interviews from my perspective.

My favourite quote from this book, which really brings everything together, is:

“It is the quality of your relationships that determine the quality of your life” – Esther Perel

Blog First

We all use a lot of social / content-sharing services where we share a lot of personal data. Sometimes we forget that those platforms can shut down overnight, leaving you with no way to get the data back.

From today on I’m blogging and then sharing data with other services. My blog becomes the central source of truth.

WordPress gives me peace of mind. I know my content belongs to me and that I can move it to other services should I need to.

Hey Developer, Welcome to WordPress

Some time ago, a friend of mine wanted to start doing WordPress development. I created this resource for him and thought that many of you may also want to see this, so here it is:

Hey Friend,

There is a lot to cover here so I’ll break it down into: 

  • WordPress Community,
  • WordPress Development
  • My recommended talks

It will take some time for you to go through all the links, but there’s no rush. Remember, it is important that you follow your interests here, as this is the best way to learn.

WordPress Community

WordPress Development

The most important thing to note is that you never, ever change any of the files that come with WordPress. You are welcome to read all the files from top to bottom, but if you wish to change WordPress you do it via a plugin, and if you want to change the look of your website you do this via a theme. Those are the only options you have, but in combination there is no limit to what you can do with WordPress (see these cool examples: http://pressbooks.com/ and http://www.happytables.com/ ).

Here is a great list of how you can get started with plugin / theme development:

Awesome Talks

You can read all you like but nothing gets you up to speed like a video. Here are some really nice videos you can watch that will help you become a better developer in general:

Finally, my friend, WordPress is continually changing, therefore:

Follow these WP focused twitter accounts as a start:

I hope these resources have helped you. If you know of any great resources please pop them in the comments below.

Abandonware as a WordPress plugin

I have a little secret to confess. In the days when I was still building client websites I would install and reinstall at least 5 similar plugins before finding the perfect one. In the majority of cases I would never let the developer know if there was a bug, as I simply didn’t have the luxury of time.

This got me thinking about the code I write today. How many people do that and never let me know what broke, or whether there was a reason for not selecting my plugin?

I still haven’t figured this out, but I take this away from it: if it doesn’t work, people walk away. If I don’t get their attention and give them what they need fast, it’s a done deal.

WordPress loves PHPStorm, so should you!

I’ve fallen in love with another text editor. It’s been a while since I last opened SublimeText and Coda. It has also been a little challenging to adjust at times, but there’s no looking back when it comes to building WordPress-based products. My workflow is better than ever. Now let me tell you why you should love PHPStorm.

PHPStorm understands WordPress

As the tool’s name implies, it understands PHP. So what? That’s not all: it actually understands WordPress. It can detect when you’re working on a WordPress-specific project and suggest project settings to give you the best setup for getting work done.

It’s a purpose-built tool

There’s no need for plugins; PHPStorm comes with all the tools you need. If you need more, it has an add-on system through which you can add plugins.

Project specific terminal

Every project comes with a localised terminal window, so you can start bashing out terminal commands from the get-go, all without leaving PHPStorm. If you love using git from the command line this will be one of your favourite features, as it easily buys you a few extra hours per month.

Predefined styling Rules

PHPStorm has the WordPress style guide built in, so you can get your project in line with core’s coding standards right from the start.

Never forget that TODO comment

If you like leaving yourself notes in inline comments and then forget where you’ve placed the todo items, you’ll be thrilled to know that PHPStorm remembers them for you. You can filter by the entire project scope or just a specific file. With this you can track all your todo items across the project without needing an external system.

Debugging made super easy

No more need for var_dump and echo to find bugs. All you need is to turn on Xdebug on your server and link it to PHPStorm. From this point on, I guarantee that you’ll speed up finding bugs in your code. This is the main reason for switching over. If you’re still figuring out where your bugs originate by reloading the page and checking the var_dump output, switch over today.

More resources:

How to add a subtask in Asana:

The project management system that I love and use for every project has just added a much-requested feature. Now you can create subtasks inside existing tasks to break them up even further. The nice thing about this is that subtasks are full tasks that can be assigned to a team member and receive comments.

How to create a Sub Task In ASANA:

There are two ways to do this.

1. Click on the Subtask icon next to the due date

2. Click the downwards arrow above the task’s name and select “Add Subtask”

You can find out more about this on the official Asana blog: http://blog.asana.com/2012/10/introducing-asana-subtasks/

Enjoy!