Slides kho tài liệu bách khoa

Things you’ll learn● Learn how to use Node and Bash to create shell scripts ● Learn advanced Nginx configuration ● Common server vulnerabilities and how to mitigate them ● How to add HTT

Full Stack

for

Jem Young

Senior Software Engineer

Serious Business ● Slides ○ jemyoung.com/fsfe2

● Part 1

○ https://frontendmasters com/courses/full-stack/

○ jemyoung.com/fsfe

Things you’ll learn

● Learn how to use Node and Bash to create shell scripts

● Learn advanced Nginx configuration

● Common server vulnerabilities and how to mitigate them

● How to add HTTPS to your server

● Understand databases

● Containers and automating deployments

Full Stack For Frontend

Recap

● How the internet works

● How the internet works

● Command line basics

ping

traceroute

vi

● Command line basics

● How the internet works

● How to create and manage a web server

(your sweet new server)

● Build a basic web page

● Command line basics

● How the internet works

● How to create and manage a web server

● Create a deploy system for a Node app

Why full stack?

1 Create a new Ubuntu server

a Use Ubuntu 16.04.x

b Be sure to use an SSH key

2 Point domain to new server

3 Log into server as root

Create a server

Server setup

4 Update server

5 Add a new user ‘test’

6 Grant ‘test’ sudo access

7 Switch to ‘test’ user

Server setup - Node

$ curl -sL https://deb.nodesource.com/setup_6.x

| sudo E bash

-update apt repo for nodejs

https://explainshell.com/explain?cmd=curl+-sL

Server setup - Node

$ npm config get prefix check npm directory

$ sudo apt install nodejs install nodejs and npm

If the npm directory is not /usr/local,

follow instructions here

WARNING

Server setup - Node

https://docs.npmjs.com/getting-started/fixing-npm-permissions#option-2-change-npms-defau lt-directory-to-another-directory

Server setup - Node

$ npm i -g forever install forever module

Change working directory

Change working directory

Part 2

Server security

● Controlling access

● Securing applications

Secure your applications

- Keep software up to date

- Limit application use

Server security - add ssh key

$ mkdir -p ~/.ssh create a new directory

$ vi ~/.ssh/authorized_keys paste public key into

authorized_keys file

Be sure to test logging in with your

new user

WARNING

Server security

a use the passwd command

2 Disable root login

3 Disable password login

Server security - firewalls

nmap

$ nmap YOUR_SERVER_IP

Tales from real life

Server security - iptables

$ sudo iptables -A INPUT -p tcp dport 22 -j ACCEPT

-A append rule

-p protocol (tcp, icmp)

dport destination port

-j jump (DROP, REJECT, ACCEPT, LOG)

Creating iptable rules

Create an iptable rule to block all

outgoing HTTP connections

Creating iptable rules

iptables -A OUTPUT -p tcp dport 80 -j REJECT

Creating iptable rules

Create an iptable rule to only allow icmp connections on port 892 from the IP

address 192.0.0.1

Creating iptable rules

iptables -A INPUT -s 192.0.0.1 -p icmp dport 892 -j ACCEPT

There has to be a better

way!

Server security - ufw

$ sudo ufw allow ssh

$ sudo ufw enable

ufw - uncomplicated firewall

Create ufw rules

Create a ufw rule to block all outgoing

HTTP connections

Creating ufw rules

ufw reject out http

Server security - firewalls

Automatic Updates

Server security - update software

$ sudo apt install unattended-upgrades

Server security - update software

/etc/apt/apt.conf.d/20auto-upgrades

https://wiki.debian.org/UnattendedUpgrades

Server security - update software

/etc/apt/apt.conf.d/50unattended-upgrades

Fail2ban

$ sudo apt install fail2ban

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Copy jail file

$ sudo vi /etc/fail2ban/jail.local

Install fail2ban

If you misconfigure fail2ban, you can

lock yourself out of your server!

WARNING

find search file names

search file contents

Finding things

find directory option file/folder

Finding things

find

Find all log files in /var/log/

$ find /var/log/ -type f -name *.log

Find all empty files in /etc

$ find /etc -type f -empty

Find all directories with the word log

$ find / -type d -name log

Searching contents

grep

grep - global regular expression print

$ grep -i ‘jem’ /var/www

grep options search

expression

directory

$ zgrep FILE search inside gzip file

Find running node processes

ps aux | grep node

Redirection

Write to file

ps aux > foo

What does this do?

foo < bar > baz

Shells

What is a shell?

shell application kernel

$ echo $0 show current shell

Changing shells

Changing shells

$ cat /etc/shells list acceptable shells to

change to

$ chsh -s /bin/sh change shell to ‘sh’

$ su $USERNAME login into new shell to see the

change

$ chsh -s /bin/bash change shell to ‘bash’

Differences between shells

https://en.wikipedia.org/wiki/Comparison_of_command_shells

Shell scripting

- simple

- portable

Why shell scripting

Bash scripting

Shell scripting - bash

$ vi load.sh

#!/bin/sh

cat /proc/loadavg | awk '{print $1"-"$2"-"$3}'

load average

1 minute

5 minute

15 minutes

$ sudo chmod 755 /load.sh Make executable

https://isabelcastillo.com/linux-chmod-permissions-cheat-sheet

Creating a shell script with Node

Node shell scripting - setup

$ mkdir ~/workspace create a workspace folder

$ cd ~/workspace move into workspace folder

$ touch index.js create index.js

Node shell scripting - setup

$ npm init initialize project

$ vi package.json

add reference to script

Node shell scripting

$ vi index.js

#!/usr/bin/node

const exec = require('child_process').exec; const stat = exec(`cat /proc/loadavg | awk '{print $1"-"$2"-"$3}'`);

stat.stdout.on('data', function(data) {

console.log(data);

});

https://frontendmasters.com/courses/bash-vim-regex/

Nginx setup

1 Install nginx

2 Proxy traffic to node server

3 Add domain name

4 Open port 443

Nginx setup - adding domain name

sudo vi /etc/nginx/sites-available/default

server_name jem.party www.jem.party;

Add domain name to nginx conf

https://github.com/diafygi/acme-tiny

https://certbot.eff.org/

$ sudo add-apt-repository ppa:certbot/certbot

$ sudo apt update

$ sudo apt install python-certbot-nginx

Add the certbot repository

Pull in new repository information

Install certbot with nginx plugin

$ sudo certbot nginx Use certbot to get certificate

$ sudo certbot renew dry-run Test auto renew

How to do we run periodic

tasks?

https://crontab.guru/

cron

Nginx - gzip

/etc/nginx/nginx.conf

Nginx - gzip

gzip_comp_level 6 increase compression level

http://nginx.org/en/docs/http/ngx_http_gzip_module.html

/var/etc/nginx/nginx.conf

Expires headers

Nginx - expires headers

location /static/ {

expires 30d;

proxy_pass http://127.0.0.1:3001/static/;}

expire static assets in 30 days

/etc/nginx/sites-available/default

Nginx - expires headers

caching

Nginx - cache

proxy_cache_path /tmp/nginx levels=1:2

keys_zone=slowfile_cache:10m inactive=60m use_temp_path=off;

proxy_cache_key "$request_uri";

/etc/nginx/sites-available/default

websockets

http/2

Nginx - http/2

listen 443 http2 ssl; # managed by Certbot

/etc/nginx/sites-available/default

https://http2.akamai.com/demo

Nginx - http/2

Redirect request to new url

location /help {

return 301 https://developer.mozilla.org/en-US/; }

/etc/nginx/sites-available/default

Part 6

databases

● Database types

● MySQL

Database types

MySQL

Database tips

1 Back up your database

2 Use a strong root password

3 Don’t expose the database outside the

network

4 Sanitize your SQL

5 Back up your database

https://github.com/mysqljs/mysql

Dedicated Server

the cloud

Containers

Installing Postgres on Docker

https://www.linux.com/news/8-open-source-CONTAIN ER-ORCHESTRATION-TOOLS-KNOW

Automating deployments

HOORAY!!