IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

VM

Computer hardware, clock cycles and code ramblings

by

Modern computers have insane amounts of processing power compared to computers from 5 years ago. Computer memory and storage is cheap but that is no excuse to design and develop bloated webpages and apps. Consumers and customers are very impatient and there are loads of statistics on users abandoning an app or website because it takes more than three seconds to respond or load an app.

You can control the speed of software running on your home computer by upgrading it but you cannot guarantee the performance of apps that run on shared hosting platforms or web hosts.  You can buy a CPanel based web-host or a dedicated server from $5 a month, how can they make money? They do this by virtually hosting your service (web server etc) alongside other hosts and running multiple services on a single processor core. Shared servers are very economical but you are sharing the resources with other users.

If you want maximum performance you can always buy a dedicated server from a cloud server provider but each provider may secretly share the resource’s of that server (more information here: http://blog.cloudharmony.com/2014/07/comparing-cloud-compute-services.html ) and performance may be impacted. Dedicated servers can be very expensive and can run into thousands of dollars per month.

So what can I control?

Writing (or installing) good code is essential, try and optimize everything and know your server’s limitations and bottlenecks. To understand bottlenecks, you need to know about computer hardware. A few lines of code can trigger millions or billions of actions inside a processor.

A computer has the following major components:

  • Hard drive (HDD/SSD): This is where your operating system, software and files are stored when the computer is turned off. Hard drives store magnetic charges (0’s and 1’s) onto spinning round metal platters. A zero is a negative charge and a 1 is a positive charge. Hard drives spin at 5400~15,000 RPM. Data is written with a read/write needle that needs to be positioned over the data bit to read and write. Hard drives are very slow but reliable and each data bit can be read/written to tens of thousands of times. Faster solid-state drives don’t use spinning metal platters and work a bit like memory (see below). Solid-State drives have limited writes per sector though. Read More: https://en.wikipedia.org/wiki/Hard_disk_drive
  • Memory (RAM): Computer memory is basically a large array or very fast storage that the processor reads and writes data (0’s and 1’s). Memory is like a massive spreadsheet grid and accessing data from memory is 1000x faster than accessing data from a hard drive.  Memory stores data as static charges in silicon microchips and each storage bit can be changed millions of times. When a computer is turned off the memory is wiped. Read More: https://en.wikipedia.org/wiki/Computer_memory
  • Processor (CPU): This is the chip that does the primary calculations and controls just about everything. A processor can perform various predetermined functions and read and write to memory/hard drives or send data over a USB cable or network connection. Processors are quite dumb and it has to keep queues (pipelines) of things to do in it’s the internal cache (memory) between cycles.  A clock cycle is single step where the processor (and all of it’s cores) do one thing and get ready for the next clock cycle, all clock cycles in a software routine are linked and if one instruction fails all following linked instructions have to be cleared and dealt with or errors and blue screens can happen. A processors speed is a total of how may clock cycles it can perform in a second and a modern computer can process 3,500,000,000 (3.5 Ghz) cycles a second. A processor can calculate one complex instruction or multiple simple instructions in one cycle. Most processors have multiple cores that can each perform calculations in a clock cycle. But don’t be fooled many clock cycles are spent waiting for data to be read/written from memory/hard drive or loaded from the processor’s cache. A processors instruction pipeline has 4 main states for each possible action in a cycles execution pipeline (“Fetch”, “Decode”, “Execute” and “Write back”). (e.g The processor may be asked to add (fetch) variable1+variable2, the (decode) gets the values from memory, (execute) performs the calculation and “write back” writes the result back to memory. ) See a complete list of Intel instruction here and here ). Read More: https://en.wikipedia.org/wiki/Central_processing_unit

Processors are mostly waiting for data to be fetched to be processed.  There is no such thing as 100% efficient code.

If software needs to read a file from a spinning hard drive has a mandatory latency period (https://en.wikipedia.org/wiki/Hard_disk_drive_performance_characteristics ) where the hard drives read needle moves in or out and reads the data form the right sectors and returns the data.  A 3.5 Ghz computer has to wait for an approximate 19,460,000 clock cycles for a sector on a hard drive to be under the read head. The data still has to be moved from the hard drive through the processor and into memory.  Luckily processors have fantastic calculation branch prediction abilities ( https://en.wikipedia.org/wiki/Branch_predictor) and even though the software has asked for a file to be read the processor can work on 19 million other cycles before checking to see if the data has returned from the hard drive.

Caching content

One solution is to have software or servers cache certain files in memory to speed up the delivery of files. The latest DDR4 computer memory runs as blistering speeds of 2,400Mhz (2,400,000,000 cycles a second) so it should keep up with a 2.4Ghz computer? Memory is cheap and fast but computer memory has a huge limitation.  You can’t just ask memory to return the value of a memory cell and expect it in a few cycles. The processor has to essentially guide the memory module to activate the required electrical columns and rows to allow that that value to be read and return it to a processor. This is like a giving instruction to a driver over a phone, it takes time for the driver to listen, turn a corner, drive down a street and then turn another corner just to get to the destination.  The processor has to manage millions of memory read and writes a second. Memory can’t direct itself to the memory value, the processor has to do that.

Memory timings are called RAM timings and it is explained better here ( http://www.hardwaresecrets.com/understanding-ram-timings/ ).  It takes modern DDR4 memory module about 15 clock cycles to just enable the column circuit for a memory cell to be activated, then another 15 clock cycles to activate the row and a whole load of other cycles to read the data. Reading a 1 MB file from memory may take 100,000,000 clock cycles (and that is not factoring in the processor is working on other tasks. A computer process is a name given to software code that has been handed over to the processor, software code is loaded into the processor/memory as instructions and depending on the code and user interactions different parts of the software’s instructions are loaded into the processor. In any given second a computer program may enter and leave a processor over 1,000 times and processors internal memory is quite small.

Benchmarking

Choosing a good host to place your website/mobile app or API’s is very important, sometimes the biggest provider is not the fastest. You should benchmark how long actions take on your site and what the theoretical maximum limit is. Do you need more memory or cores? Hosts will always sell you more resources for money.

http://www.webpagetest.org/ is a great site to benchmark how long your website takes to deliver each part of your website to customers around the world.  You can minify (shrink) your code and images to reduce the processing time per page load.

If you are keen research PHP caching plugins like OpCache ( http://php.net/manual/en/book.opcache.php ), MemcahedD (https://www.digitalocean.com/community/tutorials/how-to-install-and-use-memcache-on-ubuntu-14-04) for PHP or MySQL  or WordPress WP-Total-Cache (https://wordpress.org/plugins/w3-total-cache/ ) plugin.

Placing your website or application databases close to your customers.  In Australia, it takes 1/5 of a second minimum for a server outside of Australia to respond.  A website that loads 30 resources would also add the delays between your server and customers (30×1/5 of a second add’s up).

Consider merging and minifying website resources ( http://www.minifyweb.com/ ) to lower the number of files and file sizes that you deliver to users. Most importantly monitor your website 24/7 to see if it is slowing down. I use http://monitis.com to monitor server performance remotely.

Summary

I hope I have not confused you too much. Try some videos below to learn more.

Good Videos: 

How a CPU Works:

How Processors are Made:

How a Hard Drive works in Slow Motion – The Slow Mo Guys

What’s Inside a CPU?

Zoom Into a Microchip (Narrated)

How computers work in less than 20 minutes

Read some of my other development-related guides here https://fearby.com/
Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

How to buy a new domain (dedicated server from digital ocean) and add a SSL certificate from namecheap.

by

This guide will show you how to buy a domain and and link it to a Digital Ocean VM.

Update (June 2018): I don’t use Digital Ocean anymore. I moved my domain to UpCloud (they are that awesome). Use this link to signup and get $25 free credit. Read the steps I took to move my domain to UpCloud here.

Upcloud Site Speed in GTMetrix

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

This old post is available fyi,

1. How to buy a new website domain from namecheap.com

1.1 Create an account at namecheap.com then navigate to registrations

1.2 Search for your domain (don’t forget to click show more to see other domain extension types).

1.3 Select the domain you want.

1.4 I am going to opt for a free year of Free WhoisGuard – (WhoisGuard is a service that allows customers to keep their domain contact details hidden from spammers, marketing firms and online fraudsters. When purchased, the WhoisGuard subscription is permanently assigned to a domain and stays attached to it as long as the fee is paid).

1.5 I will also opt-in into the discounted PositiveSSL for $2.74 (bargain) (fyi: name cheap ssl types).

1.6 Check the name cheap coupons page and apply this months coupon for 10% off.

1.7 Confirmed the order for $11.05 USD.

1.8 Congratulations you have just ordered a domain and SSL certificate.

More details: https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars

2. Create a http://www.c9.io account

This will give you a nice UI to manager your unmanaged server.

2.1 Upgrade from the free account to the “Micro $9.00 / monthly” at https://c9.io/account/billing (this will allow you to use the c9.io IDE to connect to as many Ubuntu VM’s as you wish).

3. Buy the hosting (droplet) from digital ocean

3.1 Go to https://wwww.digitalocean.com and create an account and log in.

Note: If you are adding an additional server (droplet) to a digital ocean account and you want the droplets to talk to each other make sure your existing servers have a private network setup.

3.2 Click Create Droplet

3.3 Enter a server name: e.g “yourdomainserver”

3.4 Select a Server Size (this can be upgraded later), Digital Ocean recommends a server with at least 30GB for a WordPress install (but you can upgrade later).

3.5 Select an Image (you can stick with a plain ubuntu image) but it may save you time to install an image with the LAMP stack already on it.

LAMP stack is a popular open-source web platform commonly used to run dynamic websites and servers. It includes Linux, Apache, MySQL, and PHP/Python/Perl and is considered by many the platform of choice for development of high-performance web applications which require a solid and reliable foundation.  I will select LAMP.

3.6 Tick “private networking” if you think you may add more servers later (growing business)?

3.7 Paste in your SSH key from your c9.io account at https://c9.io/account/ssh (this is important, don’t skip this).

3.8 Click Create Droplet

3.9 Congratulations you have just created an Ubuntu VM in the cloud.

3.10 If you type your droplets IP into a web browser it should load your pages from your web server.

3.11 You can view your ubuntu droplet details in the digital ocean portal.  You may need to reboot the server, make snapshots (backups) of reset passwords here.

3.12 You will need to change your droplets root password that was emailed to you from digital ocean (if you never received one you can reset a root password change in the digitalocean.com portal).  You can change your password by using the VNC window in the digital ocean portal https://cloud.digitalocean.com/droplets/ -> Access -> Console Access). If you had no luck changing you password with the VNC method you may use your Mac terminal and type: ssh [email protected] (where xx is your droplets IP) – then type yes, enter your password from the digital ocean email and change the password to a new/strong password (and write it down).

3.13 Now we will need to install the distro stable nodejs (for c9.io IDE) into the droplet by typing “sudo apt-get update” then “sudo apt-get install nodejs“.

4. Now we can link the digital ocean ubuntu server to the http://www.c9.io IDE.

4.1 Login to your c9.io account.

4.2 Click Create a new workspace.

4.3 Enter a Workspace name and description.

4.4 Click Remote SSH Workspace

4.5 Enter “root” as the username

4.6 Type in your new servers IP (obtained from viewing your droplet at digital ocean https://cloud.digitalocean.com/droplets ).

4.6 Set the initial path as: ./

4.7 Set the NodeJS path as: /user/bin/nodejs

4.7 Ensure your SSH key is the same one you entered ito the droplet.

4.8 Click Create Workspace.

Troubleshooting: If your workspace cannot login you may need to SSH back into your droplet (via Digital ocean VNC or telnet SSH and paste your c9.io SSH key into the ~/authorized_keys file and save it). I used the command “sudo nano ~/.ssh/authorized_keys”, pasted in my c9.io SSH key then pressed CTRL+0 then ENTER then CRRL+X

4.9 If all goes well you will see c9.io now has a workspace shortcut for you to launch your website.

4.10 You will be able to connect to your droplet from c9.io and edit files or upload files (without the hassle of using SFTP and CPanel).

5. No we will link the domain name to the IP based droplet.

5.1 Login to your name cheap account.

5.2 Click “Account” then  “Domain List“, turn off domain parking and then click  “Manage”  (next to the new domain) then click “Advanced DNS

5.3 Click “Edit” next to “Domain Nameserver Type” then choose “Custom“.

5.4 Add the following three name servers “ns1.digitalocean.com“, “ns2.digitalocean.com” and “ns3.digitalocean.com” and click “Save Changes“.

namecheapnameservers

5.5 Login to https://cloud.digitalocean.com/domains and select your droplet and type your domain name (e.g “yourdomain.com”) into the domain box and select your droplet

5.6 Configure the following DNS A Name records “@”-“XXX.XXX.XXX.XXX” where XXX is our server name and CName Records “www”-“www.yourdomain.com.” and “*”-“www.yourdomain.com.”

It can take from 24-48 hours for DNS to replicate around the world so I would suggest you goto bed at this stage: You can use https://www.whatsmydns.net/#A/yourdomain.com to check the DNS replication progress.

5.7 But if you are impatient check out the DNS replication around the world using this link: https://www.whatsmydns.net

fyi: The full name cheap DNS guide is here.

fyi: The Digital Ocean DNS guide is located here

Setup a SSL Certificate

You can skip section 6 to 6.17 and install a free SSL certificate if you wish (read this guide on using Lets Encrypt ).

Follow the rest of this guide if you want to buy an SSL cert from Namecheap (Comodo (Lets Encrypt is easier)).

6. Login to the Namecheap server.

6.1 Open your c9.io workspace to your domain

6.2 Click the Windows then New Terminal menu

6.3 Type: cd ~/.ssh/

6.4 openssl req -newkey rsa:2048 -nodes -keyout servername.key -out servername.csr

6.2 Type the following to generate CSR files  (my server is “servername.com”, replace this with your server name ).

# cd ~/.ssh
.ssh#

openssl req -newkey rsa:2048 -nodes -keyout servername.key -out servername.csr

Generating a 2048 bit RSA private key
.............................+++
............+++
writing new private key to 'servername.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:New South Wales
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fearby.com
Organizational Unit Name (eg, section) []:Developer
Common Name (e.g. server FQDN or YOUR name) []:servername.com
Email Address []: [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:****************
string is too long, it needs to be less than  20 bytes long
A challenge password []:***************
An optional company name []:Your Nmae
~/.ssh# ls -al
total 20
drwx------ 2 root root 4096 Oct 17 10:20 .
drwx------ 7 root root 4096 Oct 17 10:17 ..
-rw------- 1 root root  399 Oct 17 08:06 authorized_keys
-rw-r--r-- 1 root root 1175 Oct 17 10:20 servername.csr
-rw-r--r-- 1 root root 1704 Oct 17 10:20 servername.key

6.3 Using the folder structure in c9.io browser to /root/.ssh/ and open the text file “servername.csr” and copy the file contents.

6.4 In a separate window go to https://ap.www.namecheap.com/ProductList/SslCertificates paste in the “” file contents and click Submit

6.5 Verify your details and click next

6.6 Next you will need to verify your domain by downloading and uploading a file to your server. Under “DCV Method” select “HTTP” and follow the prompts at name cheap to download the file.

6.7 Complete the Form (company contacts and click next).

6.8  Go to Certificate Details page to download the validation file. Or you can wait for the email with zip file attached.

fyi: the support forums for this certificate are https://support.comodo.com (but the site is rubbish, most pages load empty (e.g this one)).

6.9 Under “DCV Methods in Use” click ‘Edit Methods” then “Download File”

6.10 Using the c9.io interface upload the file to the /var/www/html folder (drag and drop)

6.11 Wait 1/2 hour and then go back to your name cheap dashboard and see if the certificate has been verified (it may take longer than that).

6.12 After a while a certificate will be issued, Unser See Details click Download Certificate.

6.13 Upload the certificate files (“weatherpanorama_link.ca-bundle”,”weatherpanorama_link.crt” and “servername.p7b” ) files using the c9.io IDE to /root/.ssh/

6.14 Add this “ServerName localhost” to “/etc/apache2/apache2.conf”.

6.16 In a c9.io terminal run this command “sudo nano /etc/hosts” and add this line “127.0.0.1 servername.com”

6.17 Run this command in a  c9.io terminal  ‘sudo a2enmod ssl”

fyi: Comodo support forums: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/1

fyi: Comodo apache certificate installation instructions: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/certificate-installation-apache–mod_ssl

Don’t forget to cache content to optimise your Web server

Security

Having a server introduces risks, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
todo: SSL https://www.namecheap.com/support/knowledgebase/article.aspx/794/67/how-to-activate-ssl-certificate

Easily deploy an SSD cloud server on @DigitalOcean in 55 seconds. Sign up using my link and receive $10 in credit: https://wwww.digitalocean.com

end skip —

Seriously Lets Encrypt allows you to add an  SSL cert in minutes (over Comodo SSL certificates)

Donate and make this blog better


Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.7 added some more.

Adding a commercial SSL certificate to a Digital Ocean VM

by

fyi: Consider reading this first (newer blog post):  How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.

If you have read my quickest way to setup a scalable development ide and web server guide chances are you setup a www.c9.io development IDE connected and Digital Ocean Ubuntu VM in the cloud for about $5 a month.  It did not take me long to install an NGINX web server, PHP, MySQL and phpMyAdmin sites. The next logical step is to secure my site with an SSL certificate.

I have purchased commercial SSL certificate in the past for a CPanel sub domain and they cost about $150 a year.  I always thought the certificate was set in stone and if it was a weak certificate it would perform poorly in the essential https://www.ssllabs.com/ssltest/index.html certificate tester.

I ran a quick test over my previously purchased managed host provided certificate (lets just say it performs poorly).

Managed WebServices SSL
Managed WebServices SSL Report

Generating a $0 self signed SSL Certificate (Digital Ocean VM)

Digital Ocean have fantastic guides and I searched Google for “digital ocean how to create an ssl certificate” and read this guide. Within a few minutes I had generated a self signed certificate and added it to my NGINX config and had SSL enabled on my site.  The only problem the certificate said it was not trusted by a third party (this may be ok for a closed development box but it would not be good on a production environment).

Self Signed Certificates are not trusted
Self Signed Certificates are not trusted

Generating a $9 commercial SSL Certificate (Digital Ocean VM)

I googled and found this Digital Ocean guide How To Install an SSL Certificate from a Commercial Certificate Authority.

Without listing each step I performed I was able to generate a “key” and “csr” file (from the digital ocean guide, I ignored the Namecheap’s guide). These files are needed to seed the commercial SSL certificate.

I decided to buy a domain certificate from RapidSSL via Namecheap (as they responded to a Livechat support request where GoDaddy ignored the live chat). A Namecheap certificate for my subdomain was going to cost me $9 US a year (that is mega cheap compared to the $150 a CPanel host was going to charge me).  Maybe the $9 certificate will be crap?

I followed the digital ocean guide and to my surprise I had a valid certificate emailed to me within 15 minutes once I followed the process to purchase, verify activate the certificate. To Namecheap’s credit the live chat person (“Anastasia B”) stuck with me as answered frequent questions I had (I thought $9 was too good to be true).

Once I had the commercial keys I was able to generate the private/public keys that feed into the commercial certificate with this command (replace “thesubdomain” with your subdomain and the “the domain” with your domain, if you are not applying the certificate to a subdomain then exclude the sub domain.).

>cd /etc/nginx/ssl/

> openssl req -newkey rsa:2048 -nodes -keyout thesubdomain_thedomain_com.key -out thesubdomain_thedomain_com.csr

The contents of the locally generated certificates were then pasted into the Namecheap SSL pages based on the digital ocean guide. At the end of the Namecheap purchase and verification process I was emailed 4 files that make up the certificate. The Digital Ocean and Namecheap guides were a bit short on combining the certificated but this was the working command to merge the bits intone valid certificate.

> cd /etc/nginx/ssl/

>cat thesubdomain_thedomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> cert_chain.crt

Then all I had to do was configure NGINX to use the certificate.

> listen 443 ssl;
> server_name thesubdomain.thedomain.com;
> ssl_certificate /etc/nginx/ssl/cert_chain.crt;
> ssl_certificate_key /etc/nginx/ssl/thesubdomain.thedomain.key;

SSL Enabled

A quick restart of the NGINX server and the certificate was good to go, I now had trusted SSL certificate enabled on my site.

I ran a SSL labs test over the site and got a lame C ranking.  WTF, I though SSL was supposed to make sites secure. Maybe there is more I can do to make this secure.

SSL Test After Install
SSL Test After Install

Research and Lockdown Mode

I googled as much as I could find on NGINX and SSL security.

Essential reading:

To me the biggest failing point in the OpenSSL test was a weak PRIME in the Diffe-Hellman crypto,  I thought I could just disable these crypto algorithms but this was not the case.  The secret is to generate a new 2048 bit key on my digital ocean server for ssl to use in connections with browsers instead of the known 1024 bit key.  This was as simple as running this command (and waiting 10 mins):

>cd /etc/nginx/ssl/

> openssl dhparam -out dhparams.pem 2048
>Generating DH parameters, 2048 bit long safe prime, generator 2
>This is going to take a long time

Then when the key is generated you can add it to your NGINX config

>  ssl_dhparam /etc/nginx/path/dhparams.pem;

So after much trial and error this is the bulk of my NGINX configuration

listen 443 ssl;

# Change to your server
server_name thesubdomain.thedomain.com;
# Location of the private key and merged certificates
ssl_certificate /etc/nginx/ssl/cert_chain.crt;
ssl_certificate_key /etc/nginx/ssl/thesubdomain.thedomain.com.key;

# Here are the cyphers we are ignoring
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

# Only use a small set of ciphers (may not work on older devices or browsers (but screw them)
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

# Force only allowing the ciphers above
ssl_prefer_server_ciphers on;

#use the 2048bit DH key
ssl_dhparam /etc/nginx/ssl/dhparams.pem;

# Don't allow old encryption methods like SSL3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Set SSL caching and storage/timeout values: 
# More info: http://nginx.com/blog/improve-seo-https-nginx/
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 4h;
# Prevent Clickjacking
add_header X-Frame-Options DENY;

# Prevent MIME Sniffing
add_header X-Content-Type-Options nosniff;

# Disable session tickets
ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7

# Use Google DNS
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# force https over http
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# No need to manually redirect all traffic to https as the header above does this
#rewrite ^/(.*) https://thesubdomain.thedomain.com/$1 permanent;

Conclusion

This is my result on SSLLabs SSL test now. Not bay for $9 and a few hours researching.

Final SSL Labs Score
Final SSL Labs Score

A big Thank You goes to “Anastasia B” on the Namecheap Livechat, they stuck with me while I jumped ahead and ignored the guides.

If you need an SSL certificate choose https://www.namecheap.com/ and don’t forget http://www.digitalocean.com for full access VM’s.

Also listen to this podcast of you an to understand how HTTPS and the internt works.

Also check out how to update your Open SSL and security: https://fearby.com/article/update-openssl-on-a-digital-ocean-vm/

Security

Having ssl may not be enough, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
Please signup for our newsletter
[mc4wp_form]

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

The quickest way to setup a scalable development ide and web server

by

fyi: Consider reading this first (newer blog post):  How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.

Buying a Domain

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Why do I need a free Development IDE/VM

  • You already have heaps of sub domains/sites/blogs on one CPanel domain and you don’t want to slow down your server anymore.
  • You need a new collaboration web server setup in minutes.
  • You want a server where you have full control to install the latest widgets (NGNIX, NodeJS etc).
  • You want a single interface where you can deploy, develop and test online.
  • You want to save money
  • You want to access and edit your sites from anywhere.

The Solution

Cloud9 ( http://www.c9.io ) combines a powerful online code editor with a full Ubuntu server in the cloud. Simply pick your configuration, develop an app, invite others in to preview and help code.

Update 2018: For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Now there is no need to spend valuable development time on setting up hardware/software platform. You can create, build and run almost any development stack in minutes. Cloud9 maintain the server and you have full control it.

Signing up for a C9 account.

Cloud 9 offer a number of hosting plans (one free) with a range of hardware resources for when you want to scale up.  The free tier is great if you want to keep your development environment closed.  Use this link and get $19 free credit https://c9.io/c/DLtakOtNcba

c92016

Before you connect to your digital ocean VM connect to the server via the console in the digital ocdan admin pane (you may need to reset your root password) and then install NodeJS (Required by c9.io IDE).

Installing NodeJS

  • curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash –
  • sudo apt-get install -y nodejs
  • node -v

Now you will have node v6.3.0

Create a development Workspace.

Once you create a Cloud 9 account you can create a VM workspace. You can choose some common software packages to installed by default.  Don’t worry you can install anything you want later from the command line in the VM.

c92016b

How simple is that, a new development environment in minutes.

Development Workspace

You can edit new code, play with WordPress or NodeJS all from the one Cloud9 IDE. The Cloud 9 IDE allows you to open a “bash terminal” tab, folder list, web browser, code window and debug tools (all from the web).

Code on the left, WordPress on the right, terminal on the bottom 🙂

Edit and View Code Workspace
Edit and View Code Workspace

C9 IDE

You can Install what you want

Because you have access to the Linux bash terminal you can for example type the following to install an NGNIX web server.

  1. sudo apt-get update
  2. sudo apt-get install nginx
  3. sudo service nginx start

Full Bash Terminal

Full Bash Terminal

As usual installing stuff in Linux requires loads of googling and editing config files so beware.

What are the downsides of a c9.io Ubuntu server?

Your development environment (public of private) is mostly off limits to the outside world unless you invite people in who have a Cloud 9 account.  This is great if you want to develop a customers website off the grid and keep is secure or share the development with other developers.  Cloud 9 don’t really have a “goto production plan” so you will need to find a host to deploy to when you are ready.

Luckily this is where http://www.digitalocean.com comes in, Digital Ocean allow you to create a real/public VM (just like Cloud 9) and best of all you can connect it to the Cloud 9 IDE..

The only downside is you will need to move on from the free Cloud 9 account and pay $9 a month to allow you to connect securely (via SSH) to your new (Real) Digital Ocean VM.  On the up side the $19 month plan gives you twice the ram (1GB) and 10x the storage (10GB) and you can have 2 premium (private accounts).

Signing up for a Digital OceanAccount

The cheapest Digital Ocean Hosting plan is $5 a month. If you want $10 free credit at Digital Ocean (two months free) please use this link: https://www.digitalocean.com/?refcode=99a5082b6de5

Tip:

Granting SSH Access (before you create a server (droplet))

Tip: Add your Cloud 9 SSH key to your account before creating a droplet (VM). I added my SSH key when the VM/Droplet was create and I could not connect to it from Cloud 9. I then deleted the droplet, added the SSH key to my Digital Ocean account here then created the Droplet (VM) and all was ok.  You can find your SSH key on the front page of your cloud 9 desktop.

do2016b

This is the magic option, if you skip this you will be emailed a password to your VM and you will be on your own connecting to it with a secure terminal window. If you add your Cloud 9 SSH key ( found in your Cloud 9 IDE https://cloud.digitalocean.com/settings/security ) you can connect to and control your new Digital Ocean VM from the Cloud 9 UI.

Now you can create a server (droplet)

do2016

A digital ocean server can be setup in minutes. If you only use it for 2 weeks you will only be charged for 2 weeks. If you use my link your first 2 months are free (if you select a $5 server).

Your server should be created in well under 5 minutes. Write down your VM’s IP.

Digital Ocean Droplet (VM) Created
Digital Ocean Droplet (VM) Created

Connecting your C9 account to Digital Ocean Droplet

Now go back to Cloud 9 and login. Go here ( https://c9.io/account/ssh ) and add your SSH key from Digital Ocean.

Cloud 9 guide on setting up SSH on your server: https://docs.c9.io/docs/running-your-own-ssh-workspace

Advertisement:



fyi: Here is a more recent post of how to connect Cloud 9 with AWS.

Create a new workspace with these settings (but use your IP from digital ocean) to connect to your new Digital Ocean VM.

c92016c

Now you can develop like a pro. Cloud 9 will allow you to login to your development environment from anywhere and resume where you left off.

Traps and Tips

Connecting your new Cloud IP to a CPanel sub domain

If you have CPanel domain elsewhere you can link your new Digital Ocean Cloud VM IP to a new sub domain.

  1. Login to your CPanel domain UI.
  2. Click Simple DNS Zone Editor
  3. Type the sub domain name (swap my domain.com to your domain).
  4. Enter the IP for your Digital Ocean domain (you get this from the Digital Ocean account page).
  5. Click Add a record.

    DNS Zone
    DNS Zone
  6. Now when someone types http://newcloud.mydomain.com they get redirected to your new cloud domain but the URL stays the same (how professional is that).
  7. You can add multiple A name records pointing to the same IP.

Summary

$19 a month gives me a kick arse www.c9.io development environment and a few VMs.

$5 a month gives me my own real VM that I can scale up.

Coupon

You can easily deploy an SSD cloud server in 55 seconds for $5 a month. Sign up using my link and receive $10 in credit: https://www.digitalocean.com/?refcode=99a5082b6de5

Security

After a few weeks, do check your website with https://www.shodan.io and see if it has open software or is known to hackers.

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]
V1.6 security