In this talk, Barney will be discussing and demonstrating how to: - Use nginx, Varnish and Apache together in a "SPDY sandwich" to support HTTP 2.0 - Setting up SSL properly to mitigate against attack vectors - Performance improvements with mod_pagespeed and nginx - Deploying Drupal sites with Docker containers Barney is a Technical Team Leader at Inviqa, a Drupal Association member and writes for Techportal on using technologies to improve website performance. He first started using PHP professionally in 2003, and has over seventeen years experience in software development. He is an advocate of Scrum methodology and has an interest in performance optimization, researching and speaking on various techniques to improve user experience through faster load times.

1. Dev Ops:
the next generation

2. Warning!
meme and star trek heavy

4. Who is this TREKKIE
Barney Hanlon
Technical Team Leader for Inviqa
@shrikeh

5. We’re hiring!

6. Dev ops
The story so far
(Yes I know that’s Star Wars)

7. Sysadmins
Developers
DevOps

8. “Get the code on the server”

9. FTP
CVS
Subversion
Git

10. What about all this
OTHER stuff?
•
Setting up Virtual hosts
•
User management
•
SSH access
•
File permissions
•
Log rotation
•
Firewall rules
•
Staging servers
•
Patching
•
Build pipelines
•
Concurrency
•
SSL certificates
•
Failover
•
Minification
•
Alerting

11. Developers need to know
more than how to push to
Github.

12. FIVE STAR DevOps

15. The Five Stars of DevOps

16. The Five Stars of DevOps
•
Monitoring

17. The Five Stars of DevOps
•
Monitoring
•
Security

18. The Five Stars of DevOps
•
Monitoring
•
Security
•
Performance

19. The Five Stars of DevOps
•
Monitoring
•
Security
•
Performance
•
Automation

20. The Five Stars of DevOps
•
Monitoring
•
Security
•
Performance
•
Automation
•
Scaleability

21. Am I doing something in my
application that is done better by
the infrastructure or an external
service?

22. Probably.

23. Got root?

24. Common reasons to
“just log onto the server quickly”
•
server logs in /var/log require privileges to
tail
•
setting permissions on directories
•
Processes require restarting

25. Monitoring

26. Monitoring
•
Log EVERYTHING
•
Drupal default visitor logging is heavy
•
Should you be writing to the database to
log visits?

27. NO.

28. Monitoring
•
Logging is only one part of monitoring
•
Send your Web logs to a remote service
•
Set error_log to syslog in php.ini

29. Logging Services
•
SplunkStorm
•
Loggly
•
Logentries
•
Papertrailapp

30. HOSTING YOUR OWN LOGGING
•
Splunk
•
GrayLog2
•
Sensu
•
Munin
•
Raven

31. Other monitoring
•
Nagios
•
Pingdom
•
New Relic
•
Piwik/Google Analytics

32. Profiling
•
Don’t be afraid to turn XHProf on in live
occasionally
•
Regularly check your browser HAR
•
Check APC and other caches for smells

33. Security

34. Where is the risk?
•
Application security
•
Infrastructure security
•
End user security

35. Repelling Unwelcome Guests

36. Tools to help
•
JumpCloud
•
DuoSecurity
•
Ubuntu ACL

37. Capturing Morpheus…
Not so bad.

38. Hardening SSL

39. Don’t bother
hardening SSL

40. SSL is Dead, Long Live TLS
•
No one should be using SSL any more.
•
Transport Layer Security (TLS)
•
Latest version 1.2

41. Vulnerabilities
•
BEAST Attack
•
CRIME Attack
•
Lucky Thirteen

42. HTTPS without proper ciphers gives
the illusion of security while
providing none

44. Default SSL implementations
Nginx
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
Open to Lucky Thirteen attack
Supporting SSLv3 is only required for IE6
Apache 2
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

46. “Today, only TLS 1.2 with GCM suites offer fully
robust security. All other suites suffer from one
problem or another (e.g, RC4, Lucky 13, BEAST),
but most are difficult to exploit in practice…”
–Ivan Ristic, Qualys

47. “…Because GCM suites are not yet widely
supported, most communication today is carried
out using one of the slightly flawed cipher
suites. It is not possible to do better if you're
running a public web site.”
–Ivan Ristic, Qualys

49. Diffie-Hellman Key
Exchange
•
Diffie-Hellman (DH) and Elliptic Curve
Diffie-Hellman (ECDH)
•
Allows Perfect Forward Secrecy
•
Slow :(

50. server {
…
!
add_header Strict-Transport-Security “max-age=31536000; includeSubDomains";
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH
+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve secp521r1;
}
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

51. Test your strength!
https://www.ssllabs.com/ssltest/

52. “I don’t mind that the site is
slow, at least my data is safe.”
–No user ever

53. Performance

54. SPDY

55. SPDY
•
Draft HTTP 2.0
•
Allows multiplexing a single connection
•
Requires HTTPS
•
Do you need HTTP at all?

56. PageSpeed
•
Library for Apache and Nginx
•
Automatic minification of JavaScript, CSS
and HTML
•
On-the-fly optimisations based on chosen
filters

57. The “SPDY Sandwich”
Nginx
Varnish
Nginx
PHP-FPM

58. The “SPDY Sandwich”
Nginx
Varnish
Responsible for:
• SPDY / SSL Termination
• Serving static assets
• Gzipping
• Pagespeed is user agent-aware
Nginx
PHP-FPM

59. The “SPDY Sandwich”
Responsible for:
• Caching dynamic pages
• Cookie normalisation
Nginx
Varnish
Nginx
PHP-FPM

60. The “SPDY Sandwich”
Nginx
Varnish
Nginx
PHP-FPM
Responsible for:
• Serving dynamic pages
• Generic Pagespeed optimisations

61. The “SPDY Sandwich”
Responsible for:
• PHP interpreter
Nginx
Varnish
Nginx
PHP-FPM

62. Cookies

63. Cross Site Request Forgery
(CSRF)
•
OWASP recommendation
•
Requires a token in the form and a session
token
•
Breaks most reverse proxies without
configuration

64. Am I doing something in my
application that is done better by
the infrastructure or an external
service?

65. OpenResty
•
Nginx bundle
•
Has modules for connecting to Redis,
Drizzle, memcached and many more
•
Has Lua to allow pre and post processing
on requests and responses

66. Time for a
Simplified Example

67. <?php
!
namespace InviqaDrupalCampAccess;
!
class OpenRestyTokenGenerator implements
CsrfTokenGeneratorInterface
{
private $token;
!
public function __construct($csrfToken)
{
$this->token = $csrfToken;
}
!
public function get($value = '') {
return $this->token;
}
}

68. <?php
namespace InviqaDrupalCampForm;
!
use DrupalCoreFormFormBuilder as CoreFormBuilder;
!
class FormBuilder extends CoreFormBuilder
{
public function __construct(
ModuleHandlerInterface $module_handler,
KeyValueExpirableFactoryInterface
$key_value_expirable_factory,
EventDispatcherInterface $event_dispatcher,
UrlGeneratorInterface $url_generator,
TranslationInterface $translation_manager,
CsrfTokenGeneratorInterface $csrf_token = NULL,
HttpKernel $http_kernel = NULL
) {
…

69. FIXING CSRF WITH LUA
X-CSRF-Tokenize: “[[CSRF Here]]”
OpenResty
Redis
Varnish
Nginx
PHP-FPM

70. FIXING CSRF WITH LUA
Header cached in Varnish
OpenResty
Redis
Varnish
Nginx
PHP-FPM

71. FIXING CSRF WITH LUA
•
•
•
OpenResty
Redis
Parses response (regex)!
Finds token placeholder!
Replaces with real token
Varnish
Nginx
PHP-FPM

72. !
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
header_filter_by_lua!
'!
if ngx.var.upstream_http_x_csrf_tokenize then!
! -- the backend requested a CSRF token be set!
! local csrf_cookie_token = nil!
! if ngx.var.cookie_csrf then!
! ! -- they have a cookie, just re-use it!
! ! local csrf_cookie_token = ngx.var.cookie_csrf!
! end!
! ! local resty_random = require "resty.random"!
! ! local str = require "resty.string"!
!
!
!
!
!
!
!
!
if not csrf_cookie_token then!
! -- no valid csrf cookie found, let us make one!
! !
! local cookie_random = resty_random.bytes(16,true)!
! ! !
! ! !
!
!
!
!
! ! !
while cookie_random == nil do!
! -- attempt to generate 16 bytes of!
! -- cryptographically strong (enough) random data!
! cookie_random = resty_random.bytes(16,true)!
end!

73. FIXING CSRF WITH LUA
OpenResty
Varnish
•
Redis
•
Nginx
PHP-FPM
Stores HMAC as value in Redis with
random key “csrf_”
Generates cookie with Redis key as
value

74. !
! ! -- we are about to mess around with the content of the page!
! ! -- so we need to clear this as it will be wrong!
! ! ngx.header.Content_Length = ""! ! ! !
! ! -- set the Cookie for the CSRF token!
! ! ngx.header.Set_Cookie = "csrf=" .. ngx.var.csrf_cookie_token!
! ! ngx.header.tokenize = ngx.var.upstream_http_x_csrf_tokenize!
!
! ! -- now generate one for the form token!
! ! while form_random == nil do!
!
! form_random = resty_random.bytes(16,true)!
!
! ! end!
!
! ! ngx.var.csrf_form_token = str.to_hex(form_random)!
!
! ! local redis = require "redis"!
! ! local client = redis.connect("127.0.0.1", 6379)! !
! ! client:set("csrf_" .. ngx.var.csrf_cookie_token,
ngx.var.csrf_form_token)!
! ! end!

75. FIXING CSRF WITH LUA
Check token on way back in
OpenResty
Redis
Varnish
Nginx
PHP-FPM

76. location @backend {!
! ! # You can't set variables in nginx dynamically, !
# so set this up as empty first!
! ! set $csrf_validate "";!
! ! access_by_lua !
! ! '!
if ngx.req.get_method() == "POST" then!
! -- set up forbidden as default!
! ngx.var.csrf_validate = ngx.HTTP_FORBIDDEN!
! if ngx.var.cookie_csrf then!
! ! ! ! local res = ngx.location.capture("/validate-csrf")!
! ! ! ! if ngx.HTTP_OK == res.status then!
!
! ! ! ngx.req.read_body()!
!
! ! local args = ngx.req.get_post_args()!
!
!
! ! local posted_token = tostring(args["csrf"])!
!
!
! ! if posted_token == res.body then!
!
!
! ! ! ngx.var.csrf_validate = ngx.HTTP_OK!
!
!
! ! end!
!
!
! end!
!
!
!
end!
!
end!
!
';

77. Full gist:
https://gist.github.com/shrikeh/4722427

78. Automation

79. Tooling
•
Bash scripts (!)
•
Chef/Puppet (retro)
•
Ansible!

80. Ansible
•
Requires no agent!
•
Pure SSH
•
Modules
•
YAML-based configuration
•
Playbooks (and playbooks of playbooks)

81. Ansible PLAYBOOK
!
- name: ensure SSH key exists
digital_ocean: >
state=present
command=ssh
name=case
- name: ensure droplet exists
digital_ocean: >
state=present
ssh_key_ids=57705
name={{ inventory_hostname }}
size_id=66
region_id=4
image_id=1505699
wait_timeout=500
private_networking=yes
virtio=yes
wait=yes
unique_name=yes
wait_timeout=500
register: launched
- debug: msg="IP is {{ launched.droplet.id }}"
- debug: msg="IP is {{ launched.droplet.ip_address }}"

82. Ansible
ansible-playbook base.yml -vvv -i "hosts/production"

85. Configuring Your Application

86. <?php
# /sites/default/settings.php
...
$databases['default']['default'] = array(
'driver'
=> 'mysql',
'database' => 'drupal',
'username' => 'testuser',
'password' => '123secure',
'host'
=> 'localhost',
'prefix'
=> '',
);

87. “A litmus test for whether an app has all
config correctly factored out of the code is
whether the codebase could be made open
source at any moment, without
compromising any credentials”
–The Twelve Factor App

88. “The twelve-factor app stores config in
environment variables (often shortened to
env vars or env). Env vars are easy to
change between deploys without changing
any code”
–The Twelve Factor App

89. Put your variables in PHP-FPM
/etc/php/fpm/pools/live.conf
env[db_name]
env[db_host]
env[db_user]
env[db_pass]
env[db_prefix]
=
=
=
=
=
drupal_live
192.168.0.2
liveuser
verysecurepass
drupalcamp_

90. <?php
# /sites/default/settings.php
...
$databases['default']['default'] = array(
'driver'
=> 'mysql',
'database' => getenv('db_name'),
'username' => getenv('db_user'),
'password' => getenv('db_pass'),
'host'
=> getenv('db_host'),
'prefix'
=> getenv('db_prefix'),
);

91. Provisioning
•
Idempotent deployments
•
Provision every environment the same way
•
Resist the urge to do something manually
•
Get into a workflow of automation

92. Docker

93. Docker - AN OVERVIEW
•
Lightweight Linux
Container
•
Portable environment
•
Install all your PECL
dependencies into a
container
•
Ship it

94. Problems

95. Problems
!
•
Still heavily in development, no “right way”
yet
•
Hard to set up syslog inside a container
•
Runs as root on the box

97. That’s being fixed though

99. We’re Done!

100. With thanks to
Paramount Pictures
and
startrek.wikia.com
for not suing me

101. Questions

102. Thank You!

103. My first official talk!
•
Special thanks to Lorna Mitchell, Ian
Barber and Rowan Merewood for all the
coaching
•
All feedback welcome!