Thursday, January 9, 2020

Add alias for apache virtualhost with proxypass

If you are hosting an html or php website using apache, you can add DocumentRoot (path of the project Directory) in your virtualhost with ServerName and your web application can be accessed in browser easily. If you want to add Alias for such virtualhost, you can easily add Alias attribute in same virtualhost and you can show content of desired directory if alias is used in the web application url.

But suppose you have created a virtualhost to show the content of another web server like Python, Ruby or Node. You must have used proxypass to achieve this. Adding proxypass and proxypassreverse you can open content of another server through port 80 in apache.

The real issue with proxypass websites are, it is hard to create Alias for the web application urls.
Suppose you want to open content of folder images-2019 when /myimages is typed after domain. If you would use php, you could define. 
Alias /myimages /path/of/images-2019
But this will not work here with proxypass virtualhost because it is already showing content of a webserver which is running on another port. This alias can not work with added configuration. To achieve this, you need to add alias in following way

Suppose you want to show robots.txt in a proxypass server(Ex- Django). Your url will be http://your-servername/robots.txt
Django will not show content of robots.txt as robots.txt path should be added in urls.py. Django only serves those content which is defined in it.
To open this url, you need to add in your virtualhost 
ProxyPass /robots.txt !
Alias /robots.txt /path/of/robots.txt
Make sure you have added this above proxypass and proxypassrevese parameters, something like this. 
<VirtualHost *:80>
ServerName subdomain.domain.com
ProxyPass /robots.txt !
Alias /robots.txt /path/of/robots.txt
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
</VirtualHost>
Now your servername can open robots.txt using http://subdomain.domain.com/robots.txt
Author : Pavitr Kanetkar | No comments:
Labels: , , , , , ,

Connect to Docker Mysql remotely using public IP

You want to connect to mysql server which is installed and configured inside docker container, from host or from remote server. To achieve this you need to make sure your host system has public IP. Docker container is a virtual machine. The system where docker is installed known as Host Machine. You can connect from Host Machine to Docker container Mysql server using private IP and public IP both.

Here I am going to show how to connect docker container mysql server using public IP.

1. Your docker container mysql server port (default 3306) should be mapped with one of the port of host system. If no mysql server is running on host system then you can map the same port i.e. 3306 but if a mysql server is running on host system, you need to map docker container mysql server with another port of host system. Suppose it is 3500. When you launch the container using docker run command, you can pass attribute -p with it to map ports between container and host system.

2. Now next thing is, your docker container mysql server config should not be binded to local host or 127.0.0.1 only. It means, this mysql server can be connected from localhost only. As we are connecting mysql server remotely, this option should be commented.
 
#bind-address = 127.0.0.1
Once you comment it in mysql config, restart the mysql server.

3. Now you need to give global access permission to mysql user. It is your mysql user, you are going to connect into mysql server using this username.
To give global access to mysql user, Host should be % in user table and db table both for the mysql user.
Make sure you have updated Host as % for same combination of user and database in db table.

4. Now make sure port 3500 is opened in your firewall and it can be accessed remotely

5. Now try to connect docker mysql using public ip
 
mysql -u mysqlusername -p -h 209.45.xx.xx -P 3500
As 3500 is the port where we mapped docker mysql port to Host system port, we will pass this in command to connect to docker mysql server through host system.

Now you should be able to conenct to docker mysql server remotely.
Author : Pavitr Kanetkar | No comments:
Labels: , ,

Tuesday, December 17, 2019

AWS RDS - Update Your Amazon RDS SSL/TLS Certificates by February 5, 2020

If you got the mail from AWS about updating your client side certificate for RDS connection, this is a very simple explanation about what you need to do. Your first concern is functionality of your application should not be affected and everything should be working as smoothly as now.

 When you connect to database, either you connect to it securely or non-securely. If you connect to database non-securely, you do not need to worry about the mail you received as it affects only those connection which are made securely. Suppose your RDS is mysql or postgres and you connect to it from php framework or Python, you need to check the database connection code and if ssl/tls parameter is defined with client certificate file, it means you are using secured method to connect to RDS. You need to download latest client side certificate file from here or here and replace with existing one.

 Another way of checking it, you need to check the parameter rds.force_ssl in parameter groups settings of your RDS instance. If its value is set to 0, it means insecure RDS conenction can also be made but if its value is 1 then no insecure connection can be made. Your code must have used client side certificate file to make it working successfully.

 Similarly if force ssl is on, you can not connect to database on command line without addressing client side certificate file.
Here is an example to connect Postgresql RDS server on comamnd line
psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"

 Secure Mysql connection on RDS
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert
If you enable set rds.force_ssl and restart your instance, non-SSL connections are refused with the following message for postgresql
psql: FATAL: no pg_hba.conf entry for host "host.ip", user "someuser", database "postgres", SSL off
and similar message will be displayed for mysql and other RDS database types.
Author : Pavitr Kanetkar | No comments:
Labels: , ,