In this episode I get the Basic Authentication NGINX configuration working using the envsubst tool to replace environment variables in the config file.
Question you want answered in a future video? Pair on a problem? Constructive feedback? DM me or email ask@saturdaymp.com.
UPDATE: The service is accessible by its domain (#Ingress) as soon as I set the DNS server of my client machine to my PiHole. For other systems not using my local DNS (so outside my network), the domain remains unreachable. My suspicion is an issue with the Port Forwards, but idk what's wrong w em as it is.
Note: this may not be in the exact order. If the order to any of this is important, feel free to point that out.
I've added to #Cloudflare, to my zone (domain), the hostname foo pointing to my network's public IP.
I've deployed everything you'd need including #MetalLB (which determines the dedicated Ingress private IP), #nginx-ingress (type set to LoadBalancer instead of NodePort), and #cert-manager (with both HTTP/DNS clusterissuers). If you want to take a peek at how I've deployed/configured them, more details are on here: https://github.com/irfanhakim-as/orked.
I've added foo.domain to the closest thing resembling a DNS server that I have, #PiHole, pointing to the dedicated Ingress private IP.
I've set my router's only DNS server to the PiHole's IP.
I've set all my Kubernetes nodes' (Masters and Workers) DNS1 to the Router's IP (DNS2 set to Cloudflare's, 1.1.1.1).
I've created a port forwarding rule for HTTP on my router with 1) WAN Start/End ports set to 80, 2) Virtual Host port set to its nodePort (acquired from kubectl get svc -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.spec.ports[0].nodePort}' i.e. 3XXXX), 3) Protocol set to TCP, and 4) LAN Host address set to the dedicated Ingress private IP.
I've created a port forwarding rule for HTTPS on my router with 1) WAN Start/End ports set to 443, 2) Virtual Host port set to its nodePort (acquired from kubectl get svc -n ingress-nginx ingress-nginx-controller -o=jsonpath='{.spec.ports[1].nodePort}' i.e. 3XXXX), 3) Protocol set to TCP, and 4) LAN Host address set to the dedicated Ingress private IP.
I've deployed a container service, and an Ingress for it, using #LetsEncrypt's DNS validation clusterissuer.
Current result:
Cert-manager creates a certificate automatically and is in a Ready: True state as expected.
The subdomain (foo.domain) however remains unreachable, no 404 errors, no nothing. Just "The connection has timed out" error.
Describing the container service's ingress (foo.domain), shows that it's stuck at "Scheduled for sync".
#Kubernetes and #Networking experts - please tell me what I've done in any of this that was either wrong or unnecessary, or what I'm currently missing here for me to reach my goal of being able to get my container accessible via foo.domain through that Ingress. I suspect that I might be doing something wrong with this whole DNS mess I literally cannot fathom. I feel like I'm insanely close to getting this thing to work, but I fear I'm also insanely close to blowing up my brain.
cc: @telnetlocalhost (thanks for bearing w me and getting me this far)
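An added check for the two port-forwarding rules described above (this is not the poster's code or setup): Kubernetes exposes a Service of type LoadBalancer on the load-balancer address at the Service port, and on every node address at the nodePort, so a router rule must pair one of those hosts with its matching port. The script uses constructed stand-ins for the `kubectl get svc ... -o json` output and the node addresses (all IPs and nodePorts are made up) and lists which LAN host:port pairs a WAN 80/443 forward can validly point at.

```python
import json

# Constructed stand-in for `kubectl get svc -n ingress-nginx ingress-nginx-controller -o json`,
# trimmed to the fields that matter; addresses and nodePorts are made up.
SAMPLE_SVC = json.loads("""
{"spec": {"type": "LoadBalancer",
          "ports": [{"name": "http",  "port": 80,  "nodePort": 31080, "protocol": "TCP"},
                    {"name": "https", "port": 443, "nodePort": 31443, "protocol": "TCP"}]},
 "status": {"loadBalancer": {"ingress": [{"ip": "192.168.1.240"}]}}}
""")
# Constructed node INTERNAL-IPs, as `kubectl get nodes -o wide` would list them.
SAMPLE_NODES = ["192.168.1.11", "192.168.1.12"]


def forward_targets(svc: dict, node_ips: list[str]) -> dict[int, list[tuple[str, int]]]:
    """Map each Service port (the WAN port to forward) to the LAN host:port pairs that listen.

    A LoadBalancer Service is reachable on <LB IP>:<port> and on every <node IP>:<nodePort>;
    <LB IP>:<nodePort> is not one of its listeners, so a forward to it just times out.
    """
    lb_ips = [i["ip"] for i in svc["status"]["loadBalancer"].get("ingress", []) if "ip" in i]
    targets: dict[int, list[tuple[str, int]]] = {}
    for p in svc["spec"]["ports"]:
        if p.get("protocol", "TCP") != "TCP":
            continue
        pairs = [(ip, p["port"]) for ip in lb_ips]
        if "nodePort" in p:
            pairs += [(ip, p["nodePort"]) for ip in node_ips]
        targets[p["port"]] = pairs
    return targets


def check_rule(svc: dict, node_ips: list[str], wan_port: int, lan_host: str, lan_port: int) -> bool:
    """True if a router rule WAN:wan_port -> lan_host:lan_port points at something that listens."""
    return (lan_host, lan_port) in forward_targets(svc, node_ips).get(wan_port, [])


if __name__ == "__main__":
    for wan, pairs in forward_targets(SAMPLE_SVC, SAMPLE_NODES).items():
        print(f"WAN {wan} -> " + ", ".join(f"{h}:{p}" for h, p in pairs))
    # The shape of the rules in the post: LB address as LAN host, but the nodePort as LAN port.
    print("LB IP + nodePort listens?", check_rule(SAMPLE_SVC, SAMPLE_NODES, 80, "192.168.1.240", 31080))
```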
Which web server is the fastest and most suitable for you if it has to distribute the network requests to different services located in virtual operating systems? It should also be relatively easy to configure 🤔 :BoostOK:
However, I'd first consider looking at PSGI/Plack (https://plackperl.org/). If you can switch to that, your Perl code is pretty much server-agnostic at that point. Makes it much easier to switch servers if you need to.
@miyagawa could probably answer questions about that, too (he wrote PSGI/Plack)
I did it. 🫣 feuerfis.ch has been online since last night. 😀
What convinced me in the end was that I'd wanted a "real" server anyway, one I can let loose on completely freely. And those have genuinely become quite affordable by now!
I was impressed by how easy #FireFish is to install! 😳
Simply order an Ubuntu VPS, install curl, wget and git, and then start an installation script whose parameters you only need to adjust slightly.
The script installs and configures everything needed, if you want it to. Even #Nginx and all the other required services, if they aren't already present. I had even installed Nginx and PostgreSQL beforehand, because I wasn't sure how far the script would go. It coped fine with a prior "partial installation" too.
You then need a bit of time and, above all, you mustn't get nervous with the script 😀; there were 2 points where it really "hung" for a very long time without any message. But then it ran through without any problems at all.
It's been a rocket ship adventure, for sure. We tried a few things, but it turns out that 0-vulnerability open-source container images are a big deal.
Somehow in 2023, we are still at the point where projects like #NodeJS, #nginx & #PHP publish container images with hundreds of CVEs. We minimize, harden, and remove vulns from these images, and our customers love it.
Hey #nginx ninjas, I need your input. I want to run a Python script on my VPS that will have access to nginx access.log. The script belongs to my user, the access.log belongs to www-data. What is the safest way to allow the script to have read access to that log? I'm thinking of doing a cron job that will every X minutes copy the file to my home folder and change its owner. But that cron job would require extended permissions. How to do it safely?
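An added example, not from the post or its replies, of what the reading side can look like once read access is granted directly (by group membership or a file ACL on the log, an assumption here rather than the copy-and-chown cron job): the script needs nothing beyond read permission, opens the log read-only and refuses to follow a symlink at the path, keeps its own offset, and copes with logrotate replacing the file (new inode) or truncating it in place. The log lines and the temporary directory are constructed for the demo.

```python
import os
import tempfile

# Constructed nginx combined-format lines (made-up addresses and paths) for the sample log.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
    '203.0.113.8 - - [10/Oct/2023:12:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

class ReadOnlyTail:
    """Return new access.log lines using nothing but read permission on the file."""

    def __init__(self, path: str):
        self.path, self.fd, self.inode, self.offset, self.partial = path, -1, None, 0, b""

    def _open(self) -> None:
        if self.fd >= 0:
            os.close(self.fd)
        # Read-only, refuse a symlink planted at the path, never leak the fd to child processes.
        self.fd = os.open(self.path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
        self.inode, self.offset = os.fstat(self.fd).st_ino, 0

    def read_new_lines(self) -> list[str]:
        try:
            on_disk = os.stat(self.path).st_ino
        except FileNotFoundError:
            return []  # rotated away and not recreated yet; retry on the next call
        if self.fd < 0 or on_disk != self.inode:
            self._open()  # logrotate 'create' mode swapped in a new inode
        if os.fstat(self.fd).st_size < self.offset:
            self.offset = 0  # logrotate 'copytruncate' mode shrank the file in place
        data = os.pread(self.fd, 1 << 20, self.offset)
        self.offset += len(data)
        *lines, self.partial = (self.partial + data).split(b"\n")  # keep an unfinished line
        return [line.decode("utf-8", "replace") for line in lines]

def demo() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "access.log")
        with open(log, "w") as f:
            f.write("\n".join(SAMPLE_LINES) + "\n")
        tail = ReadOnlyTail(log)
        first = tail.read_new_lines()
        os.rename(log, log + ".1")  # what logrotate's 'create' mode does to the file
        with open(log, "w") as f:
            f.write(SAMPLE_LINES[0] + "\n")
        second = tail.read_new_lines()
        os.close(tail.fd)
        return first, second
```

Granting the read bit directly (e.g. a group or ACL entry for your user) means no process ever needs elevated rights just to copy the log around, and nothing in the script requires write access to /var/log/nginx.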
It'll be announced at midday UTC today (10th Oct 2023).
If there isn't an update you can deploy quickly for your affected services immediately (there should be for the better known software, they've had advance notice) then you should consider disabling the affected element until there is.
Can't share more right now but it's important so don't forget (& tell your friends!).