Holon Hackathon 2021
Hey all!
Wanted to invite you to a Hackathon I'm organising at the moment, sponsored by Filecoin and IPFS
Up to 55k in FIL to be won!
Check out this link for all the details https://taikai.network/en/holon/challenges/holon-innovate/overview
https://redd.it/qfzfbt
@r_devops
Integrate GitHub with AWS SSO
I am trying to integrate GitHub into AWS SSO.
In the "Application Metadata" section that contains Application ACS URL and Application SAML audience. According to this link their values are different (I am taking AssertionConsumerService and EntityDescriptor) and when I upload the metadata file from the AWS SSO page, it gives some different values.
When I copy values from that link, I get "Your request included an invalid SAML response" error.
When I upload the metadata file, I get "It's not you, it's us. We couldn't complete your request right now. Please try again later." error.
I am confused about the attribute mapping part too; I have just mapped the default "Subject" to "${user:subject}".
I log in to my GitHub with my email and to my AWS with my username. I think attribute mapping is used for this, but I'm not really sure how to do it in the console.
Not really sure what I am doing wrong here, need help.
Thanks!
https://redd.it/qg1vxz
@r_devops
Can some devOps people give me some advice regarding my SQL databases for a small project? (Microsoft SQL server)
Hi All,
I'm going to be developing a small Android application (by myself) for work and am wanting some advice or direction regarding the devOps side of things. The app should be relatively straight-forward and a separate.
This project will require an API + database with a few tables, nothing major. I'm quite experienced with SQL, however I'm not sure how to go about setting my development and production environments such that it doesn't wreck me later on.
I'm using Microsoft SQL Server Developer and SSMS for development, but will be using Microsoft SQL Server Express for deployment.
I understand that I should use some SQL script, probably in source control, for creating the tables. It sounds like I should also have an easy way to push changes from the development database to production database, but I don't really know what that means or how to achieve it.
Some advice and direction would be very appreciated because I feel quite unsure about how to proceed. I don't believe I require anything too fancy.
I'd be glad to answer questions in the chat if this isn't clear.
Thanks
https://redd.it/qg0iw9
@r_devops
Terraform & Makefiles - Better options?
Seeing a lot of people using Makefiles with Terraform for CI/CD integration and smoother deployments.
Does anyone have a better alternative or is this the current best practice?
Been using the AWS CDK extensively and just coming back to using Terraform in a new role after a long absence.
https://redd.it/qg8e36
@r_devops
Interview next week
I've an interview next week for a devops position (new grad). I've been told there will be coding challenges. Most of my experience is with Docker, Kubernetes and CI/CD, and I've a basic understanding of Python. So, I'm not sure if I will be making a fool out of myself at the interview. Is there any way I can prepare myself in a week for Python?
https://redd.it/qg9fxw
@r_devops
Add new package to poetry.lock file
I have an existing repository that already has a poetry.lock file and a pyproject.toml. I would like to add numpy to the list of packages. I tried using
>poetry add numpy
But it doesn't work because I have to do this change locally and my local env doesn't have the Python version required in the poetry.lock file. In the end I am running this code on a server so I don't want to install a different Python version.
Is there any other way to add a new package? I tried adding
>numpy = "1.21.1" # in the toml file
But when I build the project I get an error that there is no version matching numpy.
https://redd.it/qgf0ja
@r_devops
Looking to Automate AD User Administration
Hi. We maintain a sandboxed network (let's call it a training lab) that has a 2016 DC and a mix of Windows and RHEL (mostly 7) hosts. I'm looking to create a web page someplace to allow other admins/operators to administer general users in the domain, including such tasks as: adding, changing, removing. We're looking to do this for two reasons: 1) we're not satisfied with the Active Directory Users and Computers (ADUC) tool, as it lacks some UNIX integration functionality, and 2) we want to minimize potential for human error (e.g., picking the next unused uidnumber).
So...being that the network is air-gapped, and everything needs to be transferred in by DVD, can someone suggest native Windows/Linux tools that would be good for accomplishing this? We have IIS and apache, so the page could be hosted on either. Python and powershell are natively available to script in, but there are obviously other candidates. I'd be interested in hearing what others think/may have done in this regard.
https://redd.it/qgepkd
@r_devops
Free intro to Linux commandline/server course starting 1 November 2021
This free month-long course is re-starting again on the first Monday of next month.
This course has been running successfully now every month since February 2020 - more detail at: https://LinuxUpskillChallenge.org - daily lessons appear in the sub-reddit r/linuxupskillchallenge - which is also used for support/discussion.
Suitable whatever your background, and aims to provide that "base layer" of traditional Linux skills in a fun interactive way.
Any feedback very welcome.
https://redd.it/qgeibn
@r_devops
Github Enterprise Cloud Security Configuration
Hi Folks - is there any resource for recommended configuration of GitHub Enterprise Cloud security?
https://redd.it/qgj45f
@r_devops
Synapse Project Discussion [K8S,Nomad Alternative]
Hi guys, I want to start a discussion about my new pet project, Synapse. It will be something like Kubernetes or docker-swarm but easier and simpler to use, so first, here is why I am "reinventing the wheel" instead of using already made wheels.
Kubernetes: Too resource hungry, over bloated for small projects and homelab use.
Docker-Swarm: No new features, and I am having weird things happen in my cluster, like images not updating correctly, some services being auto deleted, and no auto scale.
Nomad: The better of the three, lightweight, nice UI, but I really really hate the allocation resource thingy; you have to specify the minimum RAM and CPU MHz (I dunno why the fuck would someone allocate apps in MHz).
OK, the ranting is done; now I will explain what Synapse will do differently than the others.
First I will explain the concept, then I will explain the technical parts of the project.
Concept:
I want to make it a UI first, config file second approach, so everything will be available in the UI to manage and see the status of the nodes, servers, etc.
Master/server will handle container allocation, UI, reverse proxy (with load balancing), WireGuard connection between nodes; basically an all-in-one package.
If nodes and master are not on the same LAN (which will be most cases), the communication between them will be made exclusively through the VPN connection. For example, you can host the master on a VPS which has access to the public internet, and it will manage and route traffic through the VPN connection to the machines in your home.
When you create a Service/Job you will be able to specify if you want to prioritize RAM, Disk or CPU, and the scheduler will try to find the machine in your cluster that has the best of the three options and deploy there, but if needed will use the other nodes as well.
Actively move services around to optimize the hardware usage. For example, if NodeA has ProcessA which uses 30% of CPU, ProcessB which uses 1% and ProcessC which uses 5%, and NodeB has 4 processes which are barely using CPU, Synapse will move ProcessB and ProcessC to NodeB so ProcessA can utilize the NodeA CPU to the maximum.
I will try to implement all the parallel updating features and health check features of k8s, Nomad and docker-swarm in Synapse as well.
OBS: I am a C# lover so the whole stack will be in C#.
Technical aspect:
Server will be one project which will use Blazor server-side for the user interface, YARP for the reverse proxy and load balancer, LettuceEncrypt for the auto SSL goodness, Docker.DotNet for the Docker communication API.
It will only support containers, no binaries or anything of the like.
Will use LiteDB to save configuration and stats.
Communication between server and nodes will be made through a custom TCP socket for bidirectional communication.
Probably the server will not be able to run in High Availability mode; if someone disagrees, please tell me why and how I can make it HA.
Please tell me your opinions, hate on me for creating another new "wheel", any kind of feedback will be welcome. This is the first pet project that got me excited, so I want to make it as user friendly and as feature rich as I can for personal use and for the community as well.
I have no plans to monetize it; it will be open source and I will accept any contribution. For now it is too early in the development and I will make the repository public next week probably.
And please ask away if you didn't understand parts of the project; I will try to explain it better.
TLDR: I am making an alternative to K8S, Nomad and Docker-Swarm, which will be easier and pain free to use on small-medium scale projects and homelab use, and I want to discuss it so I can better make the project.
https://redd.it/qgjzjc
@r_devops
Which CI tool do you use/prefer at your work?
We have a number of CI/CD tools available now, and they provide competitive features to attract customers. Which CI tool does our DevOps community use/prefer at their work?
https://redd.it/qgndeq
@r_devops
How do you debug an issue between varnish and Apache?
[centos@ip-172-35-25-65 ~]$ varnishlog
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635280998 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281001 1.0
10 SessionOpen c 127.0.0.2 55870 127.0.0.2:80
10 ReqStart c 127.0.0.2 55870 894208400
10 RxRequest c GET
10 RxURL c /
10 RxProtocol c HTTP/1.0
10 RxHeader c X-Real-IP: 198.95.75.75
10 RxHeader c X-Forwarded-For: 198.95.75.75
10 RxHeader c X-Forwarded-Proto: https
10 RxHeader c X-Forwarded-Port: 80
10 RxHeader c Host: staging03.cherry.com
10 RxHeader c Connection: close
10 RxHeader c Cache-Control: max-age=0
10 RxHeader c Authorization: Basic aGc6am9objEyMw==
10 RxHeader c Upgrade-Insecure-Requests: 1
10 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
10 RxHeader c Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
10 RxHeader c Accept-Encoding: gzip, deflate
10 RxHeader c Accept-Language: en-US,en;q=0.9,fr;q=0.8
10 RxHeader c Cookie: ajs_anonymous_id=%22424f4cd9-cbbc-4ead-83b1-273cb21cf453%22; _fbp=fb.1.1630002144579.2012566540; __qca=P0-1416512434-1630002144589; _edwvts=708154457303700204; _gid=GA1.2.1572498662.1635275261; ajs_user_id=%224543534%40mimpi99.com%22; _gcl_au=1.1.
10 VCL_call c recv pass
10 VCL_call c hash
10 Hash c /
10 Hash c staging03.cherry.com
10 Hash c 80
10 Hash c ajs_anonymous_id=%22424f4cd9-cbbc-4ead-83b1-273cb21cf453%22; _fbp=fb.1.1630002144579.2012566540; __qca=P0-1416512434-1630002144589; _edwvts=708154457303700204; _gid=GA1.2.1572498662.1635275261; ajs_user_id=%224543534%40mimpi99.com%22; _gcl_au=1.1.1880042
10 VCL_return c hash
10 VCL_call c pass pass
10 FetchError c no backend connection
10 VCL_call c error deliver
10 VCL_call c deliver deliver
10 TxProtocol c HTTP/1.1
10 TxStatus c 503
10 TxResponse c Service Unavailable
10 TxHeader c Server: Varnish
10 TxHeader c Content-Type: text/html; charset=utf-8
10 TxHeader c Retry-After: 5
10 TxHeader c Content-Length: 392
10 TxHeader c Accept-Ranges: bytes
10 TxHeader c Date: Tue, 26 Oct 2021 20:43:23 GMT
10 TxHeader c X-Varnish: 894208400
10 TxHeader c Via: 1.1 varnish
10 TxHeader c Connection: close
10 TxHeader c X-Age: 0
10 TxHeader c X-Cache: MISS
10 Length c 392
10 ReqEnd c 894208400 1635281003.852778196 1635281003.852984428 0.000073195 0.000165701 0.000040531
10 SessionClose c error
10 StatSess c 127.0.0.2 55870 0 1 1 0 1 0 273 392
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281004 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281007 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281010 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281013 1.0
I tried to log what was happening when I got from the client side:
Error 503 Service Unavailable
Service Unavailable
Guru Meditation:
XID: 894208400
Now, I thought it was because of Apache not running, because when I close varnish I get a 502 gateway error from nginx. Anyway, I read the error
[centos@ip-172-35-25-65 ~]$ varnishlog
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635280998 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281001 1.0
10 SessionOpen c 127.0.0.2 55870 127.0.0.2:80
10 ReqStart c 127.0.0.2 55870 894208400
10 RxRequest c GET
10 RxURL c /
10 RxProtocol c HTTP/1.0
10 RxHeader c X-Real-IP: 198.95.75.75
10 RxHeader c X-Forwarded-For: 198.95.75.75
10 RxHeader c X-Forwarded-Proto: https
10 RxHeader c X-Forwarded-Port: 80
10 RxHeader c Host: staging03.cherry.com
10 RxHeader c Connection: close
10 RxHeader c Cache-Control: max-age=0
10 RxHeader c Authorization: Basic aGc6am9objEyMw==
10 RxHeader c Upgrade-Insecure-Requests: 1
10 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
10 RxHeader c Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
10 RxHeader c Accept-Encoding: gzip, deflate
10 RxHeader c Accept-Language: en-US,en;q=0.9,fr;q=0.8
10 RxHeader c Cookie: ajs_anonymous_id=%22424f4cd9-cbbc-4ead-83b1-273cb21cf453%22; _fbp=fb.1.1630002144579.2012566540; __qca=P0-1416512434-1630002144589; _edwvts=708154457303700204; _gid=GA1.2.1572498662.1635275261; ajs_user_id=%224543534%40mimpi99.com%22; _gcl_au=1.1.
10 VCL_call c recv pass
10 VCL_call c hash
10 Hash c /
10 Hash c staging03.cherry.com
10 Hash c 80
10 Hash c ajs_anonymous_id=%22424f4cd9-cbbc-4ead-83b1-273cb21cf453%22; _fbp=fb.1.1630002144579.2012566540; __qca=P0-1416512434-1630002144589; _edwvts=708154457303700204; _gid=GA1.2.1572498662.1635275261; ajs_user_id=%224543534%40mimpi99.com%22; _gcl_au=1.1.1880042
10 VCL_return c hash
10 VCL_call c pass pass
10 FetchError c no backend connection
10 VCL_call c error deliver
10 VCL_call c deliver deliver
10 TxProtocol c HTTP/1.1
10 TxStatus c 503
10 TxResponse c Service Unavailable
10 TxHeader c Server: Varnish
10 TxHeader c Content-Type: text/html; charset=utf-8
10 TxHeader c Retry-After: 5
10 TxHeader c Content-Length: 392
10 TxHeader c Accept-Ranges: bytes
10 TxHeader c Date: Tue, 26 Oct 2021 20:43:23 GMT
10 TxHeader c X-Varnish: 894208400
10 TxHeader c Via: 1.1 varnish
10 TxHeader c Connection: close
10 TxHeader c X-Age: 0
10 TxHeader c X-Cache: MISS
10 Length c 392
10 ReqEnd c 894208400 1635281003.852778196 1635281003.852984428 0.000073195 0.000165701 0.000040531
10 SessionClose c error
10 StatSess c 127.0.0.2 55870 0 1 1 0 1 0 273 392
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281004 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281007 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281010 1.0
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1635281013 1.0
I tried to log what was happening when I got from the client side:
Error 503 Service Unavailable
Service Unavailable
Guru Meditation:
XID: 894208400

Now, I thought it was because of Apache not running, because when I close varnish I get a 502 gateway error from nginx. Anyway, I read the error logs:
[Tue Oct 26 14:53:47 2021] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Oct 26 14:53:47 2021] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Oct 26 14:53:47 2021] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 26 14:53:47 2021] [notice] Digest: done
[Tue Oct 26 14:53:47 2021] [notice] FastCGI: process manager initialized (pid 23090)
[Tue Oct 26 14:53:47 2021] [notice] Apache/2.2.15 (Unix) DAV/2 mod_fastcgi/2.4.6 configured -- resuming normal operations
[Tue Oct 26 14:53:52 2021] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/html/
[Tue Oct 26 14:53:52 2021] [error] [client 127.0.0.1] File does not exist: /var/www/html/favicon.ico, referer: https://staging03.hgreg.com/
[Tue Oct 26 15:01:21 2021] [error] [client 127.0.0.1] Directory index forbidden by Options directive: /var/www/html/
[Tue Oct 26 15:01:42 2021] [notice] caught SIGTERM, shutting down
[Tue Oct 26 15:01:42 2021] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Oct 26 15:01:42 2021] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Oct 26 15:01:42 2021] [notice] Digest: generating secret for digest authentication ...
[Tue Oct 26 15:01:42 2021] [notice] Digest: done
[Tue Oct 26 15:01:42 2021] [notice] FastCGI: process manager initialized (pid 23299)
[Tue Oct 26 15:01:42 2021] [notice] Apache/2.2.15 (Unix) DAV/2 mod_fastcgi/2.4.6 configured -- resuming normal operations
[Tue Oct 26 15:11:56 2021] [notice] caught SIGTERM, shutting down
I saw SIGTERM, shutting down, so I thought maybe I should restart Apache and I did, but I get the same error, and no new logs in the error_log.
[centos@ip-172-35-25-65 ~]$ sudo service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[centos@ip-172-35-25-65 ~]$ date
Tue Oct 26 17:12:32 EDT 2021
[centos@ip-172-35-25-65 ~]$

Now, I run a puppet config, but it didn't completely run, but I have the same files. So I am wondering what might be the issue. One of the Apache config files, which is loaded since all files with conf are loaded, is like this:
<VirtualHost *>
ServerName preprod.staging03.cherry.com
ServerAlias betacherry.staging03.cherry.com staging03.cherry.com
DocumentRoot /home/staging03/version/preprod.staging03.cherry.com
ServerAdmin [email protected]
SetEnv environment preprod
SetEnv project staging03
UseCanonicalName Off
#CustomLog /var/log/httpd/preprod.staging03.cherry.com_log combined
#CustomLog /var/log/httpd/preprod.staging03.cherry.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
## User cherry # Needed for Cpanel::ApacheConf
UserDir disabled
UserDir enabled staging03
#<IfModule mod_suphp.c>
# suPHP_UserGroup staging03 staging03
#</IfModule>
SuexecUserGroup staging03 staging03
<directory "/home/staging03/version">
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi-staging03
AllowOverride All
AuthType Basic
AuthName "staging03-preprod"
AuthUserFile "/etc/httpd/conf.d/htpasswd.staging03"
require valid-user
satisfy any
deny from all
Order deny,allow
SetEnvIf X-Hg-Internal-IP 1 HgInternalIP=1
Allow from env=HgInternalIP
SetEnvIf User-Agent "Amazon CloudFront" AmazonCloudFront
Allow from env=AmazonCloudFront
SetEnvIf User-Agent "^(.*)Lighthouse(.*)$" Lighthouse=1
Allow from env=Lighthouse
</directory>
<IfModule concurrent_php.c>
php5_admin_value open_basedir "/home/staging03:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
<IfModule !concurrent_php.c>
<IfModule mod_php5.c>
php_admin_value open_basedir "/home/staging03:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
<IfModule sapi_apache2.c>
php_admin_value open_basedir "/home/staging03:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
</IfModule>
</IfModule>
<IfModule !mod_disable_suexec.c>
<IfModule !mod_ruid2.c>
SuexecUserGroup staging03 staging03
</IfModule>
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid staging03 staging03
</IfModule>
<IfModule itk.c>
# For more information on MPM ITK, please read:
# https://mpm-itk.sesse.net/
AssignUserID staging03 staging03
</IfModule>
</VirtualHost>
So what files should I look at and how do I check it's not Apache that's the problem, because we have nginx routing to varnish and then routing to Apache, so I am thinking Apache is the problem, but I don't get any useful info from the log and Apache runs without any issue, it's just not servicing the page and Varnish can't reach Apache for some reason?

I am running CentOS 6, and I have another server with the same configurations that's running well, but when I diff the etc folder, I don't really see any significant difference.

I am not sure what might be the problem here. I don't know if there's any other relevant log I can find and what I can do to test what might be wrong with Apache or varnish. I think it's not varnish the problem, because I got 503 errors before when Apache was not running properly. However, I am not sure how I can exactly find out since I don't see any error in the logs.
https://redd.it/qgn58m
@r_devops
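Added example, not part of the original post: varnishlog captures like the one above carry the client's Authorization and Cookie headers, and the Hash records repeat the cookie when the VCL hashes on it. This Python filter redacts those values before a log is shared while leaving diagnostic records such as FetchError and TxStatus intact; the header list and the sample lines are constructed assumptions.

```python
import re

# Assumption: header names treated as secret-bearing; extend as needed.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
HEADER_TAGS = {"RxHeader", "TxHeader", "ObjHeader"}

# Legacy varnishlog record as shown in the post: "<fd> <Tag> <c|b|-> <payload>"
RECORD_RE = re.compile(r"^(\s*\d+\s+(\w+)\s+[cb-]\s+)(.*)$")


def _sensitive_header(tag, payload):
    """Return (name, value) if the record is a secret-bearing header, else None."""
    if tag not in HEADER_TAGS:
        return None
    name, sep, value = payload.partition(":")
    if sep and name.strip().lower() in SENSITIVE_HEADERS:
        return name.strip(), value.strip()
    return None


def redact_varnishlog(lines):
    """Return (redacted_lines, number_of_records_redacted)."""
    records = [RECORD_RE.match(line) for line in lines]

    # Pass 1: collect the secret values so derived records can be found too.
    secrets = []
    for m in records:
        if m:
            hit = _sensitive_header(m.group(2), m.group(3))
            if hit and hit[1]:
                secrets.append(hit[1])

    # Pass 2: rewrite header records and any Hash record that repeats a secret.
    # varnishlog truncates long records, so the header copy can be shorter than
    # the Hash copy; a prefix comparison catches that case.
    redacted, count = [], 0
    for line, m in zip(lines, records):
        if m:
            prefix, tag, payload = m.group(1), m.group(2), m.group(3)
            hit = _sensitive_header(tag, payload)
            if hit:
                line = f"{prefix}{hit[0]}: [REDACTED]"
                count += 1
            elif tag == "Hash" and any(payload.startswith(s) for s in secrets):
                line = f"{prefix}[REDACTED]"
                count += 1
        redacted.append(line)
    return redacted, count


# Constructed sample in the same record layout as the post (values are made up).
SAMPLE = [
    "0 CLI - Rd ping",
    "10 RxURL c /",
    "10 RxHeader c Host: staging.example.test",
    "10 RxHeader c Authorization: Basic ZXhhbXBsZTpleGFtcGxl",
    "10 RxHeader c Cookie: sess=abc123; theme=da",
    "10 Hash c /",
    "10 Hash c staging.example.test",
    "10 Hash c sess=abc123; theme=dark",
    "10 FetchError c no backend connection",
    "10 TxStatus c 503",
]

if __name__ == "__main__":
    cleaned, n = redact_varnishlog(SAMPLE)
    print("\n".join(cleaned))
    print(f"{n} records redacted")
```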
Unpopular opinion: I was promised lightweight containers but I got yet another VM
So I started using Docker 2-3 years ago with the promise of replacing expensive VMs with 'lightweight' containers that would not hog up my development machine, but I just can't help pointing out that every time I open up Activity Monitor or Task Manager, Docker is consistently eating 4-6 GB of RAM and consistently eating up my CPU and battery. Now I consider dropping Docker completely and just running the project from the IDE or CLI.
What are your experiences?
https://redd.it/qgsg42
@r_devops
How far can you get with somebody else running sudo for you?
Hello,
we have this weird policy from global, where if we are using their VMs, they don't give us sudo permissions but if we need to run something as sudo, they will do it for us.
Of course I think it's bullshit, but to my plan later, to comply with this and make sure I am not using sudo that much
1. can I run jenkins, docker, git under 1 service account, or only option is adding them to same user group?
2. I believe that for daemon scripts ran through systemctl, they need to be under system account and there is no way around it?
3. Is there anything else apart from yum installs where I will need heavily sudo on?
I will try to see how it goes, maybe they can give me part of the sudo permissions at least, but overall I want to annoy hell out of them with as reasonable sudo requests as possible. If that won't work, I can still go to my manager and ask for local VMs, but if possible we want to use global budget, not local.

And who knows, maybe it's possible to run in this restrained mode, after initial setup is done.
https://redd.it/qgqits
@r_devops
How do we switch from php-fpm to regular php in Apache?
How do we stop using php-fpm on Apache? I tried to get a server running; the problem is it's running on CentOS 6 and puppet only works on CentOS 6. I was trying to figure out why the server wasn't running after I copied the settings, and then I did:

sudo netstat -plnt

which showed me I was using php-fpm and on the server where it was working I wasn't running it. I was perplexed, because the httpd configs were the same last time I checked, so I am wondering how to switch from php-fpm to php to see if I can get Apache running on the new server. I turned it off:

sudo service php-fpm stop

But I am still getting 500 from varnish. I am not sure if I might have missed something in the httpd config, but the new and old server had pretty much the same configs.

I have a php.conf:
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
LoadModule php7_module modules/libphp7.so
</IfModule>
<IfModule !prefork.c>
LoadModule php7_module modules/libphp7-zts.so
</IfModule>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php7-script .php
AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
#
# Apache specific PHP configuration options
# those can be override in each configured vhost
#
php_value session.save_handler "files"
php_value session.save_path "/var/lib/php/session"
php_value soap.wsdl_cache_dir "/var/lib/php/wsdlcache"

and a fast_cgi conf:
# WARNING: this is a kludge:
## The User/Group for httpd need to be set before we can load mod_fastcgi,
## but /etc/httpd/conf.d/fastcgi.conf on RHEL gets loaded before
## /etc/httpd/conf/httpd.conf, so we need to set them here :(
## mod_fcgid does not have this bug,
## but it does not handle child PHP processes appropriately per
## https://serverfault.com/questions/303535/a-single-php-fastcgi-process-blocks-all-other-php-requests/305093#305093
User apache
Group apache
LoadModule fastcgi_module modules/mod_fastcgi.so
# dir for IPC socket files
FastCgiIpcDir /var/run/mod_fastcgi
# wrap all fastcgi script calls in suexec
FastCgiWrapper Off
# global FastCgiConfig can be overridden by FastCgiServer options in vhost config
FastCgiConfig -idle-timeout 120 -maxClassProcesses 1
# sample PHP config
# see /usr/share/doc/mod_fastcgi-2.4.6 for php-wrapper script
# don't forget to disable mod_php in /etc/httpd/conf.d/php.conf!
#
# to enable privilege separation, add a "SuexecUserGroup" directive
# and chown the php-wrapper script and parent directory accordingly
# see also https://www.brandonturner.net/blog/2009/07/fastcgi_with_php_opcode_cache/
#
#FastCgiServer /var/www/cgi-bin/php-wrapper
#AddHandler php-fastcgi .php
#Action php-fastcgi /cgi-bin/php-wrapper
#AddType application/x-httpd-php .php
#DirectoryIndex index.php
#
#<Location /cgi-bin/php-wrapper>
# Order Deny,Allow
# Deny from All
# Allow from env=REDIRECT_STATUS
# Options ExecCGI
# SetHandler fastcgi-script
#</Location>

and a fcgi conf:
<IfModule mod_fastcgi.c>
Alias /php5-fcgi-staging03 /usr/lib/cgi-bin/php5-fcgi-staging03
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-staging03 -socket /var/run/php-fpm/php5-fcgi-staging03.sock -pass-header Authorization -idle-timeout 300
</IfModule>
Commenting out php5-fcgi-staging03 gives me:
Not Found
The requested URL /php5-fcgi-staging03/index.php was not found on this server.
https://redd.it/qgz2l2
@r_devops
Can AWS or Cloudflare block traffic from URLs containing certain URL parameters?
We want to block a user if he's coming to our website from
example.com?referer=bar
We want to allow any other referrer to access our website, the only referer that should be blocked is "bar".
The user shouldn't even be able to see our website.
If we block the user from the frontend, he might be able to manipulate JavaScript. We can't block from the backend, since we have a static React JS application, which would need to call a PHP API, so again a hacker can find that API call and manipulate it. We don't use server-side rendering.
Ideally, this should be done through a firewall, we use AWS and Cloudflare, do any of them have such capability?
https://redd.it/qgytlw
@r_devops
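Added example, not part of the original post: whichever edge firewall enforces this, the rule has to match the referer parameter after URL-decoding and as a whole name/value pair, otherwise it both over-blocks and under-blocks. This Python model compares a raw substring test with a decoded exact match over constructed URLs; case-insensitive matching is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl

BLOCKED_PARAM = "referer"  # parameter name from the post
BLOCKED_VALUE = "bar"      # value from the post


def naive_match(url):
    """Raw substring test on the undecoded query string."""
    return f"{BLOCKED_PARAM}={BLOCKED_VALUE}" in urlsplit(url).query


def exact_match(url):
    """Percent-decode, lowercase, then compare the whole name and value."""
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == BLOCKED_PARAM and value.lower() == BLOCKED_VALUE:
            return True
    return False


# Constructed test URLs: (url, why it is interesting)
CASES = [
    ("https://example.com?referer=bar", "the case from the post"),
    ("https://example.com/?utm=x&referer=bar", "parameter not first"),
    ("https://example.com/?referer=barcelona", "value only starts with 'bar'"),
    ("https://example.com/?myreferer=bar", "different parameter name"),
    ("https://example.com/?referer=%62ar", "percent-encoded value"),
    ("https://example.com/?Referer=BAR", "different letter case"),
    ("https://example.com/?referer=foo", "allowed referer"),
]


def evaluate(cases):
    """Return (url, naive_result, exact_result) for each case."""
    return [(url, naive_match(url), exact_match(url)) for url, _ in cases]


if __name__ == "__main__":
    for (url, naive, exact), (_, why) in zip(evaluate(CASES), CASES):
        print(f"{url:45} naive={naive!s:5} exact={exact!s:5} ({why})")
```

The parameter is supplied by the client, so an edge rule like this stops unmodified links only; a request with the parameter stripped or changed is not matched.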