Nginx sub URL based routing?
URLs
Locations
/R1/v1/dev should redirect to 10.10.10.10/v1/dev
so here /v1/dev will be part of the request that should be considered as a part of proxy_pass's URL
/v1/dev is not static value but whatever comes after R1 in location, that will be considered as proxy_pass's end URL.
/R1/v1/test should redirect to **20.20.20.20/v1/test**
Is it possible to have this kind of configuration on a single nginx server?
https://redd.it/m0zfon
@r_devops
New project: Event-Based Serverless Container Workflows with Direktiv
G'day DevOps!
Apologies if this is the wrong group - we posted this in r/serverless and asked for advice on other groups - someone dm'ed and suggested r/devops. Apologies if this is the wrong group! We wanted to share with you the latest creation from our team!
Direktiv is an open-source event-driven serverless container workflow engine.
Event-driven because we support the CloudEvents standard (also scheduled execution & API driven). Serverless because workflows and execution are instantiated when needed using containers or vorteil. Workflow engine because that's at its core what Direktiv is.
Direktiv was created to address 4 problems we faced with workflow engines:
1. Cloud agnostic: we wanted Direktiv to run on any platform, support any code and NOT be dependent on the cloud provider's services
2. Simplicity: the configuration of the workflow components should be simple more than anything else (only YAML and jq to express all states, transitions, evaluations and actions). We've modelled Direktiv's specification after the CNCF Serverless Workflow Specification with the ultimate goal to make it feature-complete and easy to implement
3. Reusable: should have the ability to reuse/standardise containerised code across workflows
4. Multi-tenanted/secure: we want to use Direktiv in a multi-tenant service provider space, which means all workflow executions have to be isolated; data access secured and isolated, and all workflows and actions are truly ephemeral.
The workflow language is VERY simple YAML primitives expressions. We're pretty confident in the engine now, so we're now focused on building standard containers to be used. You can see the progress (for now) on Docker Hub (https://hub.docker.com/search?q=vorteil&type=image)
Direktiv Github: https://github.com/vorteil/direktiv as open source
Documentation: https://docs.direktiv.io/
Beta front-end: https://wf.direktiv.io/ - we hope to make this a commercial component of the product.
Please let us know what you think about the idea, the implementation, use-cases for it (we have a couple in mind) or some real-world examples (this is what we need help with).
I promised James (one of the team members, who talks a lot) that I would end the HN introduction with the lines below:
# The Prime Direktiv:
Captain's log, stardate 47634.44. Cloud bills are high, we're dependent on dinosaur companies and we still have no standards. Forget about boldly changing anything, we just want to change SOMETHING
https://redd.it/m1jdf1
@r_devops
Git vulnerability update your versions
git vulnerability with code execution issue https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm update now
https://redd.it/m1j6v9
@r_devops
GitHub
malicious repositories can execute remote code while cloning
### Impact
A specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while clonin...
Best place to find AWS SRE contractors?
I'm looking to contract with an SRE that has experience setting up EKS clusters on AWS with full CI/CD (from Github), wildcard SSL, etc. I'd like to set up the ability to spin up ephemeral test environments based on PR creation as well. Would someone here be available for a contract? Or is there a better place to look?
https://redd.it/m1ihon
@r_devops
How common is it for a company to use SAAS products and the security to just object to every single external connection that SAAS provider requests?
It's a rant. But my company is trying to have a digital transformation. They have paid for every single tool in the world. But when it comes to working with SAAS products the security will simply put roadblocks for everything that the provider asks. For eg. a monitoring SAAS product we use is requesting access to our AWS account to pull metrics. However Security needs to review that request, essentially delaying the work for the unforeseeable future. How common is it in other companies? The previous companies I have worked in never had these issues and now I am pissed off due to these hurdles every single day.
https://redd.it/m1idgk
@r_devops
Securing deployment of NGINX config via git push with hooks
Hi All,
Let me know if this question would make more sense in r/nginx - but this is less about NGINX and more about deployment of config to a server via git push.
Currently I have our nginx config in a git repo on my local machine, with a remote origin shared by the team in bitbucket.
On our primary NGINX server, I have set up a bare git repo at /nginx.git, with a post-receive hook something like:
    #!/bin/bash
    WORKTREE="/etc/nginx"
    GITDIR="/nginx.git"
    TARGETBRANCH="DEV"
    # git passes one "<oldrev> <newrev> <ref>" line per updated ref on stdin
    while read -r oldrev newrev ref
    do
        if [ -n "$ref" ] && [ "$ref" == "refs/heads/$TARGETBRANCH" ]; then
            # force-checkout the pushed branch into the live config directory
            git --work-tree="$WORKTREE" --git-dir="$GITDIR" checkout "$TARGETBRANCH" -f
            # reload only if the checked-out config passes the syntax test
            sudo nginx -t && sudo nginx -s reload
        else
            echo "ERROR : this server is only for $TARGETBRANCH"
        fi
    done
On my local repo, I have a git remote set up pointing to our DEV, QA and PROD NGINX primary servers:
    dev nginxadmin@devnginx01:/nginx.git
    qa nginxadmin@devnginx01:/nginx.git
    prod nginxadmin@devnginx01:/nginx.git
This allows me to do a git push of branch DEV, QA or PROD to the remote NGINX server:
    git push dev DEV
The hook will run, the config will be checked out to /etc/nginx, and if the config check is successful, the config is reloaded with `sudo nginx -t && sudo nginx -s reload`.
There are multiple NGINX servers in each environment, the config is synced between each of them using nginx-sync.
This setup is working well and is how the team has been managing the deployment for some time.
I have a few issues with this setup in regards to security and am hoping for some advice on how to secure it further.
To start, the git checkout to /etc/nginx requires permission to overwrite those files - so we all use the same user for the git remote - nginxadmin, then nginxadmin owns all files in /etc/nginx instead of root.
The `sudo nginx -t && sudo nginx -s reload` requires nginxadmin being added to the sudoers file and allowed to run those commands without password.
    nginxadmin ALL = NOPASSWD: /usr/sbin/nginx -t, /usr/sbin/nginx -s reload
nginx-sync runs as root and requires `PermitRootLogin without-password` to be added to sshd_config.
I can look at trying to run nginx-sync as nginxadmin and change ownership of /etc/nginx on all servers to nginxadmin - But is nginxadmin owning the /etc/nginx secure in the first place?
Is there any other way to check config and reload if successful after a config deployment?
Any other suggestions?
https://redd.it/m1nhq5
@r_devops
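An added example, not part of the original post and not the poster's hook: a variant of the post-receive flow that exports the pushed commit to a staging directory and tests it there, so a config that fails the test never reaches /etc/nginx. The `STAGING` path, the `TEST_CMD`/`RELOAD_CMD` variables, the function names, and a repo with `nginx.conf` at its root using relative `include` paths are assumptions of this example.

```shell
#!/bin/bash
# Added example: stage, test, then promote.
# WORKTREE, GITDIR and TARGETBRANCH are the values from the post; everything
# else here is an assumption of this example.
WORKTREE="${WORKTREE:-/etc/nginx}"
GITDIR="${GITDIR:-/nginx.git}"
TARGETBRANCH="${TARGETBRANCH:-DEV}"
STAGING="${STAGING:-/var/lib/nginx-staging}"   # hypothetical path

# The sudoers rule in the post allows exactly "nginx -t" and "nginx -s reload".
# Testing a staged file with -c needs its own sudoers entry; the candidate
# path below is fixed so that entry can name it exactly.
TEST_CMD="${TEST_CMD:-sudo /usr/sbin/nginx -t -c}"
RELOAD_CMD="${RELOAD_CMD:-sudo /usr/sbin/nginx -s reload}"

# Export one commit into $STAGING/candidate and test it there.
# nginx resolves relative include paths against the directory of the file
# given with -c; absolute include paths would still read the live tree.
stage_and_test() {
    rev="$1"
    candidate="$STAGING/candidate"
    rm -rf "$candidate" && mkdir -p "$candidate" || return 1
    # Archive the exact commit that was pushed.
    git --git-dir="$GITDIR" archive -o "$STAGING/candidate.tar" "$rev" || return 1
    tar -xf "$STAGING/candidate.tar" -C "$candidate" || return 1
    $TEST_CMD "$candidate/nginx.conf"
}

# Same checkout as the hook in the post, run only after the staged test passed.
promote() {
    git --work-tree="$WORKTREE" --git-dir="$GITDIR" checkout -f "$TARGETBRANCH" &&
        $RELOAD_CMD
}

# Handle one "<oldrev> <newrev> <ref>" line.
# Returns 0 = deployed, 1 = test or deploy failed, 2 = update ignored.
handle_update() {
    newrev="$2"
    ref="$3"
    if [ "$ref" != "refs/heads/$TARGETBRANCH" ]; then
        echo "ERROR : this server is only for $TARGETBRANCH" >&2
        return 2
    fi
    # A branch deletion arrives with an all-zero newrev: nothing to deploy.
    case "$newrev" in
        *[!0]*) ;;
        *) echo "deletion of $TARGETBRANCH ignored" >&2; return 2 ;;
    esac
    if ! stage_and_test "$newrev"; then
        echo "config test failed; $WORKTREE left unchanged" >&2
        return 1
    fi
    promote
}

# Read refs from stdin only when installed as the hook, so the functions
# can also be sourced and exercised on their own.
case "$0" in
    post-receive|*/post-receive)
        while read -r oldrev newrev ref; do
            handle_update "$oldrev" "$newrev" "$ref"
        done
        ;;
esac
```

A post-receive hook runs after the refs are already updated, so a failed test here blocks the deployment, not the push itself.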
Nessus vulnerability scans
Why are some devices coming back with "Weak MAC algorithm supported" ?
I have sorted this with all other devices by editing the sshd.config file. But these still persist.
Any advice?
https://redd.it/m1jnjb
@r_devops
Looking for Zap automation with c# guide
Any recommendations? It’s my best language but every zap scanner guide is for some other programming language and I can't get it to work, which I chalk up to my suckiness in said language.
I've been looking for a c# automation of ZAP but so far no luck :(
https://redd.it/m1id4b
@r_devops
DevOps Career Advice
**alt account**
I have kind of a weird background when it comes to IT and "DevOps" and am looking for advice.
Background:
- Have a non-technology bachelor's degree and got a low-level job at a company a few years ago.
- Through luck I moved from a non-tech job at this company to the Tech Manager role.
In the past 1-1.5yrs this company has changed a lot and is moving toward a technology focus including building out a new app. With my being the IT Manager role, I have bounced between the Ops and Engineering (IT) world (mainly doing lower-level IT things) but recently (the past 7-8 months) have overseen rebuilding our AWS environment to facilitate a secure and highly available infrastructure for the application.
Without having a dedicated DevOps person, I have also taken on a semi-split role in it (DevSecOps) along with Cloud “architecting” and my normal IT duties for which I usually have my IT Specialist take care of. (this is a small company of about 60)
Dilemma:
My dilemma makes me feel kind of greedy in that I feel I should be making more, but not sure how much more since I do not have a long history of experience and no degree. The only certificates I have are CompTIA Sec+ and AWS CCP (though studying for the AWS CSA; kind of on the back burner). When I bring up possibly making more money due to the responsibilities I have taken and the amount of progress in building out and managing our AWS Infrastructure, I usually get a “you have limited experience” or “most cloud architects/devops that make good money also know how to code”. I agree and understand, but I am also doing the work, besides coding…and now taking on a split DevOps'ish role I feel like I am basically doing higher level work for moderate pay.
More info:
When I took over the IT role:
Normal IT duties which migrated to compliance/audit proofing for a bit and eventually moved to implementation of SIEM, MDM, AWS maintenance (couple EC2’s, ECS, S3, VPC, Route53).
Past 8-9 months:
Working with RDS, ECS, EC2s, Beanstalk, S3, R53, Redshift, Jfrog, Neo4j (debugging and setup on ec2), lambda, Cloudwatch, Guardduty, etc. When this started, most of the infrastructure was built out as a 50/50 split between myself and the engineering team, but over the past 5-6 months I have built out a whole new Dev/Staging and Prod AWS Account/Env for which I did by myself, including migrating our CI.
Sorry for the randomness of thoughts...kind of in a weird spot
https://redd.it/m1c1cj
@r_devops
I get 401 Unauthorized when I run mvn deploy
Hello, I just installed Sonatype Nexus Repository Manager v3.30.0-01 on an AWS EC2 ubuntu instance and I can successfully access the GUI.
Now my problem is when I execute `mvn deploy` on my local project it gets rejected with 401 unauthorized
`[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project social-carpooling-commons: Failed to deploy artifacts: Could not transfer artifact io.social.carpooling:social-carpooling-commons:jar:0.0.1-20210309.180217-1 from/to snapshots (https://myIpAddress:8081/repository/maven-snapshots): Transfer failed for https://myIpAddress:8081/repository/maven-snapshots/io/social/carpooling/social-carpooling-commons/0.0.1-SNAPSHOT/social-carpooling-commons-0.0.1-20210309.180217-1.jar 401 Unauthorized`
Here is my pom.xml config:
    <distributionManagement>
      <repository>
        <id>releases</id>
        <name>Nexus Releases</name>
        <url>https://ipAddress:8081/repository/maven-releases</url>
      </repository>
      <snapshotRepository>
        <id>snapshots</id>
        <name>Nexus Snapshots</name>
        <url>https://ipAddress:8081/repository/maven-snapshots</url>
      </snapshotRepository>
    </distributionManagement>
and my maven settings.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <settings xmlns="https://maven.apache.org/SETTINGS/1.0.0"
              xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="https://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
      <!-- localRepository
       | The path to the local repository maven will use to store artifacts.
       |
       | Default: ${user.home}/.m2/repository
      <localRepository>/path/to/local/repo</localRepository>
      -->
      <proxies>
      </proxies>
      <servers>
        <server>
          <id>snapshots</id>
          <username>admin</username>
          <password>nexus-admin</password>
        </server>
        <server>
          <id>releases</id>
          <username>admin</username>
          <password>nexus-admin</password>
        </server>
        <server>
          <id>thirdparty</id>
          <username>admin</username>
          <password>nexus-admin</password>
        </server>
      </servers>
      <mirrors>
        <mirror>
          <!-- This sends everything else to /public -->
          <id>nexus</id>
          <mirrorOf>*</mirrorOf>
          <url>https://ipAddress:8081/nexus/content/groups/public</url>
        </mirror>
      </mirrors>
      <profiles>
        <profile>
          <id>nexus</id>
          <repositories>
            <repository>
              <id>central</id>
              <url>https://central</url>
              <releases>
                <enabled>true</enabled>
              </releases>
              <snapshots>
                <enabled>true</enabled>
              </snapshots>
            </repository>
          </repositories>
          <pluginRepositories>
            <pluginRepository>
              <id>central</id>
              <url>https://central</url>
              <releases>
                <enabled>true</enabled>
              </releases>
              <snapshots>
                <enabled>true</enabled>
              </snapshots>
            </pluginRepository>
          </pluginRepositories>
        </profile>
      </profiles>
      <activeProfiles>
        <activeProfile>nexus</activeProfile>
      </activeProfiles>
    </settings>
Is NoSQL irrelevant for data engineering?
In this article, we’ll investigate use cases for which data engineers may need to interact with NoSQL data stores.
Read more: https://dashbird.io/blog/nosql-database-data-engineering/
https://redd.it/m20jd1
@r_devops
Do you prohibit containers which could POTENTIALLY be run as root?
Hi. If a container had the ability to run as root, but included clear documentation on how to run it as a non-root user and stated that was the best practice, would that be sufficient for your organization? Or, do you prohibit containers which even have the possibility that they can be run as root? Or, put another way: do your security policies prohibit containers which have the ability to run as root (even though you don't deploy them that way)?
Just curious... because I am being impacted by a prohibition like this. Is this typical across the devops landscape now? Sorry if I am out of touch.
https://redd.it/m1y2z3
@r_devops
PromQL assistance with holt_winters
Hi all, I'm new to PromQL (and time series dbs in general) and I'm trying to figure out the below without much of a dev background.
Problem:
- a count, let's call it "login_count"
- it's seasonal (repeating after 7 days)
- it has labels, let's say country
I'd like to set alerts so if the ratio drops below x (let's say 75%).
Here is what I have so far, but if I remove the label I run into all kinds of issues:
    sum(increase(login_count{country="DE"}[10m])) / holt_winters(sum(increase(login_count{country="DE"}[10m]))[7d:],.005,.005)
Here is what I thought I had to do:
    sum(increase(login_count[10m])) by country / holt_winters(sum(increase(login_count[10m]))[7d:],.005,.005)
I'm also not sure that I'm using holt_winters + subqueries correctly, however I seem to be getting the correct results.
https://redd.it/m27cw2
@r_devops
Redis single node to cluster migration
Hello, I have a question. I have a single instance redis (V3.2.12) running. It now has more than 15M+ key value pairs. I didn't see it coming in the first place.
Now I will deploy a 6 node redis cluster (same version, 3 master, 3 slave). My question is how can I migrate to the cluster. For example, can I read the first 1000 key value pairs, then dump them into the cluster, then again read 1000 pairs and so on? Is it possible to do with any redis client? I can develop if required.
Thanks.
https://redd.it/m1vstw
@r_devops
[Question] So... what's DevOps?
Hello there,
I'm struggling on the definition of DevOps. For me, it is a combination of support versions systems, CI/CD, containers, microservices, logging and testing. Is that right? What am I missing? If you were to teach someone DevOps, what would be the "core" parts?
https://redd.it/m1zwh9
@r_devops
computer science concepts
Hello,
As a self-taught DevOps guy/Cloud developer, I find myself a little weak on some computer science concepts that your average CS student knows. There are great best practices in DevOps but I think I could benefit from getting familiar with some of the more important concepts out there. Are there any books you'd recommend that might introduce some of those concepts? Even if I don't end up using them, at least I'd be able to relate better to other developers in the organization.
I do want to take Harvard's CS50 but I have too much on my plate now and I am looking for something a little less in terms of time commitment. Something like, CS Fundamentals for Dummies type of book.
Thanks!
https://redd.it/m28tev
@r_devops
Survey - Consequences for staff of data privacy breaches?
Quick survey: who knows of devs that have been at a company where there was a data breach or other data privacy incident? What were the consequences for devs at that company?
- Adam, Head of Developer Relations at dataprotocol.com (US data privacy edtech)
https://redd.it/m29b46
@r_devops
Store encrypted secret in Hashicorp Vault
Right now we're storing secrets as plaintext key value pairs. We got a suggestion about using Transit keys and encrypting our secrets. I'm evaluating this approach right now and although it's more secure, it'll be really troublesome when we have to rotate the Transit keys. I'm afraid it might lead to data corruption in some weird rare cases. We also lose the ability to view the secrets from a GUI but I suppose that can be a good thing as well.
I'm interested to know if others are encrypting their secrets or uploading as plaintext.
https://redd.it/m28qza
@r_devops
How do you synchronize files across repos?
Hey,
I am looking for a smart solution to the following problem: We heavily use GitHub and some features that are dependent on availability of certain files like CONTRIBUTING.md, SECURITY.md, pull request templates and others. Those files are very important for us to have a healthy repository.
Those files should be the same across all of our team repos. As we own about 70 repos a manual solution is not feasible. I have thought about writing a custom script but maybe there is a good solution out there that helps me - similar to a database migration runner.
What it should be able to do:
- synchronize files from a central location to multiple repos (templated or not does not matter)
- integratable in a CI pipeline
https://redd.it/m27j0p
@r_devops
good way to practice AWS and Terraform
Hi,
I'd love to evaluate Terraform and AWS, but my company currently does not use them due to the cost matter.
Is there any way I can practice them, like creating an infrastructure using Terraform?
https://redd.it/m2d6zb
@r_devops