Category Archives: server

SSL for your local development server

So, some of you may have gotten MAMP to work happily with self-generated SSL certificates. It’s a bit tricky and I’ll assume you’ve got that working.

…a quick tip on getting OS X to shut down the default installed Apache so MAMP can run on ports 80 and 443:
(found here… https://gist.github.com/jfloff/5138826 )

First of all you need to be able to run MAMP on port 80. This is a “heat check” to see whether any process is jamming the HTTP ports. You can check it like this:

sudo lsof | grep LISTEN

If you do happen to have a process showing something like *:http (LISTEN), you are in trouble. Before going any further, check that it isn’t MAMP itself (yeah, you should close that beforehand).

P.S. If you don't see MAMP, you are in good hands; I have just the thing for you:
# I've forced the removal of the job
$ launchctl remove org.apache.httpd

# and load it again
$ launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

# and unload it again
$ launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

Now you should be able to use port 80 (and almost any other) in MAMP. Just go to MAMP > Preferences > Ports tab and click “Set to default Apache and MySQL ports”.

…now back to SSL certs

However, there’s a new wrinkle. Chrome and FF both have decided that self-signed certificates need to be of the Version 3 variety, rather than the plain old ones generated by MAMP. I ran into an issue where Chrome was complaining about a missing subjectAltName in the certificate that I had set up.

So, here’s the article I used to get my stuff sort of working:

https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/

Here’s another version of that:

How to Create Your Own SSL Certificate Authority for Local HTTPS Development

OMG, you say, that’s like waaaaaaa? No worries, I’ll help break it down here and do it a little differently.

They have you create all sorts of scripts. I’m not sure why, probably because it’s the right way to do it, but here’s the straightforward way to set it up.

What you are doing is creating your own CA certificate (aka a certificate authority), then using that to create a certificate for your site that needs SSL.

In the following directions, you need to replace YOURLOCALSITEDOMAIN with the domain you are setting up on your MAMP server. You know, like mysite.dev, or sams-site.dev, etc…

Go to the directory where you store your SSL certificates for MAMP and do the following:

STEP 1
On the command line type out the following:

openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

– this sets your server up to be a CA certificate issuer
– it’s going to ask you a bunch of questions about the country, state, city, and other things. Just answer them with your own info 🙂 The questions will be similar to the parameters you see in the [dn] section in the code below.

STEP 2
Create a file called YOURLOCALSITEDOMAIN.csr.cnf with the following:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = YOURLOCALSITEDOMAIN

– This is a configuration file that will be used when generating your specific site certificates. Change the ST, L, and emailAddress parameters to whatever you want. I’d go ahead and use your own email.

STEP 3
Then, create a file called v3.ext with the following:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = YOURLOCALSITEDOMAIN

– This is the file that is used by the CA issuer to ensure your cert is an X.509 version 3 certificate and offers up the named domain you see in the DNS.2 parameter.

STEP 4
Then generate the certificates with this!!! On the command line type out the following (don’t forget to replace YOURLOCALSITEDOMAIN with whatever development domain you are using):

openssl req -new -sha256 -nodes -out YOURLOCALSITEDOMAIN.csr -newkey rsa:2048 -keyout YOURLOCALSITEDOMAIN.key -config <( cat YOURLOCALSITEDOMAIN.csr.cnf )

openssl x509 -req -in YOURLOCALSITEDOMAIN.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out YOURLOCALSITEDOMAIN.crt -days 5000 -sha256 -extfile v3.ext

Now, when you need to get a second site working, you'll repeat steps 2 through 4. HOWEVER, you won't recreate the v3.ext file. You'll just add a new DNS parameter with your new domain. So, in the above example, I'd be adding DNS.3 = NEWSITEDOMAIN. You'd add a new DNS parameter for each new secure site you do.
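Here are steps 1 through 4 as one non-interactive shell script, followed by the two checks worth running before you trust the result in Keychain Access. This is an added example, not the post’s or the linked article’s commands: it assumes openssl 1.1 or newer on your PATH, uses a constructed placeholder CA passphrase (CA_PASS), and marks the CA explicitly as CA:TRUE and the site cert with a serverAuth EKU and an 825-day lifetime, which recent macOS and iOS versions require of TLS server certificates.

```shell
# Added example, not from the original post: steps 1-4 run non-interactively, then the
# checks worth doing before trusting anything in Keychain Access. Assumes openssl 1.1+
# on PATH; CA_PASS is a constructed placeholder passphrase that encrypts the CA key.
set -eu
make_dev_cert() {
  domain=$1; dir=$2; mkdir -p "$dir"; CA_PASS=${CA_PASS:-change-me-dev-ca}   # e.g. mysite.dev ./ssl
  # One request config: [dn] is the site's subject (prompt = no, nothing is asked);
  # [v3_ca] is only applied by -x509 below, so the CA is unambiguously marked CA:TRUE.
  cat > "$dir/req.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C=US
CN = $domain
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # STEP 1: encrypted CA key + self-signed CA cert (-subj overrides the [dn] CN here)
  [ -f "$dir/rootCA.pem" ] || openssl req -x509 -new -newkey rsa:2048 -keyout "$dir/rootCA.key" \
      -passout pass:"$CA_PASS" -sha256 -days 1024 -config "$dir/req.cnf" \
      -subj "/C=US/O=Local Dev/CN=Local Dev Root CA" -out "$dir/rootCA.pem"
  # STEP 3 (v3.ext): CA:FALSE stops the leaf from issuing certs; the SAN is what Chrome
  # actually matches; the serverAuth EKU is required by recent macOS/iOS for TLS servers.
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = $domain
EOF
  # STEP 4: site key + CSR, then sign with the CA (825 days is the macOS/iOS maximum)
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$dir/$domain.key" \
      -out "$dir/$domain.csr" -config "$dir/req.cnf"
  openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
      -passin pass:"$CA_PASS" -CAcreateserial -days 825 -sha256 -extfile "$dir/v3.ext" -out "$dir/$domain.crt"
}
# Does the leaf chain to our CA, and does it really carry the domain in its SAN?
verify_dev_cert() {
  domain=$1; dir=$2
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/$domain.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/$domain.crt" -noout -text | grep -q "DNS:$domain"
}
```

Run it as `make_dev_cert mysite.dev ./ssl && verify_dev_cert mysite.dev ./ssl`; only rootCA.pem goes into Keychain Access, and rootCA.key stays out of the web root.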

STEP 5
Now, open your Keychain Access app in OS X and add your new certs, then set them to always be trusted. That way your Mac will stop throwing warnings. Also, if you are looking at your site in the CodeKit Bonjour URL, then you'll need to add the temporary SSL certificate CodeKit creates. You'll find that in the My Certificates section of the Keychain Access app.

I also ran into a thing with iThemes Security. The .htaccess rules were causing redirect loops for the SSL. You could get to the home page, but no secondary pages. Secondary pages resulted in a 500 error. Replacing the iThemes Security SSL feature with the 'Really Simple SSL' plugin, then clearing out the config that iThemes put in the .htaccess file, cleared that right up.

OMG, that made your brain hurt, right? It made mine hurt for a bit too, but hopefully all is working for you now.

WordPress and their premature attempt to move us forward on MySQL

Ok, so on April 1, 2015…no kidding…WordPress announced they are officially supporting the newer charset utf8mb4 in WP version 4.2. This charset is available in MySQL servers version 5.5.3 and higher (I think). This is cool and all, rather hipster, and up to date with best security practices and all that. However, what they completely missed was the fact that a huge portion of the shared server world is running MySQL versions 5.0 and 5.1. If you try to migrate a WordPress site from a server (or local box) that is appropriately running something remotely current to a shared hosting account with the older database, your migration will fail.

Here’s the article where they describe the changes and the beginning of the conversation about how it’s an issue…

https://make.wordpress.org/core/2015/04/02/the-utf8mb4-upgrade/

I’m sure there are thousands of developers wasting time figuring out how to fix this issue. I’ve not found an ‘easy’ fix. Here’s my clunky version of migrating from development to staging/production…

  1. From phpmyadmin, or your favorite tool, do a full SQL dump.
  2. Run a script or manually change the URL of the dev site to the new one.
  3. Run a script or manually change ‘utf8mb4_unicode_ci’ to ‘utf8_general_ci’
  4. Run a script or manually change ‘utf8mb4’ to ‘utf8’
  5. Import your new SQL dump into the new database.

This process assumes you’ve migrated the source code of WordPress already.
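Steps 2 through 4 as one sed pass over the dump, plus a check for the one thing this downgrade silently loses. This is an added example, not part of the post; it assumes POSIX sh, sed and tr, and dump file names of your choosing.

```shell
# Added example, not from the original post: steps 2-4 of the migration above as one
# sed pass over the dump, plus a check for what a utf8mb4 -> utf8 downgrade breaks.
downgrade_dump() {
  # $1 input dump, $2 output dump, $3 dev site URL, $4 new site URL
  in=$1; out=$2; old_url=$3; new_url=$4
  # Escape regex metacharacters in the URL so "mysite.dev" matches literally.
  old_re=$(printf '%s' "$old_url" | sed 's/[.[*^$]/\\&/g')
  # Order matters: rename the collation first (step 3), so that step 4's blanket
  # utf8mb4 -> utf8 does not leave behind utf8_unicode_ci. Note that a plain string
  # replace corrupts PHP-serialized option values when the URL length changes; fix
  # those with a serialization-aware tool.
  sed -e "s#${old_re}#${new_url}#g" \
      -e 's/utf8mb4_unicode_ci/utf8_general_ci/g' \
      -e 's/utf8mb4/utf8/g' "$in" > "$out"
}
# MySQL's utf8 holds at most 3 bytes per character. Any 4-byte character (emoji, many
# CJK ideographs) in the dump is rejected or truncated on import, so count the UTF-8
# lead bytes 0xF0-0xF7 before step 5 and know what you are about to lose.
count_4byte_chars() {
  LC_ALL=C tr -cd '\360-\367' < "$1" | wc -c | tr -d ' '
}
```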

You can blame ISPs for not getting current, but I think trying to upgrade these older MySQL servers to something more current is an enormous headache for clients and ISPs alike. WordPress should really have paid attention to the reality of this situation and taken measures to mitigate the issue.

Happy hunting for an easier solution, but if you need, the above will work.

Grep find xargs regex and other great tools

This is a little dumping ground for me to use to store useful recipes.

Find files modified between two timestamps (find -newer compares modification times), say on the same day…

touch -t 201608200000 start
touch -t 201608202359 stop
find . -newer start \! -newer stop

Find all files with a particular name or extension and delete them if you want

find . -name "*.bak" -type f -delete

Just run it without -delete to review the matches before you delete anything.

Find files or directories with, or without, a certain permission set

find files that don’t have permissions of 644
find /path/to/dir/ -type f ! -perm 0644 -print0

find files that don’t have permissions of 644 and change them
find /path/to/dir/ -type f ! -perm 0644 -print0 | xargs -0 chmod 644

Counts the total lines in all .php and .html files from the current directory that aren’t under the “includes” or “forum” directories.
wc -l counts the lines in each file that matches; the “tr” through “bc” pipeline takes those numbers and adds them up.

find . -not \( -path ./includes -prune \) -not \( -path ./forum -prune \) -regex '.*/.*\(php\|html\)' -exec wc -l \{\} \; | tr -s ' ' ' ' | cut -d ' ' -f 2 | paste -sd+ - | bc

Tips for setting up your own LAMP stack in Mac OSX

Hey, this is NOT a comprehensive guide to setting up your own development environment, but I thought I’d post a few pitfalls I’ve discovered.

Most Macs are set up out of the box to run the Apache found in /etc/apache2/. Normally, the system user and group for Apache is _www. If you try to set up sites in /usr/HOMEDIR/Sites, it’ll likely give the files there the owner:group of YOURUSER:staff (or something other than staff). It either needs to be _www:_www OR YOURUSER:_www (and then you change the httpd.conf file to reflect YOURUSER for the User variable).

Also, to edit any system files like that, be sure to edit as a superuser or with sudo.

when ssh is not available

As a web developer, I often encounter clients who have a hosting package that is limited, or ‘secured’ by the hosting provider. That means I sometimes am forced to use the dreaded FTP for file transfers rather than SCP.

This is ok when it’s just a few files here or there. In fact, using the GUI can sometimes be convenient. However, if I’m doing large scale development, I’d rather copy the site over to my development server rather than work locally and fill up my hard drive.

If the client’s hosting provider does not allow SSH access, then you can use FTP from the commandline 🙂

ftp ftp.example.com will get you there. Then depending upon your flavor of Linux, you can use MGET to pull files. Sometimes you are even offered the awesomeness of RECURSIVE MGET *.

When you are not afforded that goodness, I’ve discovered that WGET does the trick even better 🙂

wget -r "ftp://user:password@ftp.example.com/somedirectory"

That’ll recursively get it all for you 🙂 Better yet…mirror

wget -m "ftp://user:password@ftp.example.com/somedirectory"

That turns on recursion with infinite directory depth…and…gives the files the same timestamps as exist on the remote server.

Nice stuff.


Just a quick note about WordPress Optimization

I’ve been struggling with a client’s site for a few weeks now that has an enormous lag on all page loads. 8 – 10 seconds…yeah, right? Turns out the real issue is a conflict between the PHP and PHP cURL versions and…wait for it…I’m sure you’d never guess…a…plugin. I know you are stunned at that news. That’s not why I’ve brought you here today.

I discovered that if you add a trailing slash ‘/’ after the URL to any given page in WordPress, you can avoid a 301 redirect. For example, http://www.example.com/test-page really gets redirected to http://www.example.com/test-page/.

Depending upon your server situation, you can save up to a second or two just by eliminating those redirects.

🙂