Kim Stacks's questions

I have a SAAS application hosted on AWS EC2 and RDS. we use django and Postgres for the stack

What we did was we had the public schema holding the tenant info but the tenant specific data are held in individual schema in the same database

Recently we have requests that some customers want to host the software in their own premises because they want to have complete control over the data.

That means we lost control over the source code and plus it's harder to debug and deploy code hosted on premises rather than on cloud.

It's possible that they might be okay with us deploying it on their AWS account. So it's their ec2 and rds.

That gave us an idea.

Is it possible for us to deploy the source code on our AWS ec2 and their data will be in their AWS rds?

What we need to accomplish is that:

1. We have no way to read their data
2. They have no way to read our code
3. Yet we can easily make code changes and schema changes (probably via django migrations)

How can we accomplish this with AWS services? I need a rough plan.

So far my ideas are

A. Code on our ec2 data in their rds (Ensure 2 & 3 not 1)

B. Code on their ec2 and data in their rds (Ensure 1 not 3&2)

Or is there a solution involving tweaking A or B?

using

• raspbian 3 GUI with static ip 192.168.0.199
• and a DELL server running headless ubuntu 192.168.0.196
• and a RFID reader running on 192.168.0.68

All are static IP addresses

I have a python script that polls a RFID reader running on 192.168.0.68 and has pretty consistent connection. Once the python script polls and has a positive update, it will attempt to update the DELL server provided that the RFID request is not repeated for at least 5 seconds. This is to reduce too many requests sent to the server.

However, what happens is that there are intermittent loss of connection between the raspberry pi 3 and the DELL server.

The dell server also serves web pages.

When the loss of connection happens, I can still access the dell server web pages from other devices in the same network. Similarly, from the raspberry pi 3, I can also access other servers' web pages.

This is a client network setup so I don't really have much control though I can talk with the network admin.

He is sure there's no throttling involved.

However, the connection between the raspberry pi 3 and the DELL server can be intermittent sometimes.

While I am comfortable with server side scripting and linux in general, I am at a loss of how to narrow down the issue.

The network admin at the client site is now casting aspersions on the raspberry pi 3 which is newly bought.

I am unsure if that's the case.

How to narrow down the issue or replicate the problem?

All devices are running on LAN cable.

I have 2 cakephp applications: one is using cake 2 and the other is using cake 3.

This is my nginx config

server {
        listen 80;
        client_max_body_size 2M;
        server_name cake.dev;
        root /var/virtual/cake2app/webroot;
        location /cake3-app/ {
                alias /var/virtual/cake3app/webroot;
        }

        access_log /var/log/nginx/cakephpsite.com-access.log;
        include common.conf;
        include cakephp.conf;
}

This is common.conf

index index.html;

location ~ /\.ht {
        deny all;
}
sendfile off;

This is cakephp.conf

include php.conf;

location / {
        try_files $uri $uri/ /index.php?$uri&$args;
        expires max;
        access_log off;
}

This is php.conf

location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
}

index index.php;

the cake.dev is correctly pointing to my cake 2 app.

I cannot get cake.dev/cake3-app to point to the cake 3 app.

Inside my cake 3 app, I have a users/login action which works perfectly if I access the cake 3 from a separate domain.

But that is not what I want.

What have I done wrong in terms of the nginx config?

My error is consistently a 403 if I access cake.dev/cake3-app/ and I get a cake error message telling me there is no such controller when I access cake.dev/cake3-app.

Please advise.

EDIT:

I manage to use this trick. Inside my cakedev.conf

I wrote

server {
        listen 80;
        client_max_body_size 2M;
        server_name cake.dev;
        root /var/virtual/cake2/webroot;
        access_log /var/log/nginx/cakephpsite.com-access.log;
        include common.conf;
        include cakephp.conf;
        location /cake3-app/ {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header HOST $http_host;
                proxy_set_header X-NginX-Proxy true;

                proxy_pass http://127.0.0.1:83;
                proxy_redirect off;
                rewrite ^/cake3-app/(.*)$ /$1 break;
        }
}

Then I have a cake3.conf

server {
        listen 83;
        client_max_body_size 2M;
        server_name 127.0.0.1;
        root /var/virtual/cake3/webroot;
        include common.conf;
        include cakephp.conf;
}

The url redirect works for the web pages but NOT the various assets of the cake3 app.

Cake3App auto points to http://cake.dev/css/base.css when it should be pointing to http://cake.dev/cake3/css/base.css

Perhaps I need to write something different for the common.conf and the cakephp.conf for the cake3.conf?

Inside a corporate situation, the machines are largely controlled using Microsoft technology.

I have another server on the same network that is running Ubuntu 14.04 headless. No GUI.

I want to write a script inside the Ubuntu headless so that it can access the Windows shared drive.

I also have the username and password of a valid Windows user who can access the shared drive.

This set of credentials has been approved to be used exclusively for this Ubuntu machine.

I believe I should use smbclient to do that.

My two questions are:

1. what are the commands to access a shared drive?
2. how do I reset the password of the Windows user since there is a company policy of changing the password every 3 months?

Thank you.

I have the following configuration for php-fpm

[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
user = www-data
group = www-data
pm = dynamic
pm.max_children = 50
pm.start_servers = 25
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 2500
pm.status_path = /php-status

I read this documentation page.

Would appreciate a more human explanation of the pm related settings.

For exampel, what is pm = dynamic ? are there other possible settings for pm = ? pm.max_children sets the limit on the number of simultaneous requests that will be served.

so does that mean if I have 51 different visitors, the php-fpm cannot handle the 51st visitor to the website?

What happens then? Does the 51st visitor get a 404?

I am more dev than ops, so would appreciate a more human explanation.

I keep getting this message when I logged into my server in AWS EC2 via ssh

I think this is called MOTD

43 packages can be updated.
22 updates are security updates.

but I have already done

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

I have also restarted my instance.

Please advise.

I need to secure 2 different domains that are both on the same EC2 instance.

Reason: 1 is a sales website. the other is the webapp. Both need to access the same MySQL database.

EDIT

Sales website means the website where users look at my pricing plans, etc and sign up. The webapp is a SaaS web application they have access to AFTER they signed up.

END of EDIT

Problem: the webapp domain needs to be using a wildcard SSL certificate that is already purchased.

the sales website needs to use a standard SSL certificate that is also already purchased.

Someone told me that an EC2 instance can only have 1 Elastic IP address.

And I cannot have more than 1 SSL cert on the 1 IP address.

I found this article http://www.invokemedia.com/setting-up-multiple-ssl-domains-on-amazon-ec2-one-ipport/ on usinbg a UCC certificate to workaround this issue.

But I am not sure if

• a) that will work and I do not wish to unnecessarily spend money and waste it in the end.
• b) it will work with a wildcard cert and standard cert at the same time.
• c) using UCC will accidentally defeat the purposes of SSL access for users.
• d) how to install and use it.
• e) how to go about getting a UCC since I got both SSL certs from GoDaddy.

Another possible solution I can foresee is that I get the webapp hosted on 1 EC2 instance and the sales website hosted on another EC2 instance which of course will double my monthly hosting costs.

then the problem emerges where my programming assumes that both applications need to be on the same server accessing the same MySQL database.

What is the best way out for me - security-wise, reliability-wise, efforts-wise, costs-wise, in descending order of importance?

Things I have learned

• 1 SSL cert to 1 IP:Port not 1 SSL cert to 1 IP
• there is such a thing called UCC SSL cert, not too sure what that means other than it allows you to have SSL for multiple domains at the same time using just 1 IP:PORT
• there is something called ELB Elastic Load Balancer that allows you to overcome having IP on 1 EC2 instance

End of things I have learned

I have never set up ssl cert before.

I have 2 different domains hosted on the same instance in amazon ec2.

I need to set up ssl certs for both domains. I suspect the steps are the same for both.

http://www.curtis-lamasters.com/2008/07/30/apache2-on-ubuntu-openssl-csr-self-signed-cert/

I have finished sudo a2enmod ssl

I am stuck at the step at navigating to /etc/ssl/private because amazon only gave me a user called ubuntu and not root access.

Please write out for me detailed steps.

Thank you very much.