Personal Project


Thursday, March 25, 2021

X509: Certificate Signed by Unknown Authority & Go Docker & EKS

If you run into the error below, your Go application on EKS fails to send HTTP requests to other services:

Problem: x509: certificate signed by unknown authority

This happens because the HTTP library could not find a CA certificate with which to validate the remote service's certificate while setting up the TLS connection. A missing or incorrect CA bundle in the container image is therefore the likely cause.

Debug steps:

  • Check whether the ca-certificates package is included in the Docker image.
  • If not, install ca-certificates in the Dockerfile as below.
RUN apk add --update --no-cache ca-certificates

If you use a multi-stage build to reduce the size of the Docker image, remember to copy the whole /etc/ssl/certs folder from the builder stage into the final image, as below.

FROM scratch

WORKDIR /
# Copy the CA bundle from the builder stage so the Go binary can validate TLS certificates
COPY --from=builder /etc/ssl/certs /etc/ssl/certs


This is how to build a lightweight Go application with CA certificates in a Dockerfile for EKS.

Ref:

https://tyricwei.medium.com/x509-certificate-signed-by-unknown-authority-go-docker-eks-f508a49d86f6

Monday, May 1, 2017

How to make a TURN server highly available?

If you want to keep your WebRTC video streaming service online without any downtime, you must pay attention to the availability of the TURN server, because the TURN server plays an important role in helping two parties in different NAT networks connect to each other for video or audio streaming.

The following instructions show how to automatically monitor your TURN server and restart it when it goes down.


1. Install the pexpect library for Python

sudo pip install pexpect --upgrade



2. Edit MonitorStun.py
- Telnet to your TURN server's ports
- If it is down, SSH to the server and restart it

#!/usr/bin/env python3
import socket
import subprocess
import sys
from datetime import datetime
from pexpect import pxssh

# Fill in your TURN server details
remoteServer = 'SERVER IP'
sshPort = 22            # SSH port of the TURN server
sshAccount = 'ACCOUNT'
sshPassword = 'PASSWORD'


# SSH to the TURN server and restart turnserver
def connect_turn_server():
    s = pxssh.pxssh(encoding='utf-8')

    # pxssh.login() takes (server, username, password); the port is a keyword argument
    if not s.login(remoteServer, sshAccount, sshPassword, port=sshPort):
        print("SSH session failed on login.")
        print(str(s))
    else:
        print("SSH session login TURN successful")
        s.sendline('sudo turnserver -c /usr/local/etc/turnserver.conf --daemon')
        s.prompt()          # match the prompt
        print(s.before)     # print everything before the prompt
        s.logout()


# Connect to the TURN server on ports 3478 and 3479 to check whether it is alive
# Clear the screen
subprocess.call('clear', shell=True)

remoteServerIP = socket.gethostbyname(remoteServer)

# Print a banner with the host we are about to check
print("-" * 60)
print("Please wait, scanning remote host", remoteServerIP)
print("-" * 60)

# Record when the check started
t1 = datetime.now()

# range() excludes its end value, so 3478..3480 covers both TURN ports
try:
    for port in range(3478, 3480):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)      # do not hang if the host is unreachable
        result = sock.connect_ex((remoteServerIP, port))
        sock.close()
        if result == 0:
            print("Port {}:      Open".format(port))
        else:
            print("TURN Server is down")
            connect_turn_server()
            print("restart TURN Server OK")
            break               # one restart is enough; do not restart again for the second port

except KeyboardInterrupt:
    print("You pressed Ctrl+C")
    sys.exit()

except socket.error:
    print("Couldn't connect to server")
    sys.exit()

print("Check finished in", datetime.now() - t1)

3. Add MonitorStun.py to a cron job to check the TURN server every minute.


*/1 * * * * /your_path/MonitorStun.py

Of course, you can apply this technique to monitor other services, such as a SIP proxy on port 5060, Apache on port 80, or Tomcat on port 8080.



Tuesday, November 22, 2016

How to set up a load-balancing and failover back-end RDS for WordPress?

WordPress is widely used to develop websites for multiple platforms.
If you want to provide a service without any downtime for your customers, you need to deploy WordPress on a load-balancing and failover back-end RDS.

How to get this done?

1. Create a Master and Slave database on RDS.

2. Import the HyperDB plugin into the WordPress folder.

HyperDB can be downloaded at:
https://wordpress.org/plugins/hyperdb/


3. Set up the Master and Slave URLs in HyperDB's config file.


4. Performance Test 

The following table shows the test result on AWS.

EC2          Concurrent sessions    RDS
t2.micro     110 /s                 single master
t2.medium    210 /s                 one master and one slave


To conclude, a website built on the WordPress framework can achieve a high throughput of 210 concurrent requests per second on an EC2 instance with the t2.medium spec; on a t2.micro, the best throughput still reaches 110 concurrent requests per second. Thus, I think WordPress is good enough to build a high-performance PHP website on AWS.


Monday, September 12, 2016

How to Automatically Scale Up Your Application on AWS?

The basic rule is that your application servers and databases must be independent of each other. The application servers are only responsible for processing game or business logic and keep no cache data locally. The databases store game or user data. In front of the application servers you need a load balancer that redirects user traffic to the available servers whenever a problem makes one server unavailable.

Moreover, if you want to reduce the overhead on MySQL, such as the number of concurrent connections, you can use in-memory stores like Redis or Memcached to hold user sessions and so reduce the number of SQL queries against MySQL.

In addition, a NoSQL database such as Couchbase or MongoDB can be a better alternative to MySQL and can dramatically improve the performance of web applications.

As user traffic grows, you can easily add another EC2 application server on AWS or upgrade the MySQL/NoSQL database specs to meet the demand.

The methods below show how to set up an auto-scaling infrastructure for your applications.


1. Create a startApp script that launches the Java application/Tomcat at boot time


Launch an EC2 instance, deploy your Java application on it, and set up the startapp script below to run at startup.

vim startapp

#!/bin/bash

# Start the Java application from its own directory; abort if the directory is missing
cd /home/weishihhsun/app/ || exit 1
nohup java -jar p2pServer.jar &

sudo cp startapp /etc/init.d

sudo chmod +x /etc/init.d/startapp
sudo update-rc.d startapp defaults 98 02

98 and 02 are the start and stop sequence numbers respectively. Both are numbers between 00 and 99 and specify how early or late a service is started or killed.

By doing so, your Java or Tomcat application is started at boot time.


2. Create an image of the EC2 instance on AWS

Create an image of the EC2 instance (a clone of this server) from the AWS console.

3. Set up an Auto Scaling group

Add the EC2 image to the Auto Scaling group and set up thresholds that trigger different types of alarms, such as CPU usage, disk usage, and network traffic.

For example, if CPU usage is above 80%, automatically add an EC2 instance; if it is below 10%, remove one.

To conclude, you have learned how to build a highly available and scalable infrastructure for your applications. With these methods you can automatically scale your application servers written in PHP, Java, C# or C/C++ on AWS, as long as you keep your applications independent of the database.


Thursday, August 18, 2016

How to secure your Linux?

Get Started

There are four common and useful methods to secure and check your Linux system.
  • Port Scan
  • Firewall
  • Update Security package
  • Antivirus

Port Scan

You can check your system by scanning its ports. Once you find open ports that are not in use, close them and stop the related services.
  • Install the port scan tool
    sudo apt-get install nmap
  • Run a port scan of ports 1 to 65535
    nmap -p 1-65535 -T4 -A -v [Target IP]

Firewall

The fundamental rule for improving the security of your Linux system is to open only the ports your services actually require. I strongly recommend restricting access to port 22 to avoid SSH brute-force attacks. Fortunately, DenyHosts is a handy tool that automatically parses the SSH log, detects malicious IPs and sets up block rules for you.

Update Security package

Update your system with the latest security packages automatically.

Install the package if it isn't already installed:
sudo apt-get install unattended-upgrades

To enable it, run
sudo dpkg-reconfigure unattended-upgrades

and select "Yes".

Antivirus

Scan and check your system regularly with the following antivirus software (ClamAV).
  • Install the antivirus
    sudo apt-get install clamav
  • Update the virus definitions
    sudo freshclam
  • Scan the system
    sudo clamscan --remove=yes -i -r ./

Monday, March 7, 2016

Enable root user password login to EC2 on Ubuntu


Edit your sshd config to allow password-based logins:


    sudo nano -w /etc/ssh/sshd_config

Add the following line to /etc/ssh/sshd_config:
    PasswordAuthentication yes

Copy your authorized SSH keys if you want to log in via keys as well:
    sudo mkdir /root/.ssh
    sudo cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/

Reload your SSHd config:
    sudo reload ssh

Now you can login as root!

Tuesday, March 1, 2016

How to clear the browser cache with S3 on AWS?

If you use S3 as a CDN on AWS to speed up your website, your updated files will not take effect immediately. The cause of this problem is that the browser usually saves downloaded files such as SWF in its local cache and reads them from there.

How do you tell the browser not to use its cached copy when you update files?
You can add the following header to solve this problem.

Add the Cache-Control header manually in the S3 UI

1. Upload files to S3

2. Select the uploaded files and add a "Cache-Control" header that forces the browser not to cache any files and always read the latest ones.

header : Cache-Control
value:     max-age=0, no-cache, no-store, must-revalidate
 

3. Click the button to make your uploaded files public


Upload files to S3 and add the Cache-Control header automatically

1. Install the AWS CLI and s3cmd
# Install the AWS CLI (the Ubuntu package is awscli)
apt-get install awscli
# Download s3cmd from
http://s3tools.org/repositories

# Install s3cmd
tar xvfz s3cmd-1.0.0-rc1.tar.gz
cd s3cmd-1.0.0-rc1/
python setup.py install

# Set up s3cmd with your AWS credentials
./s3cmd --configure

 

2. Deployment
Copy the following commands into your script file. Then this task runs automatically whenever you update files.

# Upload files to S3 with a Cache-Control header and public-read ACL
aws s3 sync /var/www/html/yourproject/client s3://yourbucket/client --cache-control max-age=0 --acl public-read

# Add the full cache-clearing header to every object
s3cmd --recursive modify --add-header="Cache-Control:max-age=0, no-cache, no-store, must-revalidate" s3://yourbucket/client

# Make the files public
s3cmd setacl s3://yourbucket/client --acl-public --recursive

Monday, February 1, 2016

Using Amazon Route 53 to create DNS failover for MySQL

AWS Route 53 lets you set a timer to periodically check the connection status of MySQL via TCP or HTTP. There are many ways to implement the check, such as LAMP (PHP + Apache), Java + Tomcat, or C/C++ socket programming.
I used the LAMP method to save development and testing effort.

Create a health check with the following settings.
IP Address : 192.168.0.1
Port  :  80
Site :  testdb.php
domain name: test.com

Create a testdb.php that checks the MySQL connection.
If the connection works, it responds 200 OK.
Otherwise it returns a 500 error code to AWS Route 53.


testdb.php
<?php
/**
 * Description of Connection
 */
class Connection {
    /** Instance */
    private static $_singleton = null;
    // DB Settings
    private $db;
    private $dbHost;
    private $dbName;
    private $dbUserName;
    private $dbPassword;
    private $dbPort = "3306";

    /**
     * DB Instance
     */
    public static function getInstance() {
        if (self::$_singleton == null) {
            self::$_singleton = new Connection();
        }
        return self::$_singleton;
    }

    private function __construct() {
    }

    public function createConnection($host, $dbname, $username, $password, $port = '3306')
    {
        $this->dbHost = $host;
        $this->dbName = $dbname;
        $this->dbUserName = $username;
        $this->dbPassword = $password;
        $this->dbPort = $port;   // store the port so a non-default value is actually used
        try
        {
            $this->db = new PDO('mysql:host=' . $this->dbHost . ';port=' . $this->dbPort . ';dbname=' . $this->dbName,
                                $this->dbUserName, $this->dbPassword);
            // Raise PDOException on query errors so a failed SELECT also reports 500
            $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $sql = "SELECT host FROM user LIMIT 1";
            $result = $this->db->query($sql);
            foreach ($result as $row) {
                echo "SUCC";   // connection and query succeeded: HTTP 200 for Route 53
                break;
            }

            $this->db = null; // close the database connection
        }
        catch (PDOException $e)
        {
            // Tell Route 53 the health check failed
            http_response_code(500);
            die("Connection to database failed. (" . $e->getMessage() . ")");
        }
    }

}

/**
 * Initial Database Connection
 * Connection::getInstance()->createConnection($DBi, $db1, $DBu, $DBp)
 * @param $DBi  Database server IP
 * @param $db1  Database name
 * @param $DBu  user name
 * @param $DBp  user password
 */

// DEV
$DBi   = '127.0.0.1';
$db1   = 'mysql';
$DBu   = 'account';
$DBp   = 'password';


// Initial DB Connection
Connection::getInstance()->createConnection($DBi, $db1, $DBu, $DBp);

?>

Create a Primary hosted zone for test.com.

Now, in the Edit Record Set panel on the right side of the page, do the following:
  1. Set the TTL to 60 seconds. This limits how long this DNS record is cached in the Internet's DNS system, so there is a shorter delay between the time failover occurs and the time end users begin to be routed to your backup site.
  2. Set the Routing Policy to Failover.
  3. Select Primary as the Failover Record Type.
  4. Select Yes for Associate Record Set with Health Check.
  5. Select the health check to associate with this record. In the drop-down that appears, you should see the health check we just created. Select this health check.
  6. Click Save Record Set.

Create a Slave Record Set

  1. Set the TTL to 60 seconds. This limits how long this DNS record is cached in the Internet's DNS system, so there is a shorter delay between the time failover occurs and the time end users begin to be routed to your backup site.
  2. Set the Routing Policy to Failover.
  3. Select Slave as the Failover Record Type.
  4. Select No for Associate Record Set with Health Check.
  5. Do not associate any health check with this record.
  6. Click Save Record Set.

The switching time between the MySQL master DB and slave DB is as follows.
test.com --> DB Master IP Address
DB Master or Apache is down
test.com --> DB Slave IP Address
time: 30 sec
DB Master is UP
test.com --> DB Master IP Address
time: 60 sec

The DNS failover approach is not a perfect solution for MySQL HA, because it takes at least 60 seconds to switch databases. This means the system has 60 seconds of downtime.
An architecture with a load balancer and a MySQL cluster in synchronous mode might be superior to this.