Practical Web Programming

Saturday, January 09, 2016

Deploying Rails Application for the First Time

I always forget these steps when deploying a Rails app for the first time. So I'm finally writing this in as a guide for the future.

This assumes that you already have a running Ubuntu server with Apache and Passenger installed (see Basic Security Installs for Ubuntu and How to Install Passenger + Apache in Ubuntu).
  1. Clone the git repo.
    git clone git@bitbucket.org:kabalweg/app_name.git
    cd app_name
    bundle install
    
    If you get a "bundle not yet installed" error, run the following comment:
    gem install bundle
    
  2. Go to /var/www/ type and this command to create a symbolic link.
    sudo ln -s /home/kabalweg/app_name/ ./app_name
    
  3. Go to /etc/apache2/sites-available and create a virtualhost file, app_name.conf, or copy and existing one and edit the appropriate values in that file and save.
    <VirtualHost *:80>
        ServerName app_name.net
        Redirect permanent / http://www.app_name.net/
    </VirtualHost>
    
    <VirtualHost *:80>
      ServerName www.app_name.net
      ServerAdmin kabalweg@gmail.com
    
      # Set the environment to production
      RailsEnv production
    
      <IfModule mod_passenger.c>
          # Set to on when debugging errors
          PassengerFriendlyErrorPages off
    
          #PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
          #PassengerDefaultRuby /home/kabalweg/.rvm/gems/ruby-2.2.1@rails4.2/wrappers/ruby
          PassengerMaxPoolSize 2
          PassengerPoolIdleTime 0
          PassengerMaxRequests 1000
        </IfModule>
    
        DocumentRoot /var/www/app_name/public
        <Directory /var/www/app_name/public>
          AllowOverride all
          Options -MultiViews
          #Require all granted
          Order deny,allow
          Allow from all
        </Directory>
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
    
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    
  4. Disable the default virtualhost and enable the new virtualhost file and activate it.
    sudo a2dissite 000-default.conf
    
    sudo a2ensite app_name.conf
    sudo apachectl -k graceful
    
  5. Generate secret key and put the resulting key in the secret.yml file.
    rake secret RAILS_ENV=production
    
    Note: It's not a good and safe practice to put production config values in the repo. A good way is to ignore config files (*.yml) using git so it don't get save in the repo, then just manually create this files, with the correct values, in the production server.
  6. Pre-compile assets.
    rake assets:precompile RAILS_ENV=production
    
  7. Restart application by typing below in your application's root directory.
    touch tmp/restart.txt
    
    Create this folder (tmp) if you don't have this.

How to Install Passenger + Apache in Ubuntu 16.04 LTS

Note: This assumes that you already have a running Ubuntu server. To install basic security in Ubuntu, see Basic Security Installs for Ubuntu. This instructions was extracted from here.
  1. Install Apache Server
      sudo apt-get update
      sudo apt-get install apache2
      
  2. Set Global ServerName to Suppress Syntax Warnings: "AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message"
      sudo vim /etc/apache2/apache2.conf
      
    and enter at the end of the file:
      ServerName server_domain_or_IP
      
  3. Test config so far
      sudo apache2ctl configtest
      
  4. Restart Apache for the changes to take effect
      sudo systemctl restart apache2
      
  5. Install Passenger packages.
    # Install our PGP key and add HTTPS support for APT
    sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7
    sudo apt-get install -y apt-transport-https ca-certificates
    
    # Add our APT repository
    sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger xenial main > /etc/apt/sources.list.d/passenger.list'
    sudo apt-get update
    
    # Install Passenger + Apache module
    sudo apt-get install -y libapache2-mod-passenger
    
    These commands will install Passenger + Apache module through Phusion's APT repository.
  6. Enable the Passenger Apache module and restart Apache
    sudo a2enmod passenger
    sudo apache2ctl restart
    
  7. Check installation
    sudo passenger-config validate-install
    
    All checks should pass. If any of the checks do not pass, please follow the suggestions on screen.
  8. Check whether Apache has started the Passenger core processes by running the following:
    sudo passenger-memory-stats
    

Friday, January 08, 2016

Creating a Skeleton Rails Application without Database and Test Unit

  1. 1. Create application without database access and test unit
        $ rails new [app_name] --skip-active-record --skip-test-unit
    
  2. Include Bootstrap
    • Download Bootstrap and extract content
    • Copy bootstrap.min.css and bootstrap.css to /app/assets/css folder
    • Copy bootstrap.min.js and bootstrap.js to /app/assets/js folder
    • Copy fonts folder to /app/assets folder
    Note: The reason why I put bootstrap.css in the main root of asset folder is so I can create a file (ex: custom.css) that will over ride the Bootstrap.css rules in case I want to.
  3. Create main controller that will serve as root file.
  4.     $ rails generate controller main_controller index --no-assets --no-helper
    
  5. Set the root route to main_controller#index
        root 'main_controller#index'
    

Monday, January 04, 2016

Basic Security Installs for Ubuntu

The original idea of this post was taken from My First 5 Minutes On A Server; Or, Essential Security for Linux Servers. As I build my server, I follow it but some of it's recommendation does not fit my requirements (ex: connecting via SSH only on certains IPs, which locked me out on several occasions). This post is my own "concoction". This assumes that you already have a fresh server running with only root as user.
  1. Login as root and set root password
    passwd
    
    It's always good to use a strong root password. I recommend Random Password Generator for this.
  2. Update Ubuntu
    apt-get update
    apt-get upgrade
    
  3. Install Fail2ban
    apt-get install fail2ban
    
    Fail2ban is a daemon that monitors login attempts to a server and blocks suspicious activity as it occurs. It’s well configured out of the box.
  4. Create user and set-up user folders
    useradd deploy
    mkdir /home/deploy
    mkdir /home/deploy/.ssh
    chmod 700 /home/deploy/.ssh
    
  5. Change deploy user's login shell with the 'chsh' command. This will make sure that deploy user will have a more interactive shell.
    sudo chsh -s /bin/bash deploy
    
  6. Require public key authentication for logging in
    vim /home/deploy/.ssh/authorized_keys
    
    Add the contents of the id_rsa.pub on your local machine and any other public keys that you want to have access to this server to this file.
  7. Lock down authorized_keys file and change owner of user folder
    chmod 400 /home/deploy/.ssh/authorized_keys
    chown deploy:deploy /home/deploy -R
    
  8. Test the new user (deploy) in a new terminal window and generate SSH key. This will be used when connecting to github or bitbucket
    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    
    Above code creates a new ssh key, using the provided email as a label.

    Logout user (deploy) and go back to the window where you are logged as root.
  9. Change deploy user password. This password will be used when doing sudo commands
    passwd deploy
    
  10. Change default text editor to your preference (I like Vim)
    update-alternatives --config editor
    
  11. Comment all existing user/group grant lines
    visudo
    
    Add the following line:
    root    ALL=(ALL) ALL
    deploy  ALL=(ALL) ALL
    
    This will grant sudo access to the deploy user when they enter the proper password.
  12. Set up a firewall to further secure the server using ufw.
    ufw allow 22
    ufw allow 80
    ufw allow 443
    ufw enable
    
  13. Enable automatic security updates
    apt-get install unattended-upgrades
    
    vim /etc/apt/apt.conf.d/10periodic
    
    Update the file to look like this:
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";
    
    One more config file to edit:
    vim /etc/apt/apt.conf.d/50unattended-upgrades
    
    Update the file to look like below. This will enable security updates only:
    Unattended-Upgrade::Allowed-Origins {
            "Ubuntu lucid-security";
    //      "Ubuntu lucid-updates";
    };
    
    or
    Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}";
            "${distro_id}:${distro_codename}-security";
    //      "${distro_id}:${distro_codename}-updates";
    //      "${distro_id}:${distro_codename}-proposed";
    //      "${distro_id}:${distro_codename}-backports";
    };
    

Recent Post