fogbound.net




Fri, 9 Jul 2021

Virtual Apache SSL Hosts in a Docker Container

— SjG @ 1:40 pm

You might want to “containerize” your development hosting environment so you can easily migrate it from machine to machine. As a Docker noob, I had a bunch of issues getting this set up the first time, and wanted to share a working configuration. This example assumes you have Docker installed and operating. You can also skip reading this, and just download the files at GitHub.

First, we’ll need to create some directories. I create one for the Apache configurations, and one for the code projects I’ll be working on.
mkdir apache-php
mkdir project

Within project, you can check out the code for your various projects into subdirectories. For simplicity, I’ve created project1 and project2 in the sample code. The Apache web server within the container will serve content from these directories.

We’re going to use a fictional top-level domain (TLD) for our development environment. This way, the URL you use to access your sites will be the same every time you spin up a new dev environment, without having to worry about name servers. You do, however, have to worry about your /etc/hosts file (or your platform’s equivalent). Choose a TLD that will be easy to remember. For my example, I’m using “mylocal”. One thing to avoid: start the TLD with a letter rather than a number. Don’t include characters like hyphens. Please learn from my mistakes.

Edit your /etc/hosts, and add the lines:
127.0.0.1 project1.mylocal
127.0.0.1 project2.mylocal

Next, we’ll want to create an SSL certificate for use in development. The easiest way to do this is with mkcert. Once you have mkcert installed and working, you’ll create a wildcard certificate for your TLD:
cd php-apache
mkcert -install mylocal "*.mylocal"

Next, we create a compose.yaml file:

version: "3.9"
services:
php:
container_name: ApachePHPVirtual
networks:
- apache
build:
context: .
dockerfile: PhpApacheDockerfile
volumes:
- "./project:/var/www"
ports:
- 80:80
- 443:443
extra_hosts:
- "project1.mylocal:127.0.0.1" # remember to add "127.0.0.1 project1.mylocal" to your /etc/hosts file or equivalent
- "project2.mylocal:127.0.0.1" # remember to add "127.0.0.1 project2.mylocal" to your /etc/hosts file or equivalent
hostname: project1.mylocal # default
domainname: mylocal
tty: true # if you want to debug
networks:
apache:

This is pretty straightforward. We’re creating a container which we’ll call “ApachePHPVirtual,” it will have a network we call “apache” if we want to connect using other containers, and it links our top level project directory to /var/www in the container. We map ports 80 and 443 on our host machine to those same ports in the container. The extra_hosts directive adds our project names to the container’s /etc/hosts. We set up the container’s hostname to match our first project, and set the default domain to our “mylocal” TLD.

We then want to create configurations for each of the Apache virtual hosts. In the php-apache directory, we create config files for each project. These are just standard virtual host declarations, e.g.:

<VirtualHost *:80>
    ServerName project1.mylocal
    Redirect permanent / https://project1.mylocal/
</VirtualHost>
<VirtualHost *:443>
    ServerName project1.mylocal
    DocumentRoot /var/www/project1
    ErrorLog ${APACHE_LOG_DIR}/project1-error.log
    CustomLog ${APACHE_LOG_DIR}/project1-access.log combined
    DirectoryIndex index.php

    <Directory "/var/www/project1">
        Options -Indexes +FollowSymLinks
        AllowOverride all
        Order allow,deny
        Allow from all
    </Directory>

    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/cert-key.pem
</VirtualHost>

You’ll need to create a similar configuration for each project. Note that the Document Root points at the mapped host directory. That means you won’t need to rebuild the container to see project changes.

The actual image for the Apache/PHP container is created and configured in our next file, “PhpApacheDockerfile”. So we create that:

FROM php:8.0.8-apache-buster

# add some packages
RUN docker-php-ext-install curl gd iconv pdo pdo_mysql soap zip

# Apache Config
COPY php-apache/project1.conf /etc/apache2/sites-available/project1.conf
COPY php-apache/project2.conf /etc/apache2/sites-available/project2.conf
COPY php-apache/mylocal+1-key.pem /etc/apache2/ssl/cert-key.pem
COPY php-apache/mylocal+1.pem /etc/apache2/ssl/cert.pem

# mod rewrite! SSL!
RUN a2enmod rewrite
RUN a2enmod ssl

# enable sites
RUN a2ensite project1.conf
RUN a2ensite project2.conf
RUN service apache2 restart

This pulls the php-8.0.8 image from DockerHub, adds in some PHP extensions, copies over our SSL certificate and key, copies our virtual host configuration files over, enables the projects, and restarts the Apache server.

Now, all that remains to do is build it and power it up:

docker-compose build && docker-compose up -d

You can now visit the project URls in your browser, e.g., https://project1.mylocal/


Sat, 12 Sep 2020

Those pesky /usr/local/include headers under MacOS Catalina

— SjG @ 11:04 am

Here’s another of those “system upgrade moves stuff around” problems. My work iMac seems to be suffering a slow disk failure. It gets slower and slower as it tries to run.

Queue restoring TimeMachine backups onto a new iMac. A lot of stuff just works. But things like building xsendfile for the Apache development server under Mac ports threw lots of errors. The compiler couldn’t find the headers:

mod_xsendfile.c fatal error: stdio.h: no such file or directory

There are lots of suggestions out there to run xcode-select --install, but I’d already done that.

Turns out that XCode has stopped storing the SDKs in /Library/Developer/CommandLineTools/SDKs and moved them to /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs. I spent a bit of time trying to figure out how to pass that path to the Mac Ports version of apxs2 to use the new include path, but eventualy gave up and just did the hacky thing:
ln -s /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs /Library/Developer/CommandLineTools/SDKs

Another issue, just so I rememebr next time, was that the web server and the command line were mysteriously running different versions of PHP. The key, of course, was that I had forgotten to run port select, e.g., for this project, I needed port select php php70.


Tue, 7 Apr 2020

One-liner to get a directory’s worth of video times

— SjG @ 10:58 am

The ffmpeg family of programs is incredibly arcane and powerful for handling video and video information. I needed to get the run times of a collection of videos. Here’s a handy one-liner that creates output suitable for import into a spreadsheet:

for i in *.mp4; do q=ffprobe -i "$i" -show_entries format=duration -v quiet -of csv="p=0";echo "$i, $q"; done

Sample run:
$ cd ~/work/training_videos
$ for i in *.mp4; do q=ffprobe -i "$i" -show_entries format=duration -v quiet -of csv="p=0";echo "$i, $q"; done
First_steps.mp4, 70.868000
Create_a_project.mp4, 134.320000
Loading_libraries.mp4, 45.442000
...


Fri, 27 Mar 2020

Fixing obsolete Karma test framework

— SjG @ 3:20 pm

Somewhere along the line, I did some software update on my MacBook machine that broke the Karma tests for an AngularJS 1.x application. I don’t know when this happened. I haven’t done work on this project on any computer except on my work desktop in a long, long time.

However, with Covid-19 and the work-from-home regimen, I need to make this work on the MacBook.

When I’d run the tests, I’d get a lovely crash:

27 03 2020 14:35:38.395:ERROR [reporter]: Can not load reporter "junit", it is not registered!
   Perhaps you are missing some plugin?
 27 03 2020 14:35:38.473:INFO [karma]: Karma v2.0.5 server started at http://0.0.0.0:9876/
 27 03 2020 14:35:38.474:INFO [launcher]: Launching browser PhantomJS with unlimited concurrency
 27 03 2020 14:35:38.475:ERROR [karma]: { inspect: [Function: inspect] }

Naturally, the first thing I’d do is make sure I’d installed the correct plugin: npm install karma-junit-reporter --save … Node happily reinstalled the plugin, and nothing changed. The source of the issue turned out to be a conflict between the project-installed karma-cli and bits and bobs of an old global install.

I had to clean up the globally-installed stuff that was lurking in /usr/local/bin and /usr/local/lib/node_modules (which is to say, deleted /usr/local/lib/node_modules/karma, /usr/local/lib/node_modules/karma-jasmine, and /usr/local/lib/node_modules/jasmine) leaving everything in the local project install with the exception of karma-cli, which is still globally installed.


Thu, 28 Mar 2019

Using openssl for AES-CBC-PKCS5Padding rather than mcrypt in PHP

— SjG @ 2:34 pm

Yeah, that’s quite an acronym soup.

Background: the mcrypt library for PHP has been deprecated for a long time now. However, in PHP we still have to process lots encrypted strings coming from a format like MCRYPT_RIJNDAEL_128 or stuff coming from Java (Android, I’m looking at you!), that was encrypted with a AES with Cipher Blocker Chaining and PKCS5Padding. These cipher algorithms are not explicitly included in openssl as such, although you can find stray references all over the web pointing you in the general direction.

I frequently have to integrate with third-party sites or services that are written in Java, and which provide sample PHP code for implementing my end. Because the ciphers in mcrypt are easier to identify, this provided source usually uses the deprecated library rather than openssl.

So, to save some time, here’s the equivalent openssl encryption/decryption commands:

openssl_encrypt($plaintext,'aes-128-cbc',$key,0,$iv)
openssl_decrypt($encrypted, 'aes-128-cbc',$key, 0, $iv)

For a more verbose proof-of-concept, a longer test program is included below. But before you look at that, consider the following warnings:

DO NOT USE A FIXED INITIALIZATION VECTOR!
DO NOT USE STUPID PASSWORDS!
DO NOT USE THIS CODE IN PRODUCTION!

<?php
// sooper-secret message
$src = array('don' => 'sleeper agent', 'mike' => 'coverup');
// ultra-seekrit key
$key = '1234567890123456';
// hard-coded initialization vector to prove we really know our stuff
$iv = '6543210987654321';

$original = json_encode($src);

// encrypt with mcrypt
$size = mcrypt_get_block_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$pad = $size - (strlen($original) % $size);
$plain = $original . str_repeat(chr($pad), $pad);
$module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
mcrypt_generic_init($module, $key, $iv);
$data = mcrypt_generic($module, $plain);
mcrypt_generic_deinit($module);
mcrypt_module_close($module);
$mcrypted = base64_encode($data);

// encrypt with openssl
$ocrypted = openssl_encrypt($original, 'aes-128-cbc', $key, 0, $iv);

if (strcmp($mcrypted, $ocrypted))
{
echo "Uh-oh. Encrypted strings don't match up.\n";
echo "mcrypt encrypted string:\n$mcrypted\n";
echo "openssl encrypted string:\n$ocrypted\n";
}
else
{
// decrypt using mcrypt
$m_from_o_decrypt_padded = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($ocrypted), MCRYPT_MODE_CBC, $iv);
$dec_s = strlen($m_from_o_decrypt_padded);
$padding = ord($m_from_o_decrypt_padded[$dec_s - 1]);
$m_from_o_decrypt = substr($m_from_o_decrypt_padded, 0, -$padding);

// decrypt using openssl
$o_from_m_decrypt = openssl_decrypt($mcrypted, 'aes-128-cbc', $key, 0, $iv);

if (strcmp($o_from_m_decrypt, $m_from_o_decrypt))
{
echo "Uh-oh. Decrypted JSON strings don't match up.\n";
echo "openssl decrypting mcrypt encrypted string:\n$o_from_m_decrypt\n";
echo "mcrypt decrypting openssl encrypted string:\n$m_from_o_decrypt\n";
}
else
{
echo "Encrypted strings were the same, and each library decrypted the other's encrypted data\n.";
}
}