Development News

Dcycle: Letsencrypt HTTPS for Drupal on Docker

Main Drupal Feed - Tue, 10/03/2017 - 00:00

This article is about serving your Drupal Docker container, and/or any other container, via https with a valid Let’s encrypt SSL certificate.

Step one: make sure you have a public VM

To follow along, create a new virtual machine (VM) with Docker, for example using the “Docker” distribution in the “One-click apps” section of Digital Ocean.

This will not work on localhost, because in order to use Let’s Encrypt, you need to demonstrate ownership over your domain(s) to the outside world.

In this tutorial we will serve two different sites, one simple HTML site and one Drupal site, each using standard ports, on the same Docker host, using a reverse proxy, a container which sits in front of your other containers and directs traffic.

Step two: Set up two domains or subdomains you own and point them to your server

Start by making sure you have two domains which point to your server, in this example we’ll use:

  • test-one.example.com will be a simple HTML site.
  • test-two.example.com will be a Drupal site.
Step three: create your sites

We do not want to map our containers’ ports directly to our host ports using -p 80:80 -p 443:443 because we will have more than one app using the same port (the secure 443). Port mapping will be the responsibility of the reverse proxy (more on that later). Replace example.com with your own domain:

DOMAIN=example.com docker run -d \ -e "VIRTUAL_HOST=test-one.$DOMAIN" \ -e "LETSENCRYPT_HOST=test-one.$DOMAIN" \ -e "LETSENCRYPT_EMAIL=my-email@$DOMAIN" \ --expose 80 --name test-one \ httpd docker run -d \ -e "VIRTUAL_HOST=test-two.$DOMAIN" \ -e "LETSENCRYPT_HOST=test-two.$DOMAIN" \ -e "LETSENCRYPT_EMAIL=my-email@$DOMAIN" \ --expose 80 --name test-two \ drupal

Now you have two running sites, but they’re not yet accessible to the outside world.

Step three: a reverse proxy and Let’s encrypt

The term “proxy” means something which represents something else. In our case we want to have a webserver container which represents our Drupal and html containers. The Drupal and html containers are effectively hidden in front of a proxy. Why “reverse”? The term “proxy” is already used and means that the web user is hidden from the server. If it is the web servers that are hidden (in this case Drupal or the html containers), we use the term “reverse proxy”.

Let’s encrypt is a free certificate authority which certifies that you are the owner of your domain.

We will use nginx-proxy as our reverse proxy. Because that does not take care of certificates, we will use LetsEncrypt companion container for nginx-proxy to set up and maintain Let’s Encrypt certificates.

Let’s start by creating an empty directory which will contain our certificates:

mkdir "$HOME"/certs

Now, following the instructions of the LetsEncrypt companion project, we can set up our reverse proxy:

docker run -d -p 80:80 -p 443:443 \ --name nginx-proxy \ -v "$HOME"/certs:/etc/nginx/certs:ro \ -v /etc/nginx/vhost.d \ -v /usr/share/nginx/html \ -v /var/run/docker.sock:/tmp/docker.sock:ro \ --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \ jwilder/nginx-proxy

And, finally, start the LetEncrypt companion:

docker run -d \ --name nginx-letsencrypt \ -v "$HOME"/certs:/etc/nginx/certs:rw \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ --volumes-from nginx-proxy \ jrcs/letsencrypt-nginx-proxy-companion

Wait a few minutes for "$HOME"/certs to be populated with your certificate files, and you should now be able to access your sites:

  • https://test-two.example.com/ should show the Drupal installer (setting up a MySQL container to actually install Drupal is outside the scope of this article);
  • https://test-one.example.com should show the “It works!” page.
  • In both cases, the certificate should be valid and you should get no error message.
  • http://test-one.example.com should redirect to https://test-one.example.com
  • http://test-two.example.com should redirect to https://test-two.example.com
A note about renewals

Let’s Encrypt certificates last 3 months, so we generally want to renew every two months. LetsEncrypt companion container for nginx-proxy states that it automatically renews certificates which are set to expire in less than a month, and it checks this hourly, although there are some renewal-related issues in the issue queue.

It seems to also be possible to force renewals by running:

docker exec nginx-letsencrypt /app/force_renew

So it might be worth considering to be on the lookout for failed renewals and force them if necessary.

Enjoy!

You can now bask in the knowledge that your cooking blog will not be man-in-the-middled.

This article is about serving your Drupal Docker container, and/or any other container, via https with a valid Let’s encrypt SSL certificate.

WPTavern: Regenerate Thumbnails Plugin Passes 5 Million Downloads, Rewrite in the Works

Wordpress Planet - Mon, 10/02/2017 - 21:53

Regenerate Thumbnails, written by prolific plugin developer Alex Mills, has passed 5 million downloads. The plugin was first released nearly a decade ago in August 2008 during the days of WordPress 2.6. Regenerate Thumbnails is used to retroactively generate new thumbnail sizes for past uploads. It has become an indispensable utility over the years, helping millions of users successfully transition between WordPress themes that have different featured image sizes.

Regenerate Thumbnails version 1.0.0

“I was freelancing at the time and according to an ancient post on my blog, I apparently wrote it as a client needed the functionality,” Mills said. “I don’t remember that though and I certainly never figured it’d be installed and activated on over a million sites like it is today!”

Regenerate Thumbnails is downloaded thousands of times every day, and, fortunately, it is the type of plugin that doesn’t generate too many support issues. Mills said he is thankful for the many volunteers on the WordPress.org support forums who have also helped manage the load. Despite the continued and widespread use of the plugin, Mills has never considered cashing in on it.

“I’d never monetize any of my plugins,” he said. “I write them for fun not profit. It would be a conflict of interest anyway due to my employment at Automattic.”

Regenerate Thumbnails is a fairly straightforward plugin that rarely requires updating, but this year Mills said he has tried to give it a lot more love and will soon be releasing a complete rewrite.

“The rewrite is currently taking place on GitHub and is a complete rethink of the plugin, both in terms of the interface and underlying technologies,” Mills said. “The interface is powered by Vue.js, which I’m learning and using for the first time, and the WordPress REST API. I also have a full suite of unit tests for PHPUnit to verify that the plugin code is working as intended, both now and into the future. Those have been incredibly useful while writing the plugin and I highly recommend other plugin authors make use of them too. WP-CLI makes it very easy to set up.”

After nine years of supporting Regenerate Thumbnails, and many other plugins, Mills said he doesn’t consider himself the best example when it comes to maintaining plugins. His advice to other developers is “try to make sure to write your plugins to be future-proof.”

“Outside of some updates last month, the last real changes to the plugin were made in 2012!” Mills said. “I wrote the plugin well the first time around and it’s just worked mostly fine ever since because it uses built-in WordPress code to do the work.”

This is the reason why Regenerate Thumbnails has already blazed past its major milestone at 5,762,713 downloads and is well on its way to 6 million before the end of the year. Users still find the plugin to work as reliably as it did in 2008.

Have loved this plugin for years, just used it to relaunch a website with 50000 images and 30 image sizes.

— Scott Fennell (@scottfennell123) August 14, 2017

Mills said that making a plugin future proof is key if you write code all day for a living and then find it difficult to write more in the evenings and weekends for WordPress.org plugins. However, due to his current illness, he hasn’t worked in nearly a year since October 2016.

“While I’m still battling the leukemia, I’m at least feeling better than I was at the beginning of the year so I’ve gotten the itch to code again,” Mills said. “Working on personal projects such as Regenerate Thumbnails has been a good way to brush off my coding skills in anticipation of returning to work. Plus it’s just fun to code again!”

Palantir: Drupal 8 is Great for Easy Publishing

Main Drupal Feed - Mon, 10/02/2017 - 19:19
Drupal 8 is Great for Easy Publishing brandt Mon, 10/02/2017 - 14:19 Alex Brandt Oct 2, 2017

The #D8isGr8 blog series will focus on why we love Drupal 8 and how it provides solutions for our clients. This post in the series comes from Alex Brandt, Marketing Lead.

In this post we will cover...
  • What changes Drupal 8 has made to the editing experience
  • How Drupal 8 promotes accessibility
  • One way we use Drupal 8 to connect with our audience

Stay connected with the latest news on web strategy, design, and development.

Sign up for our newsletter.

Oh Drupal 8, how do I love thee? Let me count the ways… As a content editor on a small team, I welcome every chance I get to publish something easier, quicker, and more effectively. My first experience publishing content in Drupal was in Drupal 7, and without having previous HTML experience, it was a time-consuming endeavor. Although there is a plethora of different reasons why I love publishing content in Drupal 8, I’ll narrow it down to my top three.

1.) WYSIWYG FTW!

This little bar is my best friend:

A quick WYSIWYG editor (CKEditor) is now standard in Drupal 8 core, which means there’s no need to look up the HTML every time I want to include a link, stylize a heading, or insert an image. The amount of time I save when publishing is awesome, but it also prevents me from using sloppy code that could become an issue later down the line if we migrate content.

2.) Keeping Things Accessible with Alt Text

Drupal 8 now flags when you need alternative text (alt text), and it doesn’t allow you to publish a post without providing these descriptions. We always strive to make our corner of the web equally accessible for all users, and this is a safeguard to make sure we continue doing so. You can read more about why alt text is important in our recent post on accessibility.

This red asterisk prompt displays every time you insert an image.3.) Customization

Just like most institutions, our website is one of the most important marketing tools for our agency. Not only does it provide us with a place to share knowledge with our audience, it provides different ways for our audience to engage with us.

One of the easiest ways we are able to connect with our clients, partners, and community is by creating customizable call-to-action buttons to display in various places on our site. These buttons allow our site visitors to sign up for our newsletter, schedule a time to chat with us, register for a webinar, or any other action we hope they take. By having the ability to customize each button (opposed to only having a generic contact us button), we can make sure the call-to-action buttons fits the content where they are displayed. Drupal 8 makes these buttons easy to create (once we set up our desired fields).

Different options for customizing CTA buttons.Easy Publishing in Drupal 8

All of these features in Drupal 8 allow me to share tailored content with our audience, without becoming bogged down by the technology. And because I know you were wondering, the time it took me to take this blog post from google doc to published? 3 minutes, 17 seconds.

We want to make your project a success.

Let's Chat.

WPTavern: New WP-CLI Project Aims to Extend Checksum Verification to Plugins and Themes

Wordpress Planet - Mon, 10/02/2017 - 18:37

The WP-CLI team is initiating a new project that aims to bring checksum verification to plugins and themes. Checksums are a method of verifying the integrity of files. Three years ago, WP-CLI added the capability of verifying WordPress core checksums using the MD5 algorithm. This is a useful security feature that allows developers to easily see if any files have been modified or compromised.

The core checksums are handled via WordPress’ official API (https://api.wordpress.org/core/checksums/) and WP-CLI contributors are planning to extend this infrastructure to plugins and themes hosted on WordPress.org.

“Having this kind of functionality for plugins and themes as well would be a huge security benefit,” WP-CLI co-maintainer Alain Schlesser said. “It would allow you to check the file integrity of an entire site, possibly in an automated fashion. However, there is no centralized way of retrieving the file checksums for plugins or themes yet, and the alternative of downloading the plugins and themes from the official servers first just to check against them is wasteful in terms of resources and bandwidth.”

Contributors are currently exploring different options for implementation in a discussion on GitHub, inspired by an existing wp-checksum project by Erik Torsner.

“The simplest possible infrastructure to go with would be flat files (no database),” WP-CLI maintainer Daniel Bachhuber said. “I’ve chatted with the corresponding WordPress.org folks about hosting. If our middleware application can generate flat files served by some API, then it will be fine to sync those flat files to a WordPress.org server (with rsync or similar).”

The team is considering building the API under a separate URL for testing and iteration and then incorporating it back into WordPress.org’s infrastructure once it is ready. However, the sheer size of the SVN checkouts and the CPU required to sync the files makes it an interesting challenge. DreamHost has volunteered a server for the team to run its checksum generator on while the infrastructure is being developed.

Torsner’s WP-CLI subcommand to verify checksums for themes and plugins currently only works with those hosted on WordPress.org, but he is also experimenting with mechanisms for getting checksums from some commercial vendors, including Gravity Forms and Easy Digital Downloads. He said he hopes the project would be capable of keeping these capabilities for commercial plugins after it is incorporated back into WordPress.org.

The Plugin and Themes Checksums project is currently in the initiation stage and will have an official kickofff during the next WP-CLI meeting on Tuesday, October 3, 2017, at 11:00 AM CDT. Anyone who would like to volunteer is encouraged to attend, especially those with an interest in security, systems administration, and the technology required to get this project off the ground.

“This project will have a huge impact on the perceived and effective security of WordPress installations,” Schlesser said. “It can greatly reduce the amount of malware-infested sites plaguing the internet, and through the substantial market share of WordPress, improve the general browsing experience for all net citizens.”

Pages