Hardening Your CI/CD: Terraform, Docker, and Kubernetes Security

As I continue this series on CI/CD pipeline security, it is time to now work on securely building and deploying our application. This post picks up where my Build Secure Python Pipelines: Adding Tests and Hooks in Action post left off. In this post, we’ll continue our pipeline development by adding a container build and deployment to Kubernetes. In addition to this, we’ll add some security components to the build and deployment process. ...

March 1, 2024 · 11 min · Scott

Deploy a Nanobus Web Server

After Trying Out Nanobus, I figured it was time to go a little deeper and try to deploy a Nanobus web server. As noted in my previous post, I hadn’t set up any transports for my hello world instance, so I couldn’t interact with it when deployed as a container. I also realized that a nanobus/nanobus Docker image exists (https://hub.docker.com/r/nanobus/nanobus), so there’s no need for me to roll my own either. ...

February 23, 2023 · 6 min · Scott

Using GitHub Actions To Test Before You Deploy

I’ve been using DigitalOcean for quite some time now and had recently set up their App Platform to run my website. Their platform is great in that I’m able to build a Docker container running OpenResty and it handles all of my needs. The platform does a great job of catching Docker build failures and stops attempting a deployment when this happens. A few weeks ago, I had a concerning thought in that they don’t catch problems with my OpenResty configuration until it’s too late. The moment their platform executes openresty inside the container, everything pukes and my site goes offline. ...

October 23, 2022 · 5 min · Scott

Adding Nginx in Front of WordPress

There are a few drawbacks to the 1-Click install. I’m planning to tinker with something really cool down the road to fix one of those problems (I know, the future again). Luckily, I’m going to address my first initial concern in this post. What is that concern, you ask? Protecting my WordPress admin, of course! Sure, there are a number of WordPress vulnerabilities roaming around and talks of zero days and the sort. I make life easier on any attacker if I just leave my WordPress admin open to anyone. In this post, we look at taking my custom nginx and deploying it in front of my WordPress site to enforce IP access control to the admin page. ...

January 7, 2021 · 8 min · Scott

Testing Out the DigitalOcean Container Registry

Disclosure: I have included some affiliate / referral links in this post. There’s no cost to you for accessing these links but I do indeed receive some incentive for it if you buy through them.

Building the Custom Nginx

This part was pretty easy. I simply created a Dockerfile for the build.

    FROM ubuntu
    ENV DEBIAN_FRONTEND noninteractive
    MAINTAINER Scott Algatt
    RUN apt-get update \
        && apt-get install -y libjansson-dev libcurl4-openssl-dev libapr1-dev libaprutil1-dev libssl-dev build-essential devscripts libtool m4 automake pkg-config libpcre3-dev zlib1g-dev\
        && apt -y upgrade \
        && apt -y autoremove \
        && apt-get clean \
        && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
        && curl -o /tmp/nginx.tgz http://nginx.org/download/nginx-1.18.0.tar.gz
    WORKDIR /tmp
    RUN tar zxf nginx.tgz \
        && cd nginx-1.18.0 \
        && ./configure --with-http_realip_module\
        && make \
        && make install
    EXPOSE 80
    CMD ["/usr/local/nginx/sbin/nginx"]

As you can see from the Dockerfile, this is a really super simple build. It is also not very custom aside from my compile command where I’ve added --with-http_realip_module. This little addition is something that I will use later in a future post (I know everything will be in the future) but you can see what it does by visiting the nginx documentation. Anyhow, there you go. Aside from the configure command, I’m just setting up ubuntu to compile code and I download nginx and compile it. Then expose port 80 and run nginx. ...

December 30, 2020 · 3 min · Scott