Dev Ops Crash Course - Day One
- Bandwidth: capacity to receive information
- Bitrate: speed of sending information (bits per second)
- Latency: drag / delay when sending information
Internet is a design philosophy expressed through agreed upon protocols:
- IPv4 - current protocol (32bit)
- IPv6 - new protocol to provide more IP addresses (128bit)
IP addresses have A, B, and C classes.
How DNS works: https://howdns.works/
In local network settings, DNS is set to Google Public DNS.
- better performance
- better security
Anatomy of a URL: https://doepud.co.uk/blog/anatomy-of-a-url
- A record: address, maps hostname to physical IP address
- PTR record: pointer, maps IP to name (helpful when scanning logs)
- CNAME record: alias, map domain name to another domain name
Can use multiple records for redundancy strategy. For example, you want multiple MX records for mail servers. Config priority on each record.
$ dig learn.co ; <<>> DiG 9.8.3-P1 <<>> learn.co ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60914 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;learn.co. IN A ;; ANSWER SECTION: learn.co. 212 IN A 220.127.116.11 ;; Query time: 29 msec ;; SERVER: 18.104.22.168#53(22.214.171.124) ;; WHEN: Mon Mar 20 12:06:16 2017 ;; MSG SIZE rcvd: 42
$ whois 126.96.36.199 # # Query terms are ambiguous. The query is assumed to be: # "n 188.8.131.52" # # Use "?" to get help. # # # The following results may also be obtained via: # https://whois.arin.net/rest/nets;q=184.108.40.206?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2 # NetRange: 220.127.116.11 - 18.104.22.168 CIDR: 22.214.171.124/16 NetName: DIGITALOCEAN-9 NetHandle: NET-104-131-0-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Allocation OriginAS: AS46652, AS14061, AS393406, AS62567 Organization: Digital Ocean, Inc. (DO-13) RegDate: 2014-06-02 Updated: 2014-06-02 Comment: http://www.digitalocean.com Comment: Simple Cloud Hosting Ref: https://whois.arin.net/rest/net/NET-104-131-0-0-1 OrgName: Digital Ocean, Inc. OrgId: DO-13 Address: 101 Ave of the Americas Address: 10th Floor City: New York StateProv: NY PostalCode: 10013 Country: US RegDate: 2012-05-14 Updated: 2017-01-28 Comment: http://www.digitalocean.com Comment: Simple Cloud Hosting Ref: https://whois.arin.net/rest/org/DO-13 OrgNOCHandle: NOC32014-ARIN OrgNOCName: Network Operations Center OrgNOCPhone: +1-347-875-6044 OrgNOCEmail: firstname.lastname@example.org OrgNOCRef: https://whois.arin.net/rest/poc/NOC32014-ARIN OrgTechHandle: NOC32014-ARIN OrgTechName: Network Operations Center OrgTechPhone: +1-347-875-6044 OrgTechEmail: email@example.com OrgTechRef: https://whois.arin.net/rest/poc/NOC32014-ARIN OrgAbuseHandle: ABUSE5232-ARIN OrgAbuseName: Abuse, DigitalOcean OrgAbusePhone: +1-347-875-6044 OrgAbuseEmail: firstname.lastname@example.org OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE5232-ARIN
Open localhost file:
Add spoofed DNS entries (IP address, site+domain):
DHCP “dynamically distributes network configuration parameters, such as IP addresses”. Process of obtaining IP address on private network. It’s obtained on a lease that will eventually expire.
Router gives out IP addresses. There’s a limited number.
You can configure leases to expire after a certain period of time. Helps prevent running out.
Packets and Traffic
Packets directed by routers. Routers owned by ISPs.
See the path of your request:
$ traceroute learn.co traceroute to learn.co (126.96.36.199), 64 hops max, 52 byte packets 1 lo0-100.nycmny-vfttp-407.verizon-gni.net (188.8.131.52) 4.954 ms 2.340 ms 2.594 ms 2 b3407.nycmny-lcr-22.verizon-gni.net (184.108.40.206) 6.657 ms b3407.nycmny-lcr-21.verizon-gni.net (220.127.116.11) 7.809 ms 11.878 ms 3 * * * 4 * * * 5 0.ae13.gw10.ewr6.alter.net (18.104.22.168) 29.671 ms 0.ae1.gw10.ewr6.alter.net (22.214.171.124) 13.458 ms 6.881 ms 6 126.96.36.199 (188.8.131.52) 14.051 ms 12.765 ms 10.800 ms 7 nyk-bb4-link.telia.net (184.108.40.206) 5.831 ms nyk-bb4-link.telia.net (220.127.116.11) 7.330 ms nyk-bb1-link.telia.net (18.104.22.168) 6.450 ms 8 nyk-b3-link.telia.net (22.214.171.124) 10.902 ms nyk-b3-link.telia.net (126.96.36.199) 6.161 ms nyk-b3-link.telia.net (188.8.131.52) 13.696 ms 9 digitalocean-ic-306498-nyk-b3.c.telia.net (184.108.40.206) 9.293 ms 10.936 ms digitalocean-ic-306497-nyk-b3.c.telia.net (220.127.116.11) 18.379 ms 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * *
TCP manages sending and receiving of packets (Transmission Control Protocol).
HTTP and DNS manage the sending and receiving of web files
Made possible by TCP + IP routing
Examining Network Traffic
Your computer has a hardware address that you can change. Look up with
Example: free wifi networks
- allow you to log on for limited time, then they try to upsell you
- they identify your device by hardware address
- change hardware address will allow you to stay on for free (bc you look like a new device)
tcpdump command allows you to examine traffic on a server. Wire Shark is a GUI for
tcpdump. Allows you to examine packets going across network. Can see handshake that’s getting made (TCP).
Get capture file (
tcpdump -i eth0 -s 65536 -w capture.pcap), then import into Wire Shark.
Transport Layer Security
Data sent using HTTPS is secured via Transport Layer Security protocol.
When a company registers for a certificate, they provide info and Certificate Authority (trusted entity) verifies it. If valid, authority issues certificate. Certificate Authority signs for your authenticity. Process is not difficult. Relies on trust in the Certificate Authority.
You can be your own Certificate Authority with self-signed certificates, but that’s not trusted.
View SSL Certificate on Chrome: open Developer Tools, then click on the Security Tab.
Often in the wild, people terminate SSL at the load balancer, so traffic between load balancer and hosts is unencrypted traveling over private network. Terminating at load balancer is a common pattern and makes things easier to scale. Otherwise you’d have to make sure certificate and keys are on all hosts.
Explaining public/private key encryption: https://www.youtube.com/watch?v=YEBfamv-_do
Understanding the SSH encryption and connection process: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
We disabled password identification on our servers (hosts). Instead, we identify by public keys, which is more secure. Developers’ public keys have been distributed out to all servers. Then developers can connect from their local machines, where private keys are stored.
Setting up SSL on new Digital Ocean droplet
- Create new Droplet
- Datacenter: New York
- Private networking, backups, IPv6, monitoring
- Select SSH keys
- Choose hostname (we used
- SSH into new droplet as
ssh enroll.flatironschool.com -l root
!!HOLD UP!! Our IP address was released into Digital Ocean pool. We had a server at 18.104.22.168, then deleted that server, so it went back into the pool. BUT we never updated our DNS record for enroll.flatironschool.com.
- Go to
- Update A record to new IPv4, add new AAAA record for IPv6
- Add PTR record to enroll.flatironschool.com
Back to setting up SSL...
- Get certificate from ssls.com
- On server, run
- On server, run
openssl req -new -newkey rsa:4096 -nodes -keyout example.key -out example.csr(generates certificate signing request and key)
- Install Apache on server: run
apt-get install apache2on server
- Check if it’s running
service apache2 status
- Visit domain in browser, should say “It works!”
- On list of certificates, get the one for the domain, enter key and click activate
- Look for email when approved
- Save stuff into some file (I missed whatever that was)
- Now we’re following these instructions for Apache2 * NOTE: instructions for chain file are outdated
sudo a2enmod ssl
sudo serve apache2 restart
sudo vi /etc/apache2/sites-available/default-ssl.conf
cat AddTrustExternalCARoot.crt COMODORSAddTrustCA.crt COMODORSADomain...crt enroll_flatironschool_com.crt > cert-ssl-enroll.pem
cp example.key ssl-cert-enroll.key
mv ssl-cert-enroll.key /etc/ssl/private/
mv ssl-cert-enroll.pem /etc/ssl/certs/
sudo a2ensite default-ssl