How to set up WordPress with a local database on Azure App Service on Linux

Azure App Service on Windows is perfectly happy to set up a WordPress site with MySQL in-app. It even used to work the same for Linux; unfortunately, that functionality was temporarily removed around March 2017 (https://blogs.msdn.microsoft.com/appserviceteam/2017/03/21/create-wordpress-using-web-apps-on-linux/).

Considering the price of £57/month for the most basic Azure MySQL database, I decided to try and use MySQL in-app with WordPress on Linux.

Warning: This might not work for you; there must have been a reason this functionality was disabled in the first place!

To start with, I found the Docker images which used to be used. The source is available at https://github.com/Azure-App-Service/apps/tree/master/Wordpress and the images at https://hub.docker.com/r/appsvc/apps/tags/.

I then created a new Web App for Containers and configured the container to point at appsvc/apps:wordpress-0.3.

I then added the following Application settings:

  • WEBSITES_ENABLE_APP_SERVICE_STORAGE = true
  • DATABASE_HOST = localhost
  • DATABASE_NAME = wordpress
  • DATABASE_USERNAME = [[Database Username]]
  • DATABASE_PASSWORD = [[Database Password]]
  • TABLE_NAME_PREFIX = wp_
  • PHPMYADMIN_USERNAME = [[PhpMyAdmin Username]]
  • PHPMYADMIN_PASSWORD = [[PhpMyAdmin Password]]

After restarting the App Service, you should then be able to visit the site where you should see “Installing WordPress…” text. After a few minutes, once it’s all set up, you should then see the familiar WordPress installation guide.

But what about HTTPS?

So we want our WordPress site to be secure. We can follow the previous post to create and configure the certificate (see here).

We then need to configure WordPress to handle it.

Note: It’s best to do this after finishing the WordPress installation guide, as it overwrites the wp-config.php file.

We’ll start by going to the Kudu SSH terminal (https://[[App Service Name]].scm.azurewebsites.net/webssh/host).

From there we need to install a text editor (as for some very strange reason one isn’t installed by default?!):

Note: You might prefer vim, however I tried it and as it’s an embedded terminal, it didn’t seem to handle the ESC character, rendering you stuck in vim… forever… nightmare!

Now we can edit our wp-config.php file.

You’ll want to make your file look similar to this (namely adding the FORCE_SSL_ADMIN and the following line, and updating the WP_HOME and WP_SITEURL to https):

If you’ve never used nano before then, once you’ve made your changes, press Ctrl + X and type Y to save your changes and exit.

Given you uploaded your certificate, bound it to the domain, and enforced HTTPS only, then after refreshing the site, you should have a fully working and secure WordPress site!

I haven’t dabbled with the backups yet, but plan to in the near future.


How to set up SSL Certificates for Azure App Service Web App on Linux

I have an Azure App Service which hosts a few web apps (all on Linux as you cannot have both Windows and Linux apps on the same App Service Plan, and to be honest the Linux ones just seemed more responsive than the Windows ones).

Azure has yet to embrace the LetsEncrypt movement, so the only options for setting up SSL certificates with your Web App are Azure App Service Certificates (starting ~£50/year) or manually uploading an otherwise acquired certificate.

There is a helpful guide for setting up LetsEncrypt for Web Apps on Windows (https://www.troyhunt.com/everything-you-need-to-know-about-loading-a-free-lets-encrypt-certificate-into-an-azure-website/) however this does not work for Web Apps on Linux.

These are the steps I took to configure my sites (massive thanks to https://www.lastcoolnameleft.com/2017/08/letsencrypt-on-azure-app-service-for-linux/ for doing most of the ground work!).

Generating the certificate

To generate the certificates I used the Certbot tool. I chose to run this via docker.

Note: You’ll need to make sure you’ve enabled Shared Drives in Docker for Windows. To do this open Docker Settings and click Shared Drives. Tick the drive you want to share and click Apply.

Another Note: I tried the DNS challenge however with 123-reg at least, the TTL for the TXT record was 4 hours, and if you rerun the certbot it will give you new validation values every time, meaning if you screw up you won’t get another chance for around 4 hours!

Follow the interactive steps:

  1. If this is the first time you’ve run it then you will need to enter your email address.
  2. Then follow the link to read the terms and conditions, then enter A to agree.
  3. Decide whether you would like to share your email with the EFF.
  4. Enter the domain name(s) you would like to generate a certificate for; note this does not support wildcard certificates.
  5. Then agree to having your IP address logged (if you don’t you cannot generate the certificate so make sure you are using an IP address you are happy sharing?)
  6. Follow the instructions to validate you own the domain
    1. We picked the http option earlier which means we need to generate a file on the server
    2. To do this go to the Kudu page and find the SSH page (will typically look like https://[[Web App Name]].scm.azurewebsites.net/webssh/host)
    3. You’ll want to
    4. Then
    5. Then
    6. Then

Certbot will then spit out a bunch of files in your mounted folder.

Unfortunately these files aren’t quite usable. We’ll need to extract a certificate from them. For that we’ll need to install openssl locally. Navigate to https://slproweb.com/products/Win32OpenSSL.html and download the latest version (Win64 OpenSSL v1.1.0h was the one I used). I chose to install the binaries to the OpenSSL bin directory, and then added that directory to my path environment variable (for Windows 10, type environment variables into Start and add a new row to the Path variable).

Once installed we’ll need to run the following (I used the archive version as the live folder didn’t work for me, and it simply linked to the archive folder anyway)

You will be prompted for an export password, which is important to remember as we’ll need it when we upload the certificate to Azure (use something memorable e.g. iHATEcertificates69!)

Using the certificate

Once we have our certificate we can navigate to the SSL certificates page on our Web App in Azure. Choose Upload Certificate, choose the [[Domain Name]].pfx file and enter the export password you chose earlier.

Then we simply click Add binding under the SSL bindings area on the same page and associate the certificate with the custom domain name we have already added.

One final thing that is probably worth doing is going to the Custom domains tab and enabling HTTPS Only, this essentially forces all HTTP traffic to use HTTPS.

What’s next?

LetsEncrypt only gives you certificates that are valid for 3 months. That means we’ll need to do the same steps in 3 months, which is a bit tedious.

I plan on building a tool to help with this (similar to the LetsEncrypt Windows App Service tool), so watch this space!
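Checks worth running on Certbot's PEM output before each upload, and again as the three-month expiry approaches. This is an added example, not the commands from the original post; the file paths, the `PFX_PASS` variable name and the self-signed stand-in certificate built in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-upload checks for a certificate/key pair and its PFX bundle.
# Paths are caller-supplied; PFX_PASS is a variable name chosen for this example.

# Succeed if the private key (arg 2) belongs to the certificate (arg 1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate (arg 1) expires within DAYS (arg 2), i.e. renew now.
# -checkend exits 0 when the certificate is still valid after that many seconds.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Bundle CERT (arg 1) and KEY (arg 2) into PFX (arg 3). The export password is
# taken from the PFX_PASS environment variable instead of the command line.
make_pfx() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

# Succeed if the PFX (arg 1) opens with the password in PFX_PASS.
pfx_opens() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout 2>/dev/null
}

# Constructed demo: a 90-day self-signed pair stands in for Certbot's output.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.invalid" \
        -keyout "$tmp/privkey.pem" -out "$tmp/cert.pem" 2>/dev/null
    PFX_PASS='constructed-demo-password'; export PFX_PASS
    make_pfx "$tmp/cert.pem" "$tmp/privkey.pem" "$tmp/site.pfx" \
        && pfx_opens "$tmp/site.pfx" && echo "pfx built and readable"
    if expires_within "$tmp/cert.pem" 30; then
        echo "renew now"
    else
        echo "more than 30 days left"
    fi
    rm -rf "$tmp"
}
demo
```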


WordPress permissions

It had been a while since I had written anything on this blog, and I was using some ancient version of WordPress with some dodgy custom theme I built. Inevitably I decided an upgrade would be worthwhile. I won’t bore you with the details as there are already plenty of brilliant guides out there to do that.

The other day I decided to write a post on my sparkly new blog, and thought why not brighten it up a bit with some images. I clicked Add Media, dragged and dropped my images onto the shiny new upload window, and it didn’t work.

There was an error writing to the wp-content/uploads/… folder.

The correct fix was relatively easy, however it wasn’t outlined in detail at any one place, until now!

If you too are hosting WordPress using nginx on a Linux server then follow these steps to configure WordPress to accept uploads whilst remaining secure.

  1. Find your nginx config file, mine was under /etc/nginx/nginx.conf and open it up.
  2. The first line should read something like user www-data;
  3. This describes who nginx runs as. By default it’s www-data.
  4. This user needs to be able to write to the wp-content/uploads folder.
  5. Navigate to your WordPress installation folder and execute chown -R www-data:www-data wp-content/uploads (you may need to prefix this with sudo depending on your security setup).

Voila! The user www-data now owns that directory and you will be able to upload files there.

Don’t take the easy option of chmod 777 your WordPress install directory, stay secure and follow the above instructions.
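To confirm the result, the script below reads the `user` directive from the nginx config, checks that the uploads folder belongs to that account, and lists anything left world-writable by an earlier chmod 777. It is an added example rather than part of the original post; the function names and the constructed demo tree (where the current account stands in for www-data) are assumptions.

```shell
#!/bin/sh
# Added example: audit the ownership model from the steps above.
# All paths are caller-supplied; nothing here is specific to one server.

# Print the account named by the first `user` directive in an nginx config.
nginx_user() {
    awk '$1 == "user" { sub(/;.*$/, "", $2); print $2; exit }' "$1"
}

# Print every world-writable file or directory under ROOT (symlinks skipped).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Succeed only if ROOT/wp-content/uploads and all of its contents belong to
# USER (arg 2). Returns 2 if the folder is missing or USER is unknown to find.
uploads_owned_by() {
    [ -d "$1/wp-content/uploads" ] || return 2
    strays=$(find "$1/wp-content/uploads" ! -user "$2" -print 2>/dev/null) || return 2
    [ -z "$strays" ]
}

# audit_wordpress CONF ROOT: exit status 0 = clean, 1 = findings.
audit_wordpress() {
    conf=$1; root=$2; rc=0
    user=$(nginx_user "$conf")
    [ -n "$user" ] || { echo "no user directive in $conf"; return 1; }
    uploads_owned_by "$root" "$user" || { echo "uploads not owned by $user"; rc=1; }
    loose=$(world_writable "$root")
    [ -z "$loose" ] || { echo "world-writable:"; echo "$loose"; rc=1; }
    return "$rc"
}

# Constructed demo tree; the current account stands in for www-data.
demo() {
    umask 022
    tmp=$(mktemp -d)
    me=$(id -un 2>/dev/null) || me=$(id -u)
    mkdir -p "$tmp/wp/wp-content/uploads/2018" "$tmp/wp/wp-admin"
    printf 'worker_processes 1;\nuser %s;\n' "$me" > "$tmp/nginx.conf"
    chmod 777 "$tmp/wp/wp-admin"    # the shortcut the post warns against
    audit_wordpress "$tmp/nginx.conf" "$tmp/wp"; echo "with 777: exit $?"
    chmod 755 "$tmp/wp/wp-admin"
    audit_wordpress "$tmp/nginx.conf" "$tmp/wp"; echo "after fix: exit $?"
    rm -rf "$tmp"
}
demo
```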

Simple SSH and teaching Pageant to remember

Recently I’ve found myself bouncing between various servers using SSH and FTP more often than one wishes. Obviously being the security conscious person I am, every password must be different and complex enough to deter even the most determined of intruders.

As you are probably all too well aware, this doesn’t half slow things down when travelling between servers; the remembering, the typing, the mis-remembering, the re-typing…

I was at the verge of despair when I decided to delve back into the Sys Admin module I took at University, and investigate using keys as an alternative authentication system.

My first goal was to streamline the connection between my Windows laptop and my Linux NAS, using my tool of choice, PuTTY.

  1. We need to create a Public/Private key combination. For this we’ll fire up PuTTYgen, which is installed automatically with PuTTY.
  2. Hit the Generate button, and squiggle your mouse around until the bar fills up!
  3. I like to add a bit more of a description to the comment here, usually username@servername of what I’m connecting to.
  4. Next we need to Save private key, now it doesn’t really matter where you save it to, my preference at the moment is username@servername.ppk in a Keys folder under my user profile e.g. C:\Users\Username\Keys.
  5. Now for what should be the last time, we need to login to our server using our username and password, and navigate to the .ssh folder e.g. cd ~/.ssh
  6. Then we either need to create or edit a file called authorized_keys, note that the file doesn’t have an extension. Welcome to the crazy world of Linux! Anyway we can do this by calling any editor we like, personally I use vim so execute vim authorized_keys
  7. Then we need to copy and paste (right click to paste into a PuTTY session) the content of the PuTTYgen box labelled “Public key for pasting into OpenSSH authorized_keys file” into our editor.
  8. If you’re still using vim, press Esc followed by :wq to save and exit.

That should be everything needed to get the SSH set up. Close your PuTTY session and try connecting to your server in a new session.
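If the new session still asks for a password, the usual causes are a key that wrapped onto several lines when pasted, or an authorized_keys file or .ssh folder that other accounts can write to, which sshd's StrictModes check (on by default) refuses to trust. The script below, an added example that is not part of the original post, performs steps 5 to 8 with those two checks built in; the function names are hypothetical and the key in `demo` is a constructed string, not a real key.

```shell
#!/bin/sh
# Added example: add a PuTTYgen public key to authorized_keys safely.
# Assumes a plain "<type> <base64> [comment]" entry with no options prefix.

# Succeed if KEY (arg 1) is exactly one line in public-key format. A key that
# wrapped onto several lines when pasted is rejected here.
valid_pubkey_line() {
    [ $(printf '%s\n' "$1" | wc -l) -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( .*)?$'
}

# install_pubkey SSH_DIR KEY: create SSH_DIR (700) and authorized_keys (600),
# then append KEY unless that exact line is already present.
install_pubkey() {
    dir=$1; key=$2; file="$dir/authorized_keys"
    valid_pubkey_line "$key" || { echo "rejected: not a one-line public key" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    grep -qxF -e "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# Succeed if neither SSH_DIR nor authorized_keys is group- or world-writable.
modes_ok() {
    loose=$(find "$1" "$1/authorized_keys" -prune \
        \( -perm -0020 -o -perm -0002 \) -print) || return 2
    [ -z "$loose" ]
}

# Constructed demo: a throwaway directory stands in for ~/.ssh, and the key
# below is a made-up string in the right shape, not a real key.
demo() {
    tmp=$(mktemp -d)
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedEXAMPLEonly username@servername'
    install_pubkey "$tmp/.ssh" "$key" && install_pubkey "$tmp/.ssh" "$key"
    echo "entries: $(wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' ')"
    wrapped=$(printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB\nAAABAQCconstructed username@servername')
    install_pubkey "$tmp/.ssh" "$wrapped" 2>/dev/null || echo "wrapped paste refused"
    modes_ok "$tmp/.ssh" && echo "modes ok"
    rm -rf "$tmp"
}
demo
```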

Still here? Yup, we’re not quite done yet. Windows and PuTTY don’t know how to use our private key at the moment, so we are still prompted for our password. Luckily PuTTY comes with a nifty little utility called Pageant (not sure what it stands for but I always forget the second ‘a’).

Double clicking on the private key we saved earlier should open up Pageant and add our key to the store. Then next time we create a new session with the server we should be logged in automatically.

This is all well and good, however if we were to restart our PC and try to connect to our server we would once again be prompted for our username and password. This is because Pageant does not persist our keys, or even automatically startup. Adding this functionality is pretty easy to achieve following these steps.

  1. Locate the Pageant shortcut on the Start Menu, on Windows 8 it’s as simple as pressing the Windows key, typing pageant, right clicking on the search result and selecting Open file location.
  2. It should take you to somewhere like C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PuTTY
  3. Now we need to copy the shortcut for Pageant and paste it in our Startup folder. This can be located by navigating to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  4. Next we need to tell Pageant what keys to load when it starts up. Right click on the newly pasted shortcut, and select Properties
  5. In the target field we need to append the path to each of our keys e.g. a complete target field could look like "C:\Program Files (x86)\PuTTY\pageant.exe" "C:\Users\Username\Keys\username@servername.ppk"

That’s it. All done. Fire it up and give it a go. I use Windows 8.1 with the latest installed version of PuTTY and the server has Ubuntu 14 on it, so depending on your setup some paths could be different. Good luck.

Hacking the Everlast EV-410 Exercise Bike

I recently agreed to take part in the JDRF Ride to Cure Diabetes charity event. In preparation for the event I purchased an exercise bike, the Everlast EV-410. Relatively cheap and collapsible, it met every expectation, but could still be improved…

It comes with a “computer” which displays distance, speed, calories burnt, time, and pulse. This is all well and good whilst using the bike, but what about recording progress over a period of time?

The simple solution would be to manually record this information. However I’d prefer to automate it, so set myself this little challenge. My plan is to connect it to the PC, ideally using WiFi and record the information automatically.

Thankfully the “computer” on the bike isn’t hardwired. The wheel of the bike has a cable that plugs into the computer via a standard 3.5mm audio jack. A little bit of research suggested that the cable is used to transmit a pulse for every revolution of the wheel.

To test this theory I invested in two cables, a splitter and a standard 3.5mm auxiliary cable.

I used the splitter to intercept the signal (as shown above), and the auxiliary cable to connect the bike to my PC via the microphone port. I then used the free software (Audacity) to record the input when riding the bike. As expected it produced a blip for every revolution!

Next I needed a way to use this information. To begin with I wrote a short bit of java that reads from a WAV file, interprets the amplitude (this page came in exceptionally useful), and counts the blips.

The next step was to get it to read directly from the bike. This involved learning a fair bit about how java handles sound, and to be honest, how computers in general handle sound!

Surprisingly there was very little existing code that demonstrates how to process sound input, so I had to write a majority of it from scratch. After some time experimenting I settled with the following solution.

  1. Find the audio mixers on the PC
  2. Select the desired mixer
  3. Open a line from the mixer
  4. Calculate frame size (in my case 4 bytes per frame, 44100 frames per second)
  5. Use a stream to read from the line, frame by frame
  6. Split each frame into 2 channels
  7. Calculate amplitude of the left channel (right channel will be used to record pulse)

This worked fairly well, and seemed to record the blips as expected. The next step was to integrate this with some form of timekeeping. Unfortunately it took around 3 seconds to process 1 second of audio. I tried changing buffer sizes, sample rates, and even tried skipping frames but to no avail. I settled on using a timer to keep track of the time, instead of the frame count.

Even with the lag, I’d come this far, so moved on to calculating the distance travelled for every revolution of the wheel. This was done by eye through experimentation. I settled at roughly 4.44m per revolution of the wheel, which yields distance covered the same as the bike computer.

Next up will be trying to find a way to overcome the lag, and designing a suitable way to store and display the information. The code I wrote is below for reference.

Viewsonic VOT120 Project

My VOT120 Mini PC was originally purchased as a media server, and although running slightly warm, has done a good job.

I have recently resurrected an old project, RAWRWoW, and decided to host it from the VOT120. Either down to the increased usage, or the ridiculously warm temperatures at the moment, it was running at ~86 degrees Celsius the other night, I could smell burning, it was awful.

The airflow on the VOT120 is awful. There is an inflow grill on the back and a 40mm fan next to the heatsink, which pushes air through the heatsink, and out through a grill at the top. The 2.5″ HDD is mounted to the rear of the motherboard, meaning all the heat has to pass through the heatsink to leave the case, or just go through the case.

First thought was to swap the HDD for an SSD, it has 160GB in there at the moment, of which only about 10GB is used. Although the prices for SSDs have come down phenomenally, they’re still a bit too pricey, and there is still a debate about lifetime on server usage.

In the meantime I need a more efficient way of cooling the VOT120. I rummaged through my box of parts and found a 120mm 12V case fan. Fits almost perfectly to the side of the VOT120! The only issue being, the case fan requires a 3 pin fan connection, or a 4 pin molex connection. The current fan in the VOT120 connects to a tiny 3 pin fan connection, not to mention it only supplies 5V, instead of the needed 12V.

The 120mm fan on the left and the opened up VOT120, with 40mm fan on the right.

I figured I’d give it a go anyway, so cut and stripped the tiny 3 pin fan plug, soldered and taped it to the case fan cable. Apprehensively (after the shock from the Landrover the other day), I connected the power supply and switched it on. The fan did try to spin, and with a little encouragement it did spin for around 10 seconds, but then slowed to a measly ~1 RPM. This would probably be worse than the original fan!

Old fan connector on the left, new soldered and taped tiny 3 pin connector on the right.

I shopped around on the internet for a 5V 120mm fan, I thought they would have been fairly common, but no. If I was in the USA, I could have picked one up just about anywhere, but here in the UK, there was one (unless I fancied waiting 14 – 23 days for it to arrive from China). Ended up getting the Endermax UR Vegas, it’s USB powered, and has lots of fancy lights (which luckily have an off mode)! Depending how adventurous I’m feeling when it arrives, I might solder it onto the tiny 3 pin plug, rather than waste a precious USB port. Time will only tell.

Landrover Series 2a Petrol

Roof and cab removed, can see the roof against the wall and the cab is sitting in the tub at the moment.

Eventually managed to remove the tub after removing the seats, exposing the rear half chassis and axle.

The damage to the rear cross member, either needs replacing or bashing out, yes it is full of mud as well.

Rear diff removed from axle casing.

The damaged rear diff.

The broken parts found in the rear diff!

Hurray Murray Android App v0.2

Been pretty busy lately, had a bit more of a bash at the Hurray Murray App. Quick round up:

  • v0.2 is now available on the link on the left!
  • New features, slightly better layout, makes it usable when rotated, icon, clear/reset button, abort button not working, gonna take a bit of effort, but I’ll get there.
  • Installed the app on a friend’s HTC Tattoo and it works! Really could do with testing it on a few others but that can wait at the moment.
  • iPhone version looks like a no go at the moment, installed the iPhone SDK on my recent Snow Leopard installation, did some tuts, doesn’t appear to be a way to send a text from inside an app on the iPhone, but I’ll keep looking into it.
  • Signed up for the Blackberry Developer program, got the kit, another plug in for Eclipse, lovely, will get round to releasing a version for that when I get a bit of free time!

So for the time being feel free to look at the updated code and have a play with it and the app!