DEV Community: DaNeil C

Nevertheless, She Persisted... And Got a Job!

DaNeil C — Wed, 31 Mar 2021 22:48:20 +0000

5 years ago I wouldn't have imagined being a Security Consultant.
In 2016 I was studying Information Technology and taking interest in Security Engineering.
In 2021 I start my career as a Security Consultant.

My most recent achievement was…

Like most stories of finally making it, it's been a long road to get here. I've moved twice, lost a 19-yo loved cat, got 2 new butthead cats, got a degree, started a coding bootcamp, finished a coding bootcamp, got rid of a ex, found a new love, and quit a job I really enjoyed.

It's all coming to a peak in April because this month I signed the contract.

My biggest job related goal is…

My biggest job related goal has always been Getting a job without asking for one/help.

I know... it's crazy talk right?!
I've always heard that "it's all about who you know in tech because they will be the ones hiring you," but I never wanted to ask someone I know to hire me or ask my bf to have one of his friends hire me.

I've always gotten any job I've had on my own; so for me, getting a job this way felt empty and petty. It felt like networking wasn't about making a real connection with a potential colleague or have an interest conversation. It felt like I was collecting connections like Pokémon Cards to later try and get them to hire me and this never sat well with me.

That being said, there is nothing wrong with asking for help when you need it. We all struggle in our own ways and I just wanted to achieve this own my own. No one will help in an actually interview and I didn't want to fill my LinkedIn with random recruiters that were 5+ connections away from me. I wanted to focus on what I was learning and let the work speak for itself.

Advocating for myself looks like…

Previously, I have always had to work a full time+ job and then go to school. I never felt like I was really making progress except getting a degree.

Before I started dating this guy I had already decided to take the leap and start on this path. I had quit my job and started a coding bootcamp. Since the beginning he encouraged me to take time off of retail work so I could actually study (and helped me study) to change careers... er. well, start a career.

I took full advantage of this and treated (almost) everyday like a job and studied more than I had before. CTFs and conference on weekends, any conference talk I could listen to during the week, Network+ training, Security+ training, and having bf quiz me on OWASP Top 10 topics.

My advice for allies to support folks who code is...

I was reading recently that Women make up 20% of the Cyber Security workforce, but I'm a web app penetration tester... and these numbers are even lower.

A recent open survey I found polled 400+ people in cyber security and only 28 respondents were women, with a total of ~39 were non-male. 6.9% of 400+ identified at women.

If these numbers are even a kind of ok representation of women in my field I'm admittedly a bit sad, but this doesn't surprise me. Though I've met a few women hackers/pentesters locally, of the people that I know personally in cyber security no one ever mentions women on their red team. I don't blame anyone for this, nor do I think people should hire a women/non-male to simply have equal representation of genders on his team. Though it is important to have a more diverse collection of humans to share ideas and different views, I (personally) have the same opportunity/ability to apply for a role as anyone else with a computer; and if a male has more skills than me I would expect them to get hired over me. If a cat has more skills than me I would expect them to get hired over me.

My advice for allies is to create more roles for new people and take more chances on people that might not be 100% yet, but are on the right track. You might be surprised how hard they work to hold their own and make the risk worth it.

The next steps for me

I start a job soon and I need to keep it.
I need to keep up my studies and hold my own.

Happy Hacking

PentesterLab: File Include

DaNeil C — Tue, 16 Mar 2021 20:41:51 +0000

A lot of applications need to include files to load classes or to share some templates between multiple web pages. A File Inclusion Vulnerability allows an attacker to access unauthorized or sensitive files on the web server or to execute malicious files by making use of the include() functionality.(2)

How?

The File Include Vulnerabilities come from a lack of filtering when a user-controlled parameter is used as part of a file name in a call to an including function (require, require_once, include or include_once in PHP for example).

If the call to one of these methods is vulnerable, an attacker can manipulate the function to load their own code which can lead to:

Local File Include: LFI. A local file is loaded, read, and interpreted, such as directory traversal to read arbitrary files.
Remote File Include: RFI. A remote file is retrieved and interpreted.
If the arbitrary code contains an opening PHP tag, the file will be interpreted as PHP code.(1)

Testing

If you are on a website, such as PentesterLabs File Include Lab, and you can see an error message once you inject a special character (") into the url parameter:

Warning: include(intro.php'): failed to open stream: 
No such file or directory in /var/www/fileincl/example1.php on line 7 
Warning: include(): Failed opening 'intro.php'' 
for inclusion (include_path='.:/usr/share/php:/usr/share/pear') 
in /var/www/fileincl/example1.php on line 7

If you read the error message carefully, you can extract a lot of information such as:

The path of the script: /var/www/fileincl/example1.php.
The function used: include().
The value used in the call to include is the value we injected intro.php' without any addition or filtering.

From here you can also use the methods used to detect directory traversal and to detect file include, such as applying the ../../../etc/passwd technique in the URL.

Mitigation

By default, modern PHP disables loading of remote files, thanks to the configuration option: allow_url_include but that doesn't mean that it's not exploitable if the PHP version is not current.
Applying proper filtering of user-controlled parameters or supplying users with specific parameter options.

Happy Hacking

References

Please Note that I am still learning. If something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Application Server & CORS Config

DaNeil C — Wed, 06 Jan 2021 23:43:19 +0000

At this point basically everything is set up but you probably can't access anything yet or your may only be able to see a landing page with no useful information on it. This is because the Apache HTTP Server doesn't know how to communicate with the Ruby API.

See, for a dynamic application like a Rails API there needs to be some kind of Rack-Compatible Server to handle the incoming requests that the HTTP server isn't able to process. This is where an Application Server, like Phusion Passenger or Apache Tomcat, or a Rack-compatible web server, like Puma, are needed to process the dynamic content requests got the HTTP server.

Because I had built a Rack specific application there are, like always, a few ways you could set this up.

You could set up Apache with a reverse proxy for a stand alone Rack-specific web server, like Puma or Unicorn.
You could use an Apache module, like Phusion Passenger, to manage the processes and any needed reverse proxying.

Though I was originally using Puma as a stand alone server, and because it's Heroku's Recommended Ruby Webserver, this section will be about my process of changing over to the Application Server, Passenger, to help handle the Ruby on Rails routing and how I dealt with CORS for my API. That being said, if you created your own Rails API from scratch for this you might not want to use Passenger and use a straight PHP interface or Puma instead.

Step 1: Adding in an Application Server
Step 2: Setting Apache Passenger configuration
Step 3: Accessing Rails Routes

Step 1: Adding in an Application Server

First thing first is to add Passenger into the server to be used.

Navigate to the applications "backend" folder, if not there already, with cd /var/www/etcpasswdapp/backend.
Run sudo nano Gemfile to edit the Gemfile.
If it's there, "comment out" the Puma gem in the Gemfile by placing a # at the beginning of the Puma gem line.
Now add gem "passenger", ">= 5.0.25", require: "phusion_passenger/rack_handler" (the Passenger gem) below the commented out Puma gem.
Save and close the file.

Add the Passenger packages into Ubuntu with the following sudo commands.

Install our PGP key and add HTTPS support for APT with:
    sudo apt-get install -y dirmngr gnupg
    sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7
    sudo apt-get install -y apt-transport-https ca-certificates
Add our APT repository with:
    sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger focal main > /etc/apt/sources.list.d/passenger.list'
     sudo apt-get update
Install Passenger with:
    sudo apt-get install -y passenger

Run bundle install to ensure that all the gem dependencies are up to date and the passenger gem in installed.
Run passenger-install-apache2-module to run the Passenger Apache module installer.
Check the package was installed correctly with sudo /usr/bin/passenger-config validate-install.
- It might give you an option to check the path or the install like mine did below. Use the up and down arrows to select one and press "enter" to select it. I recommend running it twice to check both have a valid install.
Now run sudo a2enmod passenger to enable the Passenger Apache module.

Because I am using Ubuntu 20.04 for this project got stuck here and found out that I needed to also configure my main Apache "conf" file. If you are not using Ubuntu 20.04 you might skip the next step for setting up the Apache Passenger Configuration, but you might want to read it over if something applies to you.

{Back to the Table Of Contents}

Step 2: Setting Apache Passenger configuration

When I ran the the command sudo a2enmod passenger to enable the Passenger Apache module in the previous step, it returned some information about a "passenger.load" file and a "passenger.conf" file. At the time I didn't understand it but after some research it turns out that for Apache 20.04 some additional configurations need to be added to the Apache "conf" file to specify the location of the passenger files. Refer to this tutorial if something doesn't make since. ⁴

Navigate into the "mods-enabled" folder with cd /etc/apache2/mods-enabled.
Run sudo nano passenger.load to edit the passenger file.
Add the "LoadModule" that was output and comment out the current "LoadModule" location.
- See pic in part 6 for what it should look like.
Save the file and exit the editor.
Now run sudo nano passenger.conf to edit the passenger conf file.
Add the "<IfModule mod_passenger.c>" that was output and comment out any other informaiton in the file.
- Both your "passenger.load" file and a "passenger.conf" file should look like this:
- Note: Because my files were previously created on the first module install attempt I only needed to modify them. If for some reason the files are not already created you will probably need to create the /etc/apache2/mods-available/passenger.load file and add the "LoadModule" directive that passenger-install-apache2-module outputs and create the /etc/apache2/mods-available/passenger.conf file and paste the "PassengerRoot" and other Passenger options that were output by the module.
Enable the module again by running sudo a2enmod passenger.
- If this doesn't work hopefully you typed in something wrong and it's an easy fix. If not try checking out the Passenger TroubleShooting pages or the logs and see what it's telling you.
Now navigate into the "sites-enabled" folder with cd /etc/apache2/sites-enabled.
Run sudo nano etcpasswdapi.conf to edit the file.
Add the Passender specific configuration for "Development" and the "PassengerRuby".
- For example,
Restart Apache with sudo apache2ctl restart
Check that it worked by navigating to the site that your API is at on your client computer.
- Because my API doesn't have an index.html landing page I needed to create a temporary index.html file in the "public" folder to ensure general connectivity.

{Back to the Table Of Contents}

Step 3: Accessing Rails Routes

At this point you will probably be able to see the index page (as shown in the previous step) but if you want to access specific API routes to process data, you need to add in some CORS specifications to allow access to secure content. See, although the frontend and backend live on the same server they don't have the same origin. For this to work the Apache headers module will be needed.

The Apache headers module is one that will allow for control over the responses from the server. They can, and should, be set specific to each application on it.

In my case I am using HTTPS for both the frontend and backend of my application so I need to set up both conf files.

To enable the headers module run sudo a2enmod headers.
Navigate to the Apache2 folder with cd /etc/apache2/sites-enabled.
Edit the frontends "conf" file with sudo nano etcpasswdapp.conf.
With the editor open add Header set Access-Control-Allow_Origin "*" to the <Directory> section.
Save and close the file.
Now open the 'conf' file for the backend with sudo nano etcpasswdapi.conf
With the editor open add Header set Access-Control-Allow_Origin "http://etcpasswdapp.com" to the <Directory> section.
Save and close the file.
Restart apache with systemctl restart apache2

If all works you should be able to see your frontend
and use it to interact with your API

{Back to the Table Of Contents}

DONE!!!!

This last part was not that easy for me and took a few days to figure out and configure. Between all the spelling errors of mine and the lack of documentation for Ubuntu 20.04 I had to piece together things to make it all work for my set up. Feel free to ask questions and I hope I can help.

Now that that's done it's time to harden the server, test the application I built, and fix things.

Happy Hacking

Resources:

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Adding Ruby on Rails to a Server

DaNeil C — Wed, 06 Jan 2021 19:32:38 +0000

This series is so close to being done but not quite.

If you've kept up till now your application's frontend is (hopefully) functional on your home server with Heroku hosting its backend API. It's now time to migrate the Rails API and its Database into the server.

At this point there are, again, a few options you could do:

Set up the "pgAdmin", PostgreSQL Tools, and interact with the admin and development platform in a GUI.
Create a fresh Rails API for the application to interface with the PostgreSQL database on the server.
Rewrite the application have the frontend and backend together with something like a Ruby on Rails base and React functionality to display the public "views" folder of the Ruby application.
Create a PHP interface for the frontend to interact with the ProgreSQL database.

Because I already have a Ruby on Rails API built I'm going to download that repository and configure a private endpoint for the frontend to interact with it.
If you need a refresher the difference between an API and a database, refer to my API =/= Database post.

Step 1: Installing Ruby and Rails
Step 2: Downloading and Configuring the API Repository
Step 3: Adding the Backend Endpoints
Step 4: Adding SSL
Step 5: Adding in an Application Server
Step 6: Configure database.yml and secrets.yml

Step 1: Installing Ruby and Rails

Before I add the API repository onto the server both Ruby and Rails need to be installed. For this I'm going to follow the Digital Ocean tutorial for installing Ruby on Rails with rbenv on my Ubuntu server, with a few changes for my specific system that I will list as needed.

Note: For this step I did find that if you run the commands as the "Root" user you will run into some issues; so I recommend using the sudo command as needed.

First I will run sudo apt install autoconf bison build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm6 libgdbm-dev. For this command I will need to change the libgdbm5 (that's for Ubuntu 18) to libgdbm6 (that's for Ubuntu 20).
- autoconf is " a tool for producing shell scripts that automatically configure software source code packages to adapt to many kinds of Posix-like systems" ¹⁹
- bison "is a general-purpose parser generator that converts an annotated context-free grammar into a deterministic LR or generalized LR (GLR) parser employing LALR(1), IELR(1) or canonical LR(1) parser tables." ²⁰
- build-essential is "a meta-package that includes the GNU compiler collection, GNU debugger, and other development libraries and tools required for compiling software." ²¹
- libssl-dev is the OpenSSL project's implementation of the SSL/TLS cryptographic protocols for secure communication over the Internet. ²²
- libyaml-dev "is a C library for parsing and emitting data in YAML 1.1, a human-readable data serialization format." ²³
- libreadline6-dev is the GNU readline and history library that "aids in the consistency of user interface across discrete programs that need to provide a command line interface." ²⁴
- zlib1g-dev "is a library implementing the deflate compression method found in gzip and PKZIP." ²⁵
- libncurses5-dev is the "ncurses library routines are a terminal-independent method of updating character screens with reasonable optimization." ²⁶
- libffi-dev is "a foreign function interface... that allows code written in one language to call code written in another language." ²⁷
- libgdbm6 and libgdbm-dev are both a version of the GNU dbm ('gdbm') "library of database functions that use extendible hashing and works similarly to the standard UNIX 'dbm' functions." ²⁸
- The -dev part speaks to the development libraries, header files, and manpages for the packages.
Clone the "rbenv" repository into the "~/.rbenv" folder with git clone https://github.com/rbenv/rbenv.git ~/.rbenv.
Add "rbenv" to your command line $PATH with the following commands
- To get this command to permanently take hold I needed Root privileges and not just run the commands with sudo. Without Root privileges my system would not product any output for the next step. I am not sure if this will effect things with other imaginary users but it was the only way I could get the source ~/.bashrc command to work.
Test the configuration with type rbenv which should produce the output of
Clone the rbenv ruby build part of the repository into the ~/.rbenv/plugins/ruby-build folder with git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
Install the version of Ruby that you need with rbenv install 2.6.6.
- I needed Ruby Version 2.6.6 but you can install any one you need. To see available versions to install run rbenv install -l.
- At this point I actually had a weird thing happen where I think I installed Ruby Version 2.7 and I ended up needing uninstall ruby with the command sudo apt purge ruby as "Root" and then I was able to install the proper version of Ruby with the rbenv.
At this point you can run gem install bundler to manage the gem dependencies for your application.

To reiterate... If you installed rbenv as Root you might have trouble. Rbenv seems to not like being installed as root so only run with "sudo" if it insists.

{Back to the Table Of Contents}

Step 2: Downloading and Configuring the API Repository

Depending on if you are downloading an already built API from GitHub, downloading one from your client computer over SSH, or creating a new API will depend on how you do this step.
Because I already have a Rails API built for my application on GitHub I will go through the same steps here to download the repository as I did with my React frontend into a folder named "backend" in the application's main folder.

Navigate into the folder your application will live in with cd /var/www/etcpasswdapp
Same as with the React frontend, run sudo git clone https://github.com/yourGitHubProject.git backend to clone the backend repository into a new folder named "backend", in the "etcpasswdapp" folder.
- Now if you cd backend into the "backend" folder you just created and run git status you can see that the folder is linked up to GitHub for some great version control and backup ability of your application.
If Gemfile.Lock is there delete it with sudo rm Gemfile.Lock.
Make a copy of the .env.sample file, or whatever you named it, with cp .env.sample .env.
- You can delete the .env.sample file once you have a copy of it.
Edit the file with sudo nano .env, add in any keys needed for your application and save the file.
- For example HASH_KEY=SomeSuperSecretRandonString would be added to the .env file.
Now navigate into the config folder with cd config.
Here you will run sudo nano master.key to either edit an existing "key" file or create one.
Add a key to the file that was previously used.
- This is only for if you are working with a previously created repository and is specific to it's creation.
Back out into the main "backend" folder and read the .gitignore file with less .gitignore to make sure that both the .env and the master.key files are listed so they won't be uploaded to GitHub accidently.
- Mine were in there already but good to double check. Don't want any private folders escaping into the Internets.
Now you should be able to run bundle install to install any needed gem dependencies.
- You night need to "bundle" things again later so, your call if you care to do this now and/or later.

{Back to the Table Of Contents}

Step 3: Adding the Backend Endpoints

Now that Ruby and Rails are both installed on the server it's time to configure the endpoint for the backend API. This step will be similar to the process for the frontend but you will need to make a few naming modifications.

Navigate to the Apache2 "sites-available" folder with cd /etc/apache2/sites-available.
Make a copy of the applications "conf" file with a different name by running sudo cp etcpasswdapp.conf etcpasswdapi.conf.
- I recommend making a copy of the frontend "conf" file because we will a lot of the info in it for the backend to be running over HTTPS.
Run sudo nano etcpasswdapi.conf to open up the new file in the nano editor.
- You will be editing a few things so be sure to leave it open for a bit.
With the editor open change the first <VirtualHost *:443> section's "DocumenRoot" to the location of the backends' "public" folder.
- For example, mine will be /var/www/etcpasswdapp/backend/public
With the editor open change the "ServerName" and "ServerAlias" to the API's nameing scheme.
- For example, my "ServerName" will be api.etcpasswdapp.com and my "ServerAlias" will be *.etcpassedapp.com.
In the second <VirtualHost *:80> section use the same naming scheme and change its "DocumentRoot, "ServerName", and "Redirect" accordingly.
Now save the file and exit the editor.

{Back to the Table Of Contents}

Step 4: Adding SSL

Now that there is an end point you will need to follow the same process as the frontend and configure a new SSL certificate with different names for the endpoint to work for testing.

Create the SSL certificate for the backend with sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache_cert2.key -out /etc/ssl/certs/apache_cert2.crt. It will prompt you for some basic information about your site.
- Note: that req is like "request" with a 'Q' and not a 'G' and you can name the cert anything. I chose the "apache_cert2" because it was convenient for me to type for this project.
Now that the certs are generated you need to navigate into the Apache2 "sites-available" folder, if not there already, with cd /etc/apache2/sites-available.
Open the "conf" file for the backend to edit it with sudo nano etcpasswdapi.conf.
Add the SSL configuration into the <VirtualHost *:443> section below the "DocumentRoot" somewhere.
Once you have edited the locations of the certs in the first <VirtualHost *:443> section save the file and exit nano.

You may still get betting the pesky error from the browsers when trying to access the page but you should be able to go into the "Advanced" button and allow the "unsafe site".

{Back to the Table Of Contents}

Step 5: Configure database.yml and secrets.yml

Now that the API is on the server, it has an endpoint, and SSL is enabled you now need to configure the applications database.yml and secrets.yml/secrets.yml.enc (depending on your set up) files for the database to work. "As of Rails 5.2, config/secrets.yml, config/secrets.yml.enc and SECRET_BASE_KEY are no longer being used to store encrypted keys. From now on, you are to use these files instead: config/credentials.yml.enc and config/master.key." ¹¹

Navigate to the API's database.yml file with cd /var/www/etcpasswdapp/backend/config
Run sudo nano master.key or sudo nano secrects.yml to create the file, or edit an existing file, and add in your secret to interact with the database in it.
- In my case I needed to add in a secret string that I'd previously set up into my master.key file and made a secrets.yml file and put the same key that my master.key file had in it, just to be safe if it's needed.
- Also, this the key not a variable. Just add in the string on the first line all by itself save it. It is case sensitive.
Now run sudo nano database.yml and configure it according to Passenger's Walkthrough step 2.3. It will look something like this when done.
- This will depend a lot on your own set up so take a min with it. (We will be using Passenger in the next section so this will do well.)
- You might need to delete your database configuration if you had set one up previously because it will interfere with Rails' configuration of its database based on the information in the database.yml file.
Now that the database configuration is set up be sure to edit the .gitignore file again and add in any missing files you don't want on the internet.
- For example, I added the database.yml file because of the password for my development configuration as so.
If everything works you will hopefully be able to now run rake db:create to finish setting up the database.
Hopefully you were able to create the database ok. If so you can now run rake db:migrate and rake db:seed to populate your database with the seed data for testing.
- If you run into an error try running rake db:reset or try deleting the database in the psql command line interface and recreating it.
You should now be able to check the configuration of the database within the psql command line interface and interact with the database. ¹⁸

{Back to the Table Of Contents}

Sorry but...
There are a few more things to do as I need to set up application server and go through server hardening.

Happy Hacking

Resources:

1. https://www.postgresql.org/docs/12/tutorial-createdb.html
2. https://www.postgresqltutorial.com/postgresql-data-types/
3. https://www.postgresqltutorial.com/postgresql-create-table/
4. https://www.digitalocean.com/community/tutorials/how-to-install-ruby-on-rails-with-rbenv-on-ubuntu-18-04
5. https://devhints.io/rbenv
6. https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/apache/oss/bionic/install_passenger.html
7. https://www.phusionpassenger.com/docs/advanced_guides/install_and_upgrade/standalone/install/oss/focal.html
8. https://www.phusionpassenger.com/docs/advanced_guides/install_and_upgrade/apache/install/oss/focal.html
9. https://www.phusionpassenger.com/library/install/apache/working_with_the_apache_config_file.html
10. https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/apache/oss/rubygems_norvm/install_passenger.html#step-2:-run-the-passenger-apache-module-installer
11. https://medium.com/@thorntonbrenden/rails-and-the-legendary-master-key-15c8be7799f1
12. https://linuxize.com/post/how-to-install-ruby-on-ubuntu-20-04/
13. https://www.phusionpassenger.com/docs/advanced_guides/install_and_upgrade/apache/working_with_the_apache_config_file.html
14. https://www.phusionpassenger.com/docs/tutorials/deploy_to_production/deploying_your_app/oss/aws/ruby/apache/#rails_configure-database-yml-and-secrets-yml
15. https://www.phusionpassenger.com/library/walkthroughs/start/ruby.html
16. https://www.digitalocean.com/community/tutorials/how-to-use-postgresql-with-your-ruby-on-rails-application-on-ubuntu-18-04
17. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-ruby-on-rails-project-with-a-react-frontend
18. http://postgresguide.com/utilities/psql.html
19. https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/autoconf.html#Introduction
20. https://www.gnu.org/software/bison/manual/bison.html#Introduction
21. https://linuxize.com/post/how-to-install-gcc-on-ubuntu-20-04/#:~:text=The%20default%20Ubuntu%20repositories%20contain,tools%20required%20for%20compiling%20software.
22. https://packages.debian.org/jessie/libssl-dev
23. https://packages.debian.org/buster/libyaml-dev
24. https://packages.debian.org/buster/libreadline-dev
25. https://packages.debian.org/buster/zlib1g
26. https://packages.debian.org/buster/libncurses5
27. https://packages.debian.org/buster/libffi-dev
28. https://packages.debian.org/buster/libgdbm6

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Adding SSL to a Server

DaNeil C — Tue, 05 Jan 2021 03:01:44 +0000

Welcome Back!

If you've kept up till now with this series your application is hopefully/mostly functional on your home server with Heroku hosting its' backend API but you keep getting an error of "net::ERR_CERT_COMMON_NAME_INVALID" or "net::ERR_CERT_AUTHORITY_INVALID".

Fear not! This is a pretty common SSL error during the loading of a website that, in most cases, is due to certificate misconfiguration on a server or lack of a certificate on a server.

At this point of this process this error actually makes since because

I actually haven't configured any SLL yet.
A new server is not automatically configured to have a HTTPS certificate.
Specific to my case, this error occurs because I am pointing my local DNS to the generic herokuapp.com Heroku endpoint, which is not able to be certified for my local server.

To fix this error we have a few things we could do:

Create our own self-signed Certificate and configure Heroku to accept it specifically for testing.
Use the SSL host name provided by Heroku for purchase: "herokudns.com" or "herokussl.com" depending on your setup.
Get a Certificate from a Trusted Certificate Authority; which is very similar to the Heroku specific SSL host names, but through different third parties.

For this part of the series I will be showing how I created my own self-signed certificate on my server that I will be using when I set up my backend API in the next part of this series.

Step 1: Adding SSL Module and Creating the Certificate
Step 2: Configuring Apache to Use SSL

So you want to create your own Certificate and configure it for testing. It's great to lean about how this is done as certificates are and important part of the encryption process of HTTPS. It should be noted that there is some not-so-pretty math involved with encryption and should really be left to the experts in a production environment; so take this all with a grain of salt as I am no encryption expert. As for me, I am just curious to see how a general certificate is made and signed so here is how I did it and the tutorial I used to get around configuring Heroku.

Step 1: Adding SSL Module and Creating the Certificate

By following the DigitalOcean tutorials previously, I already have some things set up so I can jump right into Step #1 of the tutorial

Enable mod_ssl module on Apache by running the command sudo a2enmod ssl.
- mod_ssl is an Apache module that provides support for SSL encryption.
Restart the Apache Service on the server with sudo systemctl restart apache2.
Create the SSL certificate by running sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt. Once run this command will prompt you for some basic information about your site/company like this image.
- You can name the cert anything but I was following the tutorial so I left it as "apache-selfsigned".
- The req flag is like "request" with a 'Q' and not a 'G'. This caught me up when setting up mine.

{Back to the Table Of Contents}

Step 2: Configuring Apache to Use SSL

Now that the Apache module is enabled and the certificate is created Apache needs to be configured to use SSL. To do this you will need to modify the application's conf file and redirecting any HTTP requests to HTTPS.

Run sudo nano /etc/apache2/sites-enabled/etcpasswdapp.conf to open the apps conf file for editing.
Add the SSL configuration to the file below the "DocumentRoot" section. Yours will look similar as the image below, but with whatever you named your cert.
While still in the conf file add in a second <VirtualHost> at the bottom to separate out requests for HTTPS requests on port 443 and HTTP requests on port 80. As shown below, you can see that the second <VirtualHost> for port 80 has a redirect option in it that will take any traffic from an HTTP request to your site and redirect it to the HTTPS address.
Save the file and exit the editor.
Restart the Apache service by running systemctl restart apache2.

After all this is set up you still might have some issues with your browser giving you an error about the site being self-signed and is not safe. This is bad for a production site but for development it's fine for now because the only way to fix this is to get a official signed certificate for a Certificate Authority like Cloudflare. To get around this now click on the "advanced" and tell the browser you are in that it is safe.

{Back to the Table Of Contents}

Up Next...

Now with the app functional with Heroku hosting its API, it's now time to migrate the API and database into the server.

Happy Hacking

Resources:

1. https://create-react-app.dev/docs/deployment/#static-server
2. https://stackoverflow.com/questions/42308879/how-to-solve-npm-error-npm-err-code-elifecycle
3. https://create-react-app.dev/docs/deployment/#customizing-environment-variables-for-arbitrary-build-environments
4. https://serverless-stack.com/chapters/environments-in-create-react-app.html
5. https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-20-04
6. https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Adding React to a Server

DaNeil C — Fri, 01 Jan 2021 01:36:21 +0000

So you built a home server and now you want to put a web site there to test. You are in the right place.

When I last left off with this series I finished setting up a basic LMAP software stack to host a website/application and at this intersection there are a few paths that you could follow to deploy you application on your LAMP server:

You could download an repository containing an applications source files and configure it directly on the server.
You could set up a Content Management System (CMS) and build an application through a graphical interface.
You could build something from scratch on the server.

For this part of the project I will be downloading the source files for an application that I built previously and deploy that from the server.
The files are located on GitHub and my local client computer so I will go over two ways that you can download them: with SSH and from GitHub.

Step 1: Setting up Separate Folders for the Frontend and Backend
Step 2: Downloading an application repository
Step 3: The React Configuration
Step 4: Configure the Environment Variables
Step 5: Clearing the Cache

Step 1: Setting up Separate Folders for the Frontend and Backend

This step is used if you are using SSH to get the application's files or if you are creating an application from scratch.

First thing I recommend doing is setting up the folders for the frontend to live in. You could also create a "backend" folder at this point but I will wait and create it when I need it later in this series.

If not already there, run cd /var/www/etcpasswdapp to navigate into the application's folder.
Run sudo mkdir frontend to create a separate folder for the frontend.

{Back to the Table Of Contents}

Step 2: Downloading an application repository

Now we need to get the application files onto the server and there are a few ways that it can be done. If you system allows a USB you could copy the files onto a USB and then into the applications folder, use git to download the files from GitHub, or use SSH to download the files from your client computer.

With SSH
To get this step done I need to be able to download the files from my client computer through a Command Line Interface. This is easy enough because during the Ubuntu Server install SSH was installed.

You can confirm that you have SSH installed already by running systemctl status ssh.
- If you don't have SSH for the Ubuntu server you might need to run sudo apt install ssh
Ensure that "Port 22" is open on your server computer to interact with it run sudo ufw status.
- If "Port 22" isn't open already (probably not) you will need to run sudo ufw allow 22 to open the Port with the Uncomplicated Firewall (ufw).
Ensure that the SSH service is running on the server computer by running sudo service ssh start.
Now on the client computer open the "PowerShell" CLI as Admin and navigate to whatever folder your application is in. For me I have to run cd ../../Users\meeeeee\Documents\Development.
- Be sure to choose the correct folder for YOUR system. This took me a minute to find the right folder in my system and "meeeeee" is just a name I threw in for an example.
- I'm also not sure if Admin status is really needed but I did it just to be safe.
Once in the folder run scp -r .\Final-Project-Frontend\* dan@192.168.2.43:/home/dan/ (but specific to your set up)
- scp is the Secure Copy Protocol.
- -r is the flag to perform a recursive action on anything in the folder.
- .\Final-Project-Frontend\ is the folder where my application is located within my Development folder on my client computer.
- * is added to mean everything in the folder's folders and not just files.
- dan@192.168.2.43:/home/dan/ is the SSH command to connect to my server computer and the file where you want your files put.
Back on the server computer ensure that you are in your main defualt folder with the cd command.
- FYI, the main default folder is the one that you appear in when you log into the server; usually the /home/your_name_here folder.
Now that the application files are in your server you can move them from the main default folder into the /etcpasswdapp/frontend folder with cp -r * /var/www/etcpasswdapp/frontend.
- cp is the command for "copy".
- -r will recursively move everything in the folder you are currently in (hopefully your main default folder) into the applications main folder.
Now that the application files are moved I recommend deleting the old files. To do this run rm -r <folder_name> and rm <file_name> for each folder and file individually so as to not accidently delete something you wanted to keep.

With Git

First install git onto the server computer with sudo apt install git.
You will need to configure your git identity on the server by running both git config --global user.name "Your GitHub username" and git config --global user.email YourGitHubEmail@example.com.
Now, navigate into the folder your application will live in with cd /var/www/etcpasswdapp.
Before you clone the GitHub repository you will need to delete the folders you created in step #1 with sudo rm -rf frontend. This will recursively remove the etcpasswdapp's frontend folder.
Now run sudo git clone https://github.com/yourGitHubProject.git frontend to clone the repository into a new folder called frontend.
Now run cd /var/www/etcpasswdapp/frontend and you should see the files you downloaded and if you run git status you can see that you are linked up to GitHub for some great version control and backup ability of your application.

{Back to the Table Of Contents}

Step 3: The React Configuration

Now that the application is in the correct folder on the server it's time to add the React configuration into Apache; which really is installing the NPM package manager.

First thing is to navigate into the apache config folder for the application with cd /etc/apache2/sites-enabled.
Run sudo nano etcpasswdapp.conf to edit the VirtualHost configuration for the application.
Edit the "DocumentRoot" line to the new location of the landing page (/var/www/etcpasswdapp/frontend/build)and the "Directory" path to the application's main folder (/var/www/etcpasswdapp/).
- Note: At this time your site might show you an error on your client computer because, like mine, the build folder is probably not be configured right yet.
Install the npm module with sudo apt install npm to allow for the creation of the "production build" for your application.
Navigate to the application's folder with cd /var/www/etcpasswdapp/frontend.
Run sudo npm install to make sure all the packages are installed.
- Add the -g flag at the end to install npm globally.
If you have any .env files ensure that they are up to date. (See step $4 below)
Run sudo npm run build to create the production build folder.
- If you run into an error here where the "build" fails refer to step #5 below for Clearing the Cache and try again.

Now that npm is installed you might need to restart the Apache service but you shouldn't need to run sudo npm run start because the Apache web server is already running and this command is for starting a separate "server instance" that isn't needed for this type of set up.

{Back to the Table Of Contents}

Step 4: Configure the Environment Variables

Environment variables are important to hold secrets for the application as well as tell the application to run in a "production" mode or "development" mode (which is important for testing).
You might not need this step if you are creating an application from scratch or coping the application files from the client computer. However, if you downloaded a GitHub repository then you will need to create an .env file and a .gitignore file and configure them for security of the application.

Ensure you are in the applications folder and run sudo nano .env to create & edit the .env file.
Add any needed variables with the "REACT_APP_" prefix or rename any existing variables to have "REACT_APP_" before all variables you will need.
- For example, if you had a variable such as CRYPT_KEY it needs be be changed to REACT_APP_CRYPT_KEY.
Save the file and exit the editor.
Edit any location where the variables are used and add "process.env" in front of each variable.
- For example, in my "app.js" file any CRYPT_KEY variable becomes process.env.REACT_APP_CRYPT_KEY.
Now delete any of the old variable creations throughout the application's files.
- For example, at the top of my "app.js" file I will delete a bunch of constants that I created for local testing of the API location, like const CRYPT_KEY = "http://localhost:3000/api/v1/login". No need to keep extra code around.
Run sudo .gitignore to create & edit a .gitignore file that GitHub will use to know which files will not be added to GitHub.
- For example: add the .env file to that .gitignore file so it doesn't accidently get loaded onto GitHub.
Add any files with their path to the file
Save the file and exit the editor.
I recommend you rerun the npm run build command here to reconfigure your build to the new variables and the new files.

{Back to the Table Of Contents}

Step 5: Clearing the Cache

So your build failed. Mine failed a few times during this process and the best thing to try is to clear the cache, delete the npm packages for the application, and re-build it.

If not already there, run cd /var/www/etcpasswdapp to navigate into the application's folder.
- This step needs to be done from within the application's folder.
Run sudo npm cache clean --force to force the clearing any cache the application might have.
Run sudo rm -rf node_modules package-lock.json to delete the "node_modules" folder and the "package-lock.json" file.
- Or delete each separately by running sudo rm -rf node_modules and sudo rm -rf package-lock.json.
Install the npm packages again with sudo npm install.
Ensure npm is started with sudo npm start.
Run npm run build again and hopefully your application will be working now.

{Back to the Table Of Contents}

At this point the applications frontend should be working. For my system I have my backend still on Heroku so my links are not broken BUT the backend is not working because I have not set up SSL on the frontend yet.

Up Next... Securing Server Traffic with SSL

Happy Hacking

Resources:

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

"P" is for PHP

DaNeil C — Fri, 25 Dec 2020 00:16:54 +0000

When I last left off I had just finished the PostgreSQL database install and basic configuration so now it's time for the "P" in the LAMP stack, PHP. The "P" in LAMP technically represents "PHP" (PHP: Hypertext Preprocessor); though like MySQL, PHP has also been substituted for other server-side scripting languages in recent years; such as, Perl, and Python.

[⭕]Linux
[⭕]Apache
[⭕]~~MySQL~~ PostgreSQL
[❌]PHP

PHP is an server-side scripting language, and general purpose programming language, that can be deployed on most web servers, works on almost every operating system and platform, and is free to use. It was created in 1994 and in spite of its historical security issues it has been widely ported and remains popular for its ability to efficiency process code and create dynamic web content on/for a web server. ⁴

When building a dynamic website/application PHP commands are either embedded directly into HTML source code or in external files that are linked to. When a web server gets a request for a PHP file, like index.php, or encounters a link to an external PHP file in an HTML file, like index.html, the web server passes that part of the request to a PHP interpreter. The PHP interpreter will read the file and execute any PHP code it finds. Once done interpreting the file the output of the code will be passed back to the web server which will then send the dynamically created content back to the client/browser that made the original request.

This all means that any PHP code that is run will not be visible to the user making a request but instead will be run by/on the web server and will result in a dynamically created HTML document that will be visible to the user. ³

Step 1: Installing PHP
Step 2: Testing PHP

Step 1: Installing PHP

To install the PHP module run sudo apt install php libapache2-mod-php php-pgsql.
- This will install the PHP module with 2 dependencies of the PHP module for Apache and the PHP PostgreSQL connector.
- sudo apt install is the command to install something on Ubuntu.
- php is the thing that is being installed.
- libapache2-mod-php is the apache2 PHP module dependency.
- php-pgsql is the PostgreSQL module for PHP dependency.
Restart the apache2 service with systemctl restart apache.

{Back to the Table Of Contents}

Step 2: Testing PHP

That's it. There is no configuring PHP. The set up is done but you need to test it to ensure that it is working.

Navigate into the "etcpasswdapp" site folder with cd /var/www/etcpasswdapp/.
Make a new PHP index file with nano index.php.
- This will also open up the "nano" editor.

Edit the "index.php" file by adding some simple PHP code to the file such as:

<!DOCTYPE html>
<html>
<head>
    <title>Example</title>
</head>
<body>

    <?php
        echo phpinfo();
    ?>

</body>
</html>

Save the file and exit the editor.
On the client computer navigate to the address of the PHP file such as "etcpasswdapp.com/index.php" and notice that there is now the PHP in the page. Below you can see the output of my phpinfo() command from my server computer.

Notice that I didn't delete my index.html page but instead am able to call the index.php in place of it.

Notice that if you view the "source code" in the browser that you don't see the simple PHP page that I created by instead the dynamically created HTML output of the command in the next picture.

{Back to the Table Of Contents}

DONE!! Now that the LAMP stack is installed and has some basic configurations it's time to move to setting up your website. For this I will be setting up the React frontend separate from the Ruby on Rails API backend and setting up their SSL configuration and then hardening the server itself.

[⭕]Linux
[⭕]Apache
[⭕]~~MySQL~~ PostgreSQL
[⭕]PHP

Happy Hacking

Resources:

1. https://create-react-app.dev/docs/deployment/
2. https://www.ibm.com/cloud/learn/lamp-stack-explained
3. https://stillat.com/blog/2014/04/02/how-does-php-work-with-the-web-server-and-browser
4. https://en.wikipedia.org/wiki/PHP

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

"M" is for MySQL

DaNeil C — Fri, 25 Dec 2020 00:16:22 +0000

When I last left off I had just finished the Apache HTTP server install and basic configuration so now it's time for the "M" in LAMP, ~~MySql~~ PostgreSQL. The "M" in the LAMP stack technically represents "MySQL", an open-source relational database management system (RDBMS), but in recent years has expanded to include any RDBMS that fits your needs; such as MariaDB or PostgreSQL, or even NoSQL databases such as MongoDB.

For my "M" I chose to use PostgreSQL because it has a strong reputation for its reliability, flexibility, support of open technical standards, and its use of both non-relational and relational data types. That being said, there are a lot of options for databases anymore so it's important to do your own research and find one that you are comfortable with and does what you need. (Reference link 2 is a list of RDBMS that you might look at and link 3 is information on choosing a database.)

[⭕]Linux
[⭕]Apache
[❌]MySQL
[❌]PHP

PostgreSQL is an open source Object-RDMBS (Relational Database Management Systems) that uses a client/server model. As with other client/server applications, the client and server can be on different hosts, or the same host, and they communicate over a TCP/IP network connection. ⁵ PostgreSQL became popular for its ACID-compliance (Atomicity, Consistency, Isolation, Durability) and support of both non-relational and relational data types.

Step 1: Installing PostgreSQL
Step 2: Configuring PostgreSQL
Step 3: The Database

Step 1: Installing PostgreSQL

Like other installs PostgreSQL is pretty straight forward to install.

Run sudo apt install postgresql postgresql-contrib libpq to install a PostgreSQL in the Ubuntu server along with some commonly used add-ons for it. ⁸
- postgresql is to install PostgreSQL
- postgresql-contrib is to install additional supplied modules specific to a package
- `libpq1 is to install libraries and headers for C language frontend development ⁷

The install is seriously that easy and if you want to see a list of additional addon package flags available run apt-cache search postgres. I recommend adding on > list.txt to the end of the search command to export the list to a file called "list.txt" so that you can actually read over it.

{Back to the Table Of Contents}

Step 2: Configuring PostgreSQL

At this point there are a few things that are good to know about Postgres:

Postgres uses a concept called “roles” to handle authentication/authorization and upon installation, Postgres uses the "ident authentication" for any connections from the same machine. This means that it associates Postgres roles with a matching Unix/Linux system account and if a role exists within Postgres, a Unix/Linux username with the same name is able to sign in as that role. ⁴
Postgres authentication system assumes that for any role used to log into it, that role will have a database with the same name that it can access. This means that if a user is created with the sudo -u postgres createuser --interactive command called "dan", that the role will attempt to connect to a database which is also called “dan” by default and if this database isn't created then it needs to be for that user role to interact with Postgres properly.
"Each table is a named collection of rows. Each row of a given table has the same set of named columns, and each column is of a specific data type. Whereas columns have a fixed order in each row, it is important to remember that SQL does not guarantee the order of the rows within the table in any way (although they can be explicitly sorted for display)." ⁶
"Tables are grouped into databases, and a collection of databases managed by a single PostgreSQL server instance constitutes a database cluster." ⁶

Now that that is out of the way PostgreSQL needs to be configured.

Switch over to the default Postgres account with sudo -i -u postgres and notice that your terminal now shows "postgres@homeserver:$", or whatever you named your server, instead of "root@homeserver:$".
- The sudo does need to be used for this command even if you are logged in as root already.
Create a new Postgres specific user role with createuser --interactive.
- The "--interactive" flag will enable a prompt for the name and role you want to add.
- The sudo -u postgres createuser --interactive command can be run a root to do the same thing fyi.
Create a database for your new PostgreSQL users to connect with createdb dan where "dan" is whatever name you chose for the precious step.
- The sudo -u postgres createdb dan command can be run a root to do the same thing fyi.
Now if you type exit to leave the Postgres user role and type sudo -i -u dan to switch into the user you created, you should be able to interact with the database created with the psql command.
- To leave the psql cli interface type \q.

{Back to the Table Of Contents}

Step 3: The Database

Here I am going to skip setting up the database as I will be using my API backend to configure a specific database for it. At the time of writing this my database is being hosted on Heroku so I can test that my frontend works properly and I will move it into the server later in this series.

{Back to the Table Of Contents}

Success! Now that the Linux, Apache, and PostgreSQL are configured it's time to move onto PHP.

[⭕]Linux
[⭕]Apache
[⭕]MySQL
[❌]PHP

Happy Hacking

Resources:

1. https://en.wikipedia.org/wiki/LAMP_(software_bundle)
2. https://en.wikipedia.org/wiki/List_of_relational_database_management_systems
3. https://www.ibm.com/cloud/blog/how-to-choose-a-database-on-ibm-cloud
4. https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-ubuntu-20-04
5. https://www.postgresql.org/docs/7.4/tutorial-arch.html
6. https://www.postgresql.org/docs/7.4/tutorial-concepts.html
7. https://www.postgresql.org/download/linux/ubuntu/
8. https://gorails.com/deploy/ubuntu/20.04#database
9. https://stackabuse.com/using-postgresql-with-nodejs-and-node-postgres/

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

"A" is for Apache

DaNeil C — Fri, 25 Dec 2020 00:15:42 +0000

When I last left off I had just finished the main OS install. Now it's time for the "A" in LAMP, Apache. The "A" represents the "Apache HTTP Server" in the LAMP software stack. Apache will receive requests, process the requests, and then serves up associated web assets via the HTTP (HyperText Transfer Protocol) so that a website is accessible to anyone in the public domain via a simple URL.

[⭕]Linux
[❌]Apache
[❌]MySQL
[❌]PHP

In recent years the LAMP software stack has started to utilize Nginx, or other web servers, in place of Apache. "In June 2013, Netcraft estimated that Apache served 54.2% of all active websites and 53.3% of the top servers across all domains... In June 2014, Apache was estimated to serve 52.27% of all active websites, followed by Nginx with 14.36%." ¹

NOTE:: From here on I will be showing commands with my applications name, etcpasswdapp. Be sure to change them to your applications name. By using my applications name this will allow for consistency between the steps and clearer representation of what commands you should be running.

Step 1: Install Apache
Step 2: Configuring Apache
Step 2.1: Configuring Name-based Virtual Hosts
Step 2.2: Configuring IP-based Virtual Hosts
Step 2.3: Configuring Port Virtual Hosts

Step 1: Install Apache

To install Apache on a Ubuntu Server OS is super easy.

Run sudo apt install apache2 to install the Apache HTTP server and a very basic website in the /var/www/html folder.
Run ifconfig on the server computer to find the IP address of the server and then type it into my browser to confirm the Apache2 landing page is live.
- Mine was something like 192.168.2.43.

Now that you have Apache installed it needs to be configured so you can host your own application/website.

{Back to the Table Of Contents}

Step 2: Configuring Apache

To configure Apache you need to set up a "Virtual Host" and there are 3 types of Virtual Hosts available. (If you skipped over it you can refer to my previous definitions post on this.):

IP-based: meaning that you have a different IP address for every web site, 172.20.30.40 or 172.20.30.50
Name-based: meaning that you have multiple names running on each IP address, blog1.example.com or blog2.example.com
Port: meaning that you have multiple ports on one IP address for every web site, 172.20.30.40:8081 or 172.20.30.40:8080

No matter what type of VirtualHost you chose you will need to at least do these steps:

Make a folder for your site to live in with sudo mkdir /var/www/etcpasswdapp.
- Remember to name the directory the same name as the website that you want to create aby replacing "etcpasswdapp" with your website's name.
Navigate into the folder with cd /var/www/etcpasswdapp.
Add a basic index.html page for testing with nano index.html.
- Mine just says "HiiIiIIiI" so I can see it's working. <html> <body> <p>HiiIiIIiI</p> </body> </html>
Now navigate into the "sites-available" folder with cd /etc/apache2/sites-available/.
Here you will create a copy of the default configuration file "000-default.conf" with sudo cp 000-default.conf etcpasswdapp.conf.
- Don't forget to replace "etcpasswdapp" with your website's name. :)

Now it's time to configure the Virtual Host for your set up. The following 3 sections will show a few different configuration options so take a minute to read over them and choose the best one for your situation.

{Back to the Table Of Contents}

Step 2.1: Configuring Name-based Virtual Hosts

There are two ways to configure the Name-Based Virtual Host depending on if you have a registered domain name, such as "www.example.com", or not.

With a registered domain
If you have a registered domain this tutorial "should" work for you. I say this because I am not able to test this part 100% as I don't have any registered domains.

Navigate into the sites-available folder with cd /etc/apache2/sites-available/.
Run sudo nano etcpasswdapp.conf and follow the Ubuntu tutorial for specifics that you will need to change add for your configuration.
- If you are setting up a separate frontend and backend, like my set up, I recommend changing the "ServerAlias" to be like *.etcpasswdapp.com so that it can account for an api address like api.etcpasswdaoo.com that I will be using later for the backend configuration.
Run sudo a2ensite etcpasswdapp.conf to add your site configuration to the enabled sites list.
Run sudo a2dissite 000-default.conf to disable the default configuration site.
Run sudo systemctl restart apache2 to restart the apache service and you should now be able to connect to your registered domain in a browser on your client computer.

Without a registered domain
If your client is a MAC, Linux, or Windows PC, all the above steps will be needed, in addition to the steps below, to allow you to connect to a non-registered domain name to your client computer through its "local hosts". For each client type below you will run the commands above here and then the commands below specific to your client computer type.

▶️For a MAC or Linux client:

Run nano /etc/hosts to edit the "hosts" file.
Add a comment of #VirtualHosts to the bottom of the file so you know which information you added.
Below your comment add 192.168.2.43 etcpasswdapp.com for each of the web sites your are hosting.
- Be sure that you use the IP Address of YOUR server computer and the name of the domain that you want to access from your client computer.
Save and exit the "nano" editor and your site should be accessible in your client browser with the domain name your chose.

▶️For a Windows client:
This is the process that I used as an Admin on my client computer.

Open a "File Explorer" and navigate to the "hosts" file located at C:\Windows\System32\drivers\etc\.
Open the "hosts" file in NotePad.
Add a comment of #Virtual Hosts to the bottom of the file.
Add 192.168.2.43 etcpasswdapp.com for each of the web sites your are hosting.
- Be sure that you use the IP Address of YOUR server computer and the domain that you want to access locally.
Before you can save the "hosts" file go back into the "File Explorer", right-click on the "hosts" file, and view its "Properties".
- If you are not an Admin on your client computer you might need to contact them for this.
Go into the "Security" Tab.
Select your User group and "Edit" their permissions for this file.
Add the ability to "Modify" and "Write" the file and apply the changes.
- It will give you a warning here but click "Yes".
- Also, be sure to change your permissions back as you shouldn't need to edit this again and don't want to let anything happen to this file by accident.
Now you can save the "hosts" file that you edited in NotePad.

If you still have issues accessing your site(s) you might run sudo systemctl restart apache2 on the server computer to restart the apache service again or you might need to restart your client computer. Whichever client computer you have this should change your new landing page to your sample "index.html" page.

{Back to the Table Of Contents}

Step 2.2: Configuring IP-based Virtual Hosts

This configuration will work to set up temporary "IP aliasing" for testing multiple IP addresses on a servers single NIC and will automatically be deleted once the system reboots.
For this configuration to work permanently you need to either have multiple NICs (Network Interface Cards) or be able to configure virtual NICs on the server computer. Both of which are beyond the scope of this blog, but the basics of how to configure a IP-based VirtualHosts, assuming you have one of the mentioned set ups, you will be doing some of the steps as the Name-based VirtualHosts setup as well as adding an IP address into your configuration (See Step 4 below as it's second part is this configuration step) so the NICs knows where to direct traffic.

Run ifconfig on the server to check what your ethernet connections name is and what IP address it is using.
- On my server I currently have a local IP of "192.168.2.43/24" and I named it "EtherNetBond0" when I installed the Ubuntu Server OS.
Run sudo ip addr add 192.168.2.44/24 dev EtherNetBond0 to create a new IP alias for this Network Interface.
- Note: that you can really choose any number for the 4th octet on the IP address as long as it is not being used by another device on you network.
Navigate into the "sites-available" folder with cd /etc/apache2/sites-available/.
Run sudo nano etcpasswdapp.conf and follow the Ubuntu tutorial for specifics that you will need to change add for your configuration.
While still editing the conf file for the application that you want to access through a different ip address be sure to change its <VirtualHost *:80> to <VirtualHost 192.168.2.60:80>.
- The * represents what IP addresses will be used to connect the site on the server. Changing *:80 to 192.168.2.60:80 will enable the separation of IP address connections of incoming traffic on port 80 and allow for more VirtualHost connections through different IP addresses on the server.
Run sudo a2ensite etcpasswdapp.conf to add your site configuration to the enabled sites list.
Run sudo a2dissite 000-default.conf to disable the default configuration site.
Run sudo systemctl restart apache2 to restart the apache service.
You should now be able to connect to your website in a browser on your client computer with the IP address you chose.

{Back to the Table Of Contents}

Step 2.3: Configuring Port Virtual Hosts

The configuration of Port Based VirtualHosts is similar to configuring Name-based VirtualHosts but with a port specification and configuration of the UFW (Uncomplicated Firewall).

Navigate into the "sites-available" folder with cd /etc/apache2/sites-available/.
Run sudo nano etcpasswdapp.conf and follow the Ubuntu tutorial for specifics that you will need to change add for your configuration.
Now change its <VirtualHost *:80> to <VirtualHost *:8080> or whatever port your choose.
- Becareful not to use a port that is in use or could be in use by choosing a high number or look up what numbers are commonly in use to avoid them.
Save the file and exit the editor.
Run sudo a2ensite etcpasswdapp.conf to add your site configuration to the enabled sites list.
Run sudo a2dissite 000-default.conf to disable the default configuration site.
Run sudo systemctl restart apache2 to restart the apache service and set the changes.

Now that the basics are set up you now need to configure the UFW (Uncomplicated Firewall), which should be pre-installed on the Ubuntu server, to allow web traffic to that specific port.

Run sudo ufw app list to look at your UFW application list. It should show 4 available applications: Apache, Apache Full, Apache Secure, and OpenSSH.
```
Available applications:
    - Apache
    - Apache Full
    - Apache Secure
    - OpenSSH
```
Run sudo ufw status to view your current Apache Full profile status and what pots are open. It should show that it enables traffic to ports 80 and 443.
Run sudo ufw allow in "Apache Full" to allow for incoming traffic for the "Apache Full" profile.
Now run sudo ufw allow 8080/tcp (or whatever port you chose to host your application on)
- If you run the sudo ufw status again it should now show the port your added.
Run sudo systemctl restart apache2 to restart the apache service and you should be able to connect to your registered domain in a browser now.

Couple notes here:

You might need to add your server IP address to the "hosts" file for this configuration to work, like I did with the Name-Based configuration.
You cannot add an IP address with a specific port to the "hosts" file and it's not designed for this. If you desire to access your website through a specific port you will need to add the IP address to your "hosts" file and bookmark the specific port in a browser.
If you want to see the configuration this sets navigate to the "user.rules" and "user6.rules" files with the cd /etc/ufw and look at the user files with the less user.rules and less user6.rules commands.
- less and cat commands both read the file but less will allow you to scroll through the file if it is too big to fit on the screen.

{Back to the Table Of Contents}

Success! Hopefully that worked for you because it's now that Linux and the Apache HTTP server are installed and configured it's time to move onto the database, ~~MySQL~~ Postgress.

[⭕]Linux
[⭕]Apache
[❌]MySQL
[❌]PHP

Happy Hacking

Resources:

1. https://news.netcraft.com/archives/2014/06/06/june-2014-web-server-survey.html
2. https://news.netcraft.com/archives/2013/06/06/june-2013-web-server-survey-3.html
3. https://en.wikipedia.org/wiki/Virtual_hosting
4. http://httpd.apache.org/docs/current/vhosts/
5. https://httpd.apache.org/docs/2.4/vhosts/examples.html
6. https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04
7. https://wiki.ubuntu.com/UncomplicatedFirewall?action=show&redirect=UbuntuFirewall
8. https://wiki.ubuntu.com/UbuntuFirewallSpec
9. https://stackoverflow.com/questions/8652948/using-port-number-in-windows-host-file

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

"L" is for Linux

DaNeil C — Fri, 25 Dec 2020 00:13:22 +0000

Overview

Now that we have some info out of the way in part 1 of this series, it's time to build a server. First up is the OS.

[❌]Linux
[❌]Apache
[❌]MySQL
[❌]PHP

As stated in the intro post for this series, "L" represents Linux in LAMP software stack. LAMP (Linux, Apache, MySQL, PHP) is an open source software stack where each component contributes essential capabilities to an application. Though almost any OS, HTTP server, Database Manager, and data processing software could be used that suites your need the LAMP stack "has a classic layered architecture, with Linux at the lowest level followed by Apache, MySQL, and PHP. Although PHP is nominally at the top or presentation layer, the PHP component sits inside Apache." ⁵

Step 1: Picking out the Server's OS
Step 2: OS Install
Step 2.1: Setting up network access
Step 3: The Install
Step 4: Ping Test

Step 1: Picking Out the Server's OS

Though there are a lot of options for the servers Operating System, I don't need any type of crazy set up and I don't want to spend any money. With this in mind that means that any Windows Server is out as I don't want a Free Trial product and it's about $100+; so I will stick with a Linux/Unix based OS.

As far as free server OS options it depends a lot on your intended use.

If you want a media storage server specifically you could chose Plex Media Server, FreeNAS, or Kodi Open Source Home Theatre Software to name a few.
If you want some flexibility you might try some server management software like Amahi Home Server that is installed on top of Fedora or CentOS servers and comes pre-installed with a lot of services already.
If you want to configure it yourself, like me, you might choose Ubuntu Server Edition, ClearOS, or Fedora Server to name a few.

After some research on the abilities of the server software, I decided on Ubuntu Server Edition because I need something that is widely used in production environments. Now it's time to work on installing it onto an old computer I have hanging out in my office.

{Back to the ToC}

Step 2: Pre-OS Install

Server install will very a lot depending on the one you chose, but for my Ubuntu Server Edition it was super straight forward. The only hiccup was that it did not want to install with WIFI as its' main Internet connection point.

Why you ask? This is because the vast majority of NICs (Network Interface Cards) that are in computers are almost all the same, or there is very little variation, so it's easier to have the drivers already as part of the server OS at install. In contrast, basically every WIFI adapter out there is different and it would be next to pointless for an OS to come with drivers for some 200 WIFI adapters when they could have maybe 10 NIC drivers.

There are ways around it if you know the computers NIC interface, buuuuut it's easier just to have a Ethernet cord there for it.

Step 2.1: Setting up Network access

For my server OS install there might was an extra step here because servers don't like to use WIFI as their main connection and my office did not have an Ethernet connection in it.

For my setup, this means that I need a switch to split the Ethernet connection coming into my office. This is easy enough as its a plug-and-play style device and just needs to be plugged in. I take my incoming Ethernet cord and plug it into slot #1 and then add another Ethernet cord into slot #2 for my server computer and one more into slot #3 (respectively) for my client computer.

{Back to the ToC}

Step 3: The Install

Thanks to the "Install Ubuntu Server" tutorial all the steps are broken down nicely so go there if you need help as I wont go into much detail here. Just follow the tutorial and it explains really well what you might need to do for your setup. For my, I did notice that some steps didn't quite look the same but it worked out just fine.

To follow the tutorial steps as best as able for my system and a basic configuration I did:

Downloading the ISO file in the Manual install
Burning it to a USB or CD (I used BalenaEtcher to burn the ISO to a USB)
Install it on the desired computer following the tutorial steps.
https://paginas.fe.up.pt/~acbrito/laudon/ch8/chpt8-3main.htm
https://www.computerhope.com/jargon/s/server.htm
https://en.wikipedia.org/wiki/Server_(computing)

Note: This series will used a "headless" server; meaning that it will not have any type of Graphical User Interface and that once it is installed, it will not need a monitor. Because of this all interaction with the server will be done through the server's terminal directly or via SSH from my main "client" computer (Windows).

{Back to the ToC}

Step 4: Ping Test

Once the server is installed it's good to make sure that it's all working and you can interact with it from your client as download the Ubuntu net-tools.

You can ensure it has Internet connectivity in general by running ping 8.8.8.8 (Google's DNS) from the servers terminal or it might be evident during setup if it is connected and working as the Ubuntu Server OS I installed said it needed some updates from version 20.04 to 20.09 during the install.
Next I recommend installing the Ubuntu net-tools with apt install net-tools on the server computer. This tool contains the ifconfig command that allows you to see your servers IP address.
Run the ifconfig command once downloaded to view your servers IP address.
Now that you know the server's IP address run the "ping" command from you client computer's terminal with the IP address of your server computer to confirm that your client can see your server. (Something like: ping 192.168.1.14 but will can very depending on your home network.)
Once the client computer can see the server computer, it's good to ping the client computer from the server. Being that my client is a Windows PC I ran ipconfig in my Windows terminal to find its' IP address and then ran ping 192.168.1.15 from my server computer to my client.
- Note: you might need to restart your server and client for this to work. I tried refreshing the caches manually but restarting fixed an issue that wouldn't let my client PC ping my server. Restarting will force refresh the device's cache.

{Back to the ToC}

Success! The Linux OS install is done and it's on to Apache.

[⭕]Linux
[❌]Apache
[❌]MySQL
[❌]PHP

Happy Hacking

Resources:

1. https://www.smarthomebeginner.com/best-home-server-software-os/
2. https://www.technorms.com/77526/home-server
3. https://ubuntu.com/tutorials/install-ubuntu-server#1-overview
4. http://net-tools.sourceforge.net/
5. https://www.ibm.com/cloud/learn/lamp-stack-explained

Please Note: If anything that I have stated is incorrect please let me know what and why. I would love to learn more about what I may not fully understand yet.

SOP vs CORS?

DaNeil C — Sat, 12 Dec 2020 02:22:16 +0000

According to the Merriam-Webster dictionary, an "origin" is a

rise, beginning, or derivation from a source. (1)

The concept of an "origin" on the web was first introduced by Netscape Navigator in version 2.02 in 1995; with the original intent to "automatically prevent scripts on one server from accessing properties of documents on a different server." (2) They didn't use the words "origin" but the heart of it was there. Since this time the Internet has evolved a lot and now there are 2 specific separation of origin policies, Same-Origin and Cross-Origin, that help build the trust relationship between a user and a resource.

SOP

The SOP (Same-Origin Policy) is a web browser security mechanism that prevents of JavaScript, and other scripting languages, from getting access to the DOM properties and methods. It is arguable the most important security concept within modern browsers, according to Google. (3)

According to RFC6454 section 3.5 "the same-origin policy uses URIs to designate trust relationships." (4) It does so by grouping URIs, by origin, as a representation of protection domains. These protection domains control which resources in a origin are granted authority to access objects and network resources within its own origin.

This policy is noticeably important for security because it is common browser behavior to include any cookies, including authentication session cookies, relevant to the other domain as part of the request when sending an HTTP request from one origin to another.

The RFC standard URL value that SOP follows is use an algorithm to match the protocol, hostname, and port of a request; though not all browsers care about the port.

The RFC standard says that

Two origins are "the same" if, and only if, they are identical.
In particular:
 * If the two origins are scheme/host/port triples, the two 
origins are the same if, and only if, they have identical 
schemes, hosts, and ports.
 * An origin that is a globally unique identifier cannot 
be the same as an origin that is a scheme/host/port triple.

Two URIs are same-origin if their origins are the same.

   NOTE: A URI is not necessarily same-origin with itself.
 For example, a data URI [RFC2397] is not same-origin with
 itself because data URIs do not use a server-based naming 
authority and therefore have globally unique identifiers 
as origins.

So, when the URI from above is compared with the URIs below you can see why they would not be considered "same-origin."

CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that allows access to resources across origins. Implemented as an extension of the Same-Origin Policy, CORS enables servers to specify any other origins allowed to share resources with though a suite of HTTP headers that define any trusted origins and associated properties that are combined during the exchange between a Browsers and a resource across web origins. For example, if an API is used on http://example.org, http://hello-world.example can opt in using the mechanism of the Access-Control-Allow-Origin: http://example.org as a response header, which would allow the resource to be fetched cross-origin from http://example.org. (8)

CORS has an "opt in" mechanism where user agents (Browsers) will, typically, isolate content retrieved from different origins, by default, to prevent malicious web site operators from interfering with the operations of benign web sites and to prevent leaking of data. (9)

Be Warned: This does NOT mean that CORS is security.
CORS != Security.
CORS is a way of easing up on the strict same-origin policy of resource sharing and NOT a mechanism to enforce general security or prevent against a variety of risky scenarios.

SOP and CORS Limitations and Importance

Implementing SOP and CORS doesn't mean your website is secure, but is an important security concept within modern browsers. (3)

SOP doesn't completely eliminate interaction between different origins and CORS is needed to allow a Browser and server to each evaluate whether any specific interaction may pose a threat and if not, allow it.

Furthermore, though reading between origins is usually blocked, this doesn't apply to HTML tags. This means a web page may freely embed cross-origin images, stylesheets, scripts, iframes, and/or videos and these resources still be accessed across origins through the associated HTML tag.

Lastly, though reading between origins is usually blocked this usually means you can still send a cross-origin requests but reading the response is prevented.

Happy Hacking

Resources:

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Browser Communications

DaNeil C — Fri, 11 Dec 2020 21:16:54 +0000

Hope you read about What browsers are doing when you make a request for a resource and How do browsers make websites because today we are going to continue this series with How Browsers communicate.

We already established that there are no set rules when dealing with the web but then how are browsers are to communicate?

Protocols

Browsers communicate using "protocols"... Or really any network based communications use protocols.
Protocols are a, loosely followed, set of rules that say how routing and addressing packets of data is done to allow two or more entities to share information.

As shown above, there are a lot of different types of protocols that are used at different stages of network communication. But, only a "few" of these make up the "Internet Protocol Stack" or the "Internet Protocol Suite".

The Internet Protocol Suite

The IPS is a conceptual model and suite of communications protocols (or "stack of protocols") used in the Internet to provide end-to-end data communication and specifying how data should be packetized, addressed, transmitted, routed, and received.

The foundational protocols in the suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP); and thus it is commonly referred to as simply the TCP/IP Suite.

Internet Protocol Stack:
Note: Some of the layers of the Internet Protocol Suite are not exactly where this diagram shows them or are used at multiple stages in the stack depending on their use.

Internet Protocol

The Internet Protocol (IP) is generally considered the base protocol that all other Internet based protocols sit on top of, is the first to be interacted with when data is received, and introduces the "virtual network abstraction that is the basic principle of the Internet model." (1)

At the very basics level, the Internet Protocol uses a "Internet Datagram" to exchange data though specified encapsulation and lacks any functionality for error handling when datagrams are either duplicated, lost, or arrive to the remote host in another order than they were sent.

IP Datagram

TCP/UDP

The TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) protocols that sit on top of the Internet Protocols in the "Transport Layer" of the TCP/IP Model. Note:: There are a few other protocols at this level, but TCP and UDP are the most commonly used.

UDP
The UDP is an end-to-end communications protocol that contains just enough information to transfer a "user datagram" from one process on the transmitting host to another process on the receiving host.

User Datagram

Much like IP though, UDP is an connectionless, unreliable service that transfers data before any agreement is provided by the receiving party. Because of this UDP is primarily used for low-latency(low-delay) and loss-tolerating connections such as voice over Internet Protocol (VoIP), domain name system (DNS) lookup, and video or audio playback.

TCP
The TCP (Transmission Control Protocol) is a reliable, stream oriented service for connection of application layer software with a service. Because TCP was one of the first network implementations that complemented the IP, it is commonly referred to as TCP/IP.

TCP requires a connection between client and server to be established before a segment of the actual application data can be sent (also known as the three-way handshake). It uses this connection to establish a virtual circuit between the two transmitting hosts so that both hosts can simultaneously put data out on the Internet without specifying the destination host once the connection is established.

Application Layer

Above the UDP and TCP Transport Layer, respectively, is the Application layer where more protocols provide applications with a standardized way to exchange data.

UDP Side
The main protocols on the UDP side include DNS, Network Time Protocol (NTP), BOOTP, and DHCP, but there are more.

These protocols are generally used here because of the lack of need for real-time error handling and the need for a large number of clients to be connected at once.

TCP Side
The main protocols usually used on the TCP side include HTTPS, "HTTP, FTP, Post Office Protocol 3 (POP3), Simple Mail Transfer Protocol (SMTP), and Simple Network Management Protocol (SNMP)." (2)

These protocols are usually used here because of the need for compatible with a variety of operating systems, scalability and reliability as the internet grows, and the ability to recover automatically from the failure.

Access ports

As stated above, each side (UDP vs TCP) has their top protocols that are generally used on them, but how do you access them and what do they do?

The generally agreed upon way to access each protocol is through the logical construct that identifies a specific process, or a type of network service, called a port.

I don't want to dive deep into all of the protocols and ports at this level (because there are 65,535 ports), but a few of the main ports and their associated protocol as well as a few explanations of a few popular ports.

20/21: File Transfer Protocol (FTP)
22: Secure Shell (SSH) Secure Login
23: Telnet remote login service, unencrypted text messages
25: Simple Mail Transfer Protocol (SMTP) E-mail routing
53: Domain Name System (DNS) service
67, 68: Dynamic Host Configuration Protocol (DHCP)
80: Hypertext Transfer Protocol (HTTP)
110: Post Office Protocol (POP3)
119: Network News Transfer Protocol (NNTP)
123: Network Time Protocol (NTP)
143: Internet Message Access Protocol (IMAP) Management of digital mail
161: Simple Network Management Protocol (SNMP)
194: Internet Relay Chat (IRC)
443: HTTP Secure (HTTPS) HTTP over TLS/SSL

Port 80: HTTP
By far the most common port, HTTP defines the rules for transferring files, images, and other media to and from web browsers with web servers over the TCP/IP connection.
HTTP is a stateless protocol that requires all requests to originate from the client-side browser and are then sent to a specific server to process the request and send back a response.

Port 443: HTTPS
This port is steadily becoming used more than port 80 because of its added security through encryption to protect all data exchanges used on it. As shown below, a normal HTTP request/response will be in plain text for anyone to see, but HTTPS encrypts the correspondence so that they cannot be ready by any unintended viewers.

HTTPS is HTTP over an SSL/TLS connection that makes use of public key encryption (where there are two keys — public and private) to distribute a shared symmetric key, which is then used for transmission. (9)

Port 53: DNS
A DNS (Domain Name System) is kind of like a phonebook that lives at your Internet Service Provider (ISP); or on your local system in a few places.
In short, when you make a request for a website (www.example.com) your system will use UDP to attempt to locate its IP address by recursively making DNS requests to attempt to locate and translate your requested domain name (example.com) into an internet protocol (IP) address (something like 123.345.567.789).

Ports 25: SMTP, 110: POP3, & 143: IMAP
SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol), and IMAP (Internet Message Access Protocol) are used to manage the sending and receiving of digital mail to and from a mail server.

More specifically, IMAP and POP3 are most commonly used for retrieving emails and STMP is used for sending emails across the Internet.

Port 123: NTP
The NTP (Network Time Protocol) is an interesting protocol to me because it is one of the oldest protocols used and is generally only used for clock synchronization between computer systems over packet-switched, variable-latency data networks.

For example, most modern operating systems support NTP as a basis for keeping an accurate clock.

How it all comes together

When your Browser makes a request for a page it will take any data associated with the request and make package it together in a "packet" that it will send to its associated Transport Layer protocols (TCP or UDP).
- If the data is too large each layer will break the data into chunks called "packets" that will each travel to the destination in the same process.
Once at the Transport Layer protocol, the defined protocol will add on a TCP Header containing its own specific information about the destination, length, padding, special options, and more depending on if it is a UDP or TCP based request. Then the Transport Layer protocol will send the new packet of data to the Internet/Network layer (see the OSI model for more info)
Now at the Internet Layer the packet the protocol will add on the IP Header and make a Datagram frame that it will be sent to the DataLink layer.
At the DataLink layer the rest of the original frame is encapsulated into a new frame the associated headers (MAC Header and LLC Header) and footers (FCS footer) are added before it is sent over the communication channel of the Physical Layer.
Once the intended device receives the data the opposite actions are performed according to its intended use.

Image from Computer Networking Notes in link 10 below

Why should you care?

The need to understand protocols is important to make sure that you are using the correct protocol for your need and you are not using protocols that have other intended uses. There are a lot of protocols available and there is no need to reinvent the wheel if you can learn how to use it properly. (Read the RFCs for protocol standards.) Not understanding protocols and their use can lead to broken access issues or leaking date that might be accessible through a different protocols than intended.

Happy Hacking

Resources:

Please Note: that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.