DEV Community: Victor Feight

A Motivated Example of Variable Length Subnet Masks

Victor Feight — Mon, 27 Jun 2022 07:05:53 +0000

https://www.youtube.com/watch?v=S4k3fGhCEI4

What is Subnetting?
How does CIDR work?
Motivation for VLSM 1: Static Length Subnet masks
How VLSM Works
Designing a VLSM
Designing a VLSM Example
Summary
References

What is Subnetting?

Hey everyone, I'm taking a small detour from my Dokku series to play with some numbers. 🦓

In this blog post, I'll try and teach you all the tricks I've struggled to learn with variable length subnet masks through a motivated example.

But first, what is subnetting?

Subnetting helps us break large networks into smaller network segments, allowing network traffic to travel a shorter distance without passing through unnecessary router hops on the way to its destination.

This eases network congestion and reduces network load, increasing network efficiency.

How does CIDR work?

Classless Inter-Domain Routing (CIDR) is a subnetting notation used in modern networking. CIDR helps an IP address encapsulate both total network count and total host count for the network range in one address, determined by the network bits (1s) and the following host bits (0s).

/8 = 255.0.0.0  (ie first 8 bits of subnet mask are one—11111111)
/16 = 255.255.0.0
/24 = 255.255.255.0
/32 = 255.255.255.255

It works like this, say we have an IP address, 172.16.0.0/24.

In decimal, that's 255.255.255.0.

The /24 means that the first 24 bits of the network bits are turned on in the subnet mask.

ie. 11111111.11111111.11111111.00000000 indicate 24 network bits (set), and 8 host bits (unset). Network bits on the left, host bits on the right.

This is 2ⁿ networks, where n is number of network bits, resulting in 16,777,216 networks.
The number of hosts is 2^h, where h is the number of host bits, resulting in 256 hosts per network.

Who's that subnet?:
In decimal, that's 255.255.255.0. Familiar? That's because it was also used into old Classful addressing, which is still used in Windows IP protocol settings:

Motivation for VLSM 1: Static Length Subnet masks

When the subnet mask is the same for every subnet, usable IPs become wasted. That's how old Classful IP addressing used to work before CIDR.

Across this whole network a mask of /24 is used, resulting in 254 usable hosts per subnet. Note that in every single subnet, some host addresses will remain unused. In particular, 252 host addresses are wasted for each Point to Point WAN Link between the routers.

Let's calculate it: Altogether, we are using 201 + 201 + 51(4) + 2 + 2 + 2 + 2 addresses (add 1 to each LAN segment since it's connected to router interface) = 612 used addresses.

The total allotted using /24 across the network would be 254(6) for the LANs + 254(4) for each of the WAN links = 2,540 total alloted.

Then the wasted addresses would be 1,928 IP addresses.

That's a lot of addresses for traffic to flow between, with may result in many unnecessary routes between router hops, resulting in network congestion.

Calculating Usable IPs:
Usable IP address formula is 2^h - 2, where h = number of host bits. This is because we subtract the 2 unusable IPs, Network IP and Broadcast IP.
172.16.0.0/24

Would leave 8 host bits. 2⁸ - 2 = 254 usable IPs.

How VLSM Works

By using VLSM, each LAN and WAN point to point Link can have a different Subnet mask. You may have guessed the advantage to this: LANs with fewer required hosts can have their own subnet.

Now we can have each LAN segment behind HQ router use /24 mask, resulting in 254 usable IPs, so only 254 usable IPs - 201 addresses used = 53 IPs wasted per LAN (if you include the router interface in the addresses used).

For branch LANs behind routers A through D, /26 results in 62 usable IPs, so only (62 - 51) = 11 IPs wasted per LAN.

For each WAN Link, /30 results in 2 usable IPs, so only two IPs are needed for Serial Point to Point WAN Links (one for each router interface link). This means 8 usable IPs, one for each of the linked router interface pairs, resulting in no wasted IPs.

Designing a VLSM

The general steps to designing a VLSM for a network is as follows:

Arrange the network from largest to smallest
Use the chart to determine mask, and divide the address into equal address blocks (subnetting).
Note the remaining subnet numbers from mask in step 2.
Take the next available subnet, and subnet it further for smaller networks.
Write down new subnet numbers again.
Repeat steps 4-5 for smaller segments.

Designing a VLSM Example

The first step will be to arrange the networks from largest to smallest:

The network in order of host-size will be:

LAN-D is the largest with 29 hosts behind Router D
LAN-B with 20 hosts behind Router B, LAN-C with 20 hosts behind Router C
LAN-A with 13 hosts behind Router A
WAN Link A <--> D with 2 hosts, WAN Link B <--> D with 2 hosts, WAN Link C <--> D with 2 hosts

Note that LAN-D is the largest with 30 hosts (29 hosts + 1 router interface). Checking the chart, we can see that as we require 30 hosts, /27 would provide us with 2^h - 2 = 2⁸ - 2 = 30 usable addresses.

Therefore, we'll assign 192.168.1.0/27 to LAN-D segment. With this /27 network we'll have a subnet mask of 255.255.255.224/27.

That's 11111111.11111111.11111111.11100000, with 5 unset host-bits, that's 2⁵ = 32 hosts possible per subnet.

256 - 224 = 32 (magic number)
0 32 => NW IP 192.168.1.0, Broadcast IP: 192.168.1.31

Thus, our subnet possibilities for 192.168.1.0/27 are:

192.168.1.0/27
192.168.1.32/27
192.168.1.64/27
192.168.1.96/27
192.168.1.128/27
....etc

ROUTER D LAN:
Number of Hosts – 30
Host Bits – 5 bits
Subnet Mask – /27 or 255.255.255.224
Increment – 32
Network Address – 192.168.1.0
Broadcast Address – 192.168.1.31
Usable IP Addresses – 192.168.1.1 to 192.168.1.30

Note that the next smallest subnets, LAN-B and LAN-C attached to Router-B and Router-C both require 21 host addresses (20 hosts + 1 router interface each). Going by the chart, the smallest possible block-size for 21 hosts is 32, which is a /27 subnet mask.

We already have two subnets with /27 available from step 2. Assign them to LAN-B and LAN-C subnets:

192.168.1.32/27
192.168.1.64/27

ROUTER B LAN:
256 - 224 = 32 (magic number)
32 64 => NW IP 192.168.1.32, Broadcast IP: 192.168.1.63

Number of Hosts – 21
Host Bits – 5 bits
Subnet Mask – /27 or 255.255.255.224
Increment – 32
Network Address – 192.168.1.32
Broadcast Address – 192.168.1.63
Usable IP Addresses – 192.168.1.33 to 192.168.1.62

ROUTER C LAN:
256 - 224 = 32 (magic number)
64 96 => NW IP 192.168.1.64, Broadcast IP: 192.168.1.95

Number of Hosts – 30
Host Bits – 5 bits
Subnet Mask – /27 or 255.255.255.224
Increment – 32
Network Address – 192.168.1.64
Broadcast Address – 192.168.1.95
Usable IP Addresses – 192.168.1.65 to 192.168.1.94

The next smallest subnet is LAN-A with 14 host addresses (13 hosts + 1 router interface). From the chart, we can see the smallest block size is 16, so we can use subnet mask /28.

Take the next available subnet from /27:

~~192.168.1.0/27~~
~~192.168.1.32/27~~
~~192.168.1.64/27~~
192.168.1.96/27

Subnet 192.168.1.96 further using the /28 mask, resulting in two subnets: 192.168.1.96/28, 192.168.1.112/28.

Finding the number of Subnets:
Recall prior 192.168.1.0/27 binary subnet: 11111111.111111111.11111111.11100000

192.168.1.96/27 to /28 means 1 host bit was borrowed (111 to 1111), and the formua for number of subnets is 2^{s, where s is host bits borrowed.}

Thus 2¹ = 2 subnets.

We assign the first available subnet to LAN-A segment (192.168.1.96)

Write down the new subnet numbers again.

Our two subnets would be:

192.168.1.96
192.168.1.112

ROUTER B LAN:
192.168.1.96/28 means 11111111.11111111.11111111.11110000 or 240 subnet mask. 256 – 240 = 16 (magic number).
96 112 => NW IP 192.168.1.96, Broadcast IP: 192.168.1.111

Number of Hosts – 14
Host Bits – 4 bits
Subnet Mask – /28 or 255.255.255.240
Increment – 16
Network Address – 192.168.1.96
Broadcast Address – 192.168.1.111
Usable IP Addresses – 192.168.1.33 to 192.168.1.62

Repeat steps 4-5 for the three point-to-point WAN segments.

The smallest segments are the three WAN links between the routers (2 hosts each):

WAN Link A <--> D with 2 hosts
WAN Link B <--> D with 2 hosts
WAN Link C <--> D with 2 hosts

We know that each of these WANs' address block sizes will need to accommodate 2 usable host IPs (for both router interfaces) plus 2 (the network IP and the broadcast ip).

This is because 2^h - 2 = 2² - 2 = 2 usable IPs.

Therefore, 2 hosts requires block size 4, and thus subnet mask /30.

Available subnets:

~~192.168.1.96~~
192.168.1.112

Take the next available subnet: 192.168.1.112/28 and subnet it further with a /30 mask.

192.168.1.112/30 has 2^h = 2² hosts per subnet.

11111111.11111111.11111111.11110000 (/28)
11111111.11111111.11111111.11111100 (/30)

2 host bits borrowed gives 2^s = 2² = 4 subnets possible.

We'll take the next 3 for our WAN Link Segments:

192.168.1.112/30
192.168.1.116/30
192.168.1.120/30
192.168.1.124/30

WAN Link A <--> D:

192.168.1.112/30 11111111.11111111.11111111.11111100 => 255.255.255.252/30 256 - 252 = 4 (magic number) 112 116 => NW IP 192.168.1.112/30, Broadcast IP: 192.168.1.115

Number of Hosts – 2
Host Bits – 2 bits
Subnet Mask – /30 or 255.255.255.252
Increment – 4
Network Address – 192.168.1.112
Broadcast Address – 192.168.1.115
Usable IP Addresses – 192.168.1.113 to 192.168.1.114

WAN Link B <--> D:

192.168.1.116/30 116 120 => NW IP 192.168.1.116/30, Broadcast IP: 192.168.1.119

Number of Hosts – 2
Host Bits – 2 bits
Subnet Mask – /30 or 255.255.255.252
Increment – 4
Network Address – 192.168.1.116
Broadcast Address – 192.168.1.119
Usable IP Addresses – 192.168.1.117 to 192.168.1.118

WAN Link C <--> D:

192.168.1.120/30 120 124 => NW IP 192.168.1.120/30, Broadcast IP: 192.168.1.123

Number of Hosts – 2
Host Bits – 2 bits
Subnet Mask – /30 or 255.255.255.252
Increment – 4
Network Address – 192.168.1.120
Broadcast Address – 192.168.1.123
Usable IP Addresses – 192.168.1.121 to 192.168.1.122

Summary

We've broken down our subnet from a /27 to a /28 and then to a /30. By optimizing our subnetting with VLSM, we can summarize results:

LAN-D is the largest with 29 hosts behind Router D

LAN-D requires 30 hosts (29 hosts in LAN segment, 1 for router interface)
With /27 it has 2⁵ - 2 usable hosts, giving 31 hosts (30 usable hosts + 1 for router interface). Thus there is 1 wasted IP address on LAN-D.

LAN-B with 20 hosts behind Router B, LAN-C with 20 hosts behind Router C

LAN-B requires 21 hosts (20 hosts in LAN segment, 1 for router interface). /27 gives 31 hosts (30 usable hosts + 1 for router interface), . Thus, in LAN-B and LAN-C, there are only 10 wasted IP addresses each.

LAN-A with 13 hosts behind Router A

LAN-A requires 14 hosts (13 in LAN segment, 1 for router interface). /28 gives 15 hosts (14 usable hosts + 1 router interface). Thus there is 1 wasted IP address on LAN-D.

WAN Link A <--> D uses 2 hosts (as does WAN Link B <--> D and WAN Link C <--> D)

WAN Link A <--> D requires 2 hosts (one at each router interface in the Point to Point WAN Link). /30 gives 2 usable hosts. Thus there are no wasted IP addresses on any WAN links.

Altogether, we have 92 addresses being used (30 + 21 + 21 + 14 + 2 + 2 + 2).
We have 114 addresses total allocated (15 + 31 + 31 + 31 + 2 + 2 + 2).

Thus, 114 - 92 = 22 addresses wasted. Big improvement over 1,928.

Hope you enjoyed, and hope to be back soon.

References

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 4

Victor Feight — Fri, 17 Jun 2022 01:58:34 +0000

Sidequest: Installing NVM in Powershell
Local Strapi backend Installation
Configuring our Local Strapi Backend
Install GraphQL plugin and configure it locally
Creating a Collection Type for Articles
Set roles and permissions on our Strapi API
Database configuration with .env variables
Testing the Strapi API Locally via GraphQL
Still to Come...

Welcome back!

╰(°▽°)╯

If you've been following along so far, you should have a Dokku instance on DigitalOcean that's been hardened from attackers (through SSHD configuration and Fail2Ban static IP allow-lists). You should also have a MySQL database server installed onto the instance. ✔

In this post, we'll be installing Strapi CMS onto our local machine, and then allow Strapi to talk to our local MySQL instance. Strapi is an open-source content management system that eases managing a custom blog by enabling multiple users and fine-grained permissions over adding, editing, or deleting posts.

Once it's set up, it's as easy as making a new post with your username through Strapi's dashboard, and the file will get posted into our database automatically. We can turn on the GraphQL Playground and start querying for our posts.

INFO: Hostname is blocked by MySQL
Recently, I had an error when trying to connect to my remote mysql instance via MySQL Workbench.
The error was along the lines of: Host is blocked because of many connection errors.

At this point, I ssh'd into my machine with ssh vic@apps.vicstech.xyz, entered my dokku db instance with dokku mysql:enter db and while in the dokku db bash instance, entered mysql -u root -p followed by my db password.

Once in, I ran FLUSH HOSTS; to empty the host table. Apparently this happens if more than max_connect_errors occur successively for a given host, MySQL will block them. By flushing the tables, further connection attempts from the host are allowed.

Sidequest: Installing NVM in Powershell

TIP: Strapi and Node versions

Strapi won't run on NodeJS odd numbered versions - which are for developers. If you're not using LTS, you can temporarily change to use 14.16.1 with nvm use 14.16.1 in an elevated powershell (assuming nvm is installed).

TIP: The easiest way to install nvm (Node Version manager) is to use Chocolatey. 🍫

Right Click Powershell icon in Start menu, select Run As Administrator.
Confirm chocolatey is installed by running choco command in a new elevated Powershell.

If it's not installed, run the following command: Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
Install nvm using choco by running: choco -y nvm
Open a new, regular Powershell and install Node.js using nvm: nvm install 14.16.1

Great. We'll need to use Node 14.16.1 LTS in Powershell to ensure optimal Strapi and node compatibility.

Local Strapi backend Installation

Create a new directory in your project and name is strapi-dokku-backend.

We're going to download the latest Strapi code onto our local machine before pushing it to our dokku instance.

In powershell with node 14.16.1 enabled, run npm/npx to install the Strapi project named 'strapi-backend' locally:

npx create-strapi-app@latest strapi-backend

Choose manual Installation with arrow keys, press Enter
Choose mysql as default database client
Enter db as Database name.
Enter localhost as Host.
Enter 3306 as Port.
Enter root as username
Enter password used for local and remote root MySQL instances.
Enter N for "Enable SSL connection" option

INFO: You can retrieve this password by sshing into apps.vicstech.xyz and running: sudo cat /var/lib/dokku/services/mysql/db/ROOTPASSWORD on your Dokku instance.

If you've been following along, this password should now be associated with both the root user in your local MySQL Workbench, as well as the root user of our remote MySQl instance on the Dokku Digital Ocean droplet. If you entered something different as a local password, ensure DATABASE_PASSWORD in env is set to your remote instance ROOTPASSWORD, as that will take precedence in settings when Strapi is pushed onto dokku.

Next, run the following commands in the newly created strapi-backend directory:

cd strapi-backend
npm install
npm install strapi-admin

Powershell Output:

Strapi command reference:

Available commands in your project:

npm run develop
# Start Strapi in watch mode. (Changes in Strapi project files will trigger a server restart)

npm run start
# Start Strapi without watch mode.

npm run build
# Build Strapi admin panel.

npm run strapi
# Display all available commands.

# You can start by doing:
cd /mnt/c/Users/Vic/Documents/CODE_2020/ELEVENTY/strapi-dokku-backend/backend
npm run develop

Configuring our Local Strapi Backend

We can go ahead and give it a whirl by running the following commands in the Strapi strapi-backend folder:

npm run build
npm run start

If everything went smoothly, you should get a Windows Firewall notification asking to allow Strapi permission to serve its admin panel. Go ahead and allow it.

As per Strapi developer docs quick start guide:

Once the installation is complete, your browser automatically opens a new tab.
By completing the form, you create your own account. Once done, you become the first administator user of this Strapi application. Welcome aboard, commander!
🥳

Complete this form to create the first Administrator user and click Let's Start!

Now you'll have access to the Strapi admin panel. Navigate to http://localhost:1337/admin in your browser and you should see a success message:

Now we've got a local Strapi server running (strapi-backend), configured to use MySQL with a database named db through port 3306.

Install GraphQL plugin and configure it locally

We're going to install the GraphQL playground plugin and configure it to be used both locally or remotely.

Press Ctrl-C to cancel any running Strapi instance, then run the following in your strapi-backend project directory:

npm run strapi install graphql

Output:

Next, create a plugins.js file at /config/plugins.js (in your root strapi-backend directory):

// path: ./config/plugins.js

module.exports = {
  //
  graphql: {
    config: {
      endpoint: "/graphql",
      shadowCRUD: true,
      playgroundAlways: true,
      depthLimit: 7,
      amountLimit: 100,
      apolloServer: {
        introspection: true,
      },
    },
  },
};

This will enable Strapi's GraphQL playground both locally and remotely (by default, it's turned off when deployed remotely), and set its endpoint to /graphql.

Output:

Now, go ahead and rebuild Strapi with GraphQL installed, and run in develop mode:

npm run build
npm run develop

Creating a Collection Type for Articles

INFO: Develop Mode
Develop mode allows us to add new collection types, and add fields to these new collection types.

We're going to create a data structure for our future blog content, add some entries and publish them so that the API for the content can be consumed. We do this by first creating collection types for Article with the content-type builder and create the fields to display when adding new entries.

Navigate to Content-Types Builder under Plugins in the left-hand menu.
Click the "+ Create new collection type" link
Name it Article and click continue
Add a Text field (short text) and name it title
Click the "+ Add another field" button
Add a Rich Text field and name it content
Click the "+ Add another field" button
Add a Date field (date) and name it date
Click the "+ Add another field" button
Add a Text field (short text) and name it author
Click the "+ Add another field" button
Add a Text field (short text) and name it excerpt
Click the "+ Add another field" button
Add a Text field (short text) and name it categories
Click the "Finish" button
Click the Save button and wait for Strapi to restart

For more information, see the Strapi Quick Start guide.

Set roles and permissions on our Strapi API

Next, we'll set roles and permission on our API and and then test querying our new posts in GraphQL.

Click Content Manager on the left menu.
Navigate to Article under Collection Types

Click "Create New Entry".

Fill in this information in the fields specified :
title: This is my lovely title
content: Hope you enjoy this great content.
author: vrfeight
data pick a date of your choice
exerpt: Short description
categories: test

Click Save.

In order to send requests to the Strapi API, we need public permissions on our articles to make them accessible.

Navigate to Settings under General left menu.
Navigate to Roles under Users & Permissions Plugin.
Click the Public Role
Scroll down under Permissions, find Articles
Tick the find and findone boxes.
Click Save

Now that we have a collection type with content, and permissions on the articles, we can finally test querying our API. 🎉

Database configuration with .env variables

We'll finish setting everything up locally and confirm that local MySQL database querying works in the GraphQL playground.

Now, the next part's important, so sip your tea and roll up your sleeves. 🍵👕

TIP: Strapi local .env to remote settings

Strapi uses an environment variable for Host, Port, APP_KEYS, and JWT_SECRET. When pushed to dokku, all these environment variables can be processed once configured on the server for our strapi-backend application, in addition to any other variables set in the .env file.

Our authentication strategy is based on the use of Users & Permissions plugin API access.

You will see in the database.js file's module.exports function there is a connection property holding an object with these configuration values (password will be unique, set upon Strapi installation):

require("dotenv").config();

module.exports = ({ env }) => ({
  connection: {
    client: "mysql",
    connection: {
      // host: env('DATABASE_HOST', 'localhost' ),
      host: env("DATABASE_HOST", "localhost"),
      port: env.int("DATABASE_PORT", 3306),
      database: env("DATABASE_NAME", "db"),
      user: env("DATABASE_USERNAME", "root"),
      password: env("DATABASE_PASSWORD", "e754d62fcfk5f929"),
      ssl: env.bool("DATABASE_SSL", false),
    },
  },
});

The way this works, is that the local Strapi server will check the first argument value (ie DATABASE_PORT or DATABASE_HOST), and if these values are not found in the .env file, then use the second argument provided (3306 or localhost)

A default Strapi .env file might look like this:

Thus, we can start by testing our local server with this default .env file, and afterward add database variables in .env with information from our remote mysql server.

This will allow us to query from either a local database (MySQL Workbench) or our remote MySQL instance by commenting or uncommenting Database variables in .env.

TIP: Remote Dokku-mysql environment vars

Later, when we push Strapi onto our remote dokku instance, we will use dokku config to set these same environment variables remotely, so that Strapi can pick up our remote dokku-mysql database. 😎

Testing the Strapi API Locally via GraphQL

To query your data, navigate to http://localhost:1337/api/articles/1

You should get back a JSON response:

Navigate to http://localhost:1337/graphql
Welcome to your personal GraphQL Playground. 🙂

Try this query:

# Write your query or mutation here
query {
  article(id: "1") {
    data {
      id
      attributes {
        title
        content
        date
        author
        excerpt
      }
    }
  }
}

Output:

Success. We've just successfully queried our local MySQL database through Strapi's GraphQL playground.

Great job. 🎈

Still to Come...

Next time, we'll be deploying and confiuring Strapi on our Digital Ocean droplet, and we'll use the Dokku Plugin for LetsEncrypt to obtain a free certificate for our domain vicstech.xyz as well as our new strapi-backend subdomain we'll be creating.

Then, we'll practice querying our remote database with GraphQL, and start setting up an 11ty front-end to retrieve entries from the database .

Hope to see you soon.

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 3

Victor Feight — Tue, 07 Jun 2022 11:04:20 +0000

!!! warning
here be dragons

Table of Contents
Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 3
Apps needed to proceed
Download and Install MySQL services
Configure Local MySQL services and choose Authentication Method
Install and configure Dokku mysql plugin (Remote)
(Remote) Playing around with our new MySQL database
- Sidequest? Adding a MySQL User for extra security
Still to come...

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 3

Hello, welcome back! In the last post I made, I added SSH keys to my Dokku DO droplet, assigned it a floating IP, and added an A record in Cloudflare DNS settings so we can SSH into it any time with ssh vic@apps.vicstech.xyz. I then set up a static IP on my host PC, installed Fail2Ban on my remote Digital Ocean Dokku droplet, and whitelisted our host PC's IP on the remote server in both SSH and Fail2Ban's configuration. In addition, I created a new user to work under and disabled root login for extra security, and hardened both Fail2Ban and SSH configurations against attackers. See my previous post for more info.

For this post, I'd like to show you how to install the MySQL plugin for Dokku and see if we can test it out using MySQL workbench remotely.

Apps needed to proceed

Node.js v16.13.2. You can use nvm(node version manager) to install older versions of Node.js or manage multiple versions.

npm (node package manager), which comes with Node.js. I'm using Git Bash in this tutorial to run npm but you could also use Powershell.
MySQL Community Server v8.0.x.

Download and Install MySQL services

As I've already installed and set up MySQL, I'll go ahead and relaunch the MySQL Installer now, but these instructions would work for a new installation:

!!! note
If you're installing MySQL, choose Developer Default option to install necessary services for Strapi. Let the installer install any missing requirements.

If you get a message like the following, go ahead and click next; you can install missing requirements later.

Let the installer continue and install any missing products.

Configure Local MySQL services and choose Authentication Method

MySQL, which Strapi uses, has a client-to-server architecture, which interacts over a network. To configure the server, we need to do a MySQL Product Configuration for MySQL Server and MySQL Router.

MySQL Server will grant the Strapi application access to the DBMS. The DBMS then handles all queries and connections.

MySQL Router acts as a middleware, routing between our Strapi application and the MySQL Server.

For the MySQL Server configuration type, choose "Development Computer", ensure your settings look like this:

!!! attention
Important note: We need to set the authentication method to Use Legacy Authentication Method as I've had issues getting dokku's mysql plugin to work with Strapi using the default recommended authentication method.

Ensure your screen is like this:

Enter a memorable password for our local MySQL root user, then click next. We want to ensure a successful connection as root user.

For Windows Service settings, leave everything default:

This will add the MySQL Windows Service to your system, and enable it whenever Windows restarts.

Last, click "Next" and then Apply Configuration by clicking Execute.

Click Finish. When prompted for Router configuration, leave it blank and continue.

Finally, enter your credentials in the test scripts for root user to execute the scripts.

Now MySQL Services and workbench should be successfully installed locally. 🌟

Install and configure Dokku mysql plugin (Remote)

Now we have installed MySQL services and workbench on our local Windows machine. Next, let's install dokku-mysql plugin on our remote Dokku instance.

So far, we haven't touched a single Dokku command. Let's change that by installing the official dokku mysql plugin (currently defaults to mysql 8.0.28):

sudo dokku plugin:install https://github.com/dokku/dokku-mysql.git mysql

Output:

When it's finished installing, we can create a new database named db with the following command:

dokku mysql:create db

Output:

Note the Dsn:
mysql://mysql:3e7b42ca09896a88@dokku-mysql-db:3306/db

We should expose port 3307 on our remote mysql instance so that we can test a remote connection with MySQL workbench.

dokku mysql:expose db 3307

Output:
-----> Service db exposed on port(s) [container->host]: 3306->3307

Next, note the config directory: /var/lib/dokku/services/mysql/db/config

We can cat for the root password in this directory:

sudo cat /var/lib/dokku/services/mysql/db/ROOTPASSWORD

Take note of it!

With the exposed port and root password, we should be able to remotely access the db database from MySQL workbench.

Create a new connection in MySQL Workbench home and input the following information:

Hostname: apps.vicstech.xyz
Port: 3307
Username: root

Click Test Connection and enter the mysql root password you just noted.

Success! 🌟 Some helpful tips for your new instance can be found on this gist.

(Remote) Playing around with our new MySQL database

We can connect to our db as follows but note as we're a regular user we cannot edit our database on the server: dokku mysql:connect db

Enter your dokku db instance with the following command:

dokku mysql:enter db

Then, while in the dokku db bash instance, enter the following, and enter the password noted earlier when prompted:

mysql -u root -p

Now we're logged into our remote MySQL server as root.

Enter the following command at the root sql cli to see which authentication plugin our root user uses:

SELECT user, plugin FROM mysql.user WHERE user IN ('root');

To connect Strapi with MySQL, we have to ensure the authentication plugin for our root user is mysql_native_password as our Strapi/dokku-mysql combo currently does not support the auth plugin that comes with MySQL 8.0.x, chaching_sha2_password.

!!! note
Seeing 2 root accounts here is normal, one describes the rules for 'root'@'%' and the other for 'root'@'localhost'. I went ahead and changed both to use mysql_native_password.

Enter the following command, replacing password with a memorable root password (you can use the one from earlier, to continue testing queries in MySQL Workbench without trouble).

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

Then:

ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY  'password';

Then refresh privileges with this query:

flush privileges;

Resulting output:

If your authentication plugin is now mysql_native_password, you're good to install Strapi.

Sidequest? Adding a MySQL User for extra security

!!! note
MySQL also comes with some security considerations—a default superuser account called root is enabled by default, which can dump the whole database, or create and delete any user from the user management list, and this can be a security issue. It is often sensible therefore to create another MySQL user account, with a more restricted set of privileges for daily use.

Still to come...

Next time, I'll install Strapi CMS onto Dokku and allow Strapi to talk to our MySQL instance. Last, we'll play around in GraphQL playground (built in to Strapi), querying our MySQL instance.

By the end, we'll be able to use Strapi as a small scale, headless CMS blogging engine, configured with MySQL—giving our blog access to security features and user permission management.

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 2

Victor Feight — Tue, 07 Jun 2022 10:46:20 +0000

Table of Contents
- Hardening the Ubuntu Dokku Droplet Part 1: Creating a new user in the sudo group
- Hardening the Ubuntu Dokku Droplet Part 2: Harden OpenSSH on Ubuntu and disable root
- Changing your Host to a Static IP and Implementing an IP address Allowlist Part 1
- Changing your Host to a Static IP and Implementing an IP address Allowlist Part 2
- Connecting the dots...getting a blog pushed onto Cloudflare pages, querying our MySQL database on the DO Dokku droplet via a GraphQL playground in Strapi (hosted also on our DO Dokku droplet).

Hardening the Ubuntu Dokku Droplet Part 1: Creating a new user in the sudo group

!!! tip
As a preface, to anybody who's interested in hardening your Linux server, I highly recommend "Unix and Linux Administration Handbook 5th edition" which contains the following advice and more.

!!! note
Recall, instructions prefaced with REMOTE are run on my remote Dokku droplet in an SSH terminal.

For further instructions, see here and here.

REMOTE: Set the RAM swap. Although we will be temporarily increasing memory when installing Strapi, using a RAM swap decreases the chances of failure due to low memory when installing NPM packages. For more information, see here.

cd /var
touch swap.img
chmod 600 swap.img
dd if=/dev/zero of=/var/swap.img bs=1024k count=1000
mkswap /var/swap.img
swapon /var/swap.img
free
echo "/var/swap.img    none    swap    sw    0    0" >> /etc/fstab

Here's my output:

REMOTE: Let's adjust swappiness values and vfs_cache_pressure. swappiness values close to 100 (the default) attempt to load the SWAP with data to free up RAM. For a server, this is better closer to 0: sudo sysctl vm.swappiness=10

vfs_cache_pressure is related to inode/filesystem access and should be set conservatively, so inode information is removed from cache less often:

sudo sysctl vm.vfs_cache_pressure=50

Output:

To make these settings persist, sudo nano /etc/sysctl.conf and add the following to the bottom of the file:

vm.swappiness = 10
vm.vfs_cache_pressure = 50

Output:

Being root user is a huge security problem, as you could wipe your system in a single command if you're not careful. Let's remedy this by creating our own user account and later we'll be turning off root account.

REMOTE: Create a new user as root with adduser <username>

REMOTE: Grant that user administrative privileges with usermod -aG sudo <username>

REMOTE: Next, we copy Public SSH keys from the root user to our own user. The set of commands is as follows, replace vic with the user you created:

mkdir -p /home/vic/.ssh # Create ssh directory
chmod 700 /home/vic/.ssh # Apply directory permissions
cp /root/.ssh/authorized_keys /home/vic/.ssh/authorized_keys # Copy the ssh authorized key
chown -R vic:vic /home/vic/.ssh # Apply user and group permissions
chmod 600 /home/vic/.ssh/authorized_keys # Apply file permissions

LOCAL: Reconnect to the droplet as your new user. exit the root remote connection, then, on a local Git Bash window, run ssh <user>@<subdomain>.vicstech.xyz

REMOTE: Delete the Docker ports which are opened by default to mitigate security risks.

sudo ufw status

# Delete Docker UFW rules
sudo ufw delete allow 2375/tcp
sudo ufw delete allow 2376/tcp

sudo ufw status

My output:

Nice, we're getting there. 🌷

We've set up a new user account with sudo privileges and added a swap file.

Hardening the Ubuntu Dokku Droplet Part 2: Harden OpenSSH on Ubuntu and disable root

We're almost finished setting up our server. The last things we need to do are harden our security settings for OpenSSH, and install Fail2Ban to prevent unwanted logins.

Information is taken from this guide.

Now that we're logged in as a new user, let's go ahead and harden OpenSSH then install Fail2Ban.

REMOTE: Backup configuration file: sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
REMOTE: Edit the SSHD configuration with sudo nano /etc/ssh/sshd_config

Change the following settings to more secure ones as follows:

PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no

Output:

REMOTE: Validate the syntax with sudo sshd -t, which should have no output if everything is correct:
REMOTE: Reload the new settings with sudo service sshd reload
LOCAL: Now, if we attempt to SSH at root, we get the following output:

Alright, good. Now root can no longer login, which was a big security risk. We'll continue by implementing an IP Address Allowlist.

The basic idea behind this is Deny By Default security, in which all inbound and outbound traffic not expressly permitted by SSHD service is blocked. 🛑

Changing your Host to a Static IP and Implementing an IP address Allowlist Part 1

!!! note
The following commands are all local.

Even if by some odd chance your private keys or password gets leaked, if you have implemented an IP address allow list, you can ensure only users on those IP addresses can login. Let's do that now.

!!! tip
For the purposes of this guide, I'll be setting up my Ethernet IP as static, though the instructions are similar for a Wi-Fi adapter.

I'll be taking steps from this guide.

Type ip address into the Windows 10 search bar, then click "Ethernet Settings"
Click "Change Adapter options"
Right click on Ethernet to set up a static IP over Ethernet, or right click on WiFi if your computer is connected via WiFi --> Then click "Status"

Click "Details"
Take note of the following info: IPv4 address, IPv4 subnet mask, IPv4 default gateway, and IPv4 DNS server.

!!! note
As my IP is currently Static, it says DHCP is not enabled.

This information can also be found via ip config /all on the Windows CMD prompt:

Note: the adapter's name is "Ethernet"

IPv4 Address: 10.0.0.220 (Preferred)
IPv4 Subnet Mask: 255.255.255.0
IPv4 Default Gateway: 10.0.0.1
IPv4 DNS Servers:
- 75.75.75.75
- 75.75.76.76

We can set our static IP address graphically or through the CMD. To set it graphically, follow the rest of this guide.

To set it manually via CMD using netsh command, keep following:

To set a static IP address to 10.0.0.220 for an adapter named "Ethernet", with subnet mask 255.255.255.0, and Gateway 10.0.0.1:

   IPv4 Address. . . . . . . . . . . : 10.0.0.180(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, February 24, 2022 9:07:06 AM
   Lease Expires . . . . . . . . . . : Saturday, February 26, 2022 9:07:06 AM
   Default Gateway . . . . . . . . . : fe80::10:18ff:fe46:236a%12
   10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1

C:\WINDOWS\system32>netsh interface ip set address name="Ethernet" static 10.0.0.220 255.255.255.0 10.0.0.1

Output of ipconfig /all:

Note: If you're using a Wifi Adapter, check the name in ipconfig /all:

Your adapter name would be "Wi-Fi" (case-sensitive).

To set the DNS servers:

Set DNS servers:
C:\WINDOWS\system32>netsh interface ip set dns name="Ethernet" static 75.75.75.75
C:\WINDOWS\system32>netsh interface ip add dns name="Ethernet" 75.75.76.76 index=2

Output of ipconfig /all

Great, that's it. We're static. ⚡
There's a lot of other benefits to setting your static IP such as ease of SSH use and port forwarding, but I won't get into that here.

For our next steps, let's finish configuring OpenSSH on our remote server, then configure Fail2Ban.

Changing your Host to a Static IP and Implementing an IP address Allowlist Part 2

!!! note
These instructions are taken from the latter half of this guide.

Now we're going to implement an IP Address Allowlist in both OpenSSH and Fail2Ban.

LOCAL: If you're not already, log on to the remote server again with ssh vic@apps.vicstech.xyz
REMOTE: press w and enter to see your connecting IP:

!!! note
My remote Dokku server's connecting IP is 71.59.236.28.

REMOTE: Edit our OpenSSH server configuration: sudo nano /etc/ssh/sshd_config and add some configuration directives:

AllowUsers *@71.59.236.28 *@71.59.236.0/27

Here we restrict all users to a specific IP address and a range.

To be a bit more secure, you can remove the range if you want.

REMOTE: Run sudo service sshd reload

Congratulations, your SSHD server is hardened. Next, let's install Fail2Ban to prevent any unwanted users from accessing our server.

REMOTE: Let's update with sudo apt update

Output:

REMOTE: Install Fail2Ban on our Dokku server with sudo apt install fail2ban

Output:

REMOTE: Create a .local Fail2Ban configuration file from the default jail.conf: sudo cp /etc/fail2ban/jail.{conf,local}
REMOTE: Open the jail.conf file with sudo nano /etc/fail2ban/jail.local and uncomment the line starting with ignoreip, add our local IP address followed by all machines to whitelist (insert your IP from earlier here):

ignoreip = 127.0.0.1/8 ::1 71.59.236.28 71.59.236.0/27

Output from /etc/fail2ban/jail.local

Modify the following additional settings in /etc/fail2ban/jail.local:
For more information on these options and more, see this guide.

!!! note
Set 1d to a negative like -99d if you want to permaban them.

bantime  = 1d
maxretry = 4

REMOTE: Finally, restart Fail2Ban to apply the configurations -- sudo systemctl restart fail2ban

So we've set up a static IP on our host PC, installed Fail2Ban on our remote Dokku server, and whitelisted our host PC's IP on the remote server in both SSHD and Fail2Ban configurations. We've also disabled root login and hardened both configurations against attackers.

It's a lot... but it's necessary in this dog eat dog world. 🤷🏼‍♂️
Check out your Fail2Ban logs sometime, you might see some surprising brute force and automated attack attempts...

Soon, finally, we will get to the cooler stuff 🥁

Setting up an Eleventy blog with MySQL-hosted posts and a Strapi CMS on our shiny new and secure server. 💻 🕷

Connecting the dots...getting a blog pushed onto Cloudflare pages, querying our MySQL database on the DO Dokku droplet via a GraphQL playground in Strapi (hosted also on our DO Dokku droplet).

I'll save the nitty-gritty, inner-workings of my blog and how I emulate Eleventy's high performance blog example for later. For now, we just want to connect the dots...let's see what we have and what we still need to do:

Install MySQL plugin for Dokku
Install Strapi CMS onto Dokku
Allow Strapi CMS to talk to our MySQL instance.
Query from our MySQL instance using GraphQL query playground (built-in to Strapi).
Pull queries into Blog markdown files and present them with Nunjucks templating language (and some JS) in Eleventy.

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 1

Victor Feight — Tue, 07 Jun 2022 09:03:52 +0000

Table of Contents
Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 1
Getting a Domain Name from Namesilo.com
Creating SSH Keys and adding them to your Digital Ocean Account
Creating a new Digital Ocean Dokku droplet to hold our apps and MySQL database
Getting free fast static site hosting and DNS management from Cloudflare Pages and adding new A records
Setting our nameservers to Cloudflare's within Namesilo Domain Manager
SSH into the Dokku droplet from Windows 10

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 1

For my first article, I'll review all the steps required to setting up a new digital ocean Dokku Ubuntu droplet and hardening it. Throughout this process you will be picking up a few DevOps and Front-end skills to add to your toolset. By the end, you'll have your very own secured remote Dokku server to host your static site, apps, and database. Next time I'll cover installing Dokku mysql and a Strapi CMS on our new Dokku server.

Getting a Domain Name from Namesilo.com

For the first step, you'll be deciding if you want a domain name. It doesn't really matter who you choose to go with, I personally go with Namesilo because they're cheap, easy, and they don't have "daddy" in the name. 😏

For the purposes of this tutorial, I'll walk you through creating a new domain name with namesilo.com, though do note that Cloudflare also sells domain names if you want to do it all through them.

After creating an account at namesilo.com, search a new domain name to create. For this tutorial, I'll be using vicstech.xyz (since it's only 99 cents). Press the Add button, then "Checkout".
After purchasing, leave "Service link" as "None (default)". We'll be configuring our DNS nameservers we get from Cloudflare pages in a bit, so leave that blank for now, so go ahead and click "Skip this step".
Click domain manager, then the little 🌎 icon next to our new domain name to get to DNS management.

Cool, now I have a new domain name, vicstech.xyz. By default, it creates a few A records and CNAME records for default hostname mapping settings. As we will be configuring our DNS through Cloudflare pages, feel free to leave them or delete them. Leave this tab open however, we'll be coming back to it in later.

Next, we'll be creating an SSH key pair to securely login to our new SSH Dokku droplet once it's up.

Creating SSH Keys and adding them to your Digital Ocean Account

I'll walk you through the process of creating the SSH keys on Windows that we'll need for our Dokku container later. Note the process is similar on Linux, full directions for DO are here.

If you could kindly sign up through my Digital Ocean Referral, you'll get a free $100 to start which is plenty to play around.
Install Git for Windows, go through with all the default options.
After installing, open a new Git Bash window, and run the following command to generate a 2048-bit RSA key pair, stored in ~/.ssh (which, on Windows 10, is C:\Users\Vic\.ssh for me):

ssh-keygen

After signing up and creating a new account on Digital Ocean, we'll upload the contents of id_rsa.pub to Digital Ocean. Login to your control panel and click "Settings" on the side.

Click "Security" tab and then "Add SSH Key" button near the top.
Copy and paste the contents of id_rsa.pub into the "SSH key content" field on the New SSH Key dialog. Name it "SSH_DESKTOP" and click "Add SSH Key". Cool, now we've got an SSH key readily available in DO for any of our new droplets. 😎

Next we'll be creating a new Digital Ocean Dokku droplet and add our generated SSH key for use in our Dokku applications.

Creating a new Digital Ocean Dokku droplet to hold our apps and MySQL database

After signing up and creating a new account, let's go ahead and create a new Dokku droplet. After creating a new Project, let's set up a Dokku droplet found here.
Go with whatever defaults you prefer. I chose Regular Intel with SSD plan, 1GB CPU / 25GB SSD ($5/mo plan). I did not add block storage, and I chose San Francisco data center as that is closest to me.

!!! note
We are going to need to up this to around 4GB later temporarily, a requirement to get Strapi installed correctly. Luckily, Digital Ocean allows you add and remove CPU/RAM quite easily.

Before finishing up, ensure you tick the checkbox for the SSH Keys you created earlier. Finally, click "Create Droplet" button at the bottom.
After it's created, let's visit the droplet. Click the Droplets tab on the left, then click on the name of the newly created dokku droplet.
Next, go to the Networking tab of your new droplet and assign a Floating IP. We'll need this to tie to our new domain name later.

It should look like this after assigning a Floating IP:

Visit your new Floating IP in the browser to find the Dokku setup screen.

If you had ticked the SSH Keys box this should be filled, otherwise go ahead and copy and paste from your local id_rsa.pub file (generated by ssh-keygen). For hostname, I chose my subdomain as "apps" following by .vicstech.xyz, the domain I just created with namesilo.

Be sure to check "Use virtualhost naming for apps" as it makes naming conventions easier, and finally click "Finish setup".

Let's review what we've got: A domain name tied to a floating IP (accessible from anywhere), and a Dokku droplet configured with our SSH key for authentication. This will allow us to SSH into the Dokku server as the "dokku" user later on.

Next, we can configure Cloudflare to use our Dokku droplet's newly assigned floating IP address.

Open up a new tab at Cloudflare Pages. We will be setting up a new account to host our static websites and manage our DNS through cloudflare's blazing fast DNS services.

Getting free fast static site hosting and DNS management from Cloudflare Pages and adding new A records

Sign up for a free account at Cloudflare Pages.
Enter your new site's domain name and click "Add site" button (note you can also register a new domain through Cloudflare directly, if you so choose).
Go ahead and click the Free plan and click the "Continue" button.
As we'll be letting cloudflare manage our DNS, let's set up some DNS records. Click "Add record", for type choose "A", for name the chosen subdomain which is "apps" in my case, for IPv4 put the floating IP from the Dokku droplet. Untick the Cloudflare Proxy, for DNS only mode, as Proxy mode can cause problems when connecting.

This will be for our main subdomain. This will allow me to SSH into "apps.vicstech.xyz" soon enough.

Add a "catch-all" rule, using *.apps as the name, so that anything deployed on the subdomain will be forwarded to the droplet. Be sure to also disable the Cloudflare proxy, then click "Continue" for now.

Before we go too much further, we're going to set the nameservers to our Cloudflare ones within Namesilo Domain manager settings.

Cloudflare should instruct us to do this the first time through:

We'll do exactly that next.

Setting our nameservers to Cloudflare's within Namesilo Domain Manager

!!! note
Now before we forget, let's ensure Cloudflare is actually the one managing our DNS by setting the nameservers in Namesilo domain manager to our Cloudflare DNS nameservers

Note the Cloudflare Nameservers: dell.ns.cloudflare.com, and zeus.ns.cloudflare.com.
From Domain Manager in Namesilo, tick the domain to update, and click "Change Nameservers".
Delete the default nameservers and add Cloudflare's given ones, then click "Submit".
Within Cloudflare, click "Done, check nameservers" and go through some configuration recommendations.

Apply both the options:

After a few minutes, you should get a success message upon reloading:

Cool. Now our new vicstech.xyz domain is being managed by Cloudflare. 🧐 Ultimately, we want our static website to be reachable on our main domain, vicstech.xyz, to be able to SSH to our apps subdomain, apps.vicstech.xyz, and all of our serverside applications reachable by further subdomains, such as strapi.apps.vicstech.xyz.

Later on, when we have an actual Eleventy blog to push, we'll add some additional records to our Cloudflare DNS settings, so that www.vicstech.xyz will redirect to vicstech.xyz and vicstech.xyz will redirect to the url produced by Cloudflare page build.

https://community.cloudflare.com/t/redirect-www-example-com-to-example-com/78347

Now we can finally SSH into the new Dokku Droplet. Pull up the hacker shades.

SSH into the Dokku droplet from Windows 10

Alright, so we have got our domain name set up and configured behind Cloudflare pages, we have configured Namesilo to use Cloudflare's nameservers, we've added appropriate A records for redirection rules to our subdomain apps, we have enabled HTTPS and Autominify services from Cloudflare, and we have set up a new Dokku droplet (configured with our SSH keys). Feel free to grab some tea, this next part gets pretty Linuxy. 🍵

!!! info
I will be prefacing each instruction with either LOCAL or REMOTE meaning "Launch these commands from your LOCAL computer" and "Launch these commands from the REMOTE DOKKU DROPLET", respectively.

LOCAL: Launch Git bash. First, add our Private SSH Key to our local terminal so we can authenticate and connect to our droplet.

eval `ssh-agent -s` # Start the agent that holds on to our keys
ssh-add '~/path/to/ssh/private.key' # Add our private SSH key

In my case, it looks like this:

LOCAL: Check the key was added correctly with ssh-add -l
LOCAL: Finally, let's try to SSH into the Dokku droplet.
To enter your new server, type: ssh root@<subdomain name> ie. ssh root@apps.vicstech.xyz

Hopefully, you'll get output similar to the following:

I'm in. 👨🏻‍💻

Pretty soon we'll add a Strapi node application to our fresh server, that will be reachable at strapi.vicstech.xyz, containerized and speaking to a MySQL service on the same host. But before that, we've got to do some administration tasks on our new server.

Now, take a breather, because in my next article we'll be hardening up our server. Digital Ocean gives us pretty much our own server and with that much power comes great responsibility. 🕷

DEV Community: Victor Feight

A Motivated Example of Variable Length Subnet Masks

What is Subnetting?

How does CIDR work?

Motivation for VLSM 1: Static Length Subnet masks

How VLSM Works

Designing a VLSM

Designing a VLSM Example

Summary

References

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 4

Sidequest: Installing NVM in Powershell

Local Strapi backend Installation

Configuring our Local Strapi Backend

Install GraphQL plugin and configure it locally

Creating a Collection Type for Articles

Set roles and permissions on our Strapi API

Database configuration with .env variables

Testing the Strapi API Locally via GraphQL

Still to Come...

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 3

Table of Contents

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 3

Apps needed to proceed

Download and Install MySQL services

Configure Local MySQL services and choose Authentication Method

Install and configure Dokku mysql plugin (Remote)

(Remote) Playing around with our new MySQL database

Sidequest? Adding a MySQL User for extra security

Still to come...

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 2

Table of Contents

Hardening the Ubuntu Dokku Droplet Part 1: Creating a new user in the sudo group

Hardening the Ubuntu Dokku Droplet Part 2: Harden OpenSSH on Ubuntu and disable root

Changing your Host to a Static IP and Implementing an IP address Allowlist Part 1

Changing your Host to a Static IP and Implementing an IP address Allowlist Part 2

Connecting the dots...getting a blog pushed onto Cloudflare pages, querying our MySQL database on the DO Dokku droplet via a GraphQL playground in Strapi (hosted also on our DO Dokku droplet).

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 1

Table of Contents

Deploy an Eleventy Blog on Cloudflare pages with Strapi, MySQL, and Dokku on a Digital Ocean Droplet, part 1

Getting a Domain Name from Namesilo.com

Creating SSH Keys and adding them to your Digital Ocean Account

Creating a new Digital Ocean Dokku droplet to hold our apps and MySQL database

Getting free fast static site hosting and DNS management from Cloudflare Pages and adding new A records

Setting our nameservers to Cloudflare's within Namesilo Domain Manager

SSH into the Dokku droplet from Windows 10