In this case, the mobile apps are calling into the backend service without using Django’s cookie or session authentication; instead, we use Django Rest Knox for token authentication (Django REST Framework’s builtin token authentication should not be used because it is a unencrypted single token).
The Nginx configuration has to be configured to allow all of GET, POST, PUT, PATCH, and DELETE methods from a non-web client. The configuration is inspired by other developers posting their Nginx configurations in Github, and we’ve extended it here:
I have an existing Angular 1.x web application that I transpile using Webpack 1. Since Webpack 2.2 has entered into release candidates with no further features to add as of December 14, 2016, it’s the right time to upgrade my web application. To upgrade from Webpack 1 to Webpack 2, I followed the the migration notes:
And I referred to the configuration docs for Webpack 2:
The upgrade took less than 2 hours to complete for my project. In addition to upgrading webpack, I had to update a few dependencies (sass-loader, babel-loader) and get some directly from the github repository (extract-text-webpack-plugin) since the Webpack 2.2-compatible release hasn’t launched yet.
Initially I ran into a problem where Webpack didn’t run properly, but removing node_modules directory and running npm install solved that problem.
Overall the consistency of the configuration file is better than in Webpack 1.
- a private key file
- an intermediate certificate from the certificate provider (.crt or .cert) e.g. GoDaddy’s intermediate certificate: gd_bundle-g1-g1.crt
- a certificate
To solve the problem, in our Dockerfile we need to configure NPM settings:
Remove any old environments
Make sure to remove old installations of Python, if previously installed on your system, except for the one installed by Mac OS X. For example, if we previously installed Python from homebrew, then the uninstall commands are:
If you installed python via the OS’s python (for example, the one coming from Mac), then:
A side effect of removing previous Python installations is also removing project-specific virtualenv‘s. If you have created requirements.txt files for these environments, it should be straightforward to rebuild them later.
Installing the new environments
Since many versions of Python have been shipped, it’s wise to choose a recent installation of 2.7 and 3.5. We’ll use a environment tool to properly build and install the right version of Python. We will be using pyenv tool. We don’t use homebrew because it doesn’t list all available versions.
1. Install homebrew for Mac if you don’t have it.
2. Install pyenv using homebrew:
3. Let’s configure Pyenv correctly in your terminal’s ~/.bash_profile (~/.bashrc on Ubuntu). Add the following lines if not already there in the file:
4. After installing the prerequisites, now we’ll use pyenv to install Python. Please choose one of the following steps to follow, depending on which Python you wish to install. Also, if you are using certain packages such as bcrypt, use the alternative install steps.
Regular install steps for Python 2.7.
Steps for installing Python with bcrypt package (see bug report).
Regular install steps for Python 3.5.
5. To configure virtual environments for project-specific Python dependencies:
Gotcha: We have to use the pyenv version of virtualenv and virtualenvwrapper. The non-pyenv version won’t work: it will stop your terminal from opening (See bug report).
For more detailed information see the sources at the end of this post.
Before You Begin
- Make sure the server has at least 2GB of RAM. If not, add or increase your swap size to meet this requirement, otherwise problems may occur during install as reported here and here.
- Update the server software packages:
Clone and Install Let’s Encrypt
- If is not installed then execute the following command:
- Clone the Let’s Encrypt GitHub repository to :
Generate an SSL Certificate
- Navigate to :
- Run Let’s Encrypt with the parameter. For multiple domains add :
From: Sudo Manual
- Next enter an administrative email address and follow the prompts:
- Agree to the Terms of Service:
- If no problems occur then a similar message will show below:
- The files that will be used in nginx for the certificate are located at . The two files that are need are and .
Generate Strong Diffie-Hellman Group
- To increase security, generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:
- This will take a while to generate.
Configure SSL in Nginx
- Edit the nginx configuration that contains your server block. The default one is located at , for the purpose this post we will edit this one:
- Now locate the following lines and comment out or remove them in your server block:
- The following is an example configuration:
OCSP Stapling for Let’s Encrypt Certificate with Nginx
- Determine which of the Let’s Encrypt certificates was used to sign your certificate:
- The output will be similar to the following:
- That last part, , is the name of the Let’s Encrypt certificate that was used to sign the certificate.
- Download the PEM version of this certificate. All of the Let’s Encrypt intermediate certificates are on the Let’s Encrypt site; click on the “PEM” link for the appropriate certificate to get the file you need. Or, from the command line,
- Replace “x3” with a different certificate name if necessary.
- Edit the nginx configuration from before and add:
Apply the Changes
- Test the nginx configuration:
- Reload nginx to put the changes into effect:
Test the SSL Certificate
- Check with the DigiCert SSL Installation Diagnostic Tool at: https://www.digicert.com/help/
- Check with Qualys SSL Labs Report to see how your server configuration scores at: https://www.ssllabs.com/ssltest/analyze.html (should result in a A+ rating, it will show “OCSP stapling: No” here is the explaination of why)
- By command line:
- If OCSP stapling is enabled, in the OCSP Response Data section, it should say the following:
Renewing SSL Certificates
It will show a similar message below, certificates have a 90-day lifespan before they expire:
Programmers conduct code reviews to ensure best practices are followed. Code reviews are useful primarily to ensure good coding patterns are followed. Good coding patterns include defensive code to handle invalid input, separation of logic, meaningful variable names, and using proper libraries. Most importantly, code reviews allows a programmer to check assumptions made by other programmers. Contrary to popular belief, code reviews do not reliably find software defects.
Most software defects are found by testing. Testing runs the software in a controlled environment. Different inputs are provided to the software and checked against expected output. The software should also be checked against invalid input to ensure it gracefully fails. Testing these input and outputs can be performed by manual or automated testing.
Manual testing only verifies that the software works at a specific instance in time; after the next code change is made, the tests will have to be performed again. Given that software is changed several times a month, if not every day, significant time and effort is required for manual testing.
Automated testing ensures that the software continues to work after any code change. Automated testing can be performed by unit tests or integration tests. Unit tests check the smallest chunks of code and integrations tests check entire end-to-end systems. Although there is a significant time to write automated tests initially, it saves time in the long run by making new feature development more stable without breaking existing code.
A specific type of test is a canary test, which has a higher degree of confidence than automated testing. The software is tested against a copy of real-world inputs. An engineer’s set of test inputs might have missed some assumptions of real-world inputs, which will be caught in this type of testing. For example, canary testing can test algorithm speed and memory usage. The limitations to canary testing are computational resources and company approval to access customer data.