Nginx By Example | Daniel Platt | Skillshare


Lessons in This Class

27 Lessons (2h 22m)
    • 1. Introduction

    • 2. Where to begin?

    • 3. SSH Keys

    • 4. Creating a VPS with Digital Ocean

    • 5. Getting Started with Virtual Box

    • 6. Installing Ubuntu with Virtual Box

    • 7. Installing Nginx

    • 8. Nginx: Folder Structure

    • 9. Nginx: Sites directory

    • 10. Snippets: Installing PHP

    • 11. Snippets: Installing Composer

    • 12. Snippets: Overriding a domain with the hosts file

    • 13. Examples: Introduction

    • 14. Examples: Holding Page

    • 15. Examples: Maintenance Page

    • 16. Example: Error Pages

    • 17. Examples: Simple CDN

    • 18. Example Fast CGI

    • 19. Examples: FastCGI with Symfony PHP Application

    • 20. Examples: HTTPS Terminator

    • 21. Examples: HTTPS Terminator - Update

    • 22. Examples: Load Balancer

    • 23. Examples: Moving Servers (HTTP)

    • 24. Examples: Moving Servers (HTTPS)

    • 25. Example: Security

    • 26. Example Block by Country

    • 27. Conclusion






About This Class


Ever wanted to see what you can do with Nginx, besides hosting your static content?

Start with the more common Nginx examples and move on to more complex examples.

We have a range of examples:

  • Holding page

  • Using PHP

  • CDN

  • Load Balancer

  • and more

Enrol today!

Still unsure?

We also show you how to install PHP and Composer, and how to get a free SSL/TLS certificate, so you can secure your web sites.

What are you waiting for?

Meet Your Teacher


Daniel Platt

Teacher, Developer, Systems Admin




1. Introduction: Hello. My name's Daniel, and I would like to welcome you to my course. This course is about showing you what is possible with Nginx. After all, Nginx is more than just a web server. I won't be explaining every concept of Nginx; I'll leave that to another course, though I will explain what I use. I hope that you already have some experience with Nginx. If not, you may struggle, but feel free to reach out. These examples will be complete and you can use them on your own server. Sometimes it helps to have a starting point that you can change to better suit your requirements. I'm gonna show you how I have used Nginx in some simplified examples, but they are based on real-world applications. You are free to use them in your own setup or, better yet, combine some of them to make something even more awesome. I'll see you in the next lecture.

2. Where to begin?: Before we get started and we start talking about operating systems, we need to know where you're gonna be running your creation. If you just want something that's free and you don't mind dealing with installing on your computer, then you can use VirtualBox. VirtualBox is free. You can install it on Windows, Mac or Linux. If you use VirtualBox, you won't be hosting on the Internet, and nobody else will be able to access it. If you want somebody to be able to access your creation, I recommend a VPS, and I personally use DigitalOcean. There are others, but for cheapness they're great, and the reliability is pretty good. I think I've only accessed their support a couple of times in the last few years. It's mostly because they've got great documentation. In the next couple of lectures, I'll show you how to set up VirtualBox and DigitalOcean if you want. Let's move on.

3. SSH Keys: The Internet isn't a safe place. Passwords are being brute-forced, accounts are being hacked. Nothing is safe. So how do you connect to a server securely? What I use, and what most people use, is something called SSH.
And they use SSH keys instead of passwords. This is a lot more secure than just having some eight-character password or even a 20-character password: instead of taking years to crack, it would take centuries to crack, if not longer. So, for this reason, let me show you how to generate an SSH key on a Mac or Linux. If you're on Windows, you need to use PuTTY, and I'll put a link in the resources. So what we need to do is open up your command prompt, your terminal, and type in ssh-keygen, and what that will do is generate your key pair. It tells you where it's saving it; you just press Enter. In my case, I've already done this, so I won't overwrite it. When it's finished, you will have these key pairs and they will live inside your .ssh directory inside your home directory. Let's make that a bit more obvious. You can see there I created my SSH keys back in 2012. What you'll need is the contents of your public key. id_rsa is your private key and id_rsa.pub is your public key. The idea is that your private key you keep 100 percent safe. You don't reveal it to anybody. Your public key, you can give out to everybody, and they use that to verify that you are you, based on some challenges they do between the two keys, so it's pretty secure. So what you need to do is view the contents of your public key, and in a later lecture you need to copy and paste that, and we can add it into DigitalOcean or another server to allow automatic login. I'll see you in the next lecture.

4. Creating a VPS with Digital Ocean: For my online hosting, I use a company called DigitalOcean. Their philosophy is very simple. They give you the raw computing power and then you build something awesome on top, and that's reflected in their pricing. The ones I will be looking at are the standard droplets and, depending on your needs, you can pay as little as $5 a month or you can pay as much as you want and have as many servers as you want.
But for this course, I'm gonna focus on the $5 a month one, with which, with free credit if you use my referral link, you can have at least a couple of months free without having to pay anything. When you're testing, you don't need to spend a lot. But when you're in production, it might be that you need a little bit more: a little bit more memory for caching, or more cores to enable your application to handle more traffic. But we can talk about that later. So you're gonna want to sign up. I already have an account, so let me log into mine. I'm gonna assume you have an account, and when you log in, this will be what you're greeted with. The first thing you're gonna want to do is create a droplet, and you want to make sure you're choosing Ubuntu 16.04. We'll scroll down to the size, and for this purpose we're going to choose the one gigabyte, $5 a month one. We don't need to worry about block storage. For the data center, you need to choose the location that's closest to your customers. I'm gonna leave it on London. Under additional options, you have backups, which, as it says, adds 20% to the monthly droplet cost, and it takes a backup once a week and retains the last four weeks. So it's pretty handy if you want to roll back. For these purposes, I'm not going to enable backups. However, I recommend that you consider it, and certainly if you're in production. For IP6, IPv6 rather, you don't need it. However, if you add it now, it's a lot easier than adding it later. You don't have to take advantage of it, but if it's enabled, then at least you're assigned an IP address. Don't worry about user data, and I would recommend you turn on monitoring because it gives you some nice metrics about the CPU and memory utilization. SSH keys: with these servers, there are two different ways you can authenticate when you log in. One is with the user name and password. Unfortunately, most people know what the user name is, which is root.
So it could be a matter of time. You get around it by creating a second account and disabling login to root. However, what I like to do is use SSH keys. They're a lot harder to guess, nigh on impossible. But you do have to look after them. If anyone gets your private key, then it's kind of game over: they can log into anything you can. So I'm gonna show you how to set up SSH keys on this server, which also has the nice side effect of disabling the password login. So what we do is New SSH Key, and then here we just need to paste in your public key. So let's get the one we generated earlier. We copy that, paste it in here and give it a name, so you remember which one it is. You can also edit your account to store your SSH keys, and next time you create a server they'll just appear here and you can just tick it rather than pasting it every time. In this instance, we're gonna want one server. So unless you're creating a whole load of servers at the same time, just leave this as one droplet. And host name: you can leave it blank, or you can treat this as the reverse domain name. So if someone was trying to look up the IP address and the host name associated, this would be what would be resolved, so you can type in a full domain name here. This will only benefit you if you set your domain name to point at this server. You can also add tags if you want, whatever you want to help you filter on the dashboard; then you just type it in, press Enter, and hit Create. And there you go: my server, my IP address. If you click into it, we just click on here, you can actually see everything about it. So, if you want to turn it off. Snapshots is a good one. It's like backups, but you're in control of when you take them. So if you're gonna do anything you're not sure about, you can take a snapshot and you can always roll back to it. And that's it for this lecture.

5. Getting Started with Virtual Box: During this course, I'm gonna be using DigitalOcean.
However, if you don't want to use DigitalOcean, you can use any other provider; as long as they provide you with a VPS with root SSH login, then they should be compatible. That said, there is also a free alternative. It won't allow you to test online, and it certainly won't allow you to use Let's Encrypt, which we're gonna use later if you want HTTPS certificates. But if you just need it for local access, and you only need it running on your computer, then there's something called VirtualBox, and you can download it from virtualbox.org. So let's do that: virtualbox.org. You click Download, and then you choose the host you want. I'm on a Mac, so I'm gonna download the Mac OS version. If you're on Windows, then this is the one for you, and that's just gonna download the installer. Whilst you're here, you might as well download this extension pack. It just makes it a bit more compatible with the drivers. OK, they're now downloaded, and they'll come down as an installer. You may have to unzip them, you may not; it kind of depends on your platform and your browser. On the Mac, this is the executable. So we'll just go through the motions of installing this. There shouldn't be anything to customize. It's pretty much everything; in fact, it's everything. And we just authenticate. Now this is just gonna install it for us. It shouldn't take too long. That's it done, and we don't need the installer anymore. On the Mac, there's another step you may need to do, which is to authorize the extension, and all you need to do is up here: in here, Oracle is requesting access and there'll be a little Allow button. You press that and it will continue the installation. Then we just need to install this extension. All we need to do is double-click that, and it should open up VirtualBox for us. If it doesn't, you may need to sort of drag it into the application. This is asking me to upgrade because I've already had it installed, but yours will probably say Install rather than Upgrade.
So if we do that, we just need to read the terms and conditions and then click Agree. And there we go, VirtualBox is installed. In the next lecture, we'll talk about how to install the operating system into this.

6. Installing Ubuntu with Virtual Box: Previously, we installed VirtualBox. Now let's create our first virtual machine. I'm gonna call mine Ubuntu machine. It's very unimaginative. VirtualBox is trying to guess the type of machine I'm gonna be installing. It's kind of guessing Mac, because Mac is in machine, but we need to choose the type of Linux, and there we go. It's got Ubuntu; now the preference is for Ubuntu 64-bit. Then we just hit Continue, and we're gonna use the same defaults as DigitalOcean. So it's one gig of RAM. It's create a disk. It's gonna be dynamic, because if we don't use it all, then it doesn't matter. And I believe DigitalOcean is 25 gigabytes. So we hit Create, and then we need to quickly go into Settings. The first thing we need to do is download the ISO for this. Go to ubuntu.com. We click on Server and download 1 to 7 and then finally actually download it. The ISO is now downloading. Whilst we're waiting for that, let's do some other changes. Under audio, we don't need it. Under networking, we need to change that to bridged adapter, and this just means it's gonna share your network card, and it's gonna appear as if it's directly on the network. You need to pick the network adapter that your Internet connection comes into your computer on. If it's WiFi, then you choose your WiFi card. If it's Ethernet, then you choose your Ethernet port. If it doesn't work the first time, you can always come back into this and change it later. Great. So the ISO is now downloaded, and what we need to do is make sure we're selecting our CD-ROM drive. It's virtual, so it doesn't matter. Then there's a little CD icon where we can tell it which file to use.
Just navigate to your downloads directory, select it and tell it to open it, and that is everything you need to change in the settings. So you OK that, and let's just click the Start button and your virtual machine will start to turn on. This install's gonna be slightly different to the DigitalOcean one, but it's mostly because DigitalOcean will have customized their install to remove a lot of the extras that Ubuntu Server may come with, and they may have added a few extras of their own. The first thing we're gonna need to do is choose the language, so you need to give the window focus. So you click on it, and then your arrow keys are how you move around. You just press Enter when you've got the right one, and you just press down again once you've done this. We're gonna be installing the bare-bones Ubuntu; we're not gonna worry about cloud or clustering or anything like that. We're gonna use DHCP for the IPv4 address, and you can see up there what your IP address will be. If you use a proxy to connect to the Internet, you'll need to enter it here. But if you don't, you can just skip this part. For this, we're going to use the whole hard drive, the whole disk that we created, and you can see it's called virtual, 25 gigabytes. We'll click Done again, and we need to make sure that we're happy with this. So it's double-checking that; we just hit Continue. It's just warning about data loss, but because it's a new hard drive image, there's no data to lose, so it doesn't matter. So the install is going at the moment, you can see it copying at the bottom, but it wants to create an administrative user rather than the root user, which is different to the DigitalOcean way. You can choose whatever you like for the server name. It's kind of like the reverse lookup name that DigitalOcean gave us; because no one's accessing it, it doesn't matter. So I'm gonna just call mine ubuntu.
I'm going to use the name Daniel, and then we'll just put password in there and then click Done. Finally click Reboot, then press Enter again to say you've removed the disc. VirtualBox will remove the disk for you. You have to do it every time if you want the CD image to stay there. The virtual machine is booting back up, and when it is done, we'll be able to log in. Well, that is, you just press Enter again to bring up the login screen. Logging in is a simple matter of remembering the user name and password you set. So mine was Daniel and password. And there you go, you're logged in. You can log in this way, but I find this terminal a bit clunky. You can't resize it as much as you want. Copy and paste is a bit hit and miss. So what I recommend is logging out of this, after you take note of the IP address, which you can see there and which we also saw earlier. Actually, we don't even need to log out. Load up your terminal, and what you can type is ssh, your user name, at, and the IP address. Because we've never connected to this virtual machine before, we don't know what its fingerprint is. The fingerprint is the computer's way of identifying remote servers. So let's just say yes, because we know for sure that this is the right computer, and now we just need to type our password in. That fingerprint thing will only come up once, unless it changes. And there we go. You've got a much better terminal here. To get to the same state where we are with DigitalOcean, or where we will be in a later lecture with DigitalOcean, what we want to do is enable us to log in as the root user. So the first thing we need to do is become the root user, and we do that by typing sudo -s. sudo is just "super user do"; -s is for shell prompt. We just need to enter our password again. I think that's the root user. And if we look inside here, sudo doesn't change our home directory. So what we need to do is change into the root user's home directory.
Let's have another look at the directory structure. So in here is a .ssh folder, and if we go into that, what's in here is an authorized_keys file, and what we need to do is paste our public key in there. So I've got my public key in the clipboard, and then we just paste it in, and then we just press Ctrl+X, then Y, then Enter to save. Now, when we log out and then try to reconnect as root, it's using our public key to authenticate with our private key, and we don't need to type a password, and that is where we will be with DigitalOcean. So if you see me connecting to DigitalOcean as root at an IP address, then you just need to take these steps, which is ssh root@ and then your local IP address. I'll see you in the next lecture.

7. Installing Nginx: Now that we have set up the operating system, we need to move on to setting up Nginx. By default, Ubuntu won't have installed Nginx. Ubuntu 16.04 has an old version in the apt repository, but if you're using 18.04 then at the moment you're running the same stable version that's currently available on nginx.org. Regardless of which version of Ubuntu you're running, I would recommend using the Nginx PPA. A PPA is just a way of overriding the apt repository to tell it where to get some software from. The Ubuntu version will only have some security fixes applied, whereas the Nginx PPA will always have the latest release in it. First, we need to add the signing key to allow Ubuntu to verify the authenticity of the Nginx packages. If you don't have the key, then Ubuntu will complain that updating from such a repository can't be done securely and therefore has been disabled by default. So let's connect to the server and clear the screen, and what we need to type is apt-key adv, and then we tell it --fetch-keys, and then we give it the path: http://nginx.org/keys/nginx_signing.key.
Don't worry too much about copying these down. I will put a file in the resources that you can just copy and paste from. We press Enter, and you can see it's imported the key quite nicely. Now that we have the key, we can create a file that overrides apt to tell it where this PPA is. So that's in /etc/apt, and then it's in sources.list.d, and we're gonna create a file called nginx.list. In here we're gonna paste two lines, and we're gonna need to replace codename. This is just the code name for the version of Ubuntu you're using. So I'm using 18.04, which is bionic. If you're using 16.04, I believe it's xenial. Again, I'll put these in the text file for you. Then we press Ctrl+X, then Y, and then hit Enter. And if it all goes to plan, when we do an apt update it will download from this. This is just doing an update of all the apt repository information, as well as the Ubuntu stuff. So somewhere along here, and there you go, you can see it's checked nginx.org. We can just type apt install nginx and that would be it done. However, in one of the examples we'll need to access the GeoIP information, and that requires a module, so we might as well install it now. That is called nginx-module-geoip. That's installing. And whilst we're here, we might as well load the modules; otherwise, we may forget later on. We just paste these at the top, and the last thing we need to do is start Nginx, so we can just type service nginx start. If we type in our IP address, 192.168.1.136, there you go. That is our Nginx welcome page. If you don't see that, then double-check your settings. Now that we have Nginx working on Ubuntu, let's move on.

8. Nginx: Folder Structure: In the last lecture we installed Nginx. So we just need to go into this config folder, and I'm just gonna show you what it looks like. You've got the conf.d folder, which is where all config resides.
You've got fastcgi_params, which is something we will use for PHP. We're gonna ignore the utf and the win ones; these are just character mapping files and they're something we're not going to touch on. You've got the mime types, which is just telling Nginx what file type a file extension is, so .zip is application/zip, .txt would happen to be text/plain, that sort of thing, and obviously all the images. You've got modules, which is all the Nginx modules we've installed, in our case GeoIP. And, most importantly, we've got nginx.conf, and this is just the default configuration for Nginx. You can see the last line is how it pulls in all the config from the conf.d folder. But this is your main config entry point. So if you want something to affect every website on your server, this is the file you'd be editing. OK, I'll see you in the next lecture.

9. Nginx: Sites directory: In the previous lecture, I tried to show a little bit about the folder structure. This is the default Nginx folder structure that you get from Nginx when you install from the PPA. If you install Nginx from Ubuntu, Debian or some other distro, the chances are it's gonna be slightly different, and what's gonna happen is conf.d will be a directory that everything gets pulled in from, but maybe they'll have a folder called servers instead. The idea is that you group your server configs for your domains in one place, and then you add config that affects everything in conf.d. Another thing you'll see is that they actually have sites-available and sites-enabled folders. So, something like that, and what will happen is that instead of having your site config in conf.d, it'd be in sites-available. So let's assume we've got the file here. Now, there's no config in it, but this is just to illustrate the point. What will happen is that in sites-enabled, you'll actually have a symlink going between the two. What's the point of that?
Well, the point is that you can turn off sites in sites-enabled by removing the symlink. So if I want to turn off the default file, I would just remove the symlink, but your config's still there. To get this to work, you would actually need to edit your nginx.conf, and right at the bottom, what you would do is type your include in like this. It's up to you whether you require the file extension to end .conf or not. Typically it's like that, and then you'd save it and reload and it would start working. So that's just one way the other distros will handle Nginx, and it's up to you. Personally, I don't turn off websites that often, so I'm more likely to go with the servers folder, or pulling in the conf.d folder. But throughout this course, I'm just going to use conf.d. Whichever way you want to do it, it's entirely up to you. I'll see you in the next lecture.

10. Snippets: Installing PHP: Installing PHP is beyond the scope of this course, but I'll give you a quick idea of how to install it. Connect to the server. What we need to do is add the PPA, and now we need to do an apt update, and then we would do apt install php7.2-fpm. And now we should have PHP installed. There we go. Now you will have PHP ready to use for when you need it in the examples later.

11. Snippets: Installing Composer: For a couple of projects, we're gonna need something called Composer. It's a PHP dependency manager, and I quite like it. So what we need to do is get Composer, and the URL is getcomposer.org. All we have to do is copy and paste this PHP code. Connect to the server, and let me paste it in. Finally, there you go, you've got composer.phar, and I like to move it to /usr/local/bin and we'll call it composer. Now I've got the actual phar to move. There we go. Unfortunately, I don't think we have any path variable set up. Or do we? There we go. So now you can just type composer in whichever directory you're in and it's available globally.
You can also type self-update in the future, and it will keep itself up to date. But every time you run it, it will update itself. So that's how you install Composer. I'll see you in the next one.

12. Snippets: Overriding a domain with the hosts file: When you're building websites or maintaining websites, sometimes you're gonna want to move a site from one server to another, and you can do this; it's easy. You download the contents and upload it with the database. No problem. But how do you know that the new site, in its new location, is working perfectly? Maybe you've missed off a PHP extension, or you've not configured Nginx correctly, or something. What you can do is tell your computer to override the IP address that you get from DNS. So when you make the request to your new site, you're going to the new server rather than the current server. That's fairly straightforward to do. On Linux, the file is called /etc/hosts. You have to be root to do this, so if you're not root, you need to use sudo. And in here is where we override. This is just a default file for your internal networking. I would leave whatever is in there alone, but you can add to it. So how does this work? Let's take Google, for example. Google's IP address in this instance happens to be this, so let's override it. What we do is type the IP address we want it to be. I use Tab because it helps to keep everything a bit more organized. And then you just type the domain name. You can type more than one domain name here if you want, but for this purpose we're just doing one. So we come out of that and save. And now, when we redo this, you'll see that the IP address has changed to the IP address we've overridden. I hear you thinking: but I'm not on Linux. OK, on the Mac it's exactly the same thing. I know most of you are not gonna be on the Mac, but there's me doing a local website. Well, my local address range on the Mac is slightly different.
So you do that and then you have to flush the DNS, and that is different depending on which version of macOS you've got. It's, ah, "macOS flush DNS". This is a good one, because it's got all the different versions of Windows and macOS, so that's gonna be the one you need if you're on macOS. I'll put this in the resources. On Windows, it's different again, but not too different. On Windows, the path is C:\Windows\System32\drivers\etc\hosts. So you see that Microsoft have kept the etc/hosts part, but they've just hidden it away in the System32 directory inside the drivers directory, and you will need to be an administrator to do this. So when you open Notepad, you need to open Notepad with administrative rights. Again, I'm gonna link you to a document that tells you how to do this for Windows. So before you put a website live, double-check it works, and use your hosts file to help you do so.

13. Examples: Introduction: In this section, I'm gonna show you different Nginx configurations, but I'm only gonna show you a handful of websites. The idea is to show you what you can do with your own sites rather than how to set up lots of different applications. And just because I show you one way of doing something, it doesn't mean that's the only way you have to do it. You can even combine some of these ideas together. You can even combine lots of these ideas together. Let's move on to the first example.

14. Examples: Holding Page: Do you have a few domain names that aren't currently being used? If you do, then why not create a holding page for them rather than letting your DNS provider claim all the money? If you don't have your own holding page, the chances are you've left it as default with your DNS provider, and they have got a page on there that potentially makes them money. Why don't you do it for yourself? Promote your own business. And if you wanted to, you could put ads on them.
What we're gonna do is create a holding page that tells people they've reached the right location, but the website is currently offline and being developed, and maybe offers a method to get in touch with support. This scenario is the most basic setup; so basic, in fact, that this is the Nginx default configuration. You can think of it like this: the Internet comes to your server and, regardless of the domain name, gets shown the same website. If you have another website defined, then that will get shown, but this is just for undefined domain names. However, the default Nginx page isn't very exciting. It's more of an advert for Nginx than anything. Editing this page is as simple as changing the files in the /usr/share/nginx/html directory. Let's just have a quick look, so we'll connect to the server. We'll change the directory into /usr/share/nginx/html, and then you can see there's an index file, which is that same page. Now, if you want to make a good holding page, you're gonna need some HTML, some images and some CSS. That's something I can't provide you with, but I can give you an idea. So I've got my own copy of that directory. I've got the index. I've also got the 50x error page. I can give you a copy of this, but that's what it looks like. It's very basic, but it looks a hell of a lot better than the Nginx default page. So what we need to do is copy these files up, and that's just a simple matter of finding an SCP client that can upload the files for you. On the Mac it's Cyberduck; on Windows, it's WinSCP or FileZilla. So let's load up Cyberduck, and what we need to do is connect it to the same server. But, importantly, we need to use SFTP or SCP or something that says SSH file transfer protocol, and we give it root, and we need to give it our private key, wherever it's stored on your computer. Then click Connect and there you go, you're on the server.
So we need to go to that same directory, /usr/share/nginx/html. What we need to do is copy up these files. Yes, we're gonna have to overwrite them, and then you're done. And then when you refresh the page, there you go.

So how is that working? Well, if we have a look at the config, which is in the /etc/nginx directory, inside this conf.d directory is a default.conf, and this just tells Nginx to serve that file. And if it encounters any 500, et cetera, errors, it will display the other one, so you could put more of a twist on it if you wanted to. So, "Sorry, an error has occurred." But until you set up any other domain names on the server, this block is the one that's gonna be chosen because it's the only one. We can encourage it, because otherwise it's gonna be a race condition; it won't know which one to pick. But if we use the underscore, we can say that this is the one to use. We can also say up here default_server, and this will tell Nginx that this is the exact one that we want everyone to have until we specify a server name that matches. But that is all we need. So it's nginx reload. And this will also work for the IP address as well. So anything that hasn't been configured, paste that in there. There you go.

The only change I will make is I prefer everything to be under /var/www. So if we change that; because the www directory itself doesn't exist, we'll create it, and what we can do is take everything in that nginx html and move that into this directory. I just find it a little bit easier to find. So at the moment, if you do that, there's no files, it can't do anything. We reload, then it's all working. So from this point onwards, I'm gonna be using the /var/www directory. I'll see you in the next example.

15. Examples: Maintenance Page: In the last example, we created a holding page. But maybe instead of creating a holding page, you change the default to
a maintenance page. What's the difference, I hear you ask? The main difference is, with the holding page, we probably don't care if it gets cached by a search engine. It's probably a page on a website that you've never had before. You've just bought the domain name, don't know what to do with it, just point it at the server and then don't worry about it. However, a maintenance page more than likely shouldn't be cached. It's an existing website. You've gone down. You've got a problem. But you want to tell the search engines: this isn't your actual website, we're having problems, we'll be back in a minute. That's what the 500 errors are for. Have a quick look. So, server errors: 500 is an internal server error. It's a good enough error code for us. There's a problem, and the idea is that Google won't cache it. If it returned 200, which is "this is the website", then Google is more likely to cache that.

So I already created a maintenance page as part of the 50x. All we need to do now is a little bit of Nginx config. Then we'll rock from running the Haitian. What is good enough? So unlike before we want the domain name to be catch-all. You would never have the holding page and the maintenance page on the same server unless you put the server names directly in it, because you can't have both being a catch-all; only one will be able to take precedence. So we want the same root. We need the same redirect. But what we actually need is to say anything that matches slash, we need to return a 500. Anything else, then we need to match it; when you say equals, it means absolutely matching. So we'll modify this one because we need the same try_files. So we're telling it it's a regular expression. But we also need to say it has to start with slash, dot to match anything, and again one or more characters, so that would match anything but the slash. In this case, we're not worrying about a default file, so that also means we can get rid of this middle one because we don't have an index.
And one thing I will change about this is, we'll keep all these error codes, but I also want to tell it that when it returns this error, we want it as a 500. And so we just reload. Now, any URL should throw us off to a "down for maintenance" page, and we can double check that with Terminal. So we copy that URL, load up Terminal, and if I type curl -v to give us more information, we scroll up and then we're going to see in there the internal server error. So that should tell the search engine that we're having problems, and that's it. I'll see you in the next example.

16. Example: Error Pages: In the previous lecture, we created a maintenance page, and I used something called error_page to achieve this. And I want to talk a little bit more about that. So let's have a look at it again. So you see at the bottom here, error_page, and all this is, is it takes HTTP error codes, so one through to however many you want, and it will catch them all. This second-to-last parameter is the error code you want Nginx to return to the browser, which is optional. Otherwise it will just return 504 if it was a 504; with this parameter it will return 500. And this last parameter is the file you want to serve, and it's fairly straightforward, but you can also have more. You can have as many as you want, in fact.

So let's go down, and what I want to do is create a 404 version. So we're missing out the equals sign because we're only returning one. So 404 will always be a 404. And I've created a 404 page inside this directory, inside /var/www/html. Now this config is the same as the last one, so we're gonna change it a little bit. First of all, we do not want to redirect if a file is missing. Let's tell try_files to return a 404 rather than the redirect, which also means we do not need that redirect, so you can save that. And then if we reload Nginx, you'll be familiar with this page.
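The maintenance and error-page setups narrated above are never shown in the transcript, so here is one way to write them. This is an added example, not the instructor's file; the server name and the /var/www/html file names are assumed placeholders.

```nginx
# Added illustration, not the course's own config. Names and paths are placeholders.

# Maintenance mode (lesson 15): catch-all server, every request answers 500
# with the maintenance page as the body.
server {
    listen 80 default_server;
    server_name _;
    root /var/www/html;

    # Any of these codes is rewritten to 500 ("=500") and served from /50x.html.
    # The course uses 500; 503 is the status defined for temporary unavailability.
    error_page 500 502 503 504 =500 /50x.html;

    # Exact match for the page itself. "internal" stops a direct request for
    # /50x.html from returning 200, which a crawler could cache.
    location = /50x.html {
        internal;
    }

    # Everything else, including images and CSS, returns 500. This is why the
    # error page should inline its own CSS and images.
    location / {
        return 500;
    }
}

# Custom error pages on a normal site (lesson 16).
server {
    listen 80;
    server_name www.example.com;          # placeholder
    root /var/www/html;
    index index.html;

    # No "=code" here, so a 404 stays a 404 while the body comes from /404.html.
    error_page 404 /404.html;
    error_page 500 502 503 504 =500 /50x.html;

    location / {
        # Missing files produce a real 404 instead of a redirect.
        try_files $uri $uri/ =404;
    }

    location = /404.html { internal; }
    location = /50x.html { internal; }
}
```

Running `nginx -t` before the reload and then `curl -v` against any path shows the status line each block actually sends.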
But now, if I was to go to a page that didn't exist, it would redirect me back in the previous example. Now it would return my custom page, and you can do this for every HTTP code there is. So if you want to do a 403, a custom 403 page rather than just saying "forbidden" by Nginx, you could have a nice-looking page. The thing you need to remember is try to make this page as self-contained as possible, and that means inline your CSS, and ultimately you could inline your images. It makes the page a little bit heavy, but it doesn't matter, it's an error page. Or you could serve this image off, like, Amazon or some sort of CDN, like S3. That sort of thing. So hopefully that makes a little bit more sense. I'll see you next lecture.

17. Examples: Simple CDN: One way you could speed up a website is by moving all of its assets (images, movies, CSS) to a CDN, a content delivery network. But if you want to do one yourself, we're looking at a simplified version. This isn't a complex CDN. That's the kind where you have geolocation serving assets from servers that are local to those users; that you could do with multiple servers and some DNS hacks or the right DNS provider. However, there's gonna be some benefits to this setup. Even though it's simple, it's gonna simplify your Nginx config, because all your assets just need to be in one config file; your application one could be a different one, and it's easy to cache if you use separate domain names. And by this I don't mean subdomains. My website's offdan, and then you could have offdanassets.com. You can think of the setup a bit like this. Then you could have cookie-free requests, which would reduce the header size and make it that much quicker for mobile. So let's connect to the server and make one of those. Go into the config directory and let's call it cdn.conf.
What we need to do is create a server block, and it's just gonna listen on port 80, and it's not going to be the default. It's not catch-all, so we need to give it a server name. Now I'm being lazy, so I'm gonna use cdn.example.offdan.com. And it's perfectly valid. What I mean by lazy is that it's not cookie-free. So any cookies on offdan.com will be sent along with the request to the server. And we need to give it a root directory, so we'll create the structure in a minute. We need to give it a location block. What I'm gonna do is I'm gonna paste this in here.

So this is a location block purely for images and icon files and CSS and this JavaScript in there. So what is it? Well, it's a regular expression match, and it's case-insensitive. So if you put capital PNG at the end of your file, then it's gonna be fine. Now it's looking for a dot. That backslash means it's literally the dot, not any file. And so we're looking for an icon; the pipe means "or", that vertical bar symbol; CSS, JS, GIF, JPEG (that question mark makes the "e" optional), PNG, close the set, and dollar means that has to be the end of the URL. So these file extensions need to match at the end of the URL, and what we can do with this is we can actually tell Nginx to pass the headers that these files are valid for 30 days. So when the browser has received these files, then it can keep a copy for 30 days without checking again. And we can add the header, uh, public, and that's just to support older browsers. With newer browsers, we add the header Cache-Control and it's public, and that's the correct way.

It's up to you what you do if the files don't exist. So what happens if somebody was to come to a CDN server and just go to slash? Do you want it to show them a file, throw a 404, what? Well, why don't we be clever? Why don't we say, if the location is slash, then why don't we just say the root directory is /var/www/html and the index is index.html. And so we save that. We'll do nginx reload.
And now we load up Safari. We type in cdn.example.offdan.com. We've got the down for maintenance page. I mean, we need to create the directory. So if we go into /var/www and then make the directory cdn, and then why don't we copy the html offdan logo into the cdn. Now you got that image, guys Town the telephoto bar on and we're Inspector. What we're trying to do here is prove that it's worked by checking the headers inside the browser, but I can't see the content type or the Expires header in there. Let's try something else. Let's copy that CDN image to offdan.png, just to be absolutely sure that it's serving the right file from the right location. It looks like our config hasn't worked at all, and it's just reverting back to the default server. So let's have a look at the config again. Go on in that. So we go back to... ah, it always pays to do a config test. Okay, so config is okay. Reload. Let's try that image request again. It was different. It would have helped if I'd put that file in the right directory. Okay, right. There you go, the file's there. I will check this and there you go. You can see the Expires header and you can also see the Cache-Control.

So if you had an application that supported CDNs, you could just tell it that all your images and JavaScript are on this URL, this domain name, and under the hood, they could be anywhere. That root could just point back to your application directory, but it keeps your Nginx configs separated. So it's a lot easier to have a look at this and realize what's going on than having the default config and this all in one; that would be a large config file. That's a little bit harder to read, certainly when you're first starting out. And you could modify this. You could have two lots of location blocks, one for your images, one for your CSS. Maybe you want your CSS to be cached only for one day,
or your JavaScript to be cached for one day, because you're doing a lot more dev work on it. It doesn't really matter if the same image gets served or an old image gets served. But with JS, it might matter if you serve old JavaScript or old CSS; because you've updated the CSS because you've updated your HTML, it might not work right. So maybe you actually want it down to one hour. At least you can change these values in here, duplicate it up and do whatever you like. You could improve upon this. You could create a server per region, and DigitalOcean supports quite a few regions. And then you could use a DNS provider that supports proximity-based routing that will allow you to redirect your user to a CDN in their region. If my server's in London and somebody's accessing it from, say, Australia, you could be adding like one or two seconds onto the requests. Well, if they're waiting for the HTML and then they're waiting for the assets to come along with it, it's gonna be quite a slow experience. But if it takes a second or two to get the HTML and then they could get the assets from their region, it's gonna be a bit quicker. So it's just a thought. I'll see you in the next example.

18. Example Fast CGI: Nginx doesn't have a default way to handle dynamic content. But what it does have is a way to call FastCGI that can produce this content. An example of this is PHP, though with a bit of work it could be Python, Perl or even C++. I'm sure there's many more that you could think of. The setup would look something like this. Hopefully you installed PHP from the snippets earlier. If not, go back and do it now because you'll need it for this example. So let's connect to the server, and let's just double check we've got PHP installed, and we do. That's great. And let's just change into the Nginx directory, or the Nginx config directory, and we're going to use the default file as a starting point, and let's edit that file.
And we'll go in, php.example.offdan.com. We change the index to index.php. Don't worry about these error redirects. What we do need is this. So what is this? Well, this is just saying if you're seeing a PHP file, proxy pass it, but actually that's just the same thing, saying if you see a PHP file. So anything ending .php we'll pass in. I don't need that. We'll literally pass it to FastCGI, and it's gonna be listening on that IP address and that port. And that's just the default PHP comes with, and these are just some defaults. So this include file actually exists inside your Nginx directory, and it just defines a few variables for PHP, so it knows where the file is they're working on, that's been called, with the directory, that sort of thing. Okay, so that is just that file. So we reload Nginx.

What we also need to do is, if we go over to the www directory and we make this php directory that we referred to, and inside there we'll create an index.php. And if I type in the URL, php.example.offdan.com, I've got a 502 gateway. Okay, this is where we double check things. So let's double check this. We're passing it to 127.0.0.1 on port 9000. We'll double check that PHP is also doing the same thing, and this is the default config for PHP. If we scroll down, we're looking for a listen directive. They've changed the default. So by default, it's listening on a sock file. You could change this to an IP address, but I'd prefer the sock file. So we'll go back in over here. So we just need to tell it that it's a sock file, and then we just restart Nginx. If this doesn't work... it doesn't work. We just need to start PHP-FPM. So it's created the sock file. What does the error log tell us? This is a good reason to define your log file per server config. Okay, permission denied. This is, who's the listen user? Who is Nginx running as? Next we have a look at nginx.conf; the user is nginx, not www-data.
So we just need to make a quick config change. Let's change www-data to nginx. This is basically who has permission to access this socket file. So save that, then we just restart PHP. Now do we have access? Yes, but now PHP can't access the script, so let's just double check the logs one more time. So this is just where it's having trouble finding the file, which these variables were supposed to have sorted out. Let's go into the server config again. Right, this isn't gonna help. Obviously, in a previous lecture I moved the root out, and I've completely forgotten to do it again this time. So obviously Nginx, in fact PHP, can't find the file, because we never actually said what the root was. So the default is gonna be the Nginx directory, so that's not very helpful. Another reason this isn't working is because we've hard-coded in the scripts directory. Again, that's not gonna help. So we need to tell it it's whatever the document root is. Now, hopefully that is all we need to do. And we just reload Nginx.

Ah, we got there in the end, but that's not PHP. That's just a file with the word hello in it. If we want to actually do PHP, then we need to do PHP. So if we just edit that file, and PHP just starts like this, and something that produces a lot of output to show that it's working is phpinfo. It just tells you about the configuration. We save that and we reload the page. There you go: every single option in PHP, telling you what state it's in. Obviously, you can do a lot more with PHP, and I'll go over a little bit of it in the next few examples.

19. Examples: FastCGI with Symfony PHP Application: In the last example, I showed you how to get PHP working, which is fine. But should we try a little more of a complex application? I will try my password generator, which I wrote a little while ago, and we'll get it on the Internet. So the actual URL you're after is GitHub dot com forward slash Axler forward slash password hyphen generator hyphen app.
But, like always, I will link it in the resources to save you typing it out. And the quickest way to get it is if we type composer create-project. So connect to the server. We'll go to /var/www. And if I put another argument at the end, it will give us a directory. So if I call it generator. Okay. To get this to work right, we need to install a few extensions for PHP, or modules as they're called, and what we need to do is type apt install php-xml, php-intl and PHP hyphen, and that will install it for us. Should be quite quick. Great. So now we re-run the composer create-project; it should download everything for us quite quickly. And there we go.

So we go into there as nginx. We can type bin/console cache:clear. Make it prod. This is a side effect of me installing this project as root using Composer: the binary files, /bin, are stripped of their executable privileges. Let's try that again. So what we were doing, because we were generating the prod cache. And this just sort of helps; if you do any updates or anything, the cache gets stale. We shouldn't have had to do that because it was the first time we installed it. But it's safer to do it than not. I think it's more force of habit.

Okay, so now we need some Nginx config to go with this, and we'll call it generator.conf. Now, most of this you're going to be familiar with; let's paste in the first part. So we've got listen on port 80, we've got the domain name, and we've got the root directory, so pretty standard. And then we just need to tell it how to serve the files. And instead of throwing a 404, we'll just route everything through to the index.php, because a lot of web apps run everything through a single file to generate all the HTML. And this is a PHP block; you can see it's looking for index.php, and it will run it through the FPM socket, so it's all pretty standard now.
This bit you haven't seen before is the environment variables, and this is a way of passing data into the application. So we're telling it environment prod. We're giving it some sort of secret, and it was after a variable called GA tracking, and if you needed to pass it a database, then this would be how you did it. But this particular application has no database or no need for a database. And then we're just overriding the script filename here and the document root. And finally, to finish off, if there's any other PHP, we just return a 404, because the only PHP file we want them to execute is the index.php. We reload that. Hopefully... actually reuse that window; go to generator.offdan.com, or generator.example.offdan.com. There you go, so it's quite happy working. And that's how you set up a more complex web app. I'll see you in the next example.

20. Examples: HTTPS Terminator: Previously, I've spoken about how to install a web app, my password generator. Now passwords are a sensitive thing, so we probably should be using encryption. In fact, a lot of the Internet is moving, or the general trend is everybody should be moving, towards encrypting all the websites, from the banks all the way down to the blogs, because it just gives people a bit more privacy. So maybe we should set up this password generator with some encryption. Now to do this, I could just put it into the Nginx config directly. But what I want to do is show you how to create an HTTPS terminator. So we're gonna leave the generator running on the web host on generator.example.offdan.com. However, just remember, this could be anywhere. This could be even local. So 127.0.0.1. This could be 127.0.0.1 or localhost, something that nobody else could get to directly, but they have to go through your terminator to get to it. If you've got a web certificate then, or an SSL certificate, then this is gonna be easy. If you don't and you have to,
if you want to pay for it, then there's a lot of hoops you have to go through. There's a third option, where there's a company called Let's Encrypt who are giving away free certificates, and a bit of software that, as long as the incoming connection can get to your server, then they'll validate and give us a certificate for three months, and it will automatically renew for you as long as the cron job's right, which is installed by default.

To get this working, we need to install Let's Encrypt. So we go over to letsencrypt.org and what we need to do is "Get started", and this is their site to help you get going. So we're using Nginx, and we're using Ubuntu, but they don't seem to have the latest version, but no matter. So what we can run is this, because we've done this before to get the actual Nginx installed. That's the PPA. And then we don't need to do apt update. Then we also need to do apt install certbot, and that will install a few dependencies for us as well. Right, so that's just telling us we need to restart services. So service part, let's go.

So what we're going to do is we're gonna go into Nginx again, and what we're gonna do is create another one called password.conf. And what we need to do is we'll take this block. We call it password.example.offdan.com, and instead of redirecting (because this one was in preparation for going to HTTPS) we change that and just give it the root of /var/www/html. Now the reason for this is the software is going to try and establish a connection between this domain name and the file system. So it's gonna write something on the file system and then try to fetch it. If it's successful, it'll give us a certificate. If it's not, then we'll be denied. So this is kind of like a get-you-started. Service nginx reload. So we need to type certbot certonly --webroot -w and we'll give it /var/www/html. Now, this directory needs to be a permanent home.
Otherwise you're gonna have to change the configs. Pick somewhere that's not going to change. Maybe actually let's give it certbot. We'll have to create it and set it up in a minute, but it's probably for the best. We need to give it the domain name we want to secure. So we want password.example.offdan.com. Yeah. So make that directory, and we also need to go in and change this. Okay, so you've got the directory, certbot, we're telling it that, but we need to give it an email address. Okay, so it's waiting for the verification and, congratulations, we've got a certificate. Perfect. If you don't have a certificate, you need to double check that that path is set up correctly. So you should be able to manually create a file in there and be able to access it.

I'm going to actually change that config, and what we're gonna do is we're gonna put a location block in there for .well-known, so that way when the location is checked, then it would go straight off into that directory. If not, it will then redirect us to the HTTPS version of the website. So if I try to get to password.offdan.com, we're currently forbidden. Now if we restart. Yeah, so it's redirecting us to the HTTPS version.

Now, if we go back into this config, because obviously we need to give it a bit more config. So we need to give it an HTTPS version. So we'll start that with another server block. If you're wondering what this colon colon stuff is, this is it listening on an IPv6 address. We've also got http2, which is the latest version of how web browsers can connect to the server, and this is just enabling it. But you need HTTPS to do that for most of the time. And also, this is the most important bit: we're telling Nginx that it needs to be in HTTPS mode for SSL, and then we need to actually give it an SSL certificate. And that is just gonna be the name of the first domain name that you passed into certbot, and fullchain.pem.
And we also need to give it the key, which is gonna be the same format: password.example.offdan.com/privkey.pem, semicolon. We don't need to give it a root because we're gonna pass it off onto another application, so actually the root is irrelevant. If you want to put some access logs in, you could do that. And the magic is in the last bit. So everything gets passed using a proxy onto the localhost. But we also need to change that to port 80. So this could be anything. This could be another server, it could be a different port, anything. But we need to pass in the real IP address, which we could use another day in time if we needed to. We need to tell it the hostname we're trying to get to. So in this case it's generator.example.offdan.com. It could be, if you want, to use $host instead, and we want to pass in the same hostname. So if you're moving from one server to another, then you'd use $host here. And we're just saying it's been forwarded.

Okay, save that and give that a go. It didn't quite work. It redirected us. So let's check and see what went wrong there. My favourite companion, curl. That's password.example.offdan.com, which has been purposely moved to HTTPS. Great. It's a good start. For some reason, that is redirecting us. But at least the HTTPS certificate worked. For some reason, this password generator doesn't like being inside a proxy. I can't figure out why. So what I'm gonna do is I'm gonna change it back onto the static website, and that at least will show it working. So we're just changing the host we're trying to get to from the generator to example. We save that, and if we just nginx reload, we'll see. Because it's changed the URL, we're gonna have to type it in again. So password.offdan.com, password.example.offdan.com. And there you go. We've got a little padlock. URL hasn't changed, so the issue isn't with our HTTPS terminator.
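The HTTPS terminator described in this lesson, written out as an added example rather than the instructor's own file. The host names secure.example.com and backend.example.com and the /var/www/certbot webroot are assumed placeholders; the certificate paths follow certbot's standard /etc/letsencrypt/live/ layout.

```nginx
# Added illustration, not the course's own config. Host names and the webroot
# directory are placeholders.

# Port 80: serve the ACME challenge files certbot writes into the webroot,
# and send every other request to HTTPS.
server {
    listen 80;
    listen [::]:80;                                  # "::" is the IPv6 listener
    server_name secure.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;                       # same path passed to certbot with -w
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS here and hand plain HTTP to the backend.
server {
    # "http2" on the listen line matches the course era; nginx 1.25.1 and later
    # prefer a separate "http2 on;" directive.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name secure.example.com;

    # The directory is named after the first -d domain given to certbot.
    ssl_certificate     /etc/letsencrypt/live/secure.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem;

    # No root: nothing is served from disk in this block.
    location / {
        proxy_pass http://127.0.0.1:80;              # could be another server or port

        # Which virtual host the backend should select. Use $host instead when
        # the backend answers to the public name.
        proxy_set_header Host backend.example.com;

        # Tell the backend who the client was and how it connected.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A backend should honour the X-Forwarded-* headers only when the request arrives from the terminator's own address (127.0.0.1 here); any client can set them on a direct connection.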
The issue is with my Symfony application not liking the terminator, and what happens is it's detecting this and it's just changing the URL instead of complying and accepting this new URL. So at some point, I'll update this lecture when I've figured out what is wrong with this particular application. But until then, this is how it will work for most applications. Just occasionally you'll run into this issue, and we'll figure out why together. I'll see you in the next example.

21. Examples: HTTPS Terminator - Update: I'm sorry about the last example, where I tried to use Symfony and use the HTTPS terminator with it. Unfortunately, they improved their security so that if you try to proxy it and the hostname changes, then it's not gonna honour it, because it thinks it's, ah, an attack. So you have to tell it to let it through. So I finally got it working, as you can see here, and how did I do it? Well, all it came down to was a single line change. In the old version, or the current version, it honours all the forwarded headers except the forwarded host, which is a shame. So what I've done is I've literally removed this piece. And I'm gonna put it in the resources so you can just copy and paste it if you want to. There is another bit, that you specify this X-Forwarded-Host header.

The other config change you need to make is in the application, to tell it that it is allowed to trust a proxy IP. So if we go back into the generator.conf and if we scroll down. So here are the environment variables that we've had previously. And it's this one that's important. This is a comma-delimited list of IP addresses that Symfony will trust. And this is another piece of the puzzle. So we need to say that we're trusting it. We also need to say we're gonna follow the host and it's not something nefarious. The other config change you need to make is in the application, and this is in the application that does the actual forwarding.
But because we're telling it, or we've told it, that 127.0.0.1 is a safe proxy, it's kind of one of the headers. So this is that header. So with these two headers, it will work, as long as you tell it that it is allowed to. I'll see you in the next example.

22. Examples: Load Balancer: We've seen how to proxy an application. What happens if one server is not enough? What happens if, to handle the load, we need one, two, three servers? Well, that's where load balancers come in. Now you can pay DigitalOcean 20-plus dollars to do this for you, and it might be a better solution. It might not, but for $5 you can build your own and get good enough, especially as you can be in control of the HTTPS certificates. Whereas with DigitalOcean, if you want HTTPS on your load balancer, you need to point your DNS at them, which a lot of people might have problems with. I know I do, because I don't want to have to recreate my DNS in that way. This is preferable.

A load balancer allows you to scale your application traffic across multiple servers. So rather than having one large VPS, or droplet, which is mostly underutilized, you can have lots of little servers. In fact, you could have one or two, and when you start to get more traffic, you can add more as required. And when the traffic tails off, you can remove them. This allows you to scale your costs based on the traffic. You can automate this, but it's beyond the scope of this course, as the implementation will vary depending on provider and application.

Load balancing in Nginx is very similar to the previous example, the HTTPS terminator. In fact, you could add the upstream from here and change the proxy pass of 127.0.0.1:80 to the proxy pass example server and you'll be done. You'd even have HTTPS. So let's connect to the server. We'll go into that config directory for Nginx again, and this time I'm gonna call it balancer.conf. So we've got some upstream servers.
These are the servers that do things. In fact, actually, with this way round, this works because, obviously, of the catch-all domain name, and it also works because I've got the default website, which is gonna be serving the static site, which is what we're gonna load balance. So this is just defining them. So when I refer to example server, it's gonna pick one of these. So we need to listen, and we're gonna listen on port 80 on balancer.example.offdan.com, and we're gonna pass all traffic through to one of these, and then you can see the example server, and that should just work. balancer.offdan.com? Yeah. And what we can do too is that we can set the header. We'll set the Host header. And if you remember my PHP domain, that would give us a lot of information. So in theory, we should start seeing that. So I reload balancer. And there you go. In theory, in here should be a host. And there you go, there's the hostname. So that is how you set up a very basic load balancer. I'll see you next example.

23. Examples: Moving Servers (HTTP): Suppose we have a website on a server, but we wanted to move it to a different server. How would you do it? You're probably thinking: install and set up a new server and change the DNS to point to it. This will work with a simple site or a site that doesn't change, though. No database. But DNS takes time to change. I often quote 48 hours for it to fully take effect, and you can never be 100% sure when everybody will get the updated record. Usually some people get it within an hour. Other people, it would take the full 48 hours. There are things you can do to speed this up, like drop the TTL, the time to live, on the DNS record. It works for most but not everybody. And there's only so low you can drop the TTL before it becomes a burden on your website. If you dropped it down to 60 seconds, then every 60 seconds your users will have to query whether or not the DNS has changed. To drop the TTL, you need to do this a few days beforehand,
otherwise you're still waiting for that record to update. Also, what happens if it goes wrong? What happens if you update your DNS to this new server and it goes horribly wrong? Maybe the server crumbles under the load. What if there was another way? You can use Nginx to proxy from your old server to the new server. So let's do that now.

What we're gonna do is move my website from one server to another. I don't want to really do this, so I've duplicated it on a domain name, moving dot example dot off dan dot com. And what we'll do is we'll move it from one of my servers to a different server. Let's assume that my website has been running on the server you've been seeing all this time, on the 167 address, and I'm moving it to a completely different server that you've never seen before. And I've installed it and it's working fine. I've double-checked it with the hosts file and everything, and we are gonna work on the proxy. And the idea is all the traffic is currently coming to the old server, and we're going to replace the current working Nginx config with our own example to proxy it to this new server. This is what the moving example looks like when I've edited the hosts file. So when I've removed the hosts file entry, it actually looks like this.

Let's connect to the server. And again, we'll have to go to the Nginx config directory. And we're gonna edit something called moving.conf. Like normal, we need a server block. We're gonna need to listen on 80. We need a server name, and that's just gonna be the one we've been playing around with. Example off dan dot com. And then what we're gonna really need is a location block to catch everything. Now, it's up to you if you want to turn the access logs off, because otherwise you'll end up with duplicate logs: you'll end up with it on this server, but also the other server. And then we need to configure a proxy.
So first of all, we need to tell it where the server is, and I recommend using the IP address because we're messing around with DNS, so the IP address is a lot more exact. The main lines you need to worry about are these: proxy_pass, and that's the destination server, and that's basically the new IP address. And this proxy_set_header for the Host, so the new server knows which website you're after. You don't need to use a variable. You could just hard-code this in. But as we're moving the same website, it seemed a bit redundant to specify this host name here again. It just means that you can just copy and paste this block of text as many times as you want. This real IP, it means nothing, but is there in case you need it in your application to get what the real IP address is of the user. Because at the moment, any traffic that goes through this proxy will be getting the proxy's IP address, not your user's IP address. This last one is to tell the destination server that it was a forwarded request. And this is the proxy IP and the remote address. And that's what's in this variable here. This won't take effect unless you enable it at the other end. For this purpose, we don't really need it because it's not gonna be going for that long, two days at most.

And so what we need to do is we save this and we do nginx reload. In fact, config test first and then reload. And now there you go. It's processing. It's processing everything through this. And now, because we've confirmed that it works, we could update the DNS now, leave this running for two days, and then take out this config. In the next example, I'm gonna do this again using HTTPS. I'll see you in the next example.

24. Examples: Moving Servers (HTTPS): Previously, I showed you how you could move an HTTP website from one server to another, using Nginx as the proxy. So this time, let's try it with HTTPS.
I know my website is actually an HTTPS site, and when I duplicated the config, I had to turn HTTPS off. So why am I making a second video about moving servers? Why is HTTPS harder than HTTP? Well, if you bought your certificates, then it's easy. You just install them on the new server, and when you swap the traffic over, there's no problem. But when you're using Let's Encrypt, that's a different matter. Let's Encrypt uses your web server as a means to validate whether you're allowed a certificate or not. So if you're trying to install Let's Encrypt on a different server to the one the DNS is pointed to, then the check is going to fail. So you can't get a certificate until the DNS has been updated, and you can't move your traffic until you get a certificate. Well, we've got a catch-22.

So how can we solve this dilemma? Well, we've got a few ways. One, we copy the certificates manually, but we still have to set up Let's Encrypt later. Two, we could use Let's Encrypt's DNS challenge, but that's beyond the scope of this course. Third way, we could use Let's Encrypt manually, but the problem with that is it's going to expect you to renew it manually as well. So the only real way we can do it is using the webroot aspect of it, and there's two different ways. So the fourth way we could do it is, when we're doing it, we can debug the challenges. So what will happen is you run the command with this debug challenges flag, and it will wait. So it will create the files on the file system and then wait. And what you can do is you copy and paste those files that it created, with the same name and the same contents, and put them onto the web server that resolves the domain name you're trying to get a certificate for. And this is a perfectly valid way of doing it. I have done it in the past, but I prefer the fifth way, which is you can actually just proxy the request. What Let's Encrypt will do is it will make a request to your website with the URL, something like .well-known/acme-challenge
and then a random string. And all it needs is the content back. It doesn't matter that it's a different server fulfilling the request. It doesn't know, it doesn't care. It just knows that it needs that response to say that generating this certificate is a valid thing. So we're gonna proxy the request.

In this example, we're gonna be moving the website back to the other server, so the IP address is gonna swap around again. So let's connect to the server. And this is our new server, the server where we're going to move the website to. And at the moment, the DNS isn't pointing to it. And we can prove this by trying to get the certificate, the web certificate. So we're gonna do it all as normal. So I directory Sir Paul on this is because when it comes to renewing, the certificate is going to keep working. What we don't want to do is do some complicated stuff now and in three months' time the certificate doesn't renew. And that is why we're going to the trouble of redirecting or proxying the Let's Encrypt request, because once it's happened, will approve this certificate. And when it tries to do it again, you'll have moved the DNS over. So we try and do this now. Missed certonly. Try again. So it's doing the verification, and there you go: invalid response. So it's not pointing at the right server, so it doesn't know, it can't validate.

So what we need to do is we need to go to our old server, the server that's currently got the DNS pointing to it. Okay, so this is my old server, and it's a little out of date, but that doesn't matter. So let's have a look at the config for our live website, and that is in a slightly different place to the other server. So just by looking, you can see that I'm listening on port 80 and 443, and then you can see the server name there. We only need to make a tiny change. In the previous one, we used a location block to grab all the traffic and redirected it to the other server.
In this example, we just need to cherry-pick the exact thing we need. So let's go up to the top, because we don't need to worry too much about this. So what should we do? Right, we'll start by typing in a location block. I'm not gonna worry about formatting for this because it's only a temporary measure. And yes, we need to start with slash. But as I said earlier, certbot only makes the request in a directory called .well-known/acme-challenge. Why don't we just do that? So I'll type .well-known. Now, we don't need to use acme-challenge, but there are other things that live inside the well-known folder as well. I keep finding new ones every day. It's mostly to do with Google and Chrome, but that's another discussion. So let's put it in there. If you don't need it, then it doesn't matter. But at least you'll know how it's spelled. And we create the block. Okay, so we could turn access logs off, but it's not permanent, and it might help us with debugging. And then we just type in what we've typed in before. But this time the IP address is the other server, and this will be whichever server's new for you. That's it. All we need to do is save and then reload Nginx. Your website will still work because the only thing we're changing is this well-known directory, or the acme-challenge.

So we go back to our old server. If we go back to the new server and we re-run our command, this time it should work. And we haven't had to worry about any DNS changes. Oh, forbidden. That was unexpected. The chances are that will work for you. But I had forgotten one thing I'd done with my site. I stop certain file combinations from being accessible, and this is interfering with this particular location block. So we need to make a subtle change to the config to make it work. So all we need to do is go in here. We're gonna make it a regular expression like that. But we're also going to use this caret symbol to override any other location block.
So this one will be the default one, and that should be it. So we save that and we reload again and we try this again. We've created our own problem here, where in the previous lecture we set up the forwarding from this server to the old server. We're now going the other way. So we need to say, well, the redirect or the proxying on here, because obviously this is going to send it back and the other side is going to send it back, and you're going to end up with a really bad request. For the moment, let's move that proxy and we'll put in here our catch-all for the well-known directory. Let's reload Nginx. Hopefully this time when we redo this it should work. It's working. Not quite sure what we've done there before, but let's keep the existing certificate. But that's how you get the certificate, and you can copy your website, your database and your Nginx config, because you will have the SSL certificate, or the HTTPS certificate, to allow your website to seamlessly move from one server to another. I would recommend you do this within three months, because otherwise you'll need to renew on the old server first. So that's how you get an SSL certificate, or web certificate, using Let's Encrypt when the DNS is not pointing to that server.

25. Example: Security: Out of all the websites we host, WordPress is the most attacked. This is because it's one of the most popular pieces of software online. However, you can also give yourself a big head start with security and WordPress, and any other application for that matter. How can you do that? Well, we can tell Nginx to lock down the admin directory. You can use this on a specific directory or you can use the whole site. Doesn't matter. But we have two ways we can do it. One is by using a name and password, which is also known as basic auth. And two, we could lock it down by IP address or a range of IP addresses. Both will stop someone accessing the WordPress admin when they aren't authorized.
And if they are, they still need to log into the WordPress site. IP address restriction is very simple to set up, but it requires that you have a static IP address. If you don't know that you have a static IP address, then you're likely to have a dynamic one. If you do have a dynamic IP address, then this will work, but you will need to update your Nginx config every time your IP address changes, and that could be every hour or every couple of months. So it's probably best to stick with basic auth. If you want to get clever, you can also combine both of them and require somebody to use the correct IP address and know the user name and password to be able to log into WordPress. You could even apply these restrictions to your whole domain rather than the subfolder, which would be useful for a staging site.

So let's begin. So I'm gonna create a new config, and I'm gonna call it security. And here's one I prepared earlier. So all this is is a very basic Nginx config just to serve out the files in slash and passing through the PHP, with the server name of security dot example off dan dot com. So I save that, and we'll just make sure it works, and there we go. So this is just a very basic WordPress site. I've only just installed it, and we're going to the dashboard. You can see the URL is wp-admin, so let's make some changes. The first thing we need is a location block. So for WP admin, that's wp-admin, and this will capture anything that goes in that directory. And then finally, do the try_files. Great. So if you know your IP address, you can just type it in here, just like that. You can specify more than one IP address. In fact, I usually recommend adding in localhost as well, just in case of, like, cron jobs or things like that on the server that need to get access to itself. You don't have to, but just be aware that you might have to. And then what you need to do is say deny all.
And that just means unless there's an allow statement that's been triggered, then you're denied. And for IP restrictions, that's it. You could save it here, do nginx reload, and that's the only thing that will work. So if I didn't come from this IP address, either of these IP addresses, then I couldn't get on. Now, obviously the other way was usable, and that is quite straightforward. So what have I pasted in here? Well, we've got auth_basic, and that is just enabling it and telling Nginx what the realm is. I've called it Restricted. It doesn't really matter anymore. In the old days, it would be the title of the dialog box that your browser popped up. You'll see it if you connected using curl. And we've also got auth_basic_user_file, and in there is a list of all the user names and passwords that are valid. So we need to create that, because at the moment it's going to fail because it's empty and it doesn't exist.

Now, this file can live absolutely anywhere you like, but for simplicity, I'm just creating it inside the Nginx folder. And there are some easy ways to do this. The one way I'm gonna recommend doing is by installing something called apache2-utils: apt install apache2-utils. That just installs a couple of utilities that allow you to easily create passwords, and the program we're interested in is htpasswd. And this is how you use it. So at the moment we haven't created the file, so we're gonna need to pass in -c. So let's type in the command, we definitely need -c. The password file is auth on. It was users, and we need to give it a user name. I'm just going with Dan for the moment. Now, if I press enter here, it will prompt us for the password, or we can type in -b, and basically following this one we can pass in the password up here. And if you have a look at that file, it's just a single line with the user name, colon, and then the encoded password. So let's load this up and reload, and we're forbidden.
Okay, I think we might need to reload Nginx because the file was created afterwards; the file was created after Nginx was reloaded. And it actually might even be falling back to the IP restrictions. So there you go. And if I type in the right password, it kind of works. Everything except that. Hang on a second, I'm not sure why Nginx is having a problem with wp-admin slash. And when we put slash index dot PHP, it works fine. Um, I'll try and figure it out. But until then, sometimes you just have the odd bug that makes it very difficult. As much as I would love this to work as is, if we just add in a little hack just to redirect slash admin, slash WP admin, to slash WP admin forward slash index dot PHP, it's just going to start working, and then you can move on to do whatever it is. So if we save that, and if we reload, you can see it has redirected us to slash index dot PHP, and that works.

And what we can also do: suppose you don't want someone to have to enter the user name and password every time and they're on a static IP address. We can use both, so we can allow the IP addresses. If they work, great, then they don't get prompted. If it doesn't work, then you fall back onto this basic auth. And that's it for this security. I'll see you in the next lecture.

26. Example Block by Country: Normally you'd want to serve your website to everyone. However, there might be an occasion where you want to serve your website to only one country, or forbid your website in a particular country. An extreme example would be the new GDPR legislation. Some website operators feel the need to block everyone in Europe. So I'm gonna use the example of trying to block Great Britain. And for this we need to make sure we have installed GeoIP, which, when we installed Nginx, I got you to enable that module. There's version two, but it requires compiling it yourself, and I feel like that's a little bit of overkill for what we're trying to do. Just be aware that it was an option.
There's a company called MaxMind that offers a free downloadable database. And they used to support version one, and they stopped at the beginning of 2019, and now they only offer it in version two. Thankfully, somebody has rewritten it. They have taken the database and recompiled it in version one, and that's what this is. I'm gonna put in the resources a link to this website. You've got various versions of the database. You've got MaxMind's version or DB-IP. I haven't had the pleasure of using DB-IP yet, even though it looks like that's their preferred one. And you've got it by country and by city. The country will tell you the continent and the country, and the city will then break it down into which city the IP addresses are in. For this, I'm just gonna use the country. But just be aware that it's an option to be a bit more targeted.

This database isn't going to be perfect. You're gonna have IP addresses that get moved around, because that's what ISPs do: they reallocate their IP addresses sometimes, and they'll update a list. But as you see, this website will update and there could be some lag. It could be that some IP addresses get forgotten, so it's not wholly foolproof. If your server is only operating on IPv4, then you can just get this version of the database. For safety, I've got my websites operating on IPv6 and IPv4, so we might as well get both. Right, I'm gonna put this in the directory, and I'm gonna call it geoip, and we'll take that URL, we'll download it, and we also then need to decompress it. Great. I mean, if we want, we can move that to that file, so we have an idea what's in it. And then we can just do the same again for the city one. Or if you want to do the DB-IP one, it's entirely up to you. So we've now got three files in there, but as I said before, we're gonna use the country one, because as it's a smaller database, it's more likely to be correct.
What I'm gonna do, because this GeoIP stuff needs configuring, is add this into the Nginx config. Ah, I'm not even in the Nginx directory. Okay, so let's just move everything into Nginx, and we'll move over there as well. Now you see the geoip directory inside my Nginx directory. And now, if we edit the Nginx file, which does exist, what I'm gonna do is I'm gonna put these files in here. Yeah, we don't have to specify. And if you want the DB-IP one, then you would just change it to the right file name. But that's that. So we've done the general setup for Nginx.

We now need to create a site for this, and what I'm gonna do is I'm just going to duplicate my existing password site, and I'm just gonna call it region.conf. So this is just the same as the previous one, but let's just change it a little bit. So obviously I want the root directory to still say generator, because I don't want to go to the hassle of recreating a new website. I want to show you this working as it is, and we can just remove a lot of this, because it's what we were playing with before. Okay, it's a basic Nginx config to serve a PHP application. Just briefly save that.

Now we need to tell Nginx what it is that we want to allow and disallow. And what we do with that is we have a map. It is kind of like an array of things that Nginx uses as a lookup, and we need to give it a variable to use to match against and a variable that the answer gets set to. So we've got geoip country code and then allowed country, and the default. And the default contains the value that will be used if it doesn't match anything else. So if we want to block Great Britain, we would say yes to everything else, and then for Great Britain, or GB, its two-letter country code, we would say no. If we only want to allow Great Britain, then we would say yes to Great Britain and the default would be no. So now we've got a map. How do you use it?
Well, what I'm going to do is I'm gonna create an if block in here, and we're just going to use the variable that we specified at the top, allowed country. If we're allowed, then we're gonna basically just reject everybody. And I believe HTTP code 451 is because of legal requirements. So if I save that and nginx reload, and then agent example dan dot com. I think I've just realised, actually, you don't need colons there. That's, ah, me using PHP syntax slightly. The other thing we need to do is copy and paste this if statement and place it into the location block for PHP. Otherwise, if you know the name of the PHP script, you'll end up bypassing the first location block and then call the script directly without getting our 451 error. All right, let's give that another go. Great. So that looks like it's actually doing what we wanted to do. Let's just confirm it. There we go. So code 451, brilliant. So it's not actually showing us anything. But let's flick it around the other way. And so, yes, when we start, okay, so it's definitely working.

So hopefully that map makes sense, and we could add extra ones in here, and you could have all manner of different types of config. My graphic at the beginning was a bit misleading because it said no to Britain but yes to Europe. And you can't quite just say yes to Europe and no to the rest of the world. You'd have to put them all in manually. So there is a list of codes; you'd have to put them all in, especially if Great Britain ends up leaving Europe. It could make things a bit difficult, so let's just stick with that for the moment.

Now we want to control what we show, and what we're going to do is do that with our error pages. And we know the error code, because there it is, and we're going to create that 451.html file. But because we've told Nginx to not serve any files to us, we need to override it. So if the actual document being requested is 451, then we need to serve it. Now,
I'm changing the root to /var/www/html because that's where I'm putting all my error pages. And this image here is because that happens to appear on the error page, just like the holding page or the maintenance page. So let's save that, and what we'll do is we'll go over to that folder, and what we'll do is we're gonna copy. Now, let's change it, because at the moment it's a maintenance page. Just putting a little message in there, and if you happen to have your main website, you could link to it for support, then so be it. And obviously this will never fix itself. And we'll save that. So now when we restart Nginx or reload it, it doesn't matter. And there you go. That's the holding page, which for some reason the image isn't working. Oh, this is because it's going to be on every single page, and we've probably, yeah, that's it. We've left it to look for the file, the image, in the current directory. An easier way would be that if you had this image stored on a CDN like S3 or some other hosting, then you wouldn't need to worry about making exceptions for it. And if we reload that again, there you go.

Well, just for completeness, there's a lot more variables you can actually play around with. So we've used geoip country code. Now there is a big old list that you can use, and let me pull that up for you. So there you go: you've got the country code, three-letter country code. If you want to, you could do it by country name. I wouldn't recommend that. But if you're using the city version of the database, then you just need to use geoip_city, and then you've got continent code, country code, country name. And if you wanted to, you could pass it through to PHP as well: fastcgi_param. So what do we want? And, uh, we'll just pass it through the country name. And to make this easy, we're going to say yes, because otherwise we won't see anything.
If I reload that, then somewhere in Symfony it'll actually tell us. I look for GeoIP country, and there you go. If you use the city GeoIP file, you could pass through things like longitude, latitude, city, all those kind of things. The one thing to bear in mind is, if you advertise that you use location-based services using all this, then you've got to use the share and share alike thing. So if we go back to that guy's website, you will use the Creative Commons share alike license. And I believe you'll end up having to do the same for GeoIP as well, for MaxMind, just like they've had to do here. That's just going to pay him on. I'll see you in the next lecture.

27. Conclusion: That's all the examples of Nginx I have for the moment. Hopefully, by now you realize that Nginx can be used in a multitude of ways. But if you haven't been exposed to them, how would you ever know what was possible? A little bit of googling, but wasn't it better to have it laid out in front of you? I hope that after taking this course, you're buzzing with ideas and new possibilities. Hopefully, I've sparked an idea, a new way of thinking. Please reach out if you think there's another way that I've missed, or that you want more information about any one of the ideas I've gone over. I sincerely hope that you've enjoyed these examples of Nginx, and hopefully, if it's not too much trouble, could I ask that you leave me a review and let me know what you liked or didn't like about this course. Thank you, and goodbye.
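
The two proxy setups described in lessons 23 and 24, written out as an added example; this is not the instructor's on-screen config. The host names, the root path, the header names and the 203.0.113.10 / 198.51.100.20 addresses are placeholders and assumptions, and the commented `set_real_ip_from` lines need ngx_http_realip_module.

```nginx
# --- OLD server (DNS still points here) ---------------------------------

# Lesson 23: temporary catch-all proxy for an HTTP site during the DNS change.
server {
    listen 80;
    server_name moving.example.com;              # placeholder host name

    location / {
        access_log off;                           # optional: the new server logs the request too
        proxy_pass http://203.0.113.10;           # new server, by IP (placeholder)
        proxy_set_header Host $host;              # new server selects the site from this
        proxy_set_header X-Real-IP $remote_addr;  # visitor's address, for the application
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Lesson 24: the site is still served here; only Let's Encrypt's HTTP
# validation path is forwarded so certbot on the new server can succeed.
server {
    listen 80;
    server_name secure.example.com;              # placeholder host name
    root /var/www/site;                          # placeholder: existing site stays as it is

    # "^~" is a prefix match that also stops nginx checking regex locations
    # (for example a rule denying certain file names) for this path.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://203.0.113.10;
        proxy_set_header Host $host;
    }
}

# --- NEW server ----------------------------------------------------------
# Inside the site's server block. X-Real-IP is honoured only when the
# request comes from the old server, so visitors cannot spoof their address.
#     set_real_ip_from 198.51.100.20;   # old server's IP (placeholder)
#     real_ip_header   X-Real-IP;
# Do not leave a lesson 23 style catch-all proxy on this side pointing back
# at the old server, or validation requests bounce between the two.
```

Run `nginx -t` before each reload, and remove the temporary blocks once DNS has fully moved.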
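
For lesson 25, an added example (not the instructor's config) of locking down wp-admin with IP allow-listing and basic auth combined. The server name, paths, PHP-FPM socket and the 198.51.100.7 address are placeholders, and `snippets/fastcgi-php.conf` assumes the Ubuntu nginx package layout.

```nginx
server {
    listen 80;
    server_name security.example.com;        # placeholder host name
    root /var/www/wordpress;                 # placeholder path
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # "^~" stops the top-level PHP regex location below from taking over
    # /wp-admin/*.php requests, which would skip the restrictions here.
    location ^~ /wp-admin/ {
        satisfy any;                         # pass if EITHER the IP or the password check succeeds
        allow 127.0.0.1;                     # localhost, e.g. cron jobs calling the site
        allow 198.51.100.7;                  # placeholder static admin IP
        deny all;

        auth_basic "Restricted";
        # Placeholder path. Created with: htpasswd -c <file> <user>
        # Letting htpasswd prompt (instead of -b) keeps the password out of
        # shell history and the process list.
        auth_basic_user_file /etc/nginx/htpasswd;

        try_files $uri $uri/ /wp-admin/index.php?$args;

        # Nested, so PHP under /wp-admin/ inherits satisfy/allow/deny/auth_basic.
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
        }
    }

    # PHP for the rest of the site. wp-login.php lives outside /wp-admin/
    # and is not covered by the block above.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Changing `satisfy any` to `satisfy all` requires both the listed IP and the password.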
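
For lesson 26, an added example (not the instructor's config) of the country map, the 451 response repeated in the PHP location, and the error page override. The database file name, host name, paths and socket are placeholders; `geoip_country` needs ngx_http_geoip_module and a version-one format database.

```nginx
# http context (nginx.conf, or the top of the site file it includes).
geoip_country /etc/nginx/geoip/country.dat;   # placeholder file name

# Lookup: $geoip_country_code in, $allowed_country out.
# Addresses missing from the database produce an empty code and get "default".
map $geoip_country_code $allowed_country {
    default yes;
    GB      no;       # to allow ONLY Great Britain: default no; GB yes;
}

server {
    listen 80;
    server_name region.example.com;           # placeholder host name
    root /var/www/app/public;                 # placeholder path
    index index.php;

    error_page 451 /451.html;

    # Exact match with no country check, so the error page itself is served.
    # Images it references need a similar exception or external hosting.
    location = /451.html {
        root /var/www/html;
    }

    location / {
        if ($allowed_country = no) {
            return 451;
        }
        try_files $uri /index.php$is_args$args;
    }

    # The same check again: a request naming a PHP script directly lands in
    # this location, not in "location /", and would otherwise bypass the block.
    location ~ \.php$ {
        if ($allowed_country = no) {
            return 451;
        }
        include snippets/fastcgi-php.conf;    # assumes the Ubuntu package layout
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;   # visible to PHP
    }
}
```

The checks sit inside the locations rather than at server level so that the internal redirect to `/451.html` is not rejected by the same rule.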