CloudFront and WordPress

Lots of tutorials and articles out there talk about a popular combination of CloudFront (CF) / WordPress (WP) / S3. In my case I don’t want to use S3 (why? because I don’t need to and don’t want to pay for it). I want to cache files stored by WP, which in my case is using block storage. So, how do you set up CF with WP but without S3? Pretty easily, really. Here are the steps I took and the potholes I fell into. For the WP part I followed this post: https://blog.lawrencemcdaniel.com/integrating-aws-s3-cloudfront-with-wordpress-2/ (the section about plugins was most useful). For AWS I followed this post: https://aws.amazon.com/blogs/startups/how-to-accelerate-your-wordpress-site-with-amazon-cloudfront/. There were a few gotchas along the way, so I’ve tried to point some of them out below.

DNS and certificates

As far as your DNS records go, all we really need to do is point the www record as an alias to the CF URL and then point the apex record to the IP of your EC2. In the Origin setup, specify the Origin Domain Name as the apex record (not www). In my case this is just wojtek-kedzior.com. Don’t forget to set HTTPS Only if you are using an SSL certificate. It’s worthwhile mentioning that you will want to add both your DNS records to the Alternate Domain Names (CNAMEs). In my case these were www.wojtek-kedzior.com and wojtek-kedzior.com.  My DNS setup looks like this:

wojtek-kedzior.com.  A   <ip to instance> 
www.wojtek-kedzior.com.  ALIAS  d1l97lizsxt89f.cloudfront.net.

Not having a wildcard certificate complicates things somewhat, as you only have two DNS records to work with. Ideally you would refer to your distribution through something like cdn.domain.com. You still can, but if your certificate was issued only for domain.com, using sub-domains will yield certificate errors.

No redirect when hitting the distribution URL.

Make sure to set “Default Root Object” to ‘/’. Since CF doesn’t follow redirects it will show your page from the origin, but the URL will stay as the distribution URL. Setting the root object means a redirect happens immediately after hitting the distribution URL. One note worth making: even though the distribution URL is public and may be easily found, if your page is set up correctly, clicking any link on it will redirect you to your proper URL.

CloudFront is caching everything

Make sure to add behaviors to control what really gets cached. Most, if not all, content under /wp-content/ and /wp-includes/ is static, which makes it a candidate for caching. Since WordPress relies on cookies, make sure your default behavior (the ‘/’) forwards all cookies and query strings. This ensures that your webserver gets all the info it needs; otherwise weird things start to happen. One of the bizarre issues I ran into was the slash missing between the domain and the rest of the URL. Although the webserver had the slash explicitly defined at the end of the domain, there was no slash to be seen in any of the links rendered in the HTML.

For the WP admin pages you’ll need to allow the POST method in the distribution config.

Disabling Canonical URL Redirects

One ugly hack which is required is to update the functions.php file of your theme to disable canonical redirects. Otherwise what happens is that you get redirected to the origin, which is something you don’t want – the distribution should be doing that. In other words, the server generates a 301 redirect, which the distribution returns to the client. The problem is that the redirect points directly to the server, which cannot be accessed because the security group only allows traffic from the distribution. More on that later. You can also end up with a redirect loop here if you force the redirect URL to be that of the distribution.

// disable WordPress's Canonical URL Redirect feature
remove_filter('template_redirect','redirect_canonical');

Source: https://www.dev4press.com/blog/wordpress/2015/canonical-redirect-problem-and-solutions/

On admin pages there is also a reference to a canonical URL with the old value. To fix it you need to remove the reference to the canonical URL in:

/var/www/html/wp-admin/includes/misc.php

Source: https://taylor.callsen.me/settings-up-aws-cloudfront-in-front-of-wordpress/

Restricting traffic to your EC2 instance 

Restricting traffic to your EC2 instance to allow HTTP/HTTPS traffic originating only from the CF edge servers means your site will not be accessible directly anymore. The browser will not be able to access your EC2 instance any more; only the distribution will be able to do so. The benefits here are that CF can protect against DoS attacks and, to some degree, other types of attacks. The setup can be automated so that whenever AWS changes the IPs of the edge servers, an SNS notification triggers a Lambda function which updates your security groups.

Guides on how to go about setting up Lambda to trigger on the SNS notification:

https://blog.eq8.eu/til/configure-aws-lambda-to-alter-security-groups.html

https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/

https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/
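The core of that Lambda, as an added example that is not code from the post or from the guides above: it reads the CLOUDFRONT prefixes out of the published ip-ranges.json, diffs them against a security group's current HTTPS rules and applies the difference. The ip-ranges document embedded here is a constructed sample in the real file's shape; boto3 and the group id in sync_security_group are assumptions, and the planning functions run without AWS.

```python
import json
from ipaddress import ip_network

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
    ],
})


def cloudfront_cidrs(ip_ranges_json):
    """Return the set of IPv4 CIDRs tagged CLOUDFRONT, each validated as a network."""
    data = json.loads(ip_ranges_json)
    return {str(ip_network(p["ip_prefix"])) for p in data["prefixes"]
            if p["service"] == "CLOUDFRONT"}


def plan_update(current_cidrs, wanted_cidrs):
    """Return (to_add, to_remove). Anything not in the published list is revoked,
    so a stale edge range or a hand-added 0.0.0.0/0 rule is removed as well."""
    current, wanted = set(current_cidrs), set(wanted_cidrs)
    return sorted(wanted - current), sorted(current - wanted)


def ip_permissions(cidrs, port):
    """Build the IpPermissions structure the EC2 authorize/revoke calls expect."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]


def sync_security_group(group_id, ip_ranges_json, port=443):
    """Apply the plan to a real group (assumes boto3 and AWS credentials)."""
    import boto3  # imported here so the planning functions above run offline
    ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    current = {r["CidrIp"] for perm in group["IpPermissions"]
               if perm.get("FromPort") == port for r in perm["IpRanges"]}
    to_add, to_remove = plan_update(current, cloudfront_cidrs(ip_ranges_json))
    if to_add:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=ip_permissions(to_add, port))
    if to_remove:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=ip_permissions(to_remove, port))
    return to_add, to_remove
```

The real CLOUDFRONT list has more prefixes than a single security group's default inbound rule quota, which is why the AWS post above spreads the ranges over more than one group.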

Renaming URLs

Changing the URL of your site after already having some content is painful, but for the most part it works OK. It’s the themes that usually break. In my case any images added through the theme customize page would point to the old URL (which now happens to be inaccessible due to the security groups) even though the URL had been updated in the media view and the images were accessible via the new URL. Go figure.



Java – Pass by Value or Pass by Reference?

Plain and simple…

… Java is always pass by value.

However, it’s also true to say that a reference is actually a value – a memory address.  So more accurately Java is pass by value for primitives and pass by an object’s reference, which is a value.

It’s quite interesting that even in Oracle’s Java Programmer certification course it’s written that a primitive is passed by value and an object is passed by reference. In the case of an object that ‘reference’ is actually a primitive that contains the memory address of where the object structure is held. From a logical point of view the phrase ‘objects are passed by reference’ actually makes sense, but how would you describe what happens to primitives on a logical level? Oracle’s wording is actually the cause of the confusion. There is an attempt at distinguishing how primitives are handled (i.e. primitives are passed by value) compared to objects, but it would be much clearer to describe it as it is.

From another point of view, this is a fantastic interview question – albeit a very simple one. It does show whether a candidate just remembered some text, or actually thought about it and is able to go into a little bit more detail.

WordPress on t2.nano

The t2.nano instance type does not come as well configured as the t2.micro, so if you want to run WordPress on one of these instances you will need to do a bit more legwork. Assuming you have chosen Amazon Linux, you should be able to get everything up and running with the commands below.

Install PHP, MySql and httpd

sudo yum groupinstall -y "PHP Support"
# be careful, this only installs php 5.3, which is a tad old
sudo yum install php-mysql
sudo yum install httpd
sudo yum install php55-mysqlnd
# this is needed with newer versions of php

Delete the welcome page as it will give you trouble

sudo rm /etc/httpd/conf.d/welcome.conf

Install WordPress

Follow the WordPress installation guide to install WordPress. If re-using a DB create a new schema in MySQL or create a new server.  The WordPress installation guide will tell you where to stick the credentials.

Install SSL:

sudo yum install mod_ssl

Run an SSL test to see what rating your server will get. You will probably get a B because Apache by default allows SSL v3, which is dead, and RC4, which is weak. Run the test anyhow to see where your configuration is at before hardening it.

https://www.ssllabs.com/ssltest/

Update ssl.conf

sudo vi /etc/httpd/conf.d/ssl.conf

Remove SSLv3 because it’s broken

#remove SSL v3
SSLProtocol all -SSLv2 -SSLv3

Turn on Cipher order

#turn on cipher order
SSLHonorCipherOrder on

Adjust the available ciphers (note: when copying and pasting into vi, make sure the directive ends up on a single line with no stray spaces or newline characters)

#remove RC4 from cipher list
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 RC4+RSA"

And finally provide the location of the certificate and key to be used for SSL

#location of certificate and key files
SSLCertificateFile /etc/pki/tls/certs/<certificate file name>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<private key file name>.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

At this point it would pay to move the default localhost.key and .cert files to a backup folder or delete them altogether. Next, update the Apache config to redirect all traffic to HTTPS.

sudo vi /etc/httpd/conf/httpd.conf

Modify the Virtual Host to redirect everything to https:

<VirtualHost *:80>
    Redirect permanent / https://<your domain>
</VirtualHost>

Add the following to the SSL Virtual Host

sudo vi /etc/httpd/conf.d/ssl.conf

Modify the HTTPS Virtual host so that it always forces SSL

<VirtualHost _default_:443>
   #force HTTPS usage (the Header directive needs mod_headers)
   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
   #... the existing SSL directives from ssl.conf stay as they are ...
</VirtualHost>

Restart Apache

sudo service httpd restart

Re-run the test

https://www.ssllabs.com/ssltest/

Some useful configurations

If you are missing the .htaccess file then you have to tell WordPress to download the updates explicitly, otherwise it will try to get you to update via FTP.

#force direct updates instead of FTP
define( 'FS_METHOD', 'direct' );
#increase memory for php
define( 'WP_MEMORY_LIMIT', '64M' );

If you want image cropping (or you are seeing something like this: “There has been an error cropping your image”) then you will need the GD extension for your PHP version:

sudo yum install php<php version>-gd
#eg sudo yum install php55-gd
#on newer Amazon Linux the PHP packages come from extras
sudo amazon-linux-extras install php7.2

SSH sessions to EC2 getting killed

sudo vi /etc/ssh/ssh_config
#under "Host *" add:
#    ServerAliveInterval 240

Make sure httpd starts on reboot

sudo chkconfig httpd on

Change the host name

vi /etc/sysconfig/network

https://gist.github.com/sl-digital/9838411#file-amazon-linux-ami-php55-L23

Add Options All -Indexes to .htaccess; this prevents directory listings of the WP directories.

https://www.danielmorell.com/guides/htaccess-seo/redirects/https-www-and-trailing-slash

// disable WordPress's Canonical URL Redirect feature
remove_filter('template_redirect','redirect_canonical');

Overclocking, processor lifespan and CPU trends

Yay! Love the smell of that new piece of hardware you just bought? That feeling when peeling off the tight plastic. Plugging it in. Seeing lights, fans, whatever else do something. Why not let loose on the voltage controls and see what the new device can really do. CPU overclocking has become a breeze these days and so has cooling, which you will need a lot of when overclocking. Many people are concerned about performance degradation over time when the CPU is juiced up on extra voltage. Fair point, but looking at the trend of CPU performance over, say, the last 15 years it’s crystal clear that a 7-8 year old CPU cannot keep up with heavy computing such as games, rendering and anything else that needs CPU cycles. So what will, say, an i7-5820K have to say for itself by the time the year 2022 ticks over?

The general trend in processor evolution is that we have given up on trying to go mega quick and instead are concentrating on going wide by way of cores and efficient by way of the manufacturing processes used. This trend has continued and will continue for the foreseeable future because it is driven by the demand for ever more powerful and efficient mobile devices.

Software is getting better at utilizing cores more effectively (and Microsoft has jumped on board by announcing pricing plans per core rather than per socket). Not all software needs multi-core performance; instead it relies on single core performance to get its work done. Most games work like this, as do lots of desktop programs. In the server world, software such as databases, web or application servers is much more optimized to utilize multi-core processors. Virtualization is where I think multi-core processors really come into their own, by supporting multiple virtual machines.

Pocket processor

Soon the time will come where we will carry our processors in our pockets.