Automating Static Website Deployment

In this post I am going to document the steps I took to implement a fully automated deployment of my blog using GitHub Actions and GitHub Pages.

As always, I started my journey with the definition of what I really wanted to get at the end:

  • The website is published on GitHub pages

    Since the website is static and all of its content can be easily downloaded using a web crawler (like wget --mirror https://website.tld) I was OK with …

Read time: 20 min.
Offloaded on blog

Wrap indicator in <pre> blocks

I am not a front-end developer, not a UI designer, nor a UX guru, but I am an engineer, so when I face a puzzle worth solving my brain switches on and I cannot let it go until I find a satisfactory solution to the puzzle.

My blog heavily relies on me sharing session dumps and file excerpts using the code blocks. I am using PrismJS to highlight syntax in these blocks. However, after a while I found that there is one thing that really irritates me: these code blocks are not designed to be truly responsive, for instance – when …

Read time: 18 min.

Migrating blog to Pelican

I have had my blog site for more than a decade now, but until now I was not putting any effort or thought into maintaining my audience or promoting the site. It was dormant for nearly a decade and I decided to rejuvenate it and start using it as a platform I could leverage to share some ideas I think are worth sharing.

Before I embarked on the journey of renovating the blog site I needed to set some goals and requirements up, so I would be able to assess my progress and estimate how much effort is required. The …

Read time: 6 min.

Offloaded on blog

nginx + a backend with a dynamic IP (e.g. AWS ELB)

Recently, I wrote about the dynamic resolution of upstream servers in nginx which was achieved by quite an intrusive patch to the core nginx module. The patch was invented a while ago and was working very well up until recent nginx versions were released.

With the release of nginx 1.10 it was noticed that the patch crashes some workers under heavy load, and this was unacceptable for production workloads, hence a new approach was implemented.

The beauty of the new solution is that it is non-intrusive and works with any services that communicate via sockets.

In a nutshell …

Read time: 9 min.

Dynamic resolution of upstream servers in nginx

UPDATE: This approach was superseded by the proxying through systemd-socket-proxyd approach.

Many of my clients are running application stacks consisting of nginx plus some kind of scripting engine behind it (be it PHP, Ruby, or something else).

The architecture I designed for this kind of workload involves at least two load balancers:

  • an external, frontend load balancer that serves the web requests from visitors; and
  • an internal, backend load balancer that distributes load between the backends.

Everything looks great when you implement this using “in-house” infrastructure where you control most of the networking aspects.

However, the tendency is that most …

Read time: 1 min.

Transparent SSH host-jumping (Expert)

A while ago in the Transparent SSH host-jumping (Advanced) post I described a technique on how one could jump quite effortlessly through a chain of intermediate hosts. However, there was a catch: the user names and ports across the whole chain had to be the same and there was no easy way to change that.

Given that I recently paid quite a lot of attention to the ProxyCommand directive I decided to look into the implementation of the helper script that will allow one to tweak parameters for the hosts in the chain.

You can read the original post for the …

Read time: 3 min.

Offloaded on ssh

SSH: Interactive ProxyCommand

I was involved in the creation of the sshephalopod project, which was an attempt to build an enterprise-level authentication framework for SSH authentication using the SSH CA feature.

The project is based on a wrapper script that signs a user in via a SAML identity provider and gets the user’s public key signed for further use.

In one of the discussions I pointed out that such a wrapper script is not good for the end user experience and I proposed to provide the users with an excerpt for their ssh config file, so the functionality of sshephalopod would be …

Read time: 5 min.

Offloaded on ssh

Raspberry Pi 3 toolchain on CentOS 7

I heard a lot about Raspberry Pi boards but until now I had no need nor time to work with one.

However, recently I purchased a Dodge Journey R/T and found that although I love the car I am so disappointed with its software and hard-wired logic that I decided to experiment a bit and fix the most annoying things.

Since almost everything inside the car is talking over the CAN bus I needed some kind of an enclave inside the car where I could run my code and inject/intercept CAN messages.

I looked around and found that …

Read time: 5 min.

Offloaded on linux

Building a firewall? Simple and easy!

I strive for simplicity since I am a strong believer that achieving a goal with the simplest solution looks elegant, proves that you have deep knowledge of the subject, and overall is beautiful by itself. In addition, a simple solution is easier to comprehend and to audit, hence it is much easier to ensure the security of such a solution.

Over the last decade I stumbled upon numerous complicated firewalls erected on the NAT boxes with tens (sometimes, hundreds!) of rules describing the traffic flows and punched holes for some edge cases. Every time I wondered what kind …

Read time: 7 min.

Offloaded on linux

Transparent SSH host-jumping (Advanced)

In this brief article I am going to describe how I resolved a nagging issue I had with setting up access to hosts which are not directly reachable, but where you need to forward your connection through an intermediate host.

Previously, I was using the local SSH port-forwarding technique (although I was configuring hosts I connect to in the ~/.ssh/config file instead of using the command-line options). However, this approach turned out to be quite inconvenient since every time I wanted to connect to a new host (and, possibly, through a new intermediate host) I had to edit my …

Read time: 6 min.

Offloaded on ssh

Should we use "sudo" for day-to-day activities?

None of the systems I administer or supervise have sudo installed with the SUID bit set.

Every time I answer a question on how to do privileged work on these systems (i.e. do tasks that require administrator privileges) with a proposal to SSH under the privileged account directly to do such work, whoever asked …

Read time: 15 min.

Offloaded on sudo

SSH port-forwarding (Intermediate)

In my previous blog entry I described some basic functionality of SSH in terms of port-forwarding. Now it’s time for a little bit more complex stuff.

In this article I will highlight:

  • (forward) piercing of a firewall (getting access to resources behind it);
  • dynamic port-forwarding (AKA proxy);
  • (reverse) piercing of a firewall (exposing your local services on the remote side).

Forward firewall piercing

Let’s start with the forward firewall piercing, since it is the easiest and was somewhat already described in my previous blog entry on this topic. Now, imagine that you already have SSH access to some …

Read time: 4 min.

Offloaded on ssh

SSH port-forwarding (Basic)

I think all of you are using SSH in your daily routines. However, do you use its full potential? Today’s topic is the SSH port-forwarding feature and how it can be used to achieve some interesting configurations.

I’m sure most of you are aware of the feature, but how many of you are using it? Personally, I’m a bit obsessed with it and have found numerous cases where this feature of SSH is a real life saver.

Let’s start with simple things and imagine that you have a server where you are running MySQL (as a …

Read time: 2 min.

Offloaded on ssh