Visual Studio Code for web developers

Visual Studio Code is an open source, lightweight, and full-featured text editor that supports a multitude of extensions for all kinds of developers. If you are getting started in the larger world of web development, Visual Studio Code can be a valuable tool. Features such as build scripts, environments, debugging, and more, combined with its role as a powerful text editor, are of particular value to new developers. Visual Studio Code handles all this in one environment without the traditionally heavy integrated development environment (IDE).

 

Visual Studio Code is built on a platform called Electron, and is available for Windows, macOS, and Linux. This post will be as platform-independent as possible. Though some screenshots may be from specific platforms, the information should transfer to any platform with some minor adaptation (for example, shortcut key combinations).

Here’s a list of some of Visual Studio Code’s key features:

  • Lightweight
  • Multiplatform
  • Color coding
  • Built-in debugger
  • Integrated terminal
  • Integrated git support
  • IntelliSense with autocomplete
  • Open source
  • Extensible

In this post, you will learn how to install and use Visual Studio Code with some basic web development extensions, then use these features to make a very simple web application. Even if you’ve never written a web app, you’ll still be successful with this post. And if you are an experienced web developer, you can still learn many useful things here to get you started with Visual Studio Code.

This post has only given an introduction, but you can continue with more tutorials to pick up on more and more features. For a fully detailed treatment of Visual Studio Code features, see the links provided below.

 

 

Why You Shouldn’t Use Cloudflare Proxy

There is such a wonderful thing as Cloudflare. Almost everyone knows it, and many people use it not only as a DNS provider but also as a reverse proxy with a CDN (which is what it is mainly built for). But few people think about how it works and what they may run into when using it. They just add a domain there, turn on the proxy, connect a free SSL certificate and think that Cloudflare will become a magic wand for all problems.

Problems when proxying through Cloudflare

Now let’s throw some shit on the fan 🙂

No guarantee of DDoS protection

Many people think that Cloudflare’s free plan will protect them from DDoS, but no such luck. The best it will do during a DDoS is show an error page until the attack is over. That’s all. No one will filter traffic for you for free, because it costs resources and therefore money. You will have to fork out for a paid plan. And then there are rumors that proper traffic filtering is available only on the Enterprise plan.

Turning on the captcha for suspicious visitors will help quite a bit, but do not forget that the algorithm often does not work as it should, and unfortunate users will have to endure this mockery.

Unstable work

Cloudflare may suddenly turn off proxying without warning over an abuse complaint, or if they think that you are pushing too much traffic on a free plan.

Also, something might break. But no one is immune from mistakes.

I still often notice several errors, and most often these errors are not related to what they write in the documentation. Yes, I checked many times: the occurrence of the error was not related to the firewall, errors on the server or accessibility. Other errors appear less frequently. Most people will not even notice the errors, but if you put the site on monitoring, it is hard not to notice them.

Some people notice that sites start to work slower when proxying. There is no proof, but there are such reviews.

Incorrect operation of protection on the server

(if you have a regular shared hosting, you can skip this paragraph)

When proxying through Cloudflare, the server receives requests not from the clients' real IPs, but from Cloudflare's IP subnets. The client's real IP can still be found, for example in PHP (via the X-Forwarded-For header), but the server software sees only the final-hop IP. As a result, server-side protection will not work quite correctly. And it becomes even more complicated if there are several sites on the server and some of them are not proxied.

Let’s take Fail2ban as an example. Most often, failed logins on sites are recorded in error logs, and Fail2ban is pointed at these logs. As a rule, the final-hop IP addresses end up there, i.e. Cloudflare IP addresses. When proxied sites are being brute-forced, Fail2ban will block not the real IP addresses but Cloudflare IP addresses. If a massive brute-force attack starts, it will block part of the Cloudflare addresses, through which real clients also arrive. And if the ban duration is long, this will result in mass 521 errors on a high-traffic site. What if you make a separate log that records the real IP addresses? In this case, Fail2ban will block the real IPs, but the traffic will still arrive from Cloudflare’s IP addresses, and the firewall will keep letting the villains reach the server. The attackers can keep at it as long as they like, and Fail2ban will be working for nothing.

There is a way to make Fail2ban block the attackers' real IPs so that they can no longer reach the server. In this setup, Fail2ban gets the real IP and sends it to Cloudflare via their API, and Cloudflare blocks this IP on its side. Unblocking works the same way: Fail2ban receives an unban command or sees that the ban is about to expire and sends a request to Cloudflare to unban that IP. Everything seems great, but now there are intermediaries and additional delays, and the protection moves over to Cloudflare. We can only hope that it does not go down, does not suddenly turn off proxying, and that the API requests do not break. Or imagine that bad people find out the real IP of the server (and there are different ways to find it out), put it in the hosts file of the attacking system (or botnet) and start attacking the site. Fail2ban sees the failed logins and starts sending the addresses to Cloudflare for blocking. But the attackers are no longer reaching the site through Cloudflare; they connect directly, and there they are not blocked. Alternatively, you can allow HTTP and HTTPS access only from Cloudflare IP addresses, either directly in iptables or by passing them there via IPset. In that case the list of subnets must be kept up to date, and you pray that proxying does not drop out. Or support both options: classic blocking on the server with Cloudflare subnets whitelisted, plus sending real IPs to Cloudflare. But do you need such complication? Moreover, various nuances are possible here. The easiest option is to block Cloudflare IP addresses for a short period of time.
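The decision described above, as an added example (not code from the original post): for each failed login, work out which address to act on and whether the ban belongs at Cloudflare or in the local firewall. The subnets and log records are constructed stand-ins; a real setup would load Cloudflare's published subnet list instead.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the proxy's published subnets.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "2001:db8:100::/48")]

def is_trusted(addr):
    """True if addr belongs to one of the proxy subnets (ValueError if malformed)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in TRUSTED_PROXIES)

def resolve_client(peer, xff):
    """Return (client_ip, via_proxy) for one request."""
    if not is_trusted(peer):
        # Direct connection: X-Forwarded-For is attacker-controlled, ignore it.
        return peer, False
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entries were appended by proxies
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop)), True
        except ValueError:
            break  # malformed entry: nothing further left is trustworthy
    return peer, True  # no usable header, only the proxy address is known

def ban_action(peer, xff):
    """Decide where a ban for this failed login has to be enforced."""
    client, via_proxy = resolve_client(peer, xff)
    if is_trusted(client):
        return ("skip", client)  # never ban a proxy subnet, real visitors share it
    # "edge": the local firewall only ever sees proxy addresses for this client,
    # so the ban must be pushed to the proxy. "local": ban in iptables/ipset.
    return ("edge" if via_proxy else "local", client)

# Constructed failed-login records: (TCP peer address, X-Forwarded-For header).
SAMPLE = [
    ("198.51.100.7", "203.0.113.50"),             # normal proxied request
    ("192.0.2.99", "203.0.113.50"),               # direct hit with a forged header
    ("198.51.100.7", "10.1.1.1, 203.0.113.50"),   # client-supplied prefix is ignored
    ("198.51.100.7", ""),                         # proxied, header missing
]

if __name__ == "__main__":
    for peer, xff in SAMPLE:
        print(peer, repr(xff), "->", ban_action(peer, xff))
```

The second record is the direct-to-origin case from the paragraph above: the header is ignored and the connecting address itself is banned locally.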

Another example is the mass blocking of IPs from lists of bad IPs, for example via IPset. These IP addresses will simply not be blocked, because they will be hidden behind the Cloudflare IPs. As an option, you can pass them to Cloudflare in parallel, but you can run into limits, which is also not very good.

Secure traffic can be sniffed on the Cloudflare side

When using SSL and proxying traffic through Cloudflare, Cloudflare presents its own certificate. This means that the traffic is first decrypted and then encrypted again with another certificate. All of this happens on Cloudflare's side. If their servers are compromised, an important part of the traffic can be intercepted and modified by third parties.

When proxying through Cloudflare makes sense

Hiding the real IP address of the server

One of the important reasons for some. But do not forget that there are many ways to find the real IP of the server.

It also often happens that on shared hosting several dozen sites (or even more) sit on one IP, some of which do not have a very good reputation and partially spoil the reputation of your site in the eyes of search engines and mail services. When proxying through Cloudflare, the site's IP is replaced, which saves the cost of a dedicated IP.

Shared hosting and unattended servers

In this case there are basically only pluses, because Cloudflare partially solves the problems with protection and parasitic load. Better that than nothing at all.

Unoptimized sites

If you have a site that is not cached in any way and without any optimization, then theoretically enabling proxying will fix some problems by caching some statics, compressing scripts and styles, and so on.

Using paid plans

Everything is clear here. For a fee, you will get at least some kind of traffic filtering and all sorts of interesting goodies. Any commercial organization is interested in making money.

CDN

If you have a large audience around the world, then of course it makes sense. But most often, the server with the site is located close to its main, narrow audience, and there is no need for a CDN.

Conclusion

I do not dissuade you from refusing to proxy through Cloudflare. The service itself is good, a lot of goodies even in the free plan. Easy setup for everything. But first of all, you need to think about whether you need proxying. If you think that it is fashionable or you just activate it automatically, then most likely it is not necessary.

How to Install SSL certificate on WordPress

An SSL certificate is basically the standard that most websites use. It has a positive effect on security, user trust and helps in website positioning. So I don’t have to convince you that it is also worth running it on your WordPress site. The only question is how to do this?

SSL certificate – the choice is important

The first step, of course, is to enable the certificate for your domain. Most hosting companies offer the option of purchasing such a certificate. Here, the choice is quite large, which depends mainly on the budget. If it is larger and you run, for example, an online store, it is worth considering a paid solution that gives an additional guarantee. If your budget is modest or none at all, you can take advantage of the free Let’s Encrypt certificate. Check how to enable such a certificate in your WordPress website.

 

What’s next?

Suppose you are using the Let’s Encrypt certificate. It is on, but the page is still unsecured. I get this message in my browser.

This is because the page is still loading with an address prefixed with HTTP rather than HTTPS. To change this, create the appropriate redirects, update all links, and make changes to the database. It sounds scary, but in practice it’s not that complicated.

 

Two methods – good and better

There are two main ways to enable an SSL certificate in WordPress. I will discuss both of them step by step below.

The first is to use the Really Simple SSL plugin. This is a simpler solution, but unfortunately not without its drawbacks. In fact, you just need to install and run the plugin. However, as it usually happens in such situations, it has a negative impact on the speed of the website. If this is not an essential element for you and you just want to get your SSL certificate up and running quickly, you can use this method. However, it is not recommended.

The second and better method is to manually enable SSL. Yes, it takes more work. We have to tamper with the files and get our hands dirty with code. This seems difficult, but with the tutorial below, it is basically limited to plain copy-paste.

Method 1 – Really Simple SSL plugin

As is usually the case with WordPress, everything can be done with the right plugin. When it comes to running an SSL certificate in WordPress, the choice is simple – the free Really Simple SSL plugin. As its creators advertise, all you need to do is have an SSL certificate and it will do the rest. Each time the page loads, the plugin detects the elements loaded via HTTP and rewrites their addresses to use the secure HTTPS protocol. This solves many problems, such as mixed content, but it can slow down the performance of the page.

Plug-in installation

It installs like any other WordPress plugin. The easiest way to do this is to go to the admin panel and then to Plugins > Add New. In the search box on the right, enter “Really Simple SSL”. The plugin should appear in the list.

Plug-in activation

Click Install Now and then Activate. The Really Simple SSL window will appear on the page, which will allow you to run an SSL certificate in WordPress. Before this step, it is worth making a backup of the website. The plug-in is popular and works well, but it can cause all pages to return a 404 error. This is usually due to other plug-ins or extra security measures being used. You can find the entire list of errors on the plugin’s official website.

When ready, you can click the “Next, activate SSL!” button. You will likely be logged out of the WordPress admin panel, so log in again.

The Really Simple SSL plugin overrides the permalink settings. So, as a final step, go to Settings > Permalinks and save the changes. This will overwrite the link structure after installing the SSL certificate.

That’s it. You have an SSL certificate running on your WordPress site. If you are concerned about the speed of the website, the plugin allows you to turn off some of its functionality in the settings.

Method 2 – Manually enabling SSL in WordPress

If you want to do something properly, roll up your sleeves and do it yourself. It is the same in this case. Manual SSL activation is more reliable, it will not make the website dependent on any plugin, and it will also help to avoid slowing the website down. There are several stages, so let’s discuss them step by step.

Updating URLs in WordPress settings

Let’s start with the simplest. Go to the admin panel and then to Settings > General. In the WordPress address (URL) and Site address (URL) fields, update the addresses with the HTTPS prefix and save the changes.

Redirection in the .htaccess file

The next step is to create a 301 redirect in the .htaccess file. First you have to get to it. To do this, use an FTP client (e.g. FileZilla or Total Commander) and log in to your hosting. Go to the main WordPress folder, then find and open the “.htaccess” file.

At the very beginning of the file, add the following code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Finally, save the file.

If you are using Bluehost WordPress hosting, you can add this code even more easily. All you need to do is log in to the Direct Admin panel, enter File Manager and click the edit icon next to the .htaccess file.


The file editing window will appear. All you have to do is paste the code provided earlier and click the Save button.

Update Permalinks

Despite previous actions, some links can still open with the insecure HTTP protocol. This is a mixed content problem. Some of the links will be secured, but for others you will still get the unsecured message. However, it can be remedied quite simply.

Let’s start with the database. Even with the manual method, we will not avoid using a plugin. This time, however, it will be a one-time use, which will not affect the speed of the website. As in the previous method, go to the admin panel and then to Plugins > Add New. In the search box on the right, type “Better Search Replace”. The plugin should appear in the list.

 

Click Install Now and then Activate. With the plug-in enabled, go to Tools > Better Search Replace. In the Search / Replace tab you can replace all references in the database. In the Search For field, enter the HTTP address of your website. In the Replace With field, enter the HTTPS address of your website.

 

Select all tables, check the Replace GUIDs option, uncheck Run as dry run and click Run Search / Replace. The plugin itself will replace all addresses from HTTP to HTTPS. After these actions, you can disable and remove the plug-in. Its operation was one-time and there is no need for it to be on all the time.

Mixed content can also come from the theme or other plugins. However, this is rare. If the plugin or theme was developed following the right practices, you shouldn’t have any problems. When something like this happens, contact the plugin / theme developer. If this is not possible, it is worth considering looking for a better alternative.

Good practice at the end

Regardless of the method you choose, it is a good practice when running an SSL certificate on your WordPress website to notify Google of the changes by adding a new version of the website to Google Search Console. Why new? From a technical point of view, the HTTPS version of the website is a separate version of it.

Now you know how to run an SSL certificate in WordPress. Regardless of which method you choose, your website will become safer and you will start to reap the benefits of image and positioning. Good luck!