From 5e29ab57c60f1f387090ac16ce9ef2794368f49a Mon Sep 17 00:00:00 2001
From: zhitomirskiyi
Date: Tue, 9 Nov 2010 21:29:57 -0800
Subject: [PATCH] ms/iz iptables fix, install nginx, try to use sockets, but not working yet

---
 chef/cookbooks/centos/recipes/main.rb | 3 +-
 chef/cookbooks/centos/recipes/nginx.rb | 4 ++
 chef/cookbooks/common/files/default/iptables | 12 ++--
 chef/cookbooks/common/files/default/thins.yml | 3 +
 chef/cookbooks/common/recipes/daemontools.rb | 30 ++++++--
 chef/cookbooks/common/recipes/main.rb | 1 -
 chef/cookbooks/common/recipes/nginx.rb | 8 ++-
 .../common/templates/default/nginx.conf.erb | 69 +++++++++++++++++++
 8 files changed, 117 insertions(+), 13 deletions(-)
 create mode 100644 chef/cookbooks/centos/recipes/nginx.rb
 create mode 100644 chef/cookbooks/common/files/default/thins.yml
 create mode 100644 chef/cookbooks/common/templates/default/nginx.conf.erb

diff --git a/chef/cookbooks/centos/recipes/main.rb b/chef/cookbooks/centos/recipes/main.rb
index 7665d9952..10ba973ab 100644
--- a/chef/cookbooks/centos/recipes/main.rb
+++ b/chef/cookbooks/centos/recipes/main.rb
@@ -16,4 +16,5 @@ harden_ruby("ruby-1.8.7-p302")
 include_recipe "centos::image_magick"
 include_recipe "centos::mongo_db"
-include_recipe "common::main"
\ No newline at end of file
+include_recipe "common::main"
+include_recipe "centos::nginx"
diff --git a/chef/cookbooks/centos/recipes/nginx.rb b/chef/cookbooks/centos/recipes/nginx.rb
new file mode 100644
index 000000000..d7061e198
--- /dev/null
+++ b/chef/cookbooks/centos/recipes/nginx.rb
@@ -0,0 +1,4 @@
+execute "pcre dependency" do
+ command "yum install -y pcre-devel"
+end
+include_recipe "common::nginx"
diff --git a/chef/cookbooks/common/files/default/iptables b/chef/cookbooks/common/files/default/iptables
index 448134384..a97d77142 100644
--- a/chef/cookbooks/common/files/default/iptables
+++ b/chef/cookbooks/common/files/default/iptables
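Review bot: `execute "pcre dependency"` in centos/recipes/nginx.rb shells out to yum for something Chef's package resource already models; `package "pcre-devel"` is idempotent, reports whether anything actually changed on the node, and fails the converge with a clear message if the repository is unreachable, whereas `yum install -y` re-runs and prints nothing useful on every run. The same shell-out pattern is used for the download, unpack and build steps in common::nginx, which are outside this hunk.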
@@ -9,9 +9,13 @@
 -A RH-Firewall-1-INPUT -i lo -j ACCEPT
 -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT #SSH
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT #HTTP
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT #HTTPS
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT #Websocket
+#SSH
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#HTTP
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#HTTPS
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
+#Websocket
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
 -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
diff --git a/chef/cookbooks/common/files/default/thins.yml b/chef/cookbooks/common/files/default/thins.yml
new file mode 100644
index 000000000..31bd3d893
--- /dev/null
+++ b/chef/cookbooks/common/files/default/thins.yml
@@ -0,0 +1,3 @@
+- socket_id: '1'
+- socket_id: '2'
+- socket_id: '3'
diff --git a/chef/cookbooks/common/recipes/daemontools.rb b/chef/cookbooks/common/recipes/daemontools.rb
index 2f2664eb7..ed2e6980a 100644
--- a/chef/cookbooks/common/recipes/daemontools.rb
+++ b/chef/cookbooks/common/recipes/daemontools.rb
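Review bot: Nothing in the iptables file records why the `#SSH`/`#HTTP`/`#HTTPS`/`#Websocket` comments moved from the end of each rule onto their own lines, so the next edit is likely to put a trailing comment back and reintroduce whatever broke; a header line such as `# Keep comments on their own line: iptables-restore only skips lines that begin with '#'` would preserve the fix the commit subject refers to. Presumably the trailing `#SSH` was being handed to the rule as an extra argument and aborting the restore — worth confirming against the error that prompted the change and noting it in that comment.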
@@ -13,11 +13,22 @@ execute "executable" do
 command "chmod -R 755 /service/mongo"
 end
-execute "thin run" do
- command "mkdir -p /service/thin && echo '#!/bin/sh' > /service/thin/run && echo 'exec /usr/local/bin/ruby /usr/local/bin/thin start -c /usr/local/app/diaspora -p80' >> /service/thin/run"
-end
-execute "executable" do
- command "chmod -R 755 /service/thin"
+config = YAML.load_file("/usr/local/app/diaspora/chef/cookbooks/common/files/default/thins.yml")
+
+config.each do |thin|
+ id = thin["socket_id"]
+ socket = "/tmp/thin_#{id}.sock"
+ dir = "/service/thin_#{id}"
+ flags = []
+ flags << "-c /usr/local/app/diaspora" #directory to run from
+ flags << "-e production" #run in production mode
+ flags << "-S #{socket}" #use a socket
+ execute "thin run" do
+ command "mkdir -p #{dir} && echo '#!/bin/sh' > #{dir}/run && echo 'exec /usr/local/bin/ruby /usr/local/bin/thin start #{flags.join(" ")}' >> #{dir}/run"
+ end
+ execute "executable" do
+ command "chmod -R 755 " + dir
+ end
 end
 execute "websocket run" do
@@ -25,4 +36,11 @@ execute "websocket run" do
 end
 execute "executable" do
 command "chmod -R 755 /service/websocket"
-end
\ No newline at end of file
+end
+
+execute "nginx run" do
+ command "mkdir -p /service/nginx && echo '#!/bin/sh' > /service/nginx/run && echo 'exec /usr/local/nginx/sbin/nginx' >> /service/nginx/run"
+end
+execute "executable" do
+ command "chmod -R 755 /service/nginx"
+end
diff --git a/chef/cookbooks/common/recipes/main.rb b/chef/cookbooks/common/recipes/main.rb
index 6ba5a9172..fad3593ed 100644
--- a/chef/cookbooks/common/recipes/main.rb
+++ b/chef/cookbooks/common/recipes/main.rb
@@ -1,4 +1,3 @@
 include_recipe "common::iptables"
 include_recipe "common::daemontools"
 include_recipe "common::secret_token"
-include_recipe "common::nginx"
diff --git a/chef/cookbooks/common/recipes/nginx.rb b/chef/cookbooks/common/recipes/nginx.rb
index ade59003d..f4719f74b 100644
--- a/chef/cookbooks/common/recipes/nginx.rb
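Review bot: The thin listeners are placed in the world-writable `/tmp` (`socket = "/tmp/thin_#{id}.sock"`), so any local account can create or replace `/tmp/thin_1.sock` before thin binds it and receive whatever nginx proxies to that path; a dedicated directory owned by the service user, created with a `directory` resource, e.g. `socket = "/var/run/thin/thin_#{id}.sock"`, removes that race. The same path formula is rebuilt independently in common::nginx (`config.map{|thin| "/tmp/thin_#{thin["socket_id"]}.sock"}`), so the two recipes can silently diverge — derive both from one place (a node attribute or a field in thins.yml). Every loop iteration registers resources named `"thin run"` and `"executable"`, colliding with each other and with the existing `execute "executable"` resources in this file; `execute "thin run #{id}"` and `execute "thin executable #{id}"` keep them distinct and make the converge log readable. The generated run script still `exec`s thin as whatever user daemontools runs as (root on a stock install) — if that is not intended, daemontools' `setuidgid` is the usual way to drop privileges in the run line.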
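Review bot: The new `/service/nginx` run script `exec`s nginx directly, which only stays supervised because the template sets `daemon off;`; if that directive is ever dropped nginx detaches and supervise respawns it in a loop, so the coupling deserves a comment in the generated script, e.g. append `echo '# nginx.conf must keep daemon off; so supervise can track the process' >> /service/nginx/run` to the command. common::main (which includes this recipe) now runs before centos::nginx builds `/usr/local/nginx/sbin/nginx` and writes nginx.conf, so on a fresh host svscan will start retrying a run script whose binary does not exist yet; that looks like a noisy ordering problem rather than a failed converge, but worth confirming on a clean machine. The `execute "executable"` name is reused again here, as noted for the thin block above.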
+++ b/chef/cookbooks/common/recipes/nginx.rb
@@ -1,5 +1,5 @@
 execute "Get nginx from nginx web site" do
- command "mkdir -p /tmp/install && curl http://sysoev.ru/nginx/nginx-0.8.53.tar.gz > /tmp/install/"
+ command "mkdir -p /tmp/install && curl http://sysoev.ru/nginx/nginx-0.8.53.tar.gz > /tmp/install/nginx-0.8.53.tar.gz"
 end
 execute "unzip nginx" do
@@ -17,3 +17,9 @@ end
 execute "install nginx" do
 command "cd /tmp/install/nginx-0.8.53 && make install"
 end
+
+config = YAML.load_file("/usr/local/app/diaspora/chef/cookbooks/common/files/default/thins.yml")
+template "/usr/local/nginx/conf/nginx.conf" do
+ source "nginx.conf.erb"
+ variables :socket_paths => config.map{|thin| "/tmp/thin_#{thin["socket_id"]}.sock"}
+end
diff --git a/chef/cookbooks/common/templates/default/nginx.conf.erb b/chef/cookbooks/common/templates/default/nginx.conf.erb
new file mode 100644
index 000000000..8a4f0b888
--- /dev/null
+++ b/chef/cookbooks/common/templates/default/nginx.conf.erb
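Review bot: The corrected `curl` line still fetches the nginx tarball over plain HTTP with no integrity check, and the resources below compile and `make install` whatever came back as root; a `remote_file` with a pinned `checksum` stops the run on a tampered or truncated download instead of building it. Without `curl -f`, an HTTP error page is also written to the .tar.gz and the failure only surfaces later in `unzip nginx`. The resource chain this feeds continues outside the hunk.
```ruby
directory "/tmp/install"

remote_file "/tmp/install/nginx-0.8.53.tar.gz" do
  source "http://sysoev.ru/nginx/nginx-0.8.53.tar.gz"
  checksum "<sha256 of the verified nginx-0.8.53.tar.gz>"  # placeholder: record it from a trusted copy
  mode "0644"
end
# … unchanged: "unzip nginx", configure, make, "install nginx" …
```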
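Review bot: The `template "/usr/local/nginx/conf/nginx.conf"` resource sets no `owner`/`mode` and has no `notifies`, so a changed socket list is written to disk but the running nginx never picks it up; an `execute "reload nginx"` that sends `svc -h /service/nginx` (HUP, which nginx treats as a configuration reload) wired in with `notifies :run, "execute[reload nginx]"` closes that gap, and `mode "0644"` plus `owner "root"` pins the file's permissions. `YAML.load_file` is used without a `require 'yaml'` — presumably Chef has it loaded already, but the recipe should say so explicitly rather than rely on it. The socket path is also re-derived here with a formula that duplicates the one in common::daemontools, so the upstream block in the template can drift from where thin actually listens; keep one source for the path.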
@@ -0,0 +1,69 @@
+# Copyright (c) 2010, Diaspora Inc. This file is
+# licensed under the Affero General Public License version 3 or later. See
+# the COPYRIGHT file.
+
+worker_processes 1;
+daemon off;
+
+events {
+ worker_connections 8192;
+}
+
+http {
+
+ include mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ sendfile on;
+
+ keepalive_timeout 65;
+
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_comp_level 2;
+ gzip_proxied any;
+ gzip_buffers 16 8k;
+ upstream thin_cluster {
+ <% @socket_paths.each do |socket_path| %>
+ server unix:<%=socket_path%>;
+ <% end %>
+ }
+
+ server {
+
+ listen 80;
+ server_name alpha.joindiaspora.com www.alpha.joindiaspora.com;
+ root /usr/local/app/diaspora;
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_buffering off;
+
+ if (-f $request_filename/index.html) { #Something here is for photos, but do we need it all?
+ rewrite (.*) $1/index.html break;
+ }
+ if (-f $request_filename.html) {
+ rewrite (.*) $1.html break;
+ }
+ if (!-f $request_filename) {
+ proxy_pass http://thin_cluster;
+ break;
+ }
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root html;
+ }
+
+}
+
+}
+
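Review bot: `root /usr/local/app/diaspora;` combined with `if (!-f $request_filename)` makes nginx serve any existing file under the whole application checkout as static content — the proxy only engages when the file is absent, so configuration files, `chef/`, `db/` or `.git/` objects under the checkout are readable by anyone who guesses the path. Point `root` at the application's public tree (presumably `/usr/local/app/diaspora/public` — confirm) and replace the three `if` blocks with `try_files` and a named location, which is the supported idiom in this nginx version and avoids the well-known pitfalls of `if` inside `location`. `server_name alpha.joindiaspora.com www.alpha.joindiaspora.com;` is hard-coded even though the file is already an ERB template; passing it as a variable next to `@socket_paths` keeps the template reusable across hosts. The `#Something here is for photos, but do we need it all?` comment shows the rewrites' purpose is unclear; with `try_files` the question disappears.
```nginx
    root /usr/local/app/diaspora/public;

    location / {
      try_files $uri $uri/index.html $uri.html @thin;
    }

    location @thin {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_redirect off;
      proxy_buffering off;
      proxy_pass http://thin_cluster;
    }
    # … unchanged: error_page and the /50x.html location …
```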