ms/iz iptables fix, install nginx, try to use sockets, but not working yet

chef/cookbooks/centos/recipes/main.rb

@@ -16,4 +16,5 @@ harden_ruby("ruby-1.8.7-p302")
 
 include_recipe "centos::image_magick"
 include_recipe "centos::mongo_db"
-include_recipe "common::main"
+include_recipe "common::main"
+include_recipe "centos::nginx"

chef/cookbooks/centos/recipes/nginx.rb

@@ -0,0 +1,4 @@
+execute "pcre dependency" do
+  command "yum install -y pcre-devel"
+end
+include_recipe "common::nginx"

chef/cookbooks/common/files/default/iptables

@@ -9,9 +9,13 @@
 -A RH-Firewall-1-INPUT -i lo -j ACCEPT
 -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT   #SSH
+#SSH
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT   #HTTP
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT   
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT  #HTTPS
+#HTTP
--A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT #Websocket
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT  
+#HTTPS
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT  
+#Websocket
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT 
 -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT

chef/cookbooks/common/files/default/thins.yml

@@ -0,0 +1,3 @@
+- socket_id: '1'
+- socket_id: '2'
+- socket_id: '3'

chef/cookbooks/common/recipes/daemontools.rb

@@ -13,11 +13,22 @@ execute "executable" do
   command "chmod -R 755 /service/mongo"
 end
 
-execute "thin run" do
+config = YAML.load_file("/usr/local/app/diaspora/chef/cookbooks/common/files/default/thins.yml")
-  command "mkdir -p /service/thin && echo '#!/bin/sh' > /service/thin/run && echo 'exec /usr/local/bin/ruby /usr/local/bin/thin start -c /usr/local/app/diaspora -p80' >> /service/thin/run"
+
-end
+config.each do |thin|
-execute "executable" do
+  id = thin["socket_id"]
-  command "chmod -R 755 /service/thin"
+  socket = "/tmp/thin_#{id}.sock"
+  dir = "/service/thin_#{id}"
+  flags = []
+  flags << "-c /usr/local/app/diaspora" #directory to run from
+  flags << "-e production" #run in production mode
+  flags << "-S #{socket}"  #use a socket
+  execute "thin run" do
+    command "mkdir -p #{dir} && echo '#!/bin/sh' > #{dir}/run && echo 'exec /usr/local/bin/ruby /usr/local/bin/thin start #{flags.join(" ")}' >> #{dir}/run"
+  end
+  execute "executable" do
+    command "chmod -R 755 " + dir
+  end
 end
 
 execute "websocket run" do
@@ -25,4 +36,11 @@ execute "websocket run" do
 end
 execute "executable" do
   command "chmod -R 755 /service/websocket"
-end
+end
+
+execute "nginx run" do
+  command "mkdir -p /service/nginx && echo '#!/bin/sh' > /service/nginx/run && echo 'exec /usr/local/nginx/sbin/nginx' >> /service/nginx/run"
+end
+execute "executable" do
+  command "chmod -R 755 /service/nginx"
+end

chef/cookbooks/common/recipes/main.rb

@@ -1,4 +1,3 @@
 include_recipe "common::iptables"
 include_recipe "common::daemontools"
 include_recipe "common::secret_token"
-include_recipe "common::nginx"

chef/cookbooks/common/recipes/nginx.rb

@@ -1,5 +1,5 @@
 execute "Get nginx from nginx web site" do
-  command "mkdir -p /tmp/install && curl http://sysoev.ru/nginx/nginx-0.8.53.tar.gz > /tmp/install/" 
+  command "mkdir -p /tmp/install && curl http://sysoev.ru/nginx/nginx-0.8.53.tar.gz > /tmp/install/nginx-0.8.53.tar.gz" 
 end
 
 execute "unzip nginx" do
@@ -17,3 +17,9 @@ end
 execute "install nginx" do
   command "cd /tmp/install/nginx-0.8.53 && make install"
 end
+
+config = YAML.load_file("/usr/local/app/diaspora/chef/cookbooks/common/files/default/thins.yml")
+template "/usr/local/nginx/conf/nginx.conf" do
+  source "nginx.conf.erb"
+  variables :socket_paths => config.map{|thin| "/tmp/thin_#{thin["socket_id"]}.sock"}
+end

chef/cookbooks/common/templates/default/nginx.conf.erb

@@ -0,0 +1,69 @@
+#   Copyright (c) 2010, Diaspora Inc.  This file is
+#   licensed under the Affero General Public License version 3 or later.  See
+#   the COPYRIGHT file.
+
+worker_processes 1;
+daemon off;
+
+events {
+ worker_connections  8192;
+}
+
+http {
+
+ include       mime.types;
+ default_type  application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent "$http_referer" '
+                 '"$http_user_agent" "$http_x_forwarded_for"';
+
+ sendfile        on;
+
+ keepalive_timeout  65;
+
+ gzip              on;
+ gzip_http_version 1.0;
+ gzip_comp_level   2;
+ gzip_proxied      any;
+ gzip_buffers      16 8k;
+  upstream thin_cluster {
+  <% @socket_paths.each do |socket_path| %>
+  server unix:<%=socket_path%>;
+  <% end %>
+  }
+
+  server {
+
+   listen       80;
+   server_name  alpha.joindiaspora.com www.alpha.joindiaspora.com;
+   root /usr/local/app/diaspora;
+
+   location / {
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_redirect off;
+    proxy_buffering off;
+
+    if (-f $request_filename/index.html) { #Something here is for photos, but do we need it all?
+      rewrite (.*) $1/index.html break;
+    }
+    if (-f $request_filename.html) {
+     rewrite (.*) $1.html break;
+    }
+    if (!-f $request_filename) {
+     proxy_pass http://thin_cluster;
+     break;
+   }
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+   root html;
+ }
+
+}
+
+}
+