def write_vhost(appinfo): import nginx c = nginx.Conf() s = nginx.Server() s.add( nginx.Comment('SSL conf added by freessl (https://github.com/alihusnainarshad)'), nginx.Key('listen', '443 ssl http2'), nginx.Key('listen', '[::]:443 ssl http2'), nginx.Key('server_name', ' '.join(appinfo.get('valid_domains'))), nginx.Key('brotli', 'on'), nginx.Key('brotli_static', 'off'), nginx.Key('brotli_min_length', '100'), nginx.Key('brotli_buffers', '16 8k'), nginx.Key('brotli_comp_level', '5'), nginx.Key('brotli_types', '*'), nginx.Key('ssl', 'on'), nginx.Key('ssl_certificate', appinfo.get('cert_path')), nginx.Key('ssl_certificate_key', appinfo.get('key_path')), nginx.Key('ssl_prefer_server_ciphers', 'on'), nginx.Key('ssl_session_timeout', '5m'), nginx.Key('ssl_protocols', 'TLSv1.1 TLSv1.2'), nginx.Key('ssl_stapling', 'on'), nginx.Key('ssl_stapling_verify', 'on'), nginx.Key('resolver', '8.8.8.8 8.8.4.4 valid=86400s'), nginx.Key('resolver_timeout', '5s'), nginx.Key('ssl_ciphers', '"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"'), nginx.Key('ssl_ecdh_curve', 'secp384r1'), nginx.Key('ssl_session_cache', 'shared:SSL:10m'), nginx.Key('ssl_session_tickets', 'off'), nginx.Key('ssl_dhparam', '/etc/nginx-rc/dhparam.pem'), nginx.Key('include', '/etc/nginx-rc/conf.d/{}.d/main.conf'.format(appinfo.get('name'))) ) c.add(s) nginx.dumpf(c, '{}/{}-ssl.conf'.format(appinfo.get('vhostdir'), appinfo.get('name')))
def base_server(self): server = nginx.Server() server.add( nginx.Key('server_name', '0.0.0.0'), nginx.Location('/', nginx.Key("try_files", "$uri @proxy_to_app")), nginx.Location( '@proxy_to_app', nginx.Key('proxy_set_header', "X-Forwarded-For $proxy_add_x_forwarded_for"), nginx.Key('proxy_set_header', "X-Forwarded-Proto $scheme"), nginx.Key('proxy_set_header', "Host $http_host"), nginx.Key('proxy_redirect', "off"), nginx.Key('add_header', "Last-Modified $date_gmt"), nginx.Key( 'add_header', "Cache-Control 'no-store, no-cache, must-revalidate, " "proxy-revalidate, max-age=0'"), nginx.Key('if_modified_since', "off"), nginx.Key('expires', "off"), nginx.Key('etag', "off"), nginx.Key('proxy_no_cache', "1"), nginx.Key('proxy_cache_bypass', "1"), nginx.Key('proxy_pass', f"http://base_server"), ), nginx.Location("/static/", nginx.Key('autoindex', 'on'), nginx.Key('alias', '/var/www/static/'), nginx.Key('add_header', 'Cache-Control no-cache')), nginx.Location("/media/", nginx.Key('autoindex', 'on'), nginx.Key('alias', '/var/www/media/'), nginx.Key('add_header', 'Cache-Control no-cache')), ) server.add(nginx.Key("listen", '8018')) server.add(nginx.Key("listen", '[::]:8018')) self.config.add(server)
def create_acme_dummy(domain): """ Create a dummy directory to use for serving ACME challenge data. This function is used when no website yet exists for the desired domain. :param str domain: Domain name to use :returns: Path to directory for challenge data """ site_dir = os.path.join(config.get("websites", "site_dir"), "acme-" + domain) challenge_dir = os.path.join(site_dir, ".well-known/acme-challenge") conf = nginx.Conf( nginx.Server( nginx.Key("listen", "80"), nginx.Key("listen", "[::]:80"), nginx.Key("server_name", domain), nginx.Key("root", site_dir), nginx.Location("/.well-known/acme-challenge/", nginx.Key("root", site_dir)))) origin = os.path.join("/etc/nginx/sites-available", "acme-" + domain) target = os.path.join("/etc/nginx/sites-enabled", "acme-" + domain) uid = users.get_system("http").uid nginx.dumpf(conf, origin) if not os.path.exists(target): os.symlink(origin, target) if not os.path.exists(challenge_dir): os.makedirs(challenge_dir) os.chown(site_dir, uid, -1) os.chown(os.path.join(site_dir, ".well-known"), uid, -1) os.chown(challenge_dir, uid, -1) tracked_services.register("acme", domain, domain + "(ACME Validation)", "globe", [('tcp', 80)], 2) nginx_reload() return challenge_dir
def nginx_add(self, site, add): if site.path == '': site.path = os.path.join('/srv/http/webapps/', site.name) c = nginx.Conf() s = nginx.Server( nginx.Key('listen', site.port), nginx.Key('server_name', site.addr), nginx.Key('root', site.path), nginx.Key('index', 'index.'+('php' if site.php else 'html')) ) if add: s.add(*[x for x in add]) c.add(s) nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', site.name)) # Write configuration file with info Genesis needs to know the site f = open(os.path.join('/etc/nginx/sites-available', '.'+site.name+'.ginf'), 'w') c = ConfigParser.SafeConfigParser() c.add_section('website') c.set('website', 'name', site.name) c.set('website', 'stype', site.stype) c.set('website', 'ssl', '') c.set('website', 'version', site.version if site.version else 'None') c.set('website', 'dbengine', site.dbengine if site.dbengine else '') c.set('website', 'dbname', site.dbname if site.dbname else '') c.set('website', 'dbuser', site.dbuser if site.dbuser else '') c.write(f) f.close()
def create_nginx_config_for_domain(domain, subdomains, subdomain_dir, forward_others, use_ssl, cert_dir): c = nginx.Conf() c.add(nginx.Comment(generation_comment('NGINX config', domain))) for subdomain in subdomains: c.add( nginx.Key('include', str(subdomain_dir / '{}.cfg'.format(subdomain)))) if forward_others is not None: others = nginx.Server() others.add( nginx.Comment('Forward remaining (sub)domains to ' + forward_others), nginx.Key('server_name', '{domain} *.{domain}'.format(domain=domain)), nginx.Key('return', '302 {}$request_uri'.format(forward_others)), nginx.Key('listen', '80')) if use_ssl: others.add( nginx.Comment('use_ssl = True'), nginx.Key('listen', '443 ssl'), nginx.Key('ssl', 'on'), nginx.Key('ssl_certificate', str(cert_dir / 'certificate.crt')), nginx.Key('ssl_certificate_key', str(cert_dir / 'certificate.key'))) c.add(others) return c
def nginx_edit(self, oldsite, site): # Update the nginx serverblock c = nginx.loadf(os.path.join('/etc/nginx/sites-available', oldsite.name)) s = c.servers[0] if oldsite.ssl and oldsite.port == '443': for x in c.servers: if x.filter('Key', 'listen')[0].value == '443 ssl': s = x if site.port != '443': for x in c.servers: if not 'ssl' in x.filter('Key', 'listen')[0].value \ and x.filter('key', 'return'): c.remove(x) elif site.port == '443': c.add(nginx.Server( nginx.Key('listen', '80'), nginx.Key('server_name', site.addr), nginx.Key('return', '301 https://%s$request_uri'%site.addr) )) s.filter('Key', 'listen')[0].value = site.port+' ssl' if site.ssl else site.port s.filter('Key', 'server_name')[0].value = site.addr s.filter('Key', 'root')[0].value = site.path s.filter('Key', 'index')[0].value = 'index.php' if site.php else 'index.html' nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', oldsite.name)) # If the name was changed, rename the folder and files if site.name != oldsite.name: if os.path.exists(os.path.join('/srv/http/webapps', site.name)): shutil.rmtree(os.path.join('/srv/http/webapps', site.name)) shutil.move(os.path.join('/srv/http/webapps', oldsite.name), os.path.join('/srv/http/webapps', site.name)) shutil.move(os.path.join('/etc/nginx/sites-available', oldsite.name), os.path.join('/etc/nginx/sites-available', site.name)) self.nginx_disable(oldsite, reload=False) self.nginx_enable(site) self.nginx_reload()
def test(): return nginx.Conf( nginx.Server( nginx.Comment('This is a test comment'), nginx.Key('server_name', 'localhost'), nginx.Key('root', '/var/www'), nginx.Location('/', nginx.Key('test', 'true'), nginx.Key('test2', 'false'))))
def servers(self, port): for server_data in self.servers: server = nginx.Server() domain = server_data.get("domain", "") if port == 80 and server_data.get("is_ssl_certificate", False): server.add( nginx.Key('server_name', domain), nginx.Key('return', "301 https://$host$request_uri"), ) server.add(nginx.Key("listen", f'{port}')) server.add(nginx.Key("listen", f'[::]:{port}')) else: if server_data.get("is_ssl_certificate", False): server.add( nginx.Key( 'include', f'/etc/nginx/conf.d/ssl_certificate/{domain}.*'), ) server.add( nginx.Key('server_name', domain), nginx.Location( '/', nginx.Key("try_files", "$uri @proxy_to_app")), nginx.Location( '@proxy_to_app', nginx.Key('rewrite', f"^ /{domain}$request_uri break"), nginx.Key( 'proxy_set_header', "X-Forwarded-For $proxy_add_x_forwarded_for"), nginx.Key('proxy_set_header', "X-Forwarded-Proto $scheme"), nginx.Key('proxy_set_header', "Host $http_host"), nginx.Key('add_header', "Last-Modified $date_gmt"), nginx.Key( 'add_header', "Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'" ), nginx.Key('if_modified_since', "off"), nginx.Key('expires', "off"), nginx.Key('etag', "off"), nginx.Key('proxy_no_cache', "1"), nginx.Key('proxy_cache_bypass', "1"), nginx.Key('proxy_redirect', "off"), nginx.Key('proxy_pass', f"http://base_server"), ), nginx.Location( "/static/", nginx.Key('autoindex', 'on'), nginx.Key('alias', '/var/www/static/'), nginx.Key('add_header', 'Cache-Control no-cache')), nginx.Location( "/media/", nginx.Key('autoindex', 'on'), nginx.Key('alias', '/var/www/media/'), nginx.Key('add_header', 'Cache-Control no-cache')), ) server.add(nginx.Key("listen", f'{port} ssl')) server.add(nginx.Key("listen", f'[::]:{port}')) self.config.add(server)
def create_nginx_config_for_subdomain(domain, subdomain, destination, use_ssl, force_ssl, cert_dir): full_domain = '{sub}.{main}'.format(main=domain, sub=subdomain) c = nginx.Conf() c.add(nginx.Comment(generation_comment('NGINX config', full_domain))) if use_ssl and force_ssl: non_ssl = nginx.Server() non_ssl.add(nginx.Comment('force_ssl = True'), nginx.Key('listen', '80'), nginx.Key('server_name', full_domain), nginx.Key('return', '301 https://$host$request_uri')) c.add(non_ssl) main = nginx.Server() if not force_ssl: main.add(nginx.Comment('force_ssl = False'), nginx.Key('listen', '80')) proto = 'http' if use_ssl: proto = 'https' main.add( nginx.Comment('use_ssl = True'), nginx.Key('listen', '443 ssl'), nginx.Key('ssl', 'on'), nginx.Key('ssl_certificate', str(cert_dir / 'certificate.crt')), nginx.Key('ssl_certificate_key', str(cert_dir / 'certificate.key'))) main.add( nginx.Key('server_name', full_domain), nginx.Location( '/', nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'), nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'), nginx.Key('proxy_set_header', 'Connection $connection_upgrade'), nginx.Key('proxy_pass', destination), nginx.Key('proxy_read_timeout', '90'), nginx.Key( 'proxy_redirect', '{dst} {proto}://{full}'.format(dst=destination, full=full_domain, proto=proto)))) c.add(main) return c
def _edit_nginx_entry(project_root_dir, rev_proxy_container, model_name, hostname, ip_port, old_hostname = None): conf_dir = _copy_down_nginx_conf(project_root_dir, rev_proxy_container) try: conf_file = _build_relative_path(conf_dir,'nginx.conf') c = _nginx.loadf(conf_file) http = c.filter('Http')[0] endpoint_url = '/{}/'.format(model_name) # check for existing upstream entry for item, edit as needed if old_hostname is not None: for ups in http.filter('Upstream'): if ups.value == old_hostname: http.remove(ups) # create new hostname entry upstream = _nginx.Upstream(hostname) upstream.add(_nginx.Key('server', ip_port)) http.add( upstream ) # check for existing location entry and remove if present servers = http.filter('Server') add2http = False if len(servers) > 0: server = servers[0] for loc in server.filter('Location'): if loc.value == endpoint_url: server.remove(loc) else: add2http = True server = _nginx.Server() server.add(_nginx.Key('listen', '5000')) location = _nginx.Location(endpoint_url) location.add( _nginx.Key('proxy_pass', 'http://{}/'.format(hostname)), _nginx.Key('proxy_redirect', 'off'), _nginx.Key('proxy_set_header', 'Host $host'), _nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'), _nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), _nginx.Key('proxy_set_header', 'X-Forwarded-Host $server_name') ) server.add(location) if add2http: http.add(server) _nginx.dumpf(c, conf_file) _copy_up_nginx_conf(project_root_dir, conf_dir, rev_proxy_container) # reload nginx on server rev_proxy_container.exec_run('/usr/sbin/nginx', detach = True) rev_proxy_container.exec_run('/usr/sbin/nginx -s reload', detach = True) finally: _shutil.rmtree(conf_dir, ignore_errors=True)
def write_conf(app): print(bcolors.OKBLUE + 'Writing NGINX vhost file for the app ' + bcolors.BOLD + app.get('appname') + bcolors.ENDC) appname = app.get('appname') root = app.get('root') username = app.get('username', 'serverpilot') confname = vhostsdir + appname + '-ssl.conf' domains = app.get('domains') c = nginx.Conf() s = nginx.Server() s.add( nginx.Comment( 'SSL conf added by rwssl (https://github.com/rehmatworks/serverpilot-letsencrypt)' ), nginx.Key('listen', '443 ssl http2'), nginx.Key('listen', '[::]:443 ssl http2'), nginx.Key('server_name', ' '.join(domains)), nginx.Key('ssl', 'on'), nginx.Key('ssl_certificate', app.get('certpath') + '/fullchain.pem'), nginx.Key('ssl_certificate_key', app.get('certpath') + '/privkey.pem'), nginx.Key('root', root), nginx.Key( 'access_log', '/srv/users/' + username + '/log/' + appname + '/dev_nginx.access.log main'), nginx.Key( 'error_log', '/srv/users/' + username + '/log/' + appname + '/dev_nginx.error.log'), nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header', 'X-Forwarded-SSL on'), nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'), nginx.Key('include', '/etc/nginx-sp/vhosts.d/' + appname + '.d/*.conf'), ) c.add(s) try: nginx.dumpf(c, confname) print(bcolors.OKGREEN + 'Virtual host file created!' + bcolors.ENDC) print(bcolors.OKBLUE + 'Reloading NGINX server...' + bcolors.ENDC) reload_nginx_sp() print(bcolors.OKGREEN + 'SSL should have been installed and activated for the app ' + bcolors.BOLD + app.get('appname') + bcolors.ENDC) return True except: print(bcolors.FAIL + 'Virtual host file cannot be created!' + bcolors.ENDC) return False
def nginxConfGenerator(instances, options): c = nginx.Conf() for instance in instances: s = nginx.Server() s.add( nginx.Key('listen', '80'), nginx.Key('server_name', 'nxt-mq-' + instance[1] + '.ies.inventec'), nginx.Location('/', nginx.Key('proxy_pass', 'http://' + instance[0] + ':15672')), ) c.add(s) nginx.dumpf(c, os.path.dirname(os.path.abspath(__file__)) + '/nginx.conf') return
def generate_nginx_config(self): c = nginx.Conf() u = nginx.Upstream('loadbalancer', nginx.Key('least_conn', '')) ip_addr = get_ip_address() for server_idx in range(self.n_endpoints): u.add( nginx.Key('server', f'{ip_addr}:{self.src_port + server_idx}')) s = nginx.Server( nginx.Location('/', nginx.Key('proxy_pass', 'http://loadbalancer'))) loc = nginx.Location('/favicon.ico', nginx.Key('log_not_found', 'off'), nginx.Key('access_log', 'off')) c.add(u) s.add(loc) c.add(s) nginx.dumpf(c, 'dockerfiles/loadbalancer/nginx.conf')
def nginx_add(self, site, add): if site.path == '': site.path = os.path.join('/srv/http/webapps/', site.name) c = nginx.Conf() c.add( nginx.Comment( 'GENESIS %s %s' % (site.stype, 'http://' + site.addr + ':' + site.port))) s = nginx.Server( nginx.Key('listen', site.port), nginx.Key('server_name', site.addr), nginx.Key('root', site.path), nginx.Key('index', 'index.' + ('php' if site.php else 'html'))) if add: s.add(*[x for x in add]) c.add(s) nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', site.name))
def add(): data = request.get_json() input_port = data['input_port'] upstream = data['upstream'] + ":" + data['upstream_port'] path = "/config/" + input_port + ".conf" c = nginx.Conf() s = nginx.Server() s.add( nginx.Key('listen', input_port), nginx.Key('proxy_pass', upstream), nginx.Key('proxy_protocol', 'on'), ) c.add(s) nginx.dumpf(c, path) return "Done!"
def test_create(): c = nginx.Conf() u = nginx.Upstream('php', nginx.Key('server', 'unix:/tmp/php-fcgi.socket'), nginx.Key('server', '10.0.2.1')) u.add(nginx.Key('server', '101.0.2.1')) c.add(u) s = nginx.Server() s.add( nginx.Key('listen', '80'), nginx.Comment('Yes, python-nginx can read/write comments!'), nginx.Key('server_name', 'localhost 127.0.0.1'), nginx.Key('root', '/srv/http'), nginx.Key('index', 'index.php'), nginx.Location('= /robots.txt', nginx.Key('allow', 'all'), nginx.Key('log_not_found', 'off'), nginx.Key('access_log', 'off')), nginx.Location('~ \.php$', nginx.Key('include', 'fastcgi.conf'), nginx.Key('fastcgi_intercept_errors', 'on'), nginx.Key('fastcgi_pass', 'php'))) c.add(s) nginx.dumpf(c, 'mysite')
def create_nginx_config(nginx_port, app_name): c = nginx.Conf() e = nginx.Events() e.add(nginx.Key('worker_connections', '1024')) c.add(e) h = nginx.Http() u = nginx.Upstream(app_name) h.add(u) s = nginx.Server() s.add( nginx.Key('listen', str(nginx_port)), nginx.Key('server_name', app_name), nginx.Location('/', nginx.Key('proxy_pass', 'http://' + app_name), nginx.Key('proxy_set_header', 'Host $host'))) h.add(s) c.add(h) nginx.dumpf(c, nginx_configs_dir + "/" + app_name + '/nginx.conf')
def ssl_enable(self, data, cname, cpath, kpath): # If no cipher preferences set, use the default ones # As per Mozilla recommendations, but substituting 3DES for RC4 from genesis.plugins.certificates.backend import CertControl ciphers = ':'.join([ 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'kEDH+AESGCM', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA', 'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES256-SHA384', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA', 'ECDHE-ECDSA-AES256-SHA', 'DHE-RSA-AES128-SHA256', 'DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA256', 'DHE-DSS-AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'ECDHE-RSA-DES-CBC3-SHA', 'ECDHE-ECDSA-DES-CBC3-SHA', 'EDH-RSA-DES-CBC3-SHA', 'EDH-DSS-DES-CBC3-SHA', 'DES-CBC3-SHA', 'HIGH', '!aNULL', '!eNULL', '!EXPORT', '!DES', '!RC4', '!MD5', '!PSK' ]) cfg = self.app.get_config(CertControl(self.app)) if hasattr(cfg, 'ciphers') and cfg.ciphers: ciphers = cfg.ciphers elif hasattr(cfg, 'ciphers'): cfg.ciphers = ciphers cfg.save() name, stype = data.name, data.stype port = '443' c = nginx.loadf('/etc/nginx/sites-available/'+name) s = c.servers[0] l = s.filter('Key', 'listen')[0] if l.value == '80': l.value = '443 ssl' port = '443' c.add(nginx.Server( nginx.Key('listen', '80'), nginx.Key('server_name', data.addr), nginx.Key('return', '301 https://%s$request_uri'%data.addr) )) for x in c.servers: if x.filter('Key', 'listen')[0].value == '443 ssl': s = x break else: port = l.value.split(' ssl')[0] l.value = l.value.split(' ssl')[0] + ' ssl' for x in s.all(): if type(x) == nginx.Key and x.name.startswith('ssl_'): s.remove(x) s.add( nginx.Key('ssl_certificate', cpath), nginx.Key('ssl_certificate_key', kpath), nginx.Key('ssl_protocols', 'SSLv3 TLSv1 TLSv1.1 TLSv1.2'), nginx.Key('ssl_ciphers', ciphers), nginx.Key('ssl_session_timeout', '5m'), nginx.Key('ssl_prefer_server_ciphers', 'on'), nginx.Key('ssl_session_cache', 'shared:SSL:50m'), ) g = ConfigParser.SafeConfigParser() g.read(os.path.join('/etc/nginx/sites-available', '.'+name+'.ginf')) g.set('website', 'ssl', cname) g.write(open(os.path.join('/etc/nginx/sites-available', '.'+name+'.ginf'), 'w')) nginx.dumpf(c, '/etc/nginx/sites-available/'+name) apis.webapps(self.app).get_interface(stype).ssl_enable( os.path.join('/srv/http/webapps', name), cpath, kpath)
def start(args): global path global conPicDict global firstTimeNginx global firstTimeNetcat processDocker = subprocess.Popen(["docker", "start"]+ [args[1]], stdout = subprocess.PIPE) output = processDocker.communicate() #get the image_name and the Cmds processCmd = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Cmd}}'", ""+ args[1]], stdout = subprocess.PIPE) cmd = processCmd.communicate()[0] cmd = cmd.split("'")[1] processImageName = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Image}}'", ""+ args[1]], stdout = subprocess.PIPE) imageName = processImageName.communicate()[0] imageName = imageName.split("'")[1] #conPicDict[args[1]] = ["docker","start"] + [args[1]] conPicDict[args[1]] = [imageName,cmd] + [args[1]] #args[1] is gonna be the worker name, ex: worker1 isNginx = False if(imageName == 'nginx:alpine'): isNginx = True #if both firstimes are false we add the server to both upstreams so it runs c = nginx.loadf(path+'/load-balancer/nginx.conf') HttpFilter = ((c.filter('Http')[0])) if(isNginx): if(firstTimeNginx == False): #make upstream make worker add worker to upstream add upstream #to the http nginxUpstream = nginx.Upstream('nginx') worker = nginx.Key('server', args[1]+":80") nginxUpstream.add(worker) HttpFilter.add(nginxUpstream) #when we make upstream for first time we also make server server s = nginx.Server() s.add(nginx.Key('listen','8100'),nginx.Location('/' , nginx.Key('proxy_pass','http://nginx'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name'))) HttpFilter.add(s) #dumping firstTimeNginx = True nginx.dumpf(c, path+'/load-balancer/nginx.conf') else: upstreamSearch = HttpFilter.filter('Upstream') j = 0 found = False for key in upstreamSearch: if(((key.as_dict).keys())[0] == 'upstream nginx'): found = True break j = j + 1 worker = nginx.Key('server', args[1]+":80") if(found): upstreamSearch[j].add(worker) nginx.dumpf(c, path+'/load-balancer/nginx.conf') else: if(firstTimeNetcat == False): #make upstream make worker add worker to upstream add upstream #to the http nginxUpstream = nginx.Upstream('netcat') worker = nginx.Key('server', args[1]+":80") nginxUpstream.add(worker) HttpFilter.add(nginxUpstream) #when we make upstream for first time we also make server server s = nginx.Server() s.add(nginx.Key('listen','8101'),nginx.Location('/' , nginx.Key('proxy_pass','http://netcat'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name'))) HttpFilter.add(s) #dumping firstTimeNetcat = True nginx.dumpf(c, path+'/load-balancer/nginx.conf') else: upstreamSearch = HttpFilter.filter('Upstream') j = 0 found = False for key in upstreamSearch: if(((key.as_dict).keys())[0] == 'upstream netcat'): found = True break j = j + 1 worker = nginx.Key('server', args[1]+":80") if(found): upstreamSearch[j].add(worker) nginx.dumpf(c, path+'/load-balancer/nginx.conf') #now kill,rm,build,run loadBalReset()
def run(args): global conPicDict global workerCounter global firstTimeNginx global firstTimeNetcat global path #args[1] is image name #args[2] is container name #args[3]+ is the commands processDocker = subprocess.Popen(["docker","run","--name", "worker"+str(workerCounter)] + args[1:], stdout = subprocess.PIPE) output = processDocker.communicate() #connect container to network bridge conNet processNetConnect = subprocess.Popen(["docker","network","connect", "conNet","worker"+str(workerCounter)], stdout = subprocess.PIPE) output = processNetConnect.communicate() #get the image_name and the Cmds processCmd = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Cmd}}'", "worker"+str(workerCounter)], stdout = subprocess.PIPE) cmd = processCmd.communicate()[0] cmd = cmd.split("'")[1] processImageName = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Image}}'", "worker"+str(workerCounter)], stdout = subprocess.PIPE) imageName = processImageName.communicate()[0] imageName = imageName.split("'")[1] conPicDict["worker"+str(workerCounter)] = [imageName,cmd] + ["worker"+str(workerCounter)] conPicDict['count'] = workerCounter #everytime we run a container we add it to the load balancer by editing #the nginx.conf file then we have to kill, rm, rebuild and rerun loadBal #checks if its nginx or netcat(anything else) isNginx = False if(imageName == 'nginx:alpine'): isNginx = True #if both firstimes are false we add the server to both upstreams so it runs c = nginx.loadf(path+'/load-balancer/nginx.conf') HttpFilter = ((c.filter('Http')[0])) if(isNginx): if(firstTimeNginx == False): #make upstream make worker add worker to upstream add upstream #to the http nginxUpstream = nginx.Upstream('nginx') worker = nginx.Key('server', "worker"+str(workerCounter)+":80") nginxUpstream.add(worker) HttpFilter.add(nginxUpstream) #when we make upstream for first time we also make server server s = nginx.Server() s.add(nginx.Key('listen','8100'),nginx.Location('/' , nginx.Key('proxy_pass','http://nginx'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name'))) HttpFilter.add(s) #dumping firstTimeNginx = True nginx.dumpf(c, path+'/load-balancer/nginx.conf') else: upstreamSearch = HttpFilter.filter('Upstream') j = 0 found = False for key in upstreamSearch: if(((key.as_dict).keys())[0] == 'upstream nginx'): found = True break j = j + 1 worker = nginx.Key('server', "worker"+str(workerCounter)+":80") if(found): upstreamSearch[j].add(worker) nginx.dumpf(c, path+'/load-balancer/nginx.conf') else: if(firstTimeNetcat == False): #make upstream make worker add worker to upstream add upstream #to the http nginxUpstream = nginx.Upstream('netcat') worker = nginx.Key('server', "worker"+str(workerCounter)+":80") nginxUpstream.add(worker) HttpFilter.add(nginxUpstream) #when we make upstream for first time we also make server server s = nginx.Server() s.add(nginx.Key('listen','8101'),nginx.Location('/' , nginx.Key('proxy_pass','http://netcat'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name'))) HttpFilter.add(s) #dumping firstTimeNetcat = True nginx.dumpf(c, path+'/load-balancer/nginx.conf') else: upstreamSearch = HttpFilter.filter('Upstream') j = 0 found = False for key in upstreamSearch: if(((key.as_dict).keys())[0] == 'upstream netcat'): found = True break j = j + 1 worker = nginx.Key('server', "worker"+str(workerCounter)+":80") if(found): upstreamSearch[j].add(worker) nginx.dumpf(c, path+'/load-balancer/nginx.conf') #now kill,rm,build,run loadBalReset() #increment workerCounter workerCounter = workerCounter + 1
def _execute(command): config = FileUtils.get_instance('config.ini') nginx_conf_dir = config.get_prop("nginx-config", "nginx_conf_dir") nginx_conf_dir_bak = config.get_prop("nginx-config", "nginx_conf_dir_bak") os.system('mkdir -p ' + nginx_conf_dir) os.system('cp -r ' + nginx_conf_dir + nginx_conf_dir_bak) os.system('rm -rf ' + nginx_conf_dir + '*') state = '0' try: for k1 in command: upstreamName = k1["upstreamName"] upstreamNode = json.loads(k1["upstreamNode"]) fileName = nginx_conf_dir + upstreamName + '.conf' os.system('touch ' + fileName) c = nginx.Conf() LogUtil.info("Node信息:%s" % (upstreamNode)) t = '' for k2 in range(len(upstreamNode)): if (k2 == 0): t = 'server' + ' ' + upstreamNode[k2][ "ipAdress"] + ' ' + upstreamNode[k2]["strategy"] + ';\n' if (0 < k2 < len(upstreamNode) - 1): t = t + ' ' + 'server' + ' ' + upstreamNode[k2][ "ipAdress"] + ' ' + upstreamNode[k2]["strategy"] + ';\n' if (k2 == len(upstreamNode) - 1): t = t + ' ' + 'server' + ' ' + upstreamNode[k2][ "ipAdress"] + ' ' + upstreamNode[k2]["strategy"] ipHash = k1["ipHash"] if (ipHash == '1'): u = nginx.Upstream(upstreamName, nginx.Key('', t), nginx.Key('', 'ip_hash')) c.add(u) if (ipHash == '0'): u = nginx.Upstream(upstreamName, nginx.Key('', t)) c.add(u) s = nginx.Server() s.add( nginx.Key('listen', k1["nginxListenPort"]), nginx.Key('server_name', k1["nginxServerName"]), nginx.Key('access_log', k1["accessLog"]), nginx.Location( '= /', nginx.Key('proxy_pass', 'http://' + k1["upstreamName"]), nginx.Key('proxy_redirect', 'off'), nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'))) c.add(s) nginx.dumpf(c, fileName) LogUtil.info("完成Nginx配置") output = os.popen('service nginx restart').read() state = '1' param = [ "{\"mac\":\"" + MachineUtil.get_mac_address() + "\",\"state\":\"" + state + "\",\"msg\":\"" + output + "\"}" ] os.system('rm -rf ' + nginx_conf_dir_bak) AosServerService.route_service("ThriftApiService", "nginxLog", param) except Exception, ex: LogUtil.error(ex) os.system('rm -rf ' + nginx_conf_dir) os.system('mv ' + nginx_conf_dir_bak + nginx_conf_dir) os.system('service nginx restart') output = ex.message state = '2' param = [ "{\"mac\":\"" + MachineUtil.get_mac_address() + "\",\"state\":\"" + state + "\",\"msg\":\"" + output + "\"}" ] AosServerService.route_service("ThriftApiService", "nginxLog", param)
def rebuild_sites(self): """ Turns jack's site json files into useable nginx configuration files """ for uuid, site_config in self.configs.items(): maintenance_mode = 'maintenance' in site_config and site_config['maintenance'] nginx_config = nginx.Conf() # Add some comments so anyone who looks in the nginx config # knows what's going on nginx_config.add(nginx.Comment('Generated by Prism CP. Any changes will be overwritten!')) nginx_config.add(nginx.Comment('Site ID: %s' % site_config['id'])) server_block = nginx.Server() if 'listen' in site_config: for port in site_config['listen']: server_block.add(nginx.Key('listen', port)) if 'hostname' in site_config: server_block.add(nginx.Key('server_name', site_config['hostname'])) site_folder = os.path.join(self._jack_plugin.site_files_location, uuid) # Sets the root and logs to the site's folder server_block.add(nginx.Key('access_log', os.path.join(site_folder, 'access.log'))) server_block.add(nginx.Key('error_log', os.path.join(site_folder, 'error.log'))) if 'root' in site_config: root_folder = os.path.join(site_folder, site_config['root']) if not os.path.exists(root_folder): os.makedirs(root_folder) server_block.add(nginx.Key('root', root_folder)) if 'index' in site_config: server_block.add(nginx.Key('index', site_config['index'])) # If the site is in maintenance mode, redirect everything to 503 if maintenance_mode: server_block.add(nginx.Location('/', nginx.Key('return', 503))) else: for path, items in site_config['locations'].items(): location_items = [] for item, content in items.items(): if isinstance(content, tuple) or isinstance(content, list): for c in content: location_items.append(nginx.Key(item, c)) else: location_items.append(nginx.Key(item, content)) server_block.add(nginx.Location(path, *location_items)) # Error page blocks server_block.add(nginx.Key('error_page', '400 /error/400.html')) server_block.add(nginx.Key('error_page', '403 /error/403.html')) server_block.add(nginx.Key('error_page', '404 /error/404.html')) server_block.add(nginx.Key('error_page', '408 /error/408.html')) server_block.add(nginx.Key('error_page', '500 /error/500.html')) server_block.add(nginx.Key('error_page', '502 /error/502.html')) server_block.add(nginx.Key('error_page', '503 /error/503.html')) server_block.add(nginx.Location('^~ /error/', nginx.Key('root', self.sites_default), nginx.Key('internal', ''))) nginx_config.add(server_block) # Dump to nginx's config location nginx.dumpf(nginx_config, os.path.join(self.config_location, site_config['uuid'] + '.conf')) # Reload nginx so it picks up the changes prism.os_command('systemctl reload nginx.service')
def BuildNginxConfiguration(self, server, api_services, clients, identity_services): print("Configuring Nginx Server") serverConfig = server['config'] config = nginx.Conf() # Add Root Configurations for key, value in serverConfig.items(): if (not isinstance(value, dict)): config.add(nginx.Key(key, value)) events = nginx.Events() httpConf = nginx.Http() # Add Event Configurations if ('events' in serverConfig): for key, value in serverConfig['events'].items(): events.add(nginx.Key(key, value)) config.add(events) # Add Http Configurations if ('http' in serverConfig): for key, value in serverConfig['http'].items(): httpConf.add(nginx.Key(key, value)) # Add Services To Http for api_service in api_services: nginxServer = nginx.Server( nginx.Key('listen', '80'), nginx.Key('server_name', str.lower(api_service['name']) + '.localhost'), ) proxy_pass = '******' + api_service['name'] + ':' + str( api_service['port']) + '/' location = nginx.Location( '/', nginx.Key('proxy_http_version', '1.1'), nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'), nginx.Key('proxy_set_header', 'Connection keep-alive'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-NginX-Proxy true'), nginx.Key('proxy_pass', proxy_pass)) nginxServer.add(location) httpConf.add(nginxServer) for i_service in identity_services: nginxServer = nginx.Server( nginx.Key('listen', '80'), nginx.Key('server_name', str.lower(i_service['name']) + '.localhost'), ) #pylint: disable-msg=E1121 proxy_pass = '******' + i_service['name'] + ':' + str( i_service['port']) + '/' location = nginx.Location( '/', nginx.Key('proxy_http_version', '1.1'), nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'), nginx.Key('proxy_set_header', 'Connection keep-alive'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-NginX-Proxy true'), nginx.Key('proxy_pass', proxy_pass)) nginxServer.add(location) httpConf.add(nginxServer) for client in clients: nginxServer = nginx.Server( nginx.Key('listen', '80'), nginx.Key('server_name', str.lower(client['name']) + '.localhost'), ) #pylint: disable-msg=E1121 proxy_pass = '******' + client['name'] + ':' + str( client['port']) + '/' location = nginx.Location( '/', nginx.Key('proxy_http_version', '1.1'), nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'), nginx.Key('proxy_set_header', 'Connection keep-alive'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-NginX-Proxy true'), nginx.Key('proxy_pass', proxy_pass)) nginxServer.add(location) httpConf.add(nginxServer) config.add(httpConf) return config
def _ssl_enable(self): # Get server-preferred ciphers if config.get("certificates", "ciphers"): ciphers = config.get("certificates", "ciphers") else: config.set("certificates", "ciphers", ciphers) config.save() block = nginx.loadf( os.path.join("/etc/nginx/sites-available/", self.id)) # If the site is on port 80, setup an HTTP redirect to new port 443 server = block.server listens = server.filter("Key", "listen") for listen in listens: httport = "80" sslport = "443" if listen.value.startswith("[::]"): # IPv6 httport = "[::]:80" sslport = "[::]:443" if listen.value == httport: listen.value = (sslport + " ssl http2") block.add( nginx.Server( nginx.Key("listen", httport), nginx.Key("server_name", self.domain), nginx.Location( "/", nginx.Key("return", "301 https://$host$request_uri")), nginx.Location("/.well-known/acme-challenge/", nginx.Key("root", self.path)))) for x in block.servers: if " ssl" in x.filter("Key", "listen")[0].value: server = x break else: listen.value = listen.value.split(" ssl")[0] + " ssl http2" # Clean up any pre-existing SSL directives that no longer apply to_remove = [x for x in server.keys if x.name.startswith("ssl_")] server.remove(*to_remove) # Add the necessary SSL directives to the serverblock and save server.add( nginx.Key("ssl_certificate", self.cert.cert_path), nginx.Key("ssl_certificate_key", self.cert.key_path), nginx.Key("ssl_protocols", "TLSv1 TLSv1.1 TLSv1.2"), nginx.Key("ssl_ciphers", ciphers), nginx.Key("ssl_session_timeout", "5m"), nginx.Key("ssl_prefer_server_ciphers", "on"), nginx.Key("ssl_dhparam", "/etc/arkos/ssl/dh_params.pem"), nginx.Key("ssl_session_cache", "shared:SSL:50m"), ) nginx.dumpf(block, os.path.join("/etc/nginx/sites-available/", self.id)) # Set the certificate name in the metadata file if not os.path.exists(os.path.join(self.path, ".arkos")): raise errors.InvalidConfigError("Could not find metadata file") meta = configparser.SafeConfigParser() meta.read(os.path.join(self.path, ".arkos")) meta.set("website", "ssl", self.cert.id) with open(os.path.join(self.path, ".arkos"), "w") as f: meta.write(f) # Call the website type's SSL enable hook self.enable_ssl(self.cert.cert_path, self.cert.key_path)
def _edit(self, newname): site_dir = config.get("websites", "site_dir") block = nginx.loadf(os.path.join("/etc/nginx/sites-available", self.id)) # If SSL is enabled and the port is changing to 443, # create the port 80 redirect server = block.server if self.cert and self.port == 443: for x in block.servers: if "443 ssl" in x.filter("Key", "listen")[0].value: server = x if self.port != 443: for x in block.servers: if "ssl" not in x.filter("Key", "listen")[0].value\ and x.filter("key", "return"): block.remove(x) elif self.port == 443: block.add( nginx.Server( nginx.Key("listen", "80"), nginx.Key("listen", "[::]:80"), nginx.Key("server_name", self.domain), nginx.Location( "/", nginx.Key("return", "301 https://$host$request_uri")), nginx.Location("/.well-known/acme-challenge/", nginx.Key("root", self.path)))) # If the name was changed... if newname and self.id != newname: # rename the folder and files... self.path = os.path.join(site_dir, newname) if os.path.exists(self.path): shutil.rmtree(self.path) self.nginx_disable(reload=False) shutil.move(os.path.join(site_dir, self.id), self.path) os.unlink(os.path.join("/etc/nginx/sites-available", self.id)) signals.emit("websites", "site_removed", self) self.id = newname # then update the site's arkOS metadata file with the new name meta = configparser.SafeConfigParser() meta.read(os.path.join(self.path, ".arkos")) meta.set("website", "id", self.id) with open(os.path.join(self.path, ".arkos"), "w") as f: meta.write(f) self.nginx_enable(reload=False) # Pass any necessary updates to the nginx serverblock and save port = "{0} ssl".format(self.port) if self.cert else str(self.port) for listen in server.filter("Key", "listen"): if listen.value.startswith("[::]:"): listen.value = "[::]:" + str(port) else: listen.value = str(port) if hasattr(self.app, "website_root") and self.app.website_root: webroot = os.path.join(self.path, self.app.website_root) else: webroot = self.path server.filter("Key", "server_name")[0].value = self.domain server.filter("Key", "root")[0].value = webroot server.filter("Key", "index")[0].value = "index.php" \ if getattr(self, "php", False) else "index.html" nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id)) # Call the site's edited hook, if it has one, then reload nginx signals.emit("websites", "site_loaded", self) if hasattr(self, "site_edited"): self.site_edited() nginx_reload()
def set_conf(request, proxy): config = nginx.Conf() serverHTTP = nginx.Server() serverHTTPS = nginx.Server() print(proxy.domain) print(proxy.ssl) print(proxy.letsencrypt) print(proxy.rewriteHTTPS) print(proxy.proxypass) serverHTTP.add( nginx.Key('listen', '*:80'), nginx.Key('server_name', proxy.domain), ) if proxy.rewriteHTTPS: serverHTTP.add( nginx.Key('return', '302 https://$server_name$request_uri'), ) else: serverHTTP.add( nginx.Location( '/', nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'), nginx.Key('proxy_set_header', 'Connection '"upgrade"), nginx.Key('proxy_http_version', '1.1'), nginx.Key('proxy_pass', proxy.proxypass), ) ) if proxy.ssl: letsencrypt.generate_cert(request, proxy) serverHTTPS.add( nginx.Key('server_name', proxy.domain), nginx.Key('listen', '*:443 ssl'), nginx.Key('ssl_protocols', 'TLSv1 TLSv1.1 TLSv1.2'), nginx.Key('ssl_certificate', '/etc/letsencrypt/live/'+proxy.domain+'/fullchain.pem'), nginx.Key('ssl_certificate_key', '/etc/letsencrypt/live/'+proxy.domain+'/privkey.pem'), ) serverHTTPS.add( nginx.Location( '/', nginx.Key('proxy_set_header', 'Host $host'), nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'), nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'), nginx.Key('proxy_set_header', 'Connection '"upgrade"), nginx.Key('proxy_http_version', '1.1'), nginx.Key('proxy_pass', proxy.proxypass), ) ) config.add(serverHTTP) config.add(serverHTTPS) nginx.dumpf(config, '/etc/nginx/conf.d/' + proxy.domain + '.conf') shell.restart_nginx(request) return True
NOMAD_ADDR_nginx1_http=10.123.26.15:22707 """ # find out the IP address of the task via env NOMAD_IP_nginx1_http env_var = 'NOMAD_ADDR_%s_%s' % (task, label) url = os.getenv(env_var) if not url: print "ERROR: Environment variable %s does not exist, exiting..." % env_var sys.exit(1) upstream_args.append(nginx.Key('server', url)) u = nginx.Upstream(*upstream_args) c.add(u) s = nginx.Server() s.add( nginx.Key('listen', '80'), nginx.Comment( 'Autogenerated configuration from build_config_run_nginx.py'), nginx.Key('server_name', 'localhost'), nginx.Key('root', '/usr/share/nginx/html'), nginx.Key('index', 'index.html'), nginx.Location('/', nginx.Key('proxy_pass', 'http://tasks'))) c.add(s) print nginx.dumps(c) nginx.dumpf(c, '/etc/nginx/conf.d/default.conf')
def _install(self, extra_vars, enable, nthread): nthread.title = "Installing website" msg = Notification("info", "Webs", "Preparing to install...") nthread.update(msg) # Make sure the chosen port is indeed open if not tracked_services.is_open_port(self.port, self.domain): cname = "({0})".format(self.app.id) raise errors.InvalidConfigError(cname, nthread)\ from tracked_services.PortConflictError(self.port, self.domain) # Set some metadata values specialmsg, dbpasswd = "", "" site_dir = config.get("websites", "site_dir") path = (self.path or os.path.join(site_dir, self.id)) self.path = path self.php = extra_vars.get("php") or self.php \ or self.app.uses_php or False self.version = self.app.version.rsplit("-", 1)[0] \ if self.app.website_updates else None # Classify the source package type if not self.app.download_url: ending = "" elif self.app.download_url.endswith(".tar.gz"): ending = ".tar.gz" elif self.app.download_url.endswith(".tgz"): ending = ".tgz" elif self.app.download_url.endswith(".tar.bz2"): ending = ".tar.bz2" elif self.app.download_url.endswith(".zip"): ending = ".zip" elif self.app.download_url.endswith(".git"): ending = ".git" else: raise errors.InvalidConfigError( "Invalid source archive format in {0}".format(self.app.id)) msg = "Running pre-installation..." uid, gid = users.get_system("http").uid, groups.get_system("http").gid nthread.update(Notification("info", "Webs", msg)) # Call website type's pre-install hook self.pre_install(extra_vars) # If needs DB and user didn't select an engine, choose one for them if len(self.app.database_engines) > 1 \ and extra_vars.get("dbengine", None): self.app.selected_dbengine = extra_vars.get("dbengine") if not getattr(self.app, "selected_dbengine", None)\ and self.app.database_engines: self.app.selected_dbengine = self.app.database_engines[0] # Create DB and/or DB user as necessary if getattr(self.app, "selected_dbengine", None): msg = "Creating database..." nthread.update(Notification("info", "Webs", msg)) mgr = databases.get_managers(self.app.selected_dbengine) if not mgr: estr = "No manager found for {0}" raise errors.InvalidConfigError( estr.format(self.app.selected_dbengine)) # Make sure DB daemon is running if it has one if not mgr.state: svc = services.get(mgr.meta.database_service) svc.restart() self.db = mgr.add_db(self.id) if hasattr(self.db, "path"): os.chmod(self.db.path, 0o660) os.chown(self.db.path, -1, gid) # If multiuser DB type, create user if mgr.meta.database_multiuser: dbpasswd = random_string(16) db_user = mgr.add_user(self.id, dbpasswd) db_user.chperm("grant", self.db) # Make sure the target directory exists, but is empty pkg_path = os.path.join("/tmp", self.id + ending) if os.path.isdir(self.path): shutil.rmtree(self.path) os.makedirs(self.path) # Download and extract the source repo / package msg = "Downloading website source..." nthread.update(Notification("info", "Webs", msg)) if self.app.download_url and ending == ".git": g = git.Repo.clone_from(self.app.download_url, self.path) if hasattr(self.app, "download_at_tag"): g = git.Git(self.path) g.checkout(self.app.download_git_tag) elif self.app.download_url: download(self.app.download_url, file=pkg_path, crit=True) # Format extraction command according to type msg = "Extracting source..." nthread.update(Notification("info", "Webs", msg)) if ending in [".tar.gz", ".tgz", ".tar.bz2"]: arch = tarfile.open(pkg_path, "r:gz") r = (x for x in arch.getnames() if re.match("^[^/]*$", x)) toplvl = next(r, None) if not toplvl: raise errors.OperationFailedError( "Malformed source archive") arch.extractall(site_dir) os.rename(os.path.join(site_dir, toplvl), self.path) else: arch = zipfile.ZipFile(pkg_path) r = (x for x in arch.namelist() if re.match("^[^/]*/$", x)) toplvl = next(r, None) if not toplvl: raise errors.OperationFailedError( "Malformed source archive") arch.extractall(site_dir) os.rename(os.path.join(site_dir, toplvl.rstrip("/")), self.path) os.remove(pkg_path) # Set proper starting permissions on source directory os.chmod(self.path, 0o755) os.chown(self.path, uid, gid) for r, d, f in os.walk(self.path): for x in d: os.chmod(os.path.join(r, x), 0o755) os.chown(os.path.join(r, x), uid, gid) for x in f: os.chmod(os.path.join(r, x), 0o644) os.chown(os.path.join(r, x), uid, gid) # If there is a custom path for the data directory, set it up if getattr(self.app, "website_datapaths", None) \ and extra_vars.get("datadir"): self.data_path = extra_vars["datadir"] if not os.path.exists(self.data_path): os.makedirs(self.data_path) os.chmod(self.data_path, 0o755) os.chown(self.data_path, uid, gid) elif hasattr(self, "website_default_data_subdir"): self.data_path = os.path.join(self.path, self.website_default_data_subdir) else: self.data_path = self.path # Create the nginx serverblock addtoblock = self.addtoblock or [] if extra_vars.get("addtoblock"): addtoblock += nginx.loads(extra_vars.get("addtoblock"), False) default_index = "index." + ("php" if self.php else "html") if hasattr(self.app, "website_root"): webroot = os.path.join(self.path, self.app.website_root) else: webroot = self.path block = nginx.Conf() server = nginx.Server( nginx.Key("listen", str(self.port)), nginx.Key("listen", "[::]:" + str(self.port)), nginx.Key("server_name", self.domain), nginx.Key("root", webroot), nginx.Key( "index", getattr(self.app, "website_index", None) or default_index), nginx.Location("/.well-known/acme-challenge/", nginx.Key("root", self.path))) if addtoblock: server.add(*[x for x in addtoblock]) block.add(server) nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id)) challenge_dir = os.path.join(self.path, ".well-known/acme-challenge/") if not os.path.exists(challenge_dir): os.makedirs(challenge_dir) # Create arkOS metadata file meta = configparser.SafeConfigParser() meta.add_section("website") meta.set("website", "id", self.id) meta.set("website", "app", self.app.id) meta.set("website", "ssl", self.cert.id if getattr(self, "cert", None) else "None") meta.set("website", "version", self.version or "None") if getattr(self.app, "website_datapaths", None) \ and self.data_path: meta.set("website", "data_path", self.data_path) meta.set("website", "dbengine", "") meta.set("website", "dbengine", getattr(self.app, "selected_dbengine", "")) with open(os.path.join(self.path, ".arkos"), "w") as f: meta.write(f) # Call site type's post-installation hook msg = "Running post-installation. This may take a few minutes..." nthread.update(Notification("info", "Webs", msg)) specialmsg = self.post_install(extra_vars, dbpasswd) # Cleanup and reload daemons msg = "Finishing..." nthread.update(Notification("info", "Webs", msg)) self.installed = True storage.websites[self.id] = self if self.port == 80: cleanup_acme_dummy(self.domain) signals.emit("websites", "site_installed", self) if enable: self.nginx_enable() if enable and self.php: php.open_basedir("add", "/srv/http/") php_reload() msg = "{0} site installed successfully".format(self.app.name) nthread.complete(Notification("success", "Webs", msg)) if specialmsg: return specialmsg
# Read the INI file config.read(file) # Generate required socket and set it socket = host + ":" + port config.set('uwsgi', 'socket', socket) # Write the updates to the file with open(file, 'w') as configfile: config.write(configfile) configfile.close() # Add server module to the nginx file object server = nginx.Server() server.add( nginx.Key('listen', port + " " + "ssl"), nginx.Key('ssl_certificate', "/etc/nginx/" + subdir + "_cert.crt"), nginx.Key('ssl_certificate_key', "/etc/nginx/" + subdir + "_cert.key"), nginx.Location('/', nginx.Key('include', 'uwsgi_params'), nginx.Key('uwsgi_pass', subdir + ":" + port))) nginx_config.add(server) # Hardcoded redirect for base localhost # server = nginx.Server() # server.add( # nginx.Key('listen', "80"), # nginx.Key('listen', "8080"), # nginx.Key('server_name', "localhost"), # nginx.Key('return', "307 https://github.com/oscar-king/A-Decentralised-Digital-Identity-Architecture$request_uri")
def _install(self, extra_vars, enable, nthread): # Set metadata values site_dir = config.get("websites", "site_dir") path = (self.path or os.path.join(site_dir, self.id)) self.path = path if os.path.isdir(self.path): shutil.rmtree(self.path) os.makedirs(self.path) # If extra data is passed in, set up the serverblock accordingly uwsgi_block = [ nginx.Location( extra_vars.get("lregex", "/"), nginx.Key("{0}_pass".format(extra_vars.get("type")), extra_vars.get("pass", "")), nginx.Key("include", "{0}_params".format(extra_vars.get("type")))) ] default_block = [ nginx.Location(extra_vars.get("lregex", "/"), nginx.Key("proxy_pass", extra_vars.get("pass", "")), nginx.Key("proxy_redirect", "off"), nginx.Key("proxy_buffering", "off"), nginx.Key("proxy_set_header", "Host $host")) ] if extra_vars: if not extra_vars.get("type") or not extra_vars.get("pass"): raise errors.InvalidConfigError( "Must enter ReverseProxy type and location to pass to") elif extra_vars.get("type") in ["fastcgi", "uwsgi"]: self.block = uwsgi_block else: self.block = default_block if extra_vars.get("xrip"): self.block[0].add( nginx.Key("proxy_set_header", "X-Real-IP $remote_addr")) if extra_vars.get("xff") == "1": xff_key = "X-Forwarded-For $proxy_add_x_forwarded_for" self.block[0].add(nginx.Key("proxy_set_header", xff_key)) # Create the nginx serverblock and arkOS metadata files block = nginx.Conf() server = nginx.Server( nginx.Key("listen", self.port), nginx.Key("listen", "[::]:" + str(self.port)), nginx.Key("server_name", self.domain), nginx.Key("root", self.base_path or self.path), nginx.Location("/.well-known/acme-challenge/", nginx.Key("root", self.path))) server.add(*[x for x in self.block]) block.add(server) nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id)) challenge_dir = os.path.join(self.path, ".well-known/acme-challenge/") if not os.path.exists(challenge_dir): os.makedirs(challenge_dir) meta = configparser.SafeConfigParser() ssl = self.cert.id if getattr(self, "cert", None) else "None" meta.add_section("website") meta.set("website", "id", self.id) meta.set("website", "app", self.app.id if self.app else "None") meta.set("website", "version", "None") meta.set("website", "ssl", ssl) with open(os.path.join(self.path, ".arkos"), "w") as f: meta.write(f) # Track port and reload daemon self.installed = True storage.websites[self.id] = self signals.emit("websites", "site_installed", self) self.nginx_enable()