def create_nginx_config_for_domain(domain, subdomains, subdomain_dir,
forward_others, use_ssl, cert_dir):
c = nginx.Conf()
c.add(nginx.Comment(generation_comment('NGINX config', domain)))
for subdomain in subdomains:
c.add(
nginx.Key('include',
str(subdomain_dir / '{}.cfg'.format(subdomain))))
if forward_others is not None:
others = nginx.Server()
others.add(
nginx.Comment('Forward remaining (sub)domains to ' +
forward_others),
nginx.Key('server_name',
'{domain} *.{domain}'.format(domain=domain)),
nginx.Key('return', '302 {}$request_uri'.format(forward_others)),
nginx.Key('listen', '80'))
if use_ssl:
others.add(
nginx.Comment('use_ssl = True'),
nginx.Key('listen', '443 ssl'), nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate',
str(cert_dir / 'certificate.crt')),
nginx.Key('ssl_certificate_key',
str(cert_dir / 'certificate.key')))
c.add(others)
return c
def write_vhost(appinfo):
import nginx
c = nginx.Conf()
s = nginx.Server()
s.add(
nginx.Comment('SSL conf added by freessl (https://github.com/alihusnainarshad)'),
nginx.Key('listen', '443 ssl http2'),
nginx.Key('listen', '[::]:443 ssl http2'),
nginx.Key('server_name', ' '.join(appinfo.get('valid_domains'))),
nginx.Key('brotli', 'on'),
nginx.Key('brotli_static', 'off'),
nginx.Key('brotli_min_length', '100'),
nginx.Key('brotli_buffers', '16 8k'),
nginx.Key('brotli_comp_level', '5'),
nginx.Key('brotli_types', '*'),
nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate', appinfo.get('cert_path')),
nginx.Key('ssl_certificate_key', appinfo.get('key_path')),
nginx.Key('ssl_prefer_server_ciphers', 'on'),
nginx.Key('ssl_session_timeout', '5m'),
nginx.Key('ssl_protocols', 'TLSv1.1 TLSv1.2'),
nginx.Key('ssl_stapling', 'on'),
nginx.Key('ssl_stapling_verify', 'on'),
nginx.Key('resolver', '8.8.8.8 8.8.4.4 valid=86400s'),
nginx.Key('resolver_timeout', '5s'),
nginx.Key('ssl_ciphers', '"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"'),
nginx.Key('ssl_ecdh_curve', 'secp384r1'),
nginx.Key('ssl_session_cache', 'shared:SSL:10m'),
nginx.Key('ssl_session_tickets', 'off'),
nginx.Key('ssl_dhparam', '/etc/nginx-rc/dhparam.pem'),
nginx.Key('include', '/etc/nginx-rc/conf.d/{}.d/main.conf'.format(appinfo.get('name')))
)
c.add(s)
nginx.dumpf(c, '{}/{}-ssl.conf'.format(appinfo.get('vhostdir'), appinfo.get('name')))
def test():
return nginx.Conf(
nginx.Server(
nginx.Comment('This is a test comment'),
nginx.Key('server_name', 'localhost'),
nginx.Key('root', '/var/www'),
nginx.Location('/', nginx.Key('test', 'true'),
nginx.Key('test2', 'false'))))
def create_nginx_config_for_subdomain(domain, subdomain, destination, use_ssl,
force_ssl, cert_dir):
full_domain = '{sub}.{main}'.format(main=domain, sub=subdomain)
c = nginx.Conf()
c.add(nginx.Comment(generation_comment('NGINX config', full_domain)))
if use_ssl and force_ssl:
non_ssl = nginx.Server()
non_ssl.add(nginx.Comment('force_ssl = True'),
nginx.Key('listen', '80'),
nginx.Key('server_name', full_domain),
nginx.Key('return', '301 https://$host$request_uri'))
c.add(non_ssl)
main = nginx.Server()
if not force_ssl:
main.add(nginx.Comment('force_ssl = False'), nginx.Key('listen', '80'))
proto = 'http'
if use_ssl:
proto = 'https'
main.add(
nginx.Comment('use_ssl = True'), nginx.Key('listen', '443 ssl'),
nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate', str(cert_dir / 'certificate.crt')),
nginx.Key('ssl_certificate_key',
str(cert_dir / 'certificate.key')))
main.add(
nginx.Key('server_name', full_domain),
nginx.Location(
'/', nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'),
nginx.Key('proxy_set_header', 'Connection $connection_upgrade'),
nginx.Key('proxy_pass', destination),
nginx.Key('proxy_read_timeout', '90'),
nginx.Key(
'proxy_redirect',
'{dst} {proto}://{full}'.format(dst=destination,
full=full_domain,
proto=proto))))
c.add(main)
return c
def write_conf(app):
print(bcolors.OKBLUE + 'Writing NGINX vhost file for the app ' +
bcolors.BOLD + app.get('appname') + bcolors.ENDC)
appname = app.get('appname')
root = app.get('root')
username = app.get('username', 'serverpilot')
confname = vhostsdir + appname + '-ssl.conf'
domains = app.get('domains')
c = nginx.Conf()
s = nginx.Server()
s.add(
nginx.Comment(
'SSL conf added by rwssl (https://github.com/rehmatworks/serverpilot-letsencrypt)'
),
nginx.Key('listen', '443 ssl http2'),
nginx.Key('listen', '[::]:443 ssl http2'),
nginx.Key('server_name', ' '.join(domains)),
nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate',
app.get('certpath') + '/fullchain.pem'),
nginx.Key('ssl_certificate_key',
app.get('certpath') + '/privkey.pem'),
nginx.Key('root', root),
nginx.Key(
'access_log', '/srv/users/' + username + '/log/' + appname +
'/dev_nginx.access.log main'),
nginx.Key(
'error_log', '/srv/users/' + username + '/log/' + appname +
'/dev_nginx.error.log'),
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'X-Forwarded-SSL on'),
nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
nginx.Key('include',
'/etc/nginx-sp/vhosts.d/' + appname + '.d/*.conf'),
)
c.add(s)
try:
nginx.dumpf(c, confname)
print(bcolors.OKGREEN + 'Virtual host file created!' + bcolors.ENDC)
print(bcolors.OKBLUE + 'Reloading NGINX server...' + bcolors.ENDC)
reload_nginx_sp()
print(bcolors.OKGREEN +
'SSL should have been installed and activated for the app ' +
bcolors.BOLD + app.get('appname') + bcolors.ENDC)
return True
except:
print(bcolors.FAIL + 'Virtual host file cannot be created!' +
bcolors.ENDC)
return False
def nginx_add(self, site, add):
if site.path == '':
site.path = os.path.join('/srv/http/webapps/', site.name)
c = nginx.Conf()
c.add(
nginx.Comment(
'GENESIS %s %s' %
(site.stype, 'http://' + site.addr + ':' + site.port)))
s = nginx.Server(
nginx.Key('listen', site.port), nginx.Key('server_name',
site.addr),
nginx.Key('root', site.path),
nginx.Key('index', 'index.' + ('php' if site.php else 'html')))
if add:
s.add(*[x for x in add])
c.add(s)
nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', site.name))
def test_create():
c = nginx.Conf()
u = nginx.Upstream('php', nginx.Key('server', 'unix:/tmp/php-fcgi.socket'),
nginx.Key('server', '10.0.2.1'))
u.add(nginx.Key('server', '101.0.2.1'))
c.add(u)
s = nginx.Server()
s.add(
nginx.Key('listen', '80'),
nginx.Comment('Yes, python-nginx can read/write comments!'),
nginx.Key('server_name', 'localhost 127.0.0.1'),
nginx.Key('root', '/srv/http'), nginx.Key('index', 'index.php'),
nginx.Location('= /robots.txt', nginx.Key('allow', 'all'),
nginx.Key('log_not_found', 'off'),
nginx.Key('access_log', 'off')),
nginx.Location('~ \.php$', nginx.Key('include', 'fastcgi.conf'),
nginx.Key('fastcgi_intercept_errors', 'on'),
nginx.Key('fastcgi_pass', 'php')))
c.add(s)
nginx.dumpf(c, 'mysite')
# find out the IP address of the task via env NOMAD_IP_nginx1_http
env_var = 'NOMAD_ADDR_%s_%s' % (task, label)
url = os.getenv(env_var)
if not url:
print "ERROR: Environment variable %s does not exist, exiting..." % env_var
sys.exit(1)
upstream_args.append(nginx.Key('server', url))
u = nginx.Upstream(*upstream_args)
c.add(u)
s = nginx.Server()
s.add(
nginx.Key('listen', '80'),
nginx.Comment(
'Autogenerated configuration from build_config_run_nginx.py'),
nginx.Key('server_name', 'localhost'),
nginx.Key('root', '/usr/share/nginx/html'),
nginx.Key('index', 'index.html'),
nginx.Location('/', nginx.Key('proxy_pass', 'http://tasks')))
c.add(s)
print nginx.dumps(c)
nginx.dumpf(c, '/etc/nginx/conf.d/default.conf')
nginx = subprocess.Popen(["nginx", "-g", "daemon off;"],
stderr=subprocess.PIPE,
stdout=subprocess.PIPE)
def rebuild_sites(self):
""" Turns jack's site json files into useable nginx configuration files """
for uuid, site_config in self.configs.items():
maintenance_mode = 'maintenance' in site_config and site_config['maintenance']
nginx_config = nginx.Conf()
# Add some comments so anyone who looks in the nginx config
# knows what's going on
nginx_config.add(nginx.Comment('Generated by Prism CP. Any changes will be overwritten!'))
nginx_config.add(nginx.Comment('Site ID: %s' % site_config['id']))
server_block = nginx.Server()
if 'listen' in site_config:
for port in site_config['listen']:
server_block.add(nginx.Key('listen', port))
if 'hostname' in site_config:
server_block.add(nginx.Key('server_name', site_config['hostname']))
site_folder = os.path.join(self._jack_plugin.site_files_location, uuid)
# Sets the root and logs to the site's folder
server_block.add(nginx.Key('access_log', os.path.join(site_folder, 'access.log')))
server_block.add(nginx.Key('error_log', os.path.join(site_folder, 'error.log')))
if 'root' in site_config:
root_folder = os.path.join(site_folder, site_config['root'])
if not os.path.exists(root_folder):
os.makedirs(root_folder)
server_block.add(nginx.Key('root', root_folder))
if 'index' in site_config:
server_block.add(nginx.Key('index', site_config['index']))
# If the site is in maintenance mode, redirect everything to 503
if maintenance_mode:
server_block.add(nginx.Location('/',
nginx.Key('return', 503)))
else:
for path, items in site_config['locations'].items():
location_items = []
for item, content in items.items():
if isinstance(content, tuple) or isinstance(content, list):
for c in content:
location_items.append(nginx.Key(item, c))
else:
location_items.append(nginx.Key(item, content))
server_block.add(nginx.Location(path, *location_items))
# Error page blocks
server_block.add(nginx.Key('error_page', '400 /error/400.html'))
server_block.add(nginx.Key('error_page', '403 /error/403.html'))
server_block.add(nginx.Key('error_page', '404 /error/404.html'))
server_block.add(nginx.Key('error_page', '408 /error/408.html'))
server_block.add(nginx.Key('error_page', '500 /error/500.html'))
server_block.add(nginx.Key('error_page', '502 /error/502.html'))
server_block.add(nginx.Key('error_page', '503 /error/503.html'))
server_block.add(nginx.Location('^~ /error/',
nginx.Key('root', self.sites_default),
nginx.Key('internal', '')))
nginx_config.add(server_block)
# Dump to nginx's config location
nginx.dumpf(nginx_config, os.path.join(self.config_location, site_config['uuid'] + '.conf'))
# Reload nginx so it picks up the changes
prism.os_command('systemctl reload nginx.service')
forward_others, use_ssl,
domain_cert)
nginx.dumpf(main_cfg, str(domain_nginx / 'main.cfg'))
domain_names.append(domain)
except:
print(
'{t.normal}Processing failed for domain {t.bold}{t.magenta}{domain}{t.normal}.\n{t.red}{error}{t.normal}'
.format(t=Terminal(), domain=domain, error=traceback.format_exc()))
# Generate main revprox NGINX config file
if generate_config:
rp_config = nginx.Conf()
map = nginx.Map('$http_upgrade $connection_upgrade')
map.add(nginx.Key('default', 'upgrade'), nginx.Key('\'\'', 'close'))
rp_config.add(
nginx.Comment(generation_comment('Main configuration', 'NGINX')),
nginx.Comment(
'This file needs to be included in your NGINX configuration.'),
map)
for domain in domain_names:
rp_config.add(
nginx.Key('include', str(nginx_path / domain / 'main.cfg')))
nginx.dumpf(rp_config, str(nginx_path / 'revprox.cfg'))
# Clean up old, unused configuration files
# TODO clean up
# Validate new configuration
nginx_exec = which('nginx')
if nginx_exec is not None:
if os.system('{exec} -t'.format(exec=nginx_exec)) > 0:
