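def ssl_disable(self):
    """Strip TLS from this site's nginx server block and clear its cert.

    Rewrites the site's file under /etc/nginx/sites-available, stores
    ``ssl = None`` in the site's ``.arkos`` metadata and then calls the
    website type's ``disable_ssl`` hook.

    NOTE(review): once this has run the site listens in plain HTTP and the
    80-to-443 redirect server is gone, so callers should treat it as a
    security downgrade. ``self.id`` is joined into the config path as-is;
    presumably it is validated when the site is created -- confirm.
    """
    conf_path = os.path.join("/etc/nginx/sites-available/", self.id)
    meta_path = os.path.join(self.path, ".arkos")
    block = nginx.loadf(conf_path)

    # If there's an 80-to-443 redirect block, get rid of it
    if len(block.servers) > 1:
        for x in block.servers:
            if ("ssl" not in x.filter("Key", "listen")[0].value
                    and x.filter("key", "return")):
                block.remove(x)
                break

    # Remove all SSL directives and save
    server = block.servers[0]
    listen = server.filter("Key", "listen")[0]
    if listen.value == "443 ssl":
        listen.value = "80"
    elif listen.value.endswith(" ssl"):
        # Cut only the literal " ssl" suffix. str.rstrip(" ssl") strips any
        # trailing run of the characters ' ', 's' and 'l', which can eat
        # into an address that happens to end in those letters.
        listen.value = listen.value[:-len(" ssl")]
    server.remove(*[x for x in server.filter("Key")
                    if x.name.startswith("ssl_")])
    nginx.dumpf(block, conf_path)

    meta = ConfigParser.SafeConfigParser()
    meta.read(meta_path)
    meta.set("website", "ssl", "None")
    with open(meta_path, "w") as f:
        meta.write(f)

    # Call the website type's SSL disable hook
    self.disable_ssl()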
def _ssl_disable(self):
    """Rewrite this site's nginx config for plain HTTP and clear its cert.

    Removes the first non-SSL server that carries a ``return`` directive
    (only when the file holds more than one server), moves every ``listen``
    of the main server off port 443, deletes its ``ssl_*`` keys, stores
    ``ssl = None`` in ``.arkos`` and runs the site type's ``disable_ssl``.
    """
    conf_file = os.path.join("/etc/nginx/sites-available/", self.id)
    meta_file = os.path.join(self.path, ".arkos")
    block = nginx.loadf(conf_file)

    # Drop the 80-to-443 redirect server, if the file has one.
    if len(block.servers) > 1:
        for candidate in block.servers:
            is_plain = "ssl" not in candidate.filter("Key", "listen")[0].value
            if is_plain and candidate.filter("key", "return"):
                block.remove(candidate)
                break

    # Point each listen directive back at port 80 / strip the ssl flag.
    server = block.server
    for directive in server.filter("Key", "listen"):
        current = directive.value
        if current.startswith("443"):
            directive.value = "80"
        elif current.startswith("[::]:443"):
            directive.value = "[::]:80"
        else:
            directive.value = current.split(" ssl")[0]

    ssl_keys = [key for key in server.filter("Key")
                if key.name.startswith("ssl_")]
    server.remove(*ssl_keys)
    nginx.dumpf(block, conf_file)

    meta = configparser.SafeConfigParser()
    meta.read(meta_file)
    meta.set("website", "ssl", "None")
    with open(meta_file, "w") as f:
        meta.write(f)

    # Let the website type undo its own SSL-specific changes.
    self.disable_ssl()
def ssl_disable(self):
    """Swap each server's ``location /`` back to ``self.addtoblock[0]``.

    Servers without a ``location /`` block are left untouched; the file is
    written back to /etc/nginx/sites-available/<self.name>.
    """
    conf_path = '/etc/nginx/sites-available/%s' % self.name
    conf = nginx.loadf(conf_path)
    for server in conf.servers:
        root_locations = server.filter('Location', '/')
        if root_locations:
            server.remove(root_locations[0])
            server.add(self.addtoblock[0])
    nginx.dumpf(conf, conf_path)
def post_install(self, extra_vars, dbpasswd=""):
    """Point the site at Jekyll's ``_site`` output, build it, fix ownership.

    Raises ``errors.OperationFailedError`` when ``jekyll build`` exits
    non-zero. Returns the message shown to the user after installation.
    """
    conf_path = os.path.join('/etc/nginx/sites-available', self.id)
    output_dir = os.path.join(self.path, '_site')

    # Every server that declares a root gets the generated directory.
    c = nginx.loadf(conf_path)
    for server in c.servers:
        roots = server.filter('Key', 'root')
        if roots:
            roots[0].value = output_dir
    nginx.dumpf(c, conf_path)

    # NOTE(review): self.path is formatted into a command string. If
    # shell() passes it through a shell, spaces or metacharacters in the
    # path alter the command -- confirm the path is validated upstream.
    s = shell('jekyll build --source {0} --destination {1}'.format(
        self.path, output_dir))
    if s["code"] != 0:
        raise errors.OperationFailedError(
            'Jekyll failed to build: {0}'.format(str(s["stderr"])))

    # Directories 0755, files 0644, everything owned by the http account.
    uid, gid = users.get_system("http").uid, groups.get_system("http").gid
    for root, dirnames, filenames in os.walk(self.path):
        for entries, mode in ((dirnames, 0o755), (filenames, 0o644)):
            for entry in entries:
                full = os.path.join(root, entry)
                os.chmod(full, mode)
                os.chown(full, uid, gid)

    # Return an explicatory message.
    return ('Jekyll has been setup, with a sample site at {0}. '
            'Modify these files as you like. To learn how to use Jekyll, '
            'visit http://jekyllrb.com/docs/usage. After making changes, '
            'click the site icon to edit, then "Regenerate Site" '
            'to bring your changes live.'.format(self.path))
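def ssl_disable(self, data):
    """Turn TLS off for the site described by *data*.

    Removes the port-80 redirect server if present, strips the ``ssl`` flag
    and every ``ssl_*`` key from the main server, blanks the ``ssl`` entry
    in the site's ``.ginf`` metadata and calls the site type's own
    ``ssl_disable`` hook.

    NOTE(review): the site is served in plain HTTP afterwards. ``data.name``
    is concatenated into file paths unchecked; presumably it is validated
    when the site is created -- confirm.
    """
    name, stype = data.name, data.stype
    conf_path = '/etc/nginx/sites-available/'+name
    ginf_path = os.path.join('/etc/nginx/sites-available', '.'+name+'.ginf')

    c = nginx.loadf(conf_path)
    if len(c.servers) > 1:
        for x in c.servers:
            if ('ssl' not in x.filter('Key', 'listen')[0].value
                    and x.filter('key', 'return')):
                c.remove(x)
                break
    s = c.servers[0]
    l = s.filter('Key', 'listen')[0]
    if l.value == '443 ssl':
        l.value = '80'
    elif l.value.endswith(' ssl'):
        # rstrip(' ssl') strips a character set, not the suffix; cut the
        # literal suffix instead.
        l.value = l.value[:-len(' ssl')]
    s.remove(*[x for x in s.filter('Key') if x.name.startswith('ssl_')])

    g = ConfigParser.SafeConfigParser()
    g.read(ginf_path)
    g.set('website', 'ssl', '')
    # Close the metadata file deterministically instead of leaking the
    # handle returned by a bare open().
    with open(ginf_path, 'w') as f:
        g.write(f)

    nginx.dumpf(c, conf_path)
    apis.webapps(self.app).get_interface(stype).ssl_disable(
        os.path.join('/srv/http/webapps', name))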
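def upstream_submit():
    """Replace (or create) one ``upstream`` block from submitted form data.

    Reads ``upstream_value``, ``upstream_name`` and ``path_file_name`` from
    ``request.POST``. Each line of ``upstream_value`` with at least two
    space-separated tokens becomes one key in the new upstream block, using
    the first two tokens only. Returns the submitted ``upstream_value``.

    NOTE(review): ``path_file_name`` comes straight from the request and is
    used both to parse and to overwrite a file, so the client chooses which
    file on disk gets rewritten. Resolve it against a fixed configuration
    directory (or map an identifier to a known path) before use, and require
    authentication on this endpoint.
    NOTE(review): the directive tokens are written into the config as
    submitted; confirm the nginx library rejects or escapes ';', '{' and
    '}' so a value cannot add directives of its own.
    """
    upstream_value = request.POST.get('upstream_value', '')
    upstream_name = request.POST.get('upstream_name', '')
    path_file_name = request.POST.get("path_file_name", "")

    c = nginx.loadf(path_file_name)

    # Drop the first existing upstream of that name; it is rebuilt below.
    search_upstream = c.filter(btype="Upstream", name=upstream_name)
    if search_upstream:
        c.remove(search_upstream[0])

    # Both the "replace" and the "create" case build the block the same
    # way, so build it once and split each line once.
    new_u = nginx.Upstream(upstream_name, )
    for line in upstream_value.split("\n"):
        parts = line.split(" ")
        if len(parts) >= 2:
            new_u.add(nginx.Key(parts[0], parts[1]))
    c.add(new_u)
    nginx.dumpf(c, path_file_name)

    print type(upstream_value),path_file_name,upstream_name
    return upstream_value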
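def ssl_disable(self, data):
    """Turn TLS off for the site described by *data*.

    Removes the port-80 redirect server if present, strips the ``ssl`` flag
    and every ``ssl_*`` key from the main server, rewrites the GENESIS
    header comment with the http:// URL and calls the site type's own
    ``ssl_disable`` hook.

    NOTE(review): the site is served in plain HTTP afterwards. ``data.name``
    is concatenated into file paths unchecked; presumably it is validated
    when the site is created -- confirm.
    """
    name, stype = data.name, data.stype
    conf_path = '/etc/nginx/sites-available/'+name

    c = nginx.loadf(conf_path)
    if len(c.servers) > 1:
        for x in c.servers:
            if ('ssl' not in x.filter('Key', 'listen')[0].value
                    and x.filter('key', 'return')):
                c.remove(x)
                break
    s = c.servers[0]
    l = s.filter('Key', 'listen')[0]
    if l.value == '443 ssl':
        l.value = '80'
    elif l.value.endswith(' ssl'):
        # rstrip(' ssl') strips a character set, not the suffix; cut the
        # literal suffix instead.
        l.value = l.value[:-len(' ssl')]
    port = l.value
    s.remove(*[x for x in s.filter('Key') if x.name.startswith('ssl_')])

    c.filter('Comment')[0].comment = 'GENESIS %s http://%s:%s' \
        % (stype, data.addr, port)
    nginx.dumpf(c, conf_path)
    apis.webapps(self.app).get_interface(stype).ssl_disable(
        os.path.join('/srv/http/webapps', name))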
def disable_ssl(self):
    """Restore ``self.addtoblock[0]`` as the ``location /`` of each server.

    Only servers that currently have a ``location /`` block are changed.
    """
    target = '/etc/nginx/sites-available/%s' % self.id
    parsed = nginx.loadf(target)
    for srv in parsed.servers:
        matches = srv.filter('Location', '/')
        if not matches:
            continue
        srv.remove(matches[0])
        srv.add(self.addtoblock[0])
    nginx.dumpf(parsed, target)
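def ssl_enable(self, data, cpath, kpath):
    """Enable TLS on the first server block of the site described by *data*.

    :param data: site object; ``name``, ``stype`` and ``addr`` are read
    :param cpath: value written to ``ssl_certificate``
    :param kpath: value written to ``ssl_certificate_key``

    A ``listen`` of ``80`` becomes ``443 ssl``; any other value keeps its
    port and gains the ``ssl`` flag. Existing certificate, protocol and
    cipher keys are replaced, the GENESIS header comment is rewritten with
    the https:// URL and the site type's ``ssl_enable`` hook is called.
    """
    name, stype = data.name, data.stype
    conf_path = '/etc/nginx/sites-available/' + name
    c = nginx.loadf(conf_path)
    server = c.servers[0]

    l = server.filter('Key', 'listen')[0]
    if l.value == '80':
        l.value = '443 ssl'
        port = '443'
    else:
        port = l.value.split(' ssl')[0]
        l.value = port + ' ssl'

    # Replace, rather than duplicate, the directives written below.
    for directive in ('ssl_certificate', 'ssl_certificate_key',
                      'ssl_protocols', 'ssl_ciphers'):
        stale = server.filter('Key', directive)
        if stale:
            server.remove(*stale)

    server.add(
        nginx.Key('ssl_certificate', cpath),
        nginx.Key('ssl_certificate_key', kpath),
        # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated
        # (RFC 8996), so only TLS 1.2 is offered. TLSv1.3 can be appended
        # where the installed nginx/OpenSSL support it.
        nginx.Key('ssl_protocols', 'TLSv1.2'),
        nginx.Key('ssl_ciphers', 'HIGH:!aNULL:!MD5'))
    c.filter('Comment')[0].comment = 'GENESIS %s https://%s:%s' \
        % (stype, data.addr, port)
    nginx.dumpf(c, conf_path)
    apis.webapps(self.app).get_interface(stype).ssl_enable(
        os.path.join('/srv/http/webapps', name), cpath, kpath)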
def nginx_edit(self, oldsite, site):
    """Apply the settings of *site* to the config stored for *oldsite*.

    Updates the GENESIS header comment, ``listen``, ``server_name``,
    ``root`` and ``index`` of the first server block. When the name
    changed, the webapp directory and the config file are moved to the new
    name (an existing directory with the new name is deleted first).

    NOTE(review): ``site.name`` is joined into a path that is passed to
    ``shutil.rmtree``; confirm names containing path separators or ``..``
    are rejected before this is reached.
    """
    available = '/etc/nginx/sites-available'
    webapps = '/srv/http/webapps'
    old_conf = os.path.join(available, oldsite.name)

    # Update the nginx serverblock
    c = nginx.loadf(old_conf)
    scheme = 'https://' if site.ssl else 'http://'
    c.filter('Comment')[0].comment = 'GENESIS %s %s' % (
        site.stype, scheme + site.addr + ':' + site.port)

    main = c.servers[0]
    if site.ssl:
        main.filter('Key', 'listen')[0].value = site.port + ' ssl'
    else:
        main.filter('Key', 'listen')[0].value = site.port
    main.filter('Key', 'server_name')[0].value = site.addr
    main.filter('Key', 'root')[0].value = site.path
    if site.php:
        main.filter('Key', 'index')[0].value = 'index.php'
    else:
        main.filter('Key', 'index')[0].value = 'index.html'
    nginx.dumpf(c, old_conf)

    # If the name was changed, rename the folder and files
    if site.name != oldsite.name:
        new_root = os.path.join(webapps, site.name)
        if os.path.exists(new_root):
            shutil.rmtree(new_root)
        shutil.move(os.path.join(webapps, oldsite.name), new_root)
        shutil.move(old_conf, os.path.join(available, site.name))
        self.nginx_disable(oldsite, reload=False)
        self.nginx_enable(site)
    self.nginx_reload()
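def post_install(self, name, path, vars, dbinfo={}):
    """Create the placeholder index page for a freshly installed site.

    With PHP requested (``vars`` has ``php == '1'``) the site root moves to
    ``<path>/htdocs``, the nginx ``root`` keys are updated and the xcache
    (plus mysql for a MariaDB database) PHP modules are enabled. The index
    file is then written and the tree is handed to the http user.
    """
    # Write a basic index file showing that we are here
    if vars.getvalue('php', '0') == '1':
        php = True
        path = os.path.join(path, 'htdocs')
        os.mkdir(path)
        conf_path = os.path.join('/etc/nginx/sites-available', name)
        c = nginx.loadf(conf_path)
        for x in c.servers:
            if x.filter('Key', 'root'):
                x.filter('Key', 'root')[0].value = path
        nginx.dumpf(c, conf_path)
    else:
        php = False

    if php:
        phpctl = apis.langassist(self.app).get_interface('PHP')
        phpctl.enable_mod('xcache')
    if php and dbinfo and dbinfo['engine'] == 'MariaDB':
        phpctl.enable_mod('mysql')

    # The context manager closes the file even if the write fails.
    # NOTE(review): path is placed into the HTML unescaped; harmless only
    # if site paths can never contain markup -- confirm.
    index_path = os.path.join(
        path, 'index.' + ('php' if php is True else 'html'))
    with open(index_path, 'w') as f:
        f.write('<html>\n'
                '<body>\n'
                '<h1>Genesis - Custom Site</h1>\n'
                '<p>Your site is online and available at ' + path + '</p>\n'
                '<p>Feel free to paste your site files here</p>\n'
                '</body>\n'
                '</html>\n')

    # Give access to httpd
    # NOTE(review): path is concatenated into a command string. If shell()
    # passes it through a shell, spaces or metacharacters in the path alter
    # the command -- confirm the path is validated upstream.
    shell('chown -R http:http ' + path)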
def edit(self, newname=""):
    """Write this site's current settings to nginx, renaming it if asked.

    Adjusts the port-80 redirect server to match the current port, renames
    the site directory, config file and ``.arkos`` id when *newname*
    differs from ``self.id``, then updates ``listen``, ``server_name``,
    ``root`` and ``index`` of the chosen server block and reloads nginx.

    NOTE(review): *newname* is joined into a path that is passed to
    ``shutil.rmtree`` and ``shutil.move``; confirm callers reject names
    containing path separators or ``..``.
    NOTE(review): branch nesting below was reconstructed from a flattened
    listing -- confirm against the original file.
    """
    site_dir = config.get("websites", "site_dir")
    block = nginx.loadf(os.path.join("/etc/nginx/sites-available", self.id))

    # If SSL is enabled and the port is changing to 443, create the port 80 redirect
    server = block.servers[0]
    if self.cert and self.port == 443:
        # Edit the server that actually listens on 443 with ssl.
        for x in block.servers:
            if x.filter("Key", "listen")[0].value == "443 ssl":
                server = x
        if self.port != 443:
            # Drop non-SSL servers that only issue a "return" (the redirect).
            for x in block.servers:
                if not "ssl" in x.filter("Key", "listen")[0].value \
                and x.filter("key", "return"):
                    block.remove(x)
    elif self.port == 443:
        block.add(nginx.Server(
            nginx.Key("listen", "80"),
            nginx.Key("server_name", self.addr),
            nginx.Key("return", "301 https://%s$request_uri"%self.addr)
        ))

    # If the name was changed...
    if newname and self.id != newname:
        # rename the folder and files...
        if self.path.endswith("_site"):
            self.path = os.path.join(site_dir, newname, "_site")
        elif self.path.endswith("htdocs"):
            self.path = os.path.join(site_dir, newname, "htdocs")
        else:
            self.path = os.path.join(site_dir, newname)
        self.path = self.path.encode("utf-8")
        # Anything already at the destination is deleted before the move.
        if os.path.exists(self.path):
            shutil.rmtree(self.path)
        self.nginx_disable(reload=False)
        shutil.move(os.path.join(site_dir, self.id), self.path)
        os.unlink(os.path.join("/etc/nginx/sites-available", self.id))
        signals.emit("websites", "site_removed", self)
        self.id = newname

        # then update the site's arkOS metadata file with the new name
        meta = ConfigParser.SafeConfigParser()
        meta.read(os.path.join(self.path, ".arkos"))
        meta.set("website", "id", self.id)
        with open(os.path.join(self.path, ".arkos"), "w") as f:
            meta.write(f)
        self.nginx_enable(reload=False)

    # Pass any necessary updates to the nginx serverblock and save
    server.filter("Key", "listen")[0].value = str(self.port)+" ssl" if self.cert else str(self.port)
    server.filter("Key", "server_name")[0].value = self.addr
    server.filter("Key", "root")[0].value = self.path
    server.filter("Key", "index")[0].value = "index.php" if hasattr(self, "php") and self.php else "index.html"
    nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id))

    # Call the site's edited hook, if it has one, then reload nginx
    signals.emit("websites", "site_loaded", self)
    if hasattr(self, "site_edited"):
        self.site_edited()
    nginx_reload()
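def ssl_enable(self, data, cpath, kpath):
    """Enable TLS on the first server block of the site and reload nginx.

    :param data: site object; ``name``, ``stype`` and ``addr`` are read
    :param cpath: value written to ``ssl_certificate``
    :param kpath: value written to ``ssl_certificate_key``

    A ``listen`` of ``80`` becomes ``443 ssl``; any other value keeps its
    port and gains the ``ssl`` flag. Existing certificate, protocol and
    cipher keys are replaced before the new ones are added.
    """
    name, stype = data.name, data.stype
    conf_path = '/etc/nginx/sites-available/'+name
    c = nginx.loadf(conf_path)
    server = c.servers[0]

    l = server.filter('Key', 'listen')[0]
    if l.value == '80':
        l.value = '443 ssl'
        port = '443'
    else:
        port = l.value.split(' ssl')[0]
        l.value = port + ' ssl'

    # remove() is called elsewhere in this code with the matches unpacked;
    # handing it the list itself would not name any child of the server,
    # so the old directives would not be the ones removed.
    for directive in ('ssl_certificate', 'ssl_certificate_key',
                      'ssl_protocols', 'ssl_ciphers'):
        stale = server.filter('Key', directive)
        if stale:
            server.remove(*stale)

    server.add(
        nginx.Key('ssl_certificate', cpath),
        nginx.Key('ssl_certificate_key', kpath),
        # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated
        # (RFC 8996), so only TLS 1.2 is offered. TLSv1.3 can be appended
        # where the installed nginx/OpenSSL support it.
        nginx.Key('ssl_protocols', 'TLSv1.2'),
        nginx.Key('ssl_ciphers', 'HIGH:!aNULL:!MD5')
    )
    c.filter('Comment')[0].comment = 'GENESIS %s https://%s:%s' \
        % (stype, data.addr, port)
    nginx.dumpf(c, conf_path)
    apis.webapps(self.app).get_interface(stype).ssl_enable(
        os.path.join('/srv/http/webapps', name), cpath, kpath)
    self.nginx_reload()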
def create_acme_dummy(domain):
    """
    Set up a throwaway site that only serves ACME challenge files.

    Used when no website exists yet for the domain being validated. Writes
    and enables an ``acme-<domain>`` server block on port 80, creates the
    challenge directory, gives it to the http user, registers the port and
    reloads nginx.

    NOTE(review): ``domain`` is concatenated into file names and written
    into ``server_name`` as given; confirm it is validated as a hostname
    before this call.

    :param str domain: Domain name to use
    :returns: Path to directory for challenge data
    """
    site_name = "acme-" + domain
    site_dir = os.path.join(config.get("websites", "site_dir"), site_name)
    challenge_dir = os.path.join(site_dir, ".well-known/acme-challenge")

    acme_server = nginx.Server(
        nginx.Key("listen", "80"),
        nginx.Key("listen", "[::]:80"),
        nginx.Key("server_name", domain),
        nginx.Key("root", site_dir),
        nginx.Location("/.well-known/acme-challenge/",
                       nginx.Key("root", site_dir)))
    conf = nginx.Conf(acme_server)

    origin = os.path.join("/etc/nginx/sites-available", site_name)
    target = os.path.join("/etc/nginx/sites-enabled", site_name)
    uid = users.get_system("http").uid

    nginx.dumpf(conf, origin)
    if not os.path.exists(target):
        os.symlink(origin, target)
    if not os.path.exists(challenge_dir):
        os.makedirs(challenge_dir)

    # Owner becomes http; -1 leaves the group as it is.
    for owned in (site_dir, os.path.join(site_dir, ".well-known"),
                  challenge_dir):
        os.chown(owned, uid, -1)

    tracked_services.register("acme", domain, domain + "(ACME Validation)",
                              "globe", [('tcp', 80)], 2)
    nginx_reload()
    return challenge_dir
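def write_vhost(appinfo):
    """Write the TLS virtual host for one application.

    Reads ``valid_domains``, ``cert_path``, ``key_path``, ``name`` and
    ``vhostdir`` from *appinfo* and writes
    ``<vhostdir>/<name>-ssl.conf``.

    NOTE(review): the cipher list still contains CBC/SHA-1 and non-forward-
    secret RSA suites; consider trimming it to the AEAD ECDHE/DHE entries.
    NOTE(review): OCSP stapling lookups go through the public resolvers
    configured below; use an internal resolver if DNS queries must stay
    on-premises.
    """
    import nginx
    c = nginx.Conf()
    s = nginx.Server()
    s.add(
        nginx.Comment('SSL conf added by freessl (https://github.com/alihusnainarshad)'),
        nginx.Key('listen', '443 ssl http2'),
        nginx.Key('listen', '[::]:443 ssl http2'),
        nginx.Key('server_name', ' '.join(appinfo.get('valid_domains'))),
        nginx.Key('brotli', 'on'),
        nginx.Key('brotli_static', 'off'),
        nginx.Key('brotli_min_length', '100'),
        nginx.Key('brotli_buffers', '16 8k'),
        nginx.Key('brotli_comp_level', '5'),
        nginx.Key('brotli_types', '*'),
        nginx.Key('ssl', 'on'),
        nginx.Key('ssl_certificate', appinfo.get('cert_path')),
        nginx.Key('ssl_certificate_key', appinfo.get('key_path')),
        nginx.Key('ssl_prefer_server_ciphers', 'on'),
        nginx.Key('ssl_session_timeout', '5m'),
        # TLS 1.1 is deprecated (RFC 8996); offer TLS 1.2 only. TLSv1.3 can
        # be appended where the installed nginx/OpenSSL support it.
        nginx.Key('ssl_protocols', 'TLSv1.2'),
        nginx.Key('ssl_stapling', 'on'),
        nginx.Key('ssl_stapling_verify', 'on'),
        nginx.Key('resolver', '8.8.8.8 8.8.4.4 valid=86400s'),
        nginx.Key('resolver_timeout', '5s'),
        nginx.Key('ssl_ciphers', '"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"'),
        nginx.Key('ssl_ecdh_curve', 'secp384r1'),
        nginx.Key('ssl_session_cache', 'shared:SSL:10m'),
        nginx.Key('ssl_session_tickets', 'off'),
        nginx.Key('ssl_dhparam', '/etc/nginx-rc/dhparam.pem'),
        nginx.Key('include', '/etc/nginx-rc/conf.d/{}.d/main.conf'.format(appinfo.get('name')))
    )
    c.add(s)
    nginx.dumpf(c, '{}/{}-ssl.conf'.format(appinfo.get('vhostdir'), appinfo.get('name')))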
def GenerateNginxInstance(self):
    """Recreate the output folder for this nginx server and write its config.

    The folder named after ``server_options['name']`` is wiped and
    re-copied from the nginx template, the service is registered with the
    Docker singleton, and ``nginx.conf`` is written into the folder.

    NOTE(review): the folder that gets deleted is built from
    ``server_options['name']``; confirm that value cannot contain ``..`` or
    an absolute path, since normpath would then resolve outside outputPath.
    """
    server_name = self.server_options['name']
    template_dir = os.path.join(
        self.project_templates_paths, 'servers', 'nginx')
    target_dir = os.path.normpath(os.path.join(self.outputPath, server_name))
    conf_file = os.path.join(target_dir, 'nginx.conf')

    # Start from a clean copy of the template every time.
    if os.path.isdir(target_dir):
        shutil.rmtree(target_dir, ignore_errors=True)
    shutil.copytree(template_dir, target_dir)

    api_services = self.FindApiServicesUsesNginx(server_name)
    clients = self.FindClientsUsesNginx(server_name)
    identity_services = self.FindIdentityServicesUsesNginx(server_name)

    nginx_config = self.BuildNginxConfiguration(
        self.server_options, api_services, clients, identity_services)
    docker_options = self.BuildNginxDockerOptions(
        api_services, clients, identity_services)

    Docker.getInstance().AddService(server_name, docker_options)
    nginx.dumpf(nginx_config, conf_file)
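def post_install(self, name, path, vars, dbinfo={}):
    """Create the placeholder index page for a freshly installed site.

    With PHP requested (``vars`` has ``php == '1'``) the site root moves to
    ``<path>/htdocs``, the nginx ``root`` keys are updated and the xcache
    (plus mysql for a MariaDB database) PHP modules are enabled. The index
    file is then written and the tree is handed to the http user.
    """
    # Write a basic index file showing that we are here
    if vars.getvalue('php', '0') == '1':
        php = True
        path = os.path.join(path, 'htdocs')
        os.mkdir(path)
        conf_path = os.path.join('/etc/nginx/sites-available', name)
        c = nginx.loadf(conf_path)
        for x in c.servers:
            if x.filter('Key', 'root'):
                x.filter('Key', 'root')[0].value = path
        nginx.dumpf(c, conf_path)
    else:
        php = False

    if php:
        phpctl = apis.langassist(self.app).get_interface('PHP')
        phpctl.enable_mod('xcache')
    if php and dbinfo and dbinfo['engine'] == 'MariaDB':
        phpctl.enable_mod('mysql')

    # The context manager closes the file even if the write fails.
    # NOTE(review): path is placed into the HTML unescaped; harmless only
    # if site paths can never contain markup -- confirm.
    index_path = os.path.join(path, 'index.'+('php' if php is True else 'html'))
    with open(index_path, 'w') as f:
        f.write(
            '<html>\n'
            '<body>\n'
            '<h1>Genesis - Custom Site</h1>\n'
            '<p>Your site is online and available at '+path+'</p>\n'
            '<p>Feel free to paste your site files here</p>\n'
            '</body>\n'
            '</html>\n'
        )

    # Give access to httpd
    # NOTE(review): path is concatenated into a command string. If shell()
    # passes it through a shell, spaces or metacharacters in the path alter
    # the command -- confirm the path is validated upstream.
    shell('chown -R http:http '+path)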
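def nginx_add(self, site, add):
    """Create the nginx config and the ``.ginf`` metadata file for *site*.

    :param site: site object; an empty ``path`` defaults to
        ``/srv/http/webapps/<name>``
    :param add: extra nginx objects appended to the server block, or a
        falsy value for none

    NOTE(review): ``site.name`` is joined into the paths written below;
    presumably it is validated by the caller -- confirm.
    """
    if site.path == '':
        site.path = os.path.join('/srv/http/webapps/', site.name)
    c = nginx.Conf()
    s = nginx.Server(
        nginx.Key('listen', site.port),
        nginx.Key('server_name', site.addr),
        nginx.Key('root', site.path),
        nginx.Key('index', 'index.'+('php' if site.php else 'html'))
    )
    if add:
        s.add(*add)
    c.add(s)
    nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', site.name))

    # Write configuration file with info Genesis needs to know the site
    meta = ConfigParser.SafeConfigParser()
    meta.add_section('website')
    meta.set('website', 'name', site.name)
    meta.set('website', 'stype', site.stype)
    meta.set('website', 'ssl', '')
    meta.set('website', 'version', site.version if site.version else 'None')
    meta.set('website', 'dbengine', site.dbengine if site.dbengine else '')
    meta.set('website', 'dbname', site.dbname if site.dbname else '')
    meta.set('website', 'dbuser', site.dbuser if site.dbuser else '')
    # The context manager closes the file even if writing raises.
    ginf_path = os.path.join('/etc/nginx/sites-available',
                             '.'+site.name+'.ginf')
    with open(ginf_path, 'w') as f:
        meta.write(f)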
def nginx_edit(self, oldsite, site):
    """Apply the settings of *site* to the config stored for *oldsite*.

    Keeps the port-80 redirect server in step with the new port, updates
    ``listen``, ``server_name``, ``root`` and ``index`` of the chosen
    server block, and moves the webapp directory and config file when the
    site name changed.

    NOTE(review): ``site.name`` is joined into a path that is passed to
    ``shutil.rmtree``; confirm names containing path separators or ``..``
    are rejected before this is reached.
    NOTE(review): branch nesting below was reconstructed from a flattened
    listing -- confirm against the original file.
    """
    # Update the nginx serverblock
    c = nginx.loadf(os.path.join('/etc/nginx/sites-available', oldsite.name))
    s = c.servers[0]
    if oldsite.ssl and oldsite.port == '443':
        # Edit the server that actually listens on 443 with ssl.
        for x in c.servers:
            if x.filter('Key', 'listen')[0].value == '443 ssl':
                s = x
        if site.port != '443':
            # Leaving 443: drop non-SSL servers that only issue a "return".
            for x in c.servers:
                if not 'ssl' in x.filter('Key', 'listen')[0].value \
                and x.filter('key', 'return'):
                    c.remove(x)
    elif site.port == '443':
        # Moving onto 443: add a port-80 server redirecting to https.
        c.add(nginx.Server(
            nginx.Key('listen', '80'),
            nginx.Key('server_name', site.addr),
            nginx.Key('return', '301 https://%s$request_uri'%site.addr)
        ))
    s.filter('Key', 'listen')[0].value = site.port+' ssl' if site.ssl else site.port
    s.filter('Key', 'server_name')[0].value = site.addr
    s.filter('Key', 'root')[0].value = site.path
    s.filter('Key', 'index')[0].value = 'index.php' if site.php else 'index.html'
    nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', oldsite.name))

    # If the name was changed, rename the folder and files
    if site.name != oldsite.name:
        # Anything already at the destination is deleted before the move.
        if os.path.exists(os.path.join('/srv/http/webapps', site.name)):
            shutil.rmtree(os.path.join('/srv/http/webapps', site.name))
        shutil.move(os.path.join('/srv/http/webapps', oldsite.name),
            os.path.join('/srv/http/webapps', site.name))
        shutil.move(os.path.join('/etc/nginx/sites-available', oldsite.name),
            os.path.join('/etc/nginx/sites-available', site.name))
        self.nginx_disable(oldsite, reload=False)
        self.nginx_enable(site)
    self.nginx_reload()
def reconfigure(bind, link, config, gunicorn, nginx, logrotate, supervisor):
    """Regenerate the selected service configs from the bundled defaults.

    Each truthy flag (``gunicorn``, ``supervisor``, ``logrotate``,
    ``nginx``) rewrites that service's config; ``bind == 'port'`` switches
    gunicorn from the unix socket to 127.0.0.1:8000, ``link`` symlinks the
    supervisor config into /etc, and ``config`` is the path the nginx
    config is written to.

    NOTE(review): the exit status of supervisorctl and of the nginx reload
    is discarded, so a rejected config is not reported to the operator.
    """
    CONFIG_LOCATION = BASE_DIR + '/cli/configs'
    quiet = {'stdout': PIPE, 'stderr': PIPE}

    if gunicorn:
        gunicorn_conf = BASE_DIR + '/gunicorn.conf.py'
        shutil.copy(CONFIG_LOCATION + '/gunicorn.default.conf.py',
                    gunicorn_conf)
        if bind == 'port':
            # Rewrite the copied file in place with the TCP bind address.
            with open(gunicorn_conf, 'r+') as file:
                contents = file.read().replace(
                    "bind = 'unix:/var/run/hawthorne.sock'",
                    "bind = '127.0.0.1:8000'")
                file.seek(0)
                file.truncate()
                file.write(contents)

    if supervisor:
        supervisor_conf = BASE_DIR + '/supervisor.conf'
        ini = ConfigParser()
        ini.read(CONFIG_LOCATION + '/supervisor.default.conf')
        for section in ini.sections():
            if 'directory' in ini[section]:
                ini[section]['directory'] = BASE_DIR
        with open(supervisor_conf, 'w') as file:
            ini.write(file)

        if link:
            try:
                os.symlink(supervisor_conf,
                           '/etc/supervisor/conf.d/hawthorne.conf')
            except Exception as e:
                click.echo('Symlink to supervisor failed. ({})'.format(e))

        for action in (['reread'], ['update'], ['restart', 'hawthorne:*']):
            run(['supervisorctl'] + action, **quiet)

    if logrotate:
        try:
            os.symlink(CONFIG_LOCATION + '/logrotate.default',
                       '/etc/logrotate.d/hawthorne')
        except Exception as e:
            click.echo('Symlink to logrotate failed. ({})'.format(e))

    if nginx:
        from panel.settings import ALLOWED_HOSTS
        # From here on the name refers to the nginx library, not the flag.
        import nginx

        c = nginx.loadf(CONFIG_LOCATION + '/nginx.example.conf')
        c.server.filter('Key', 'server_name')[0].value = ' '.join(
            ALLOWED_HOSTS)
        nginx.dumpf(c, config)
        run(['nginx', '-s', 'reload'], **quiet)
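def install(self, extra_vars={}, enable=True, message=None):
    """Create the nginx server block and metadata for a reverse-proxy site.

    *extra_vars* may carry ``type``, ``pass``, ``lregex``, ``xrip`` and
    ``xff``; when it is non-empty, ``type`` and ``pass`` are required and a
    ``location`` block is built from them. Raises ``Exception`` when either
    is missing.

    NOTE(review): ``pass`` and ``lregex`` are written into the nginx config
    as supplied; confirm they are validated upstream so a value cannot
    carry extra directives or point the proxy at an unintended backend.
    NOTE(review): nesting of the xrip/xff options was reconstructed from a
    flattened listing -- confirm against the original file.
    """
    # Set metadata values
    site_dir = config.get("websites", "site_dir")
    self.path = self.path.encode("utf-8") or os.path.join(site_dir, self.id).encode("utf-8")
    try:
        os.makedirs(self.path)
    except OSError:
        # An existing directory is fine; any other failure (permissions,
        # a file in the way) must not be swallowed, and a bare except
        # would also hide KeyboardInterrupt/SystemExit.
        if not os.path.isdir(self.path):
            raise

    # If extra data is passed in, set up the serverblock accordingly
    if extra_vars:
        if not extra_vars.get("type") or not extra_vars.get("pass"):
            raise Exception("Must enter ReverseProxy type and location to pass to")
        elif extra_vars.get("type") in ["fastcgi", "uwsgi"]:
            self.block = [nginx.Location(extra_vars.get("lregex", "/"),
                nginx.Key("%s_pass"%extra_vars.get("type"),
                    "%s"%extra_vars.get("pass")),
                nginx.Key("include", "%s_params"%extra_vars.get("type"))
                )]
        else:
            self.block = [nginx.Location(extra_vars.get("lregex", "/"),
                nginx.Key("proxy_pass", "%s"%extra_vars.get("pass")),
                nginx.Key("proxy_redirect", "off"),
                nginx.Key("proxy_buffering", "off"),
                nginx.Key("proxy_set_header", "Host $host")
                )]
            if extra_vars.get("xrip"):
                self.block[0].add(nginx.Key("proxy_set_header", "X-Real-IP $remote_addr"))
            if extra_vars.get("xff") == "1":
                self.block[0].add(nginx.Key("proxy_set_header", "X-Forwarded-For $proxy_add_x_forwarded_for"))

    # Create the nginx serverblock and arkOS metadata files
    block = nginx.Conf()
    server = nginx.Server(
        nginx.Key("listen", self.port),
        nginx.Key("server_name", self.addr),
        nginx.Key("root", self.base_path or self.path),
    )
    server.add(*self.block)
    block.add(server)
    nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id))

    meta = ConfigParser.SafeConfigParser()
    meta.add_section("website")
    meta.set("website", "id", self.id)
    meta.set("website", "name", self.name)
    meta.set("website", "type", "ReverseProxy")
    meta.set("website", "extra", self.type)
    meta.set("website", "version", "None")
    meta.set("website", "ssl", self.cert.id if hasattr(self, "cert") and self.cert else "None")
    with open(os.path.join(self.path, ".arkos"), "w") as f:
        meta.write(f)

    # Track port and reload daemon
    self.meta = None
    self.installed = True
    storage.sites.add("sites", self)
    signals.emit("websites", "site_installed", self)
    self.nginx_enable()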
def ssl_disable(self, path):
    """Restore ``self.addtoblock[0]`` as ``location /`` for the site at *path*.

    The site name is the last component of *path*; servers without a
    ``location /`` block are left untouched.
    """
    site_name = os.path.basename(path)
    conf_path = '/etc/nginx/sites-available/%s' % site_name
    conf = nginx.loadf(conf_path)
    for server in conf.servers:
        current = server.filter('Location', '/')
        if current:
            server.remove(current[0])
            server.add(self.addtoblock[0])
    nginx.dumpf(conf, conf_path)
def ssl_disable(self, path):
    """Restore ``self.addtoblock[0]`` as ``location /`` for the site at *path*.

    The site name is the last component of *path*. The service manager
    backend is looked up at the end; nothing visible here uses it.
    """
    site_name = os.path.basename(path)
    conf_path = '/etc/nginx/sites-available/%s'%site_name
    conf = nginx.loadf(conf_path)
    for server in conf.servers:
        current = server.filter('Location', '/')
        if not current:
            continue
        server.remove(current[0])
        server.add(self.addtoblock[0])
    nginx.dumpf(conf, conf_path)
    s = self.app.get_backend(apis.services.IServiceManager)
def post_install(self, name, path, vars):
    """Serve Jekyll's ``_site`` output for the site and build it once.

    Returns the message shown to the user after installation.
    """
    conf_path = os.path.join('/etc/nginx/sites-available', name)
    site_output = os.path.join(path, '_site')

    # Make sure the webapps config points to the _site directory and generate it.
    c = nginx.loadf(conf_path)
    c.servers[0].filter('Key', 'root')[0].value = site_output
    nginx.dumpf(c, conf_path)

    # NOTE(review): path is concatenated into a command string and the
    # result of the build is not checked. If shell() passes the string
    # through a shell, spaces or metacharacters in the path alter the
    # command -- confirm the path is validated upstream.
    shell('jekyll build --source '+path+' --destination '+site_output)

    # Return an explicatory message.
    return ('Jekyll has been setup, with a sample site at '+path
            +'. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Configure button next to the site, then "Regenerate Site" to bring your changes live.')
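def post_install(self, extra_vars, dbpasswd=""):
    """Finish installing Paperwork: PHP modules, DB settings, assets, nginx.

    Raises ``Exception`` when bower, gulp or the artisan migration exits
    non-zero.

    NOTE(review): the database settings string uses port 3389, which is not
    MySQL's default (3306) -- confirm it is intended.
    """
    # Get around top-level zip restriction (FIXME 0.7.2)
    if "paperwork-master" in os.listdir(self.path):
        tmp_path = os.path.abspath(os.path.join(self.path, "../pwrk-tmp"))
        os.rename(os.path.join(self.path, "paperwork-master/frontend"),
                  tmp_path)
        os.rename(os.path.join(self.path, ".arkos"),
                  os.path.join(tmp_path, ".arkos"))
        shutil.rmtree(self.path)
        os.rename(tmp_path, self.path)

    # Make sure that the correct PHP settings are enabled
    php.enable_mod('gd', 'opcache', 'mysql', 'pdo_mysql', 'mcrypt')
    php.enable_mod('apcu', config_file="/etc/php/conf.d/apcu.ini")

    db_settings = os.path.join(self.path, 'app/storage/db_settings')
    dbstr = "mysql, localhost, 3389, {0}, {1}, {0}"\
        .format(self.id, dbpasswd)
    with open(db_settings, 'w') as f:
        f.write(dbstr)

    php.composer_install(self.path)
    nodejs.install("gulp", as_global=True)
    nodejs.install_from_package(self.path, stat=None)

    cwd = os.getcwd()
    os.chdir(self.path)
    try:
        s = shell("bower install --allow-root", stdin='y\n')
        if s["code"] != 0:
            raise Exception("Failed to run bower: {0}".format(s["stderr"]))
        s = shell("gulp")
        if s["code"] != 0:
            raise Exception("Failed to run gulp: {0}".format(s["stderr"]))
        s = shell("php artisan migrate --force")
        if s["code"] != 0:
            raise Exception("Failed to run artisan: {0}".format(s["stderr"]))
    finally:
        # Restore the working directory even when a build step fails, so
        # the rest of the process does not keep running inside the site.
        os.chdir(cwd)

    # Make sure the webapps config points to the public directory.
    conf_path = os.path.join('/etc/nginx/sites-available', self.id)
    c = nginx.loadf(conf_path)
    for x in c.servers:
        if x.filter('Key', 'root'):
            x.filter('Key', 'root')[0].value = \
                os.path.join(self.path, 'public')
    nginx.dumpf(c, conf_path)

    uid, gid = users.get_system("http").uid, groups.get_system("http").gid
    for r, d, f in os.walk(os.path.join(self.path, 'app')):
        for x in d:
            os.chmod(os.path.join(r, x), 0o755)
            os.chown(os.path.join(r, x), uid, gid)
        for x in f:
            os.chmod(os.path.join(r, x), 0o644)
            os.chown(os.path.join(r, x), uid, gid)

    # The walk above leaves db_settings, which holds the database password,
    # readable by every local account (0644). Restrict it to the http
    # owner and group.
    if os.path.exists(db_settings):
        os.chmod(db_settings, 0o640)

    if os.path.exists(os.path.join(self.path, 'app/storage/setup')):
        os.unlink(os.path.join(self.path, 'app/storage/setup'))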
def generate(cls, servers):
    """Build the nginx configuration for *servers*, write it, reload nginx.

    NOTE(review): the exit status of ``nginx -s reload`` is discarded, and
    the success message is emitted before the reload is attempted.
    """
    builder = cls(servers)
    builder.upstream()
    builder.base_server()
    for port in (80, 443):
        builder.servers(port)
    builder.certificate()

    # Set here the directory the config is written to
    output_path = f'{BASE_DIR}/etc/nginx.conf'
    nginx.dumpf(builder.config, output_path)
    builder.success_message("Настройки сервера обновленны")
    os.system('nginx -s reload')
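def enable_ssl(self, cfile, kfile):
    """Re-add the proxy ``location /`` with forwarding headers for TLS.

    For every server that has a ``location /`` block, that block is
    replaced by ``self.addtoblock[0]`` carrying ``X-Forwarded-For`` and
    ``X-Forwarded-Proto``. *cfile* and *kfile* are not used here.

    NOTE(review): the backend can only trust these headers if it is
    reachable solely through this proxy -- confirm the deployment.
    """
    conf_path = '/etc/nginx/sites-available/%s'%self.id
    forwarded = (
        'X-Forwarded-For $proxy_add_x_forwarded_for',
        'X-Forwarded-Proto $scheme',
    )
    n = nginx.loadf(conf_path)
    for x in n.servers:
        if x.filter('Location', '/'):
            x.remove(x.filter('Location', '/')[0])
            # self.addtoblock[0] is shared across servers and across calls;
            # add each header only once so repeated enables (or several
            # matching servers) do not pile up duplicate directives.
            present = [k.value for k in
                       self.addtoblock[0].filter('Key', 'proxy_set_header')]
            for value in forwarded:
                if value not in present:
                    self.addtoblock[0].add(
                        nginx.Key('proxy_set_header', value))
            x.add(self.addtoblock[0])
    nginx.dumpf(n, conf_path)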
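def update_nginx_proxy_restriction():
    """Rewrite the allowed-host entries in each nginx file and reload nginx.

    The accepted addresses are the ``host`` values of all ``RegisteredHost``
    rows; ``update_allowed`` applies them to every file listed in ``files``.
    """
    accept_ips = [h for h, in RegisteredHost.query.values(RegisteredHost.host)]
    current_app.logger.debug(
        'UPDATE NGINX PROXY FOR RHOSTS: {}'.format(accept_ips))
    for filename in files:
        conf = nginx.loadf(filename)
        update_allowed(accept_ips, conf)
        nginx.dumpf(conf, filename)

    # Because only root can reload daemons we've created special wrapper
    # and configure sudo to allow required action.
    # An argument list without shell=True runs the same fixed command
    # without involving a shell.
    status = subprocess.call(['sudo', '/var/opt/kuberdock/nginx_reload.sh'])
    if status != 0:
        # A failed reload means nginx keeps enforcing the previous allow
        # list while the files on disk say otherwise; make that visible.
        current_app.logger.warning(
            'nginx reload wrapper exited with status {}'.format(status))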
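def ssl_enable(self):
    """Enable TLS for this site using ``self.cert``.

    A site on port 80 is moved to ``443 ssl`` and gets a port-80 server
    that redirects to https; any other port keeps its number and gains the
    ``ssl`` flag. Old ``ssl_*`` keys are replaced, the certificate id is
    stored in ``.arkos`` and the site type's ``enable_ssl`` hook is called.
    """
    # Get server-preferred ciphers
    site_ciphers = config.get("certificates", "ciphers")
    if not site_ciphers:
        # Assigning to a local called `ciphers` made the fallback read an
        # unbound local. Use a separate local so `ciphers` resolves to the
        # module-level default.
        # NOTE(review): assumes such a module-level `ciphers` exists --
        # confirm.
        site_ciphers = ciphers
        config.set("certificates", "ciphers", site_ciphers)
        config.save()

    conf_path = os.path.join("/etc/nginx/sites-available/", self.id)
    meta_path = os.path.join(self.path, ".arkos")
    block = nginx.loadf(conf_path)

    # If the site is on port 80, setup an HTTP redirect to new port 443
    server = block.servers[0]
    listen = server.filter("Key", "listen")[0]
    if listen.value == "80":
        listen.value = "443 ssl"
        block.add(nginx.Server(
            nginx.Key("listen", "80"),
            nginx.Key("server_name", self.addr),
            nginx.Key("return", "301 https://%s$request_uri" % self.addr)
        ))
        for x in block.servers:
            if x.filter("Key", "listen")[0].value == "443 ssl":
                server = x
                break
    else:
        listen.value = listen.value.split(" ssl")[0] + " ssl"

    # Clean up any pre-existing SSL directives that no longer apply.
    # Iterate over a snapshot: removing from the list being walked would
    # skip the element after each removal if all() returns the live list.
    for x in list(server.all()):
        if isinstance(x, nginx.Key) and x.name.startswith("ssl_"):
            server.remove(x)

    # Add the necessary SSL directives to the serverblock and save
    server.add(
        nginx.Key("ssl_certificate", self.cert.cert_path),
        nginx.Key("ssl_certificate_key", self.cert.key_path),
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
        # TLSv1.3 can be appended where nginx/OpenSSL support it.
        nginx.Key("ssl_protocols", "TLSv1.2"),
        nginx.Key("ssl_ciphers", site_ciphers),
        nginx.Key("ssl_session_timeout", "5m"),
        nginx.Key("ssl_prefer_server_ciphers", "on"),
        nginx.Key("ssl_dhparam", "/etc/arkos/ssl/dh_params.pem"),
        nginx.Key("ssl_session_cache", "shared:SSL:50m"),
    )
    nginx.dumpf(block, conf_path)

    # Set the certificate name in the metadata file
    meta = ConfigParser.SafeConfigParser()
    meta.read(meta_path)
    meta.set("website", "ssl", self.cert.id)
    with open(meta_path, "w") as f:
        meta.write(f)

    # Call the website type's SSL enable hook
    self.enable_ssl(self.cert.cert_path, self.cert.key_path)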
def post_install(self, name, path, vars):
    """Serve Jekyll's ``_site`` output for the site and build it once.

    Returns the message shown to the user after installation.
    """
    conf_path = os.path.join('/etc/nginx/sites-available', name)
    generated = os.path.join(path, '_site')

    # Make sure the webapps config points to the _site directory and generate it.
    conf = nginx.loadf(conf_path)
    first_server = conf.servers[0]
    first_server.filter('Key', 'root')[0].value = generated
    nginx.dumpf(conf, conf_path)

    # NOTE(review): path is concatenated into a command string and the
    # result of the build is not checked. If shell() passes the string
    # through a shell, spaces or metacharacters in the path alter the
    # command -- confirm the path is validated upstream.
    command = 'jekyll build --source ' + path + ' --destination ' + generated
    shell(command)

    # Return an explicatory message.
    return ('Jekyll has been setup, with a sample site at ' + path
            + '. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Configure button next to the site, then "Regenerate Site" to bring your changes live.')
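def enable_ssl(self, cfile, kfile):
    """Re-add the proxy ``location /`` with forwarding headers for TLS.

    For every server that has a ``location /`` block, that block is
    replaced by ``self.addtoblock[0]`` carrying ``X-Forwarded-For`` and
    ``X-Forwarded-Proto``. *cfile* and *kfile* are not used here.

    NOTE(review): the backend can only trust these headers if it is
    reachable solely through this proxy -- confirm the deployment.
    """
    conf_path = '/etc/nginx/sites-available/%s' % self.id
    forwarded = (
        'X-Forwarded-For $proxy_add_x_forwarded_for',
        'X-Forwarded-Proto $scheme',
    )
    n = nginx.loadf(conf_path)
    for x in n.servers:
        if x.filter('Location', '/'):
            x.remove(x.filter('Location', '/')[0])
            # self.addtoblock[0] is shared across servers and across calls;
            # add each header only once so repeated enables (or several
            # matching servers) do not pile up duplicate directives.
            present = [k.value for k in
                       self.addtoblock[0].filter('Key', 'proxy_set_header')]
            for value in forwarded:
                if value not in present:
                    self.addtoblock[0].add(
                        nginx.Key('proxy_set_header', value))
            x.add(self.addtoblock[0])
    nginx.dumpf(n, conf_path)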
def _edit_nginx_entry(project_root_dir, rev_proxy_container, model_name, hostname, ip_port, old_hostname = None):
    """Add or replace the upstream and location for one model endpoint.

    Copies nginx.conf down from the reverse-proxy container, rewrites the
    ``upstream <hostname>`` and ``location /<model_name>/`` entries inside
    the ``http`` block, copies the file back and starts/reloads nginx in
    the container. The local working copy is always deleted afterwards.

    NOTE(review): model_name, hostname and ip_port are written into the
    config as given; confirm they are validated by the caller so a value
    cannot carry additional directives.
    """
    conf_dir = _copy_down_nginx_conf(project_root_dir, rev_proxy_container)
    try:
        conf_file = _build_relative_path(conf_dir,'nginx.conf')
        parsed = _nginx.loadf(conf_file)
        http = parsed.filter('Http')[0]
        endpoint_url = '/{}/'.format(model_name)

        # Remove the upstream registered under the previous hostname.
        if old_hostname is not None:
            for existing in http.filter('Upstream'):
                if existing.value == old_hostname:
                    http.remove(existing)

        # Register the upstream for the new hostname.
        upstream = _nginx.Upstream(hostname)
        upstream.add(_nginx.Key('server', ip_port))
        http.add(upstream)

        # Reuse the first server if there is one (dropping a stale location
        # for this endpoint), otherwise create one listening on 5000.
        servers = http.filter('Server')
        created_server = len(servers) == 0
        if created_server:
            server = _nginx.Server()
            server.add(_nginx.Key('listen', '5000'))
        else:
            server = servers[0]
            for loc in server.filter('Location'):
                if loc.value == endpoint_url:
                    server.remove(loc)

        location = _nginx.Location(endpoint_url)
        location.add(
            _nginx.Key('proxy_pass', 'http://{}/'.format(hostname)),
            _nginx.Key('proxy_redirect', 'off'),
            _nginx.Key('proxy_set_header', 'Host $host'),
            _nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
            _nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
            _nginx.Key('proxy_set_header', 'X-Forwarded-Host $server_name')
        )
        server.add(location)
        if created_server:
            http.add(server)

        _nginx.dumpf(parsed, conf_file)
        _copy_up_nginx_conf(project_root_dir, conf_dir, rev_proxy_container)

        # reload nginx on server
        for command in ('/usr/sbin/nginx', '/usr/sbin/nginx -s reload'):
            rev_proxy_container.exec_run(command, detach = True)
    finally:
        _shutil.rmtree(conf_dir, ignore_errors=True)
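def post_install(self, name, path, vars):
    """Finish a custom-site install: document root, optional database, index page.

    When the ``php`` form value is ``'1'`` an ``htdocs`` directory is created
    under ``path`` and every ``root`` key in the site's nginx file is pointed
    at it.  When a database type is selected the database, its user and the
    grant are created.  A placeholder index file is then written and the
    tree is handed to the ``http`` user.

    Args:
        name: site name; also the file name under ``/etc/nginx/sites-available``.
        path: site directory.
        vars: form values object exposing ``getvalue(key, default)``.
    """
    try:
        from shlex import quote as shell_quote
    except ImportError:  # Python 2
        from pipes import quote as shell_quote

    # Write a basic index file showing that we are here
    php = vars.getvalue('php', '0') == '1'
    if php:
        path = os.path.join(path, 'htdocs')
        os.mkdir(path)
        conf_path = os.path.join('/etc/nginx/sites-available', name)
        c = nginx.loadf(conf_path)
        for x in c.servers:
            roots = x.filter('Key', 'root')
            if roots:
                roots[0].value = path
        nginx.dumpf(c, conf_path)

    # Create a database if the user wants one
    if php:
        phpctl = apis.langassist(self.app).get_interface('PHP')
    if vars.getvalue('ws-dbsel', 'None') != 'None':
        dbtype = vars.getvalue('ws-dbsel', '')
        dbname = vars.getvalue('ws-dbname', '')
        # The password comes from the form; keep it out of logs and errors.
        passwd = vars.getvalue('ws-dbpass', '')
        dbase = apis.databases(self.app).get_interface(dbtype)
        if hasattr(dbase, 'connect'):
            conn = apis.databases(self.app).get_dbconn(dbtype)
            dbase.add(dbname, conn)
            dbase.usermod(dbname, 'add', passwd, conn)
            dbase.chperm(dbname, dbname, 'grant', conn)
        else:
            dbase.add(dbname)
            dbase.usermod(dbname, 'add', passwd)
            dbase.chperm(dbname, dbname, 'grant')
        if php:
            phpctl.enable_mod('mysql')

    # The context manager closes the file even if the write fails.
    # NOTE(review): path is embedded in the page without HTML escaping.
    index_name = 'index.' + ('php' if php else 'html')
    with open(os.path.join(path, index_name), 'w') as f:
        f.write(
            '<html>\n'
            '<body>\n'
            '<h1>Genesis - Custom Site</h1>\n'
            '<p>Your site is online and available at '+path+'</p>\n'
            '<p>Feel free to paste your site files here</p>\n'
            '</body>\n'
            '</html>\n'
        )

    # Give access to httpd.  The path is quoted so that a directory name
    # with spaces or shell metacharacters stays a single argument.
    shell('chown -R http:http ' + shell_quote(path))

    # Enable xcache if PHP is set
    if php:
        phpctl.enable_mod('xcache')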
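def post_install(self, name, path, vars):
    """Set up the document root, optional database and placeholder index page.

    With the ``php`` form value set to ``'1'`` the site is served from a new
    ``htdocs`` directory below ``path`` and the nginx ``root`` keys are
    rewritten accordingly.  A database, user and grant are created when a
    database type other than ``'None'`` is selected.  Finally an index file
    is written and ownership of the tree is given to ``http``.

    Args:
        name: site name, used as the nginx site file name.
        path: site directory.
        vars: form values object exposing ``getvalue(key, default)``.
    """
    try:
        from shlex import quote as _quote
    except ImportError:  # Python 2
        from pipes import quote as _quote

    # Write a basic index file showing that we are here
    if vars.getvalue('php', '0') == '1':
        php = True
        path = os.path.join(path, 'htdocs')
        os.mkdir(path)
        site_conf = os.path.join('/etc/nginx/sites-available', name)
        c = nginx.loadf(site_conf)
        for x in c.servers:
            if x.filter('Key', 'root'):
                x.filter('Key', 'root')[0].value = path
        nginx.dumpf(c, site_conf)
    else:
        php = False

    # Create a database if the user wants one
    if php:
        phpctl = apis.langassist(self.app).get_interface('PHP')
    if vars.getvalue('ws-dbsel', 'None') != 'None':
        dbtype = vars.getvalue('ws-dbsel', '')
        dbname = vars.getvalue('ws-dbname', '')
        passwd = vars.getvalue('ws-dbpass', '')  # form-supplied secret
        dbase = apis.databases(self.app).get_interface(dbtype)
        # Backends with a connect attribute take an explicit connection.
        extra = ()
        if hasattr(dbase, 'connect'):
            extra = (apis.databases(self.app).get_dbconn(dbtype),)
        dbase.add(dbname, *extra)
        dbase.usermod(dbname, 'add', passwd, *extra)
        dbase.chperm(dbname, dbname, 'grant', *extra)
        if php:
            phpctl.enable_mod('mysql')

    # with-statement: the handle is closed even when the write raises.
    # NOTE(review): path is written into the HTML unescaped.
    index_file = os.path.join(path, 'index.' + ('php' if php is True else 'html'))
    with open(index_file, 'w') as f:
        f.write('<html>\n'
                '<body>\n'
                '<h1>Genesis - Custom Site</h1>\n'
                '<p>Your site is online and available at ' + path + '</p>\n'
                '<p>Feel free to paste your site files here</p>\n'
                '</body>\n'
                '</html>\n')

    # Give access to httpd; quoting keeps an unusual directory name from
    # being split or interpreted by the command line.
    shell('chown -R http:http ' + _quote(path))

    # Enable xcache if PHP is set
    if php:
        phpctl.enable_mod('xcache')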
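def write_conf(app):
    """Write the ``<appname>-ssl.conf`` vhost for an app and reload NGINX.

    Args:
        app: mapping with ``appname``, ``root``, ``domains``, ``certpath``
            and optionally ``username`` (default ``'serverpilot'``).

    Returns:
        True when the file was written and the reload call returned,
        False when either step raised.
    """
    appname = app.get('appname')
    print(bcolors.OKBLUE + 'Writing NGINX vhost file for the app ' +
          bcolors.BOLD + appname + bcolors.ENDC)
    root = app.get('root')
    username = app.get('username', 'serverpilot')
    confname = vhostsdir + appname + '-ssl.conf'
    domains = app.get('domains')
    log_dir = '/srv/users/' + username + '/log/' + appname

    # NOTE(review): appname, username, root and the domain list are written
    # into the vhost verbatim; they are assumed to be validated upstream.
    c = nginx.Conf()
    s = nginx.Server()
    s.add(
        nginx.Comment(
            'SSL conf added by rwssl (https://github.com/rehmatworks/serverpilot-letsencrypt)'
        ),
        nginx.Key('listen', '443 ssl http2'),
        nginx.Key('listen', '[::]:443 ssl http2'),
        nginx.Key('server_name', ' '.join(domains)),
        # NOTE(review): the standalone "ssl on" directive duplicates the ssl
        # flag on listen; it was deprecated in nginx 1.15.0 and removed in
        # 1.25.1 -- confirm against the deployed nginx version.
        nginx.Key('ssl', 'on'),
        nginx.Key('ssl_certificate', app.get('certpath') + '/fullchain.pem'),
        nginx.Key('ssl_certificate_key', app.get('certpath') + '/privkey.pem'),
        nginx.Key('root', root),
        nginx.Key('access_log', log_dir + '/dev_nginx.access.log main'),
        nginx.Key('error_log', log_dir + '/dev_nginx.error.log'),
        nginx.Key('proxy_set_header', 'Host $host'),
        nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
        nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
        nginx.Key('proxy_set_header', 'X-Forwarded-SSL on'),
        nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
        nginx.Key('include', '/etc/nginx-sp/vhosts.d/' + appname + '.d/*.conf'),
    )
    c.add(s)
    try:
        nginx.dumpf(c, confname)
        print(bcolors.OKGREEN + 'Virtual host file created!' + bcolors.ENDC)
        print(bcolors.OKBLUE + 'Reloading NGINX server...' + bcolors.ENDC)
        reload_nginx_sp()
        print(bcolors.OKGREEN +
              'SSL should have been installed and activated for the app ' +
              bcolors.BOLD + appname + bcolors.ENDC)
        return True
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit are
        # not reported as a failed write.  A failing reload also lands here.
        print(bcolors.FAIL + 'Virtual host file cannot be created!' + bcolors.ENDC)
        return False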
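def certificate(self, servers):
    """Write a per-domain ``ssl_certificate`` include for each SSL-enabled entry.

    For every mapping in ``servers`` whose ``is_ssl_certificate`` value is
    truthy, a file ``/etc/nginx/conf.d/ssl_certificate/<domain>.conf`` is
    written that points at ``/var/www/certificate/<domain>-cert.pem`` and
    ``<domain>-key.pem``.

    All domains are checked before anything is written, because the domain
    ends up both in file paths and in the nginx configuration text.

    Raises:
        ValueError: if an SSL-enabled entry has an empty domain or one that
            contains a path separator, whitespace, a control character or
            nginx syntax characters.
    """
    forbidden = set('/\\;{}"\'$')
    domains = []
    for server_data in servers:
        if not server_data.get("is_ssl_certificate", False):
            continue
        domain = server_data.get("domain", "")
        unsafe = not domain or any(
            ch in forbidden or ch.isspace() or ord(ch) < 32 for ch in domain)
        if unsafe:
            raise ValueError(
                "unsafe domain for certificate config: %r" % (domain,))
        domains.append(domain)

    for domain in domains:
        conf = nginx.Conf()
        conf.add(
            nginx.Key("ssl_certificate",
                      f"/var/www/certificate/{domain}-cert.pem"))
        conf.add(
            nginx.Key("ssl_certificate_key",
                      f"/var/www/certificate/{domain}-key.pem"))
        nginx.dumpf(
            conf, f'/etc/nginx/conf.d/ssl_certificate/{domain}.conf')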
def ssl_enable(self, path, cfile, kfile):
    """Install the proxy block with forwarding headers as the site's ``location /``.

    The site name is the last component of ``path``.  For every server block
    in that site's nginx file with a ``location /``, the location is removed,
    the ``X-Forwarded-For`` and ``X-Forwarded-Proto`` headers are added to
    ``self.addtoblock[0]`` and that block is put in its place.  ``cfile`` and
    ``kfile`` are not used in the visible code.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    site = os.path.basename(path)
    target = '/etc/nginx/sites-available/%s' % site
    conf = nginx.loadf(target)
    for block in conf.servers:
        found = block.filter('Location', '/')
        if not found:
            continue
        block.remove(found[0])
        # The backend sees the client-supplied X-Forwarded-For plus the peer
        # address, so only the last hop is trustworthy.
        self.addtoblock[0].add(
            nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
            nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
        )
        block.add(self.addtoblock[0])
        nginx.dumpf(conf, target)
    # NOTE(review): the handle is fetched but not used in the visible code.
    s = self.app.get_backend(apis.services.IServiceManager)
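def post_install(self, vars, dbpasswd=""):
    """Finish the install: unpack layout, PHP modules, build steps, nginx root, permissions.

    Steps, in order: flatten the ``paperwork-master/frontend`` directory into
    the site path when present, enable the PHP modules, write the database
    settings file, install PHP and Node dependencies, run bower, gulp and the
    artisan migration from inside the site directory, point the nginx
    ``root`` at ``public`` and set ownership and modes under ``app``.

    Args:
        vars: not used in this function.
        dbpasswd: database password written to ``app/storage/db_settings``.

    Raises:
        Exception: when bower, gulp or the artisan migration exits non-zero.
    """
    # Get around top-level zip restriction (FIXME 0.7.2)
    if "paperwork-master" in os.listdir(self.path):
        tmp_path = os.path.abspath(os.path.join(self.path, "../pwrk-tmp"))
        os.rename(os.path.join(self.path, "paperwork-master/frontend"), tmp_path)
        os.rename(os.path.join(self.path, ".arkos"),
                  os.path.join(tmp_path, ".arkos"))
        shutil.rmtree(self.path)
        os.rename(tmp_path, self.path)

    # Make sure that the correct PHP settings are enabled
    php.enable_mod('gd', 'opcache', 'mysql', 'pdo_mysql', 'mcrypt')
    php.enable_mod('apcu', config_file="/etc/php/conf.d/apcu.ini")

    # NOTE(review): 3389 is not MySQL's default port (3306) -- confirm.
    # NOTE(review): this file holds the database password, and the walk at
    # the end of this function sets every file under app/ to 0644; consider
    # a tighter mode for this one file.
    dbstr = "mysql, localhost, 3389, {0}, {1}, {0}".format(self.id, dbpasswd)
    with open(os.path.join(self.path, 'app/storage/db_settings'), 'w') as f:
        f.write(dbstr)

    php.composer_install(self.path)
    nodejs.install("gulp", as_global=True)
    nodejs.install_from_package(self.path, stat=None)

    # The build tools run relative to the site directory.  try/finally puts
    # the working directory back even when a step fails, so the rest of the
    # process is not left inside the site tree.
    cwd = os.getcwd()
    os.chdir(self.path)
    try:
        s = shell("bower install --allow-root", stdin='y\n')
        if s["code"] != 0:
            raise Exception("Failed to run bower: %s" % s["stderr"])
        s = shell("gulp")
        if s["code"] != 0:
            raise Exception("Failed to run gulp: %s" % s["stderr"])
        s = shell("php artisan migrate --force")
        if s["code"] != 0:
            raise Exception("Failed to run artisan: %s" % s["stderr"])
    finally:
        os.chdir(cwd)

    # Make sure the webapps config points to the public directory.
    conf_path = os.path.join('/etc/nginx/sites-available', self.id)
    c = nginx.loadf(conf_path)
    for x in c.servers:
        if x.filter('Key', 'root'):
            x.filter('Key', 'root')[0].value = os.path.join(self.path, 'public')
    nginx.dumpf(c, conf_path)

    # 0o755/0o644 are the same modes as before, written in the octal form
    # that both Python 2.6+ and Python 3 accept.
    uid, gid = users.get_system("http").uid, groups.get_system("http").gid
    for r, d, f in os.walk(os.path.join(self.path, 'app')):
        for x in d:
            os.chmod(os.path.join(r, x), 0o755)
            os.chown(os.path.join(r, x), uid, gid)
        for x in f:
            os.chmod(os.path.join(r, x), 0o644)
            os.chown(os.path.join(r, x), uid, gid)

    if os.path.exists(os.path.join(self.path, 'app/storage/setup')):
        os.unlink(os.path.join(self.path, 'app/storage/setup'))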
def disable_ssl(self):
    """Restore the stock ``location /`` block and switch config.js back to http.

    Every server block with a ``location /`` gets that location replaced by
    ``self.addtoblock[0]``; the production URL prefix in ``config.js`` is
    rewritten from ``https://`` to ``http://`` and the site's service is
    restarted.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    site_conf = '/etc/nginx/sites-available/%s' % self.id
    tree = nginx.loadf(site_conf)
    for srv in tree.servers:
        matches = srv.filter('Location', '/')
        if matches:
            srv.remove(matches[0])
            srv.add(self.addtoblock[0])
            nginx.dumpf(tree, site_conf)

    js_path = os.path.join(self.path, 'config.js')
    with open(js_path, 'r') as src:
        text = src.read()
    # After this the application advertises a plain-HTTP URL.
    text = text.replace('production: {\n url: \'https://',
                        'production: {\n url: \'http://')
    with open(js_path, 'w') as dst:
        dst.write(text)

    services.get(self.id).restart()
def disable_ssl(self):
    """Put the default proxy location back and point config.js at http.

    Replaces the ``location /`` of each server block in this site's nginx
    file with ``self.addtoblock[0]``, rewrites the production URL scheme in
    ``config.js`` from https to http, then restarts the site's service.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    nginx_file = '/etc/nginx/sites-available/%s' % self.id
    parsed = nginx.loadf(nginx_file)
    for server_block in parsed.servers:
        if not server_block.filter('Location', '/'):
            continue
        server_block.remove(server_block.filter('Location', '/')[0])
        server_block.add(self.addtoblock[0])
        nginx.dumpf(parsed, nginx_file)

    config_js = os.path.join(self.path, 'config.js')
    with open(config_js, 'r') as reader:
        original = reader.read()
    rewritten = original.replace('production: {\n url: \'https://',
                                 'production: {\n url: \'http://')
    with open(config_js, 'w') as writer:
        writer.write(rewritten)

    site_service = services.get(self.id)
    site_service.restart()
def nginxConfGenerator(instances, options):
    """Write an ``nginx.conf`` next to this module with one proxy server per instance.

    Each instance is indexed as ``instance[0]`` (backend host) and
    ``instance[1]`` (label used in the ``server_name``).  ``options`` is not
    used.  Returns None.
    """
    conf = nginx.Conf()
    for instance in instances:
        backend = 'http://' + instance[0] + ':15672'
        vhost = 'nxt-mq-' + instance[1] + '.ies.inventec'
        # NOTE(review): the backend is published on plain HTTP port 80 with
        # no access restriction in this block; presumably an internal-only
        # listener -- confirm.
        server = nginx.Server()
        server.add(
            nginx.Key('listen', '80'),
            nginx.Key('server_name', vhost),
            nginx.Location('/', nginx.Key('proxy_pass', backend)),
        )
        conf.add(server)
    here = os.path.dirname(os.path.abspath(__file__))
    nginx.dumpf(conf, here + '/nginx.conf')
    return
def nginx_add(self, site, add):
    """Create the nginx site file for ``site``.

    An empty ``site.path`` is defaulted to ``/srv/http/webapps/<name>``.  The
    file gets a ``GENESIS <stype> <url>`` comment and one server block with
    ``listen``, ``server_name``, ``root`` and ``index`` keys, followed by the
    extra directives in ``add`` when given.
    """
    if site.path == '':
        site.path = os.path.join('/srv/http/webapps/', site.name)

    url = 'http://' + site.addr + ':' + site.port
    index_page = 'index.' + ('php' if site.php else 'html')

    # NOTE(review): site.name selects the output file and site.addr/port/path
    # are written verbatim; they are assumed to be validated by the caller.
    conf = nginx.Conf()
    conf.add(nginx.Comment('GENESIS %s %s' % (site.stype, url)))
    server = nginx.Server(
        nginx.Key('listen', site.port),
        nginx.Key('server_name', site.addr),
        nginx.Key('root', site.path),
        nginx.Key('index', index_page)
    )
    if add:
        server.add(*add)
    conf.add(server)
    nginx.dumpf(conf, os.path.join('/etc/nginx/sites-available', site.name))
def generate_nginx_config(self):
    """Write the load balancer's nginx.conf for ``self.n_endpoints`` backends.

    The ``loadbalancer`` upstream uses ``least_conn`` and lists one server
    per endpoint on consecutive ports starting at ``self.src_port``, all on
    the address returned by ``get_ip_address()``.  The single server block
    proxies ``/`` to that upstream and silences logging for the favicon.
    """
    conf = nginx.Conf()
    upstream = nginx.Upstream('loadbalancer', nginx.Key('least_conn', ''))
    host = get_ip_address()
    for offset in range(self.n_endpoints):
        upstream.add(nginx.Key('server', f'{host}:{self.src_port + offset}'))

    server = nginx.Server(
        nginx.Location('/', nginx.Key('proxy_pass', 'http://loadbalancer')))
    favicon = nginx.Location('/favicon.ico',
                             nginx.Key('log_not_found', 'off'),
                             nginx.Key('access_log', 'off'))

    conf.add(upstream)
    server.add(favicon)
    conf.add(server)
    nginx.dumpf(conf, 'dockerfiles/loadbalancer/nginx.conf')
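def ssl_disable(self, path):
    """Restore the stock ``location /`` block and switch config.js back to http.

    The site name is the last component of ``path``.  Each server block with
    a ``location /`` gets it replaced by ``self.addtoblock[0]``; the
    production URL scheme in ``<path>/config.js`` is rewritten from https to
    http and the ``ghost`` service is restarted through the service manager.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    name = os.path.basename(path)
    conf_path = '/etc/nginx/sites-available/%s' % name
    n = nginx.loadf(conf_path)
    for x in n.servers:
        if x.filter('Location', '/'):
            x.remove(x.filter('Location', '/')[0])
            x.add(self.addtoblock[0])
            nginx.dumpf(n, conf_path)

    # Read through a context manager so the read handle is closed before the
    # file is reopened for writing (the original left it to the collector).
    config_js = os.path.join(path, 'config.js')
    with open(config_js, 'r') as config_file:
        contents = config_file.read()
    contents = contents.replace('production: {\n url: \'https://',
                                'production: {\n url: \'http://')
    with open(config_js, 'w') as config_file:
        config_file.write(contents)

    s = self.app.get_backend(apis.services.IServiceManager)
    s.restart('ghost', 'supervisor')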
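def ssl_disable(self, path):
    """Undo the SSL proxy changes for the site stored at ``path``.

    Replaces the ``location /`` of every server block in the site's nginx
    file with ``self.addtoblock[0]``, rewrites the production URL in
    ``config.js`` from ``https://`` to ``http://`` and restarts ``ghost``
    via the service manager.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    name = os.path.basename(path)
    site_file = '/etc/nginx/sites-available/%s' % name
    n = nginx.loadf(site_file)
    for x in n.servers:
        locations = x.filter('Location', '/')
        if locations:
            x.remove(locations[0])
            x.add(self.addtoblock[0])
            nginx.dumpf(n, site_file)

    js_file = os.path.join(path, 'config.js')
    # Both handles are scoped by with-blocks; the original never closed the
    # one it read from.
    with open(js_file, 'r') as reader:
        text = reader.read()
    with open(js_file, 'w') as config_file:
        config_file.write(text.replace('production: {\n url: \'https://',
                                       'production: {\n url: \'http://'))

    s = self.app.get_backend(apis.services.IServiceManager)
    s.restart('ghost', 'supervisor')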
def enable_ssl(self, cfile, kfile):
    """Add forwarding headers to ``location /`` and switch config.js to https.

    For every server block with a ``location /`` the ``X-Forwarded-For`` and
    ``X-Forwarded-Proto`` headers are appended to that location.  The
    production URL scheme in ``config.js`` is then rewritten from http to
    https and the site's service is restarted.  ``cfile`` and ``kfile`` are
    not used here.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    site_conf = '/etc/nginx/sites-available/%s' % self.id
    tree = nginx.loadf(site_conf)
    for srv in tree.servers:
        root_loc = srv.filter('Location', '/')
        if not root_loc:
            continue
        # The backend receives the client-supplied X-Forwarded-For with the
        # peer address appended; only the last hop is trustworthy.
        root_loc[0].add(
            nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
            nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme')
        )
        nginx.dumpf(tree, site_conf)

    js_path = os.path.join(self.path, 'config.js')
    with open(js_path, 'r') as src:
        text = src.read()
    text = text.replace('production: {\n url: \'http://',
                        'production: {\n url: \'https://')
    with open(js_path, 'w') as dst:
        dst.write(text)

    services.get(self.id).restart()
def add_server(app_name, app_server_ip_addr):
    """Append ``<ip>:3000`` as a server of the app's first upstream block.

    The first ``http`` block and its first ``upstream`` block are detached,
    the new ``server`` key is added, and both are re-attached, which places
    them after any sibling blocks in the written file.
    """
    # NOTE(review): app_name is joined into the path as given; it is assumed
    # to be a plain directory name.
    conf_file = CONFIG_DIR + app_name + '/nginx.conf'
    conf = nginx.loadf(conf_file)

    http_block = conf.filter('Http')[0]
    conf.remove(http_block)
    upstream_block = http_block.filter('Upstream')[0]
    http_block.remove(upstream_block)

    backend = str(app_server_ip_addr) + ':3000'
    upstream_block.add(nginx.Key('server', backend))

    http_block.add(upstream_block)
    conf.add(http_block)
    nginx.dumpf(conf, conf_file)
def server_submit():
    """Replace one server block in an nginx file with text from the POST body.

    Reads ``server_name``, ``server_value`` and ``path_file_name`` from
    ``request.POST``, loads the file at ``path_file_name``, removes each
    server block whose ``server_name`` equals the submitted name and adds
    the first server block parsed from ``server_value`` in its place, then
    writes the file back and returns ``server_value`` unchanged.
    """
    # NOTE(review): nesting reconstructed from a flattened listing -- confirm
    # against the original file.
    # NOTE(review): all three values come straight from the request.
    server_name=request.POST.get('server_name', '')
    server_value=request.POST.get('server_value', '')
    path_file_name=request.POST.get("path_file_name","")
    # path_file_name is opened and later rewritten exactly as submitted; no
    # check is visible here that it stays inside the nginx configuration
    # directory.  It should be resolved and confined to an allowlisted
    # directory, and the route should require authentication -- TODO confirm
    # how this handler is exposed.
    c = nginx.loadf(path_file_name)
    servers = c.filter("Server")
    for i in servers:
        # Raises IndexError for a server block without a server_name key.
        if server_name == i.filter("key", "server_name")[0].value:
            c.remove(i)
            # server_value is parsed and inserted as-is, so the submitter
            # controls every directive of the new block.
            new_c=nginx.loads(server_value)
            new_server=new_c.filter('Server')[0]
            c.add(new_server)
            # print "remove ok"
    # c.add(myserver)
    nginx.dumpf(c, path_file_name)
    # print myserver
    # NOTE(review): the submitted text is echoed back; escape it if the
    # response is rendered as HTML.
    return server_value
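def ssl_disable(self, path):
    """Undo the SSL proxy changes for the site at ``path`` and reload ghost.

    Replaces the ``location /`` of every server block in the site's nginx
    file with ``self.addtoblock[0]``, rewrites the production URL in
    ``config.js`` from ``https://`` to ``http://`` and, when a supervisor
    interface is available, sends it the ``rel`` order for ``ghost``.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    name = os.path.basename(path)
    site_file = '/etc/nginx/sites-available/%s' % name
    n = nginx.loadf(site_file)
    for x in n.servers:
        if x.filter('Location', '/'):
            x.remove(x.filter('Location', '/')[0])
            x.add(self.addtoblock[0])
            nginx.dumpf(n, site_file)

    # The read handle is closed by the with-block instead of being left
    # open until garbage collection.
    config_js = os.path.join(path, 'config.js')
    with open(config_js, 'r') as config_file:
        f = config_file.read()
    f = f.replace('production: {\n url: \'https://',
                  'production: {\n url: \'http://')
    with open(config_js, 'w') as config_file:
        config_file.write(f)

    s = apis.orders(self.app).get_interface('supervisor')
    if s:
        s[0].order('rel', 'ghost')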
def disable_ssl(self):
    """Strip the forwarding headers from ``location /`` and switch config.js to http.

    In every server block with a ``location /``, children of that location
    whose value is the ``X-Forwarded-For`` or ``X-Forwarded-Proto`` header
    setting are removed.  The production URL scheme in ``config.js`` is
    rewritten from https to http and the site's service is restarted.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # write-back is assumed to sit inside the match branch -- confirm.
    forwarded = ('X-Forwarded-For $proxy_add_x_forwarded_for',
                 'X-Forwarded-Proto $scheme')
    site_conf = '/etc/nginx/sites-available/%s' % self.id
    tree = nginx.loadf(site_conf)
    for srv in tree.servers:
        if not srv.filter('Location', '/'):
            continue
        # Collect first, remove afterwards, so the child list is not
        # modified while it is being walked.
        doomed = [child for child in srv.filter('Location', '/')[0].all()
                  if child.value in forwarded]
        for child in doomed:
            srv.filter('Location', '/')[0].remove(child)
        nginx.dumpf(tree, site_conf)

    js_path = os.path.join(self.path, 'config.js')
    with open(js_path, 'r') as src:
        text = src.read()
    text = text.replace('production: {\n url: \'https://',
                        'production: {\n url: \'http://')
    with open(js_path, 'w') as dst:
        dst.write(text)

    services.get(self.id).restart()
def nginx_edit(self, oldsite, site):
    """Apply ``site``'s settings to the nginx file of ``oldsite`` and rename if needed.

    Rewrites the ``GENESIS`` comment and the ``listen``, ``server_name``,
    ``root`` and ``index`` keys of the first server block.  When the name
    changed, the web root and the nginx file are moved to the new name and
    the site is disabled/enabled under the old/new name.  nginx is reloaded
    at the end.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # final reload is assumed to run whether or not the name changed.
    available = '/etc/nginx/sites-available'
    webapps = '/srv/http/webapps'

    # Update the nginx serverblock
    old_conf = os.path.join(available, oldsite.name)
    c = nginx.loadf(old_conf)
    scheme = 'https://' if site.ssl else 'http://'
    c.filter('Comment')[0].comment = 'GENESIS %s %s' % (
        site.stype, (scheme+site.addr+':'+site.port))
    server = c.servers[0]
    if site.ssl:
        server.filter('Key', 'listen')[0].value = site.port+' ssl'
    else:
        server.filter('Key', 'listen')[0].value = site.port
    server.filter('Key', 'server_name')[0].value = site.addr
    server.filter('Key', 'root')[0].value = site.path
    if site.php:
        server.filter('Key', 'index')[0].value = 'index.php'
    else:
        server.filter('Key', 'index')[0].value = 'index.html'
    nginx.dumpf(c, old_conf)

    # If the name was changed, rename the folder and files
    if site.name != oldsite.name:
        new_root = os.path.join(webapps, site.name)
        # NOTE(review): an existing directory with the new name is deleted
        # without confirmation; renaming onto another site's name removes
        # that site's files.
        if os.path.exists(new_root):
            shutil.rmtree(new_root)
        shutil.move(os.path.join(webapps, oldsite.name), new_root)
        shutil.move(old_conf, os.path.join(available, site.name))
        self.nginx_disable(oldsite, reload=False)
        self.nginx_enable(site)
    self.nginx_reload()
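def post_install(self, name, path, vars, dbinfo={}):
    """Point the site at ``_site``, build it with Jekyll and fix permissions.

    Args:
        name: site name, used as the nginx site file name.
        path: site source directory; the build goes to ``<path>/_site``.
        vars: not used in this function.
        dbinfo: not used in this function (never mutated).

    Returns:
        A message for the user describing the next steps.

    Raises:
        Exception: when ``jekyll build`` exits non-zero.
    """
    try:
        from shlex import quote as _sh_quote
    except ImportError:  # Python 2
        from pipes import quote as _sh_quote

    # Make sure the webapps config points to the _site directory and generate it.
    site_dir = os.path.join(path, "_site")
    conf_path = os.path.join("/etc/nginx/sites-available", name)
    c = nginx.loadf(conf_path)
    for x in c.servers:
        roots = x.filter("Key", "root")
        if roots:
            roots[0].value = site_dir
    nginx.dumpf(c, conf_path)

    # The commands below go through a shell, so the path is quoted to keep a
    # directory name with spaces or metacharacters a single argument.
    quoted_path = _sh_quote(path)
    s = shell_cs("jekyll build --source " + quoted_path + " --destination " +
                 _sh_quote(site_dir), stderr=True)
    if s[0] != 0:
        raise Exception("Jekyll failed to build: %s" % str(s[1]))

    # find -exec hands the names to chmod directly, which avoids the word
    # splitting that $(find ...) applies to names containing whitespace.
    shell("find %s -type d -exec chmod 755 {} +" % quoted_path)
    shell("find %s -type f -exec chmod 644 {} +" % quoted_path)
    shell("chown -R http:http %s" % quoted_path)

    # Return an explicatory message.
    return (
        "Jekyll has been setup, with a sample site at " + path +
        '. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Configure button next to the site, then "Regenerate Site" to bring your changes live.'
    )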
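def post_install(self, vars, dbpasswd=""):
    """Point the site at ``_site``, build it with Jekyll and fix ownership and modes.

    Args:
        vars: not used in this function.
        dbpasswd: not used in this function.

    Returns:
        A message for the user describing the next steps.

    Raises:
        Exception: when ``jekyll build`` exits non-zero.
    """
    try:
        from shlex import quote as _sh_quote
    except ImportError:  # Python 2
        from pipes import quote as _sh_quote

    # Make sure the webapps config points to the _site directory and generate it.
    site_dir = os.path.join(self.path, '_site')
    conf_path = os.path.join('/etc/nginx/sites-available', self.id)
    c = nginx.loadf(conf_path)
    for x in c.servers:
        if x.filter('Key', 'root'):
            x.filter('Key', 'root')[0].value = site_dir
    nginx.dumpf(c, conf_path)

    # Quote both paths so a directory name with spaces or metacharacters is
    # passed to jekyll as one argument.
    s = shell('jekyll build --source '+_sh_quote(self.path)
              +' --destination '+_sh_quote(site_dir))
    if s["code"] != 0:
        raise Exception('Jekyll failed to build: %s'%str(s["stderr"]))

    # 0o755/0o644 are the same modes as before, in the octal form accepted
    # by both Python 2.6+ and Python 3.
    uid, gid = users.get_system("http").uid, groups.get_system("http").gid
    for r, d, f in os.walk(self.path):
        for x in d:
            os.chmod(os.path.join(r, x), 0o755)
            os.chown(os.path.join(r, x), uid, gid)
        for x in f:
            os.chmod(os.path.join(r, x), 0o644)
            os.chown(os.path.join(r, x), uid, gid)

    # Return an explicatory message.
    return 'Jekyll has been setup, with a sample site at '+self.path+'. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Edit button for the site, then "Regenerate Site" to bring your changes live.'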
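def post_install(self, name, path, vars):
    """Create the optional database, the document root and a placeholder index page.

    When a database type other than ``'None'`` is selected, the database,
    user and grant are created and the mysql extension line in php.ini is
    uncommented.  With the ``php`` form value set to ``'1'`` the site is
    served from a new ``htdocs`` directory and xcache is enabled at the end.

    Args:
        name: site name, used as the nginx site file name.
        path: site directory.
        vars: form values object exposing ``getvalue(key, default)``.
    """
    # NOTE(review): nesting reconstructed from a flattened listing; the
    # php.ini edit is assumed to belong to the database branch -- confirm.
    try:
        from shlex import quote as _sh_quote
    except ImportError:  # Python 2
        from pipes import quote as _sh_quote

    # Create a database if the user wants one
    if vars.getvalue('ws-dbsel', 'None') != 'None':
        dbtype = vars.getvalue('ws-dbsel', '')
        dbname = vars.getvalue('ws-dbname', '')
        passwd = vars.getvalue('ws-dbpass', '')  # form-supplied secret
        dbase = apis.databases(self.app).get_interface(dbtype)
        dbase.add(dbname)
        dbase.usermod(dbname, 'add', passwd)
        dbase.chperm(dbname, dbname, 'grant')
        shell('sed -i s/\;extension=mysql.so/extension=mysql.so/g /etc/php/php.ini')

    # Write a basic index file showing that we are here
    php = vars.getvalue('php', '0') == '1'
    if php:
        path = os.path.join(path, 'htdocs')
        os.mkdir(path)
        conf_path = os.path.join('/etc/nginx/sites-available', name)
        c = nginx.loadf(conf_path)
        c.servers[0].filter('Key', 'root')[0].value = path
        nginx.dumpf(c, conf_path)

    # The context manager closes the file even if the write fails.
    # NOTE(review): path is embedded in the page without HTML escaping.
    index_name = 'index.'+('php' if php else 'html')
    with open(os.path.join(path, index_name), 'w') as f:
        f.write(
            '<html>\n'
            '<body>\n'
            '<h1>Genesis - Custom Site</h1>\n'
            '<p>Your site is online and available at '+path+'</p>\n'
            '<p>Feel free to paste your site files here</p>\n'
            '</body>\n'
            '</html>\n'
        )

    # Give access to httpd.  The commands here rely on shell parsing, so the
    # path is quoted to stay a single argument.
    shell('chown -R http:http '+_sh_quote(path))

    # Enable xcache if PHP is set
    if php:
        shell('sed -i s/\;extension=xcache.so/extension=xcache.so/g /etc/php/conf.d/xcache.ini')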
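def ssl_disable(self, data):
    """Turn SSL off for a site and notify the site type's handler.

    The HTTP-to-HTTPS redirect server (a non-SSL server whose ``return``
    starts with ``301 https://``) is removed when present, the ``listen``
    key of the first server loses its ``ssl`` flag (``443 ssl`` becomes
    ``80``), every ``ssl_*`` key is removed, and the ``GENESIS`` comment is
    rewritten with an ``http://`` URL.

    Args:
        data: site object with ``name``, ``stype`` and ``addr``.
    """
    name, stype = data.name, data.stype
    conf_path = '/etc/nginx/sites-available/'+name
    c = nginx.loadf(conf_path)

    # A redirect server left in place would keep sending clients to an
    # HTTPS listener that no longer exists.
    if len(c.servers) > 1:
        for x in c.servers:
            listens = x.filter('Key', 'listen')
            returns = x.filter('Key', 'return')
            if listens and returns \
                    and 'ssl' not in listens[0].value \
                    and returns[0].value.startswith('301 https://'):
                c.remove(x)
                break

    server = c.servers[0]
    l = server.filter('Key', 'listen')[0]
    if l.value == '443 ssl':
        l.value = '80'
        port = '80'
    else:
        # split() drops the " ssl" flag as a substring; rstrip(' ssl')
        # strips a character set and can eat trailing 's'/'l' characters.
        l.value = l.value.split(' ssl')[0]
        port = l.value

    # Remove every ssl_* directive rather than four fixed ones, so session
    # settings do not linger and a missing directive does not raise.
    ssl_keys = [k for k in server.filter('Key') if k.name.startswith('ssl_')]
    if ssl_keys:
        server.remove(*ssl_keys)

    c.filter('Comment')[0].comment = 'GENESIS %s http://%s:%s' \
        % (stype, data.addr, port)
    nginx.dumpf(c, conf_path)
    apis.webapps(self.app).get_interface(stype).ssl_disable(
        os.path.join('/srv/http/webapps', name))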
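def generate_config(sitename):
    """Write ``<sitename with dots as underscores>.conf`` for a PHP site.

    The file holds a ``php`` upstream on a unix socket and one server block
    on port 80 rooted at ``/var/www/<sitename>/htdocs``, with locations for
    ``robots.txt`` and ``*.php``.

    Returns:
        Whatever ``nginx.dumpf`` returns.
    """
    # NOTE(review): sitename goes into both the root path and the output
    # file name; it is assumed to be a validated host name.
    c = nginx.Conf()
    u = nginx.Upstream('php',
        nginx.Key('server', 'unix://tmp/php-fcgi.socket')
    )
    c.add(u)

    s = nginx.Server()
    s.add(
        nginx.Key('listen', '80'),
        nginx.Key('root', '/var/www/%s/htdocs' % sitename),
        nginx.Key('index', 'index.php'),
        nginx.Location('= /robots.txt',
            nginx.Key('allow', 'all'),
            nginx.Key('log_not_found', 'off'),
            nginx.Key('access_log', 'off')
        ),
        nginx.Location('~ \.php$',
            nginx.Key('include', 'fastcgi.conf'),
            nginx.Key('fastcgi_intercept_errors', 'on'),
            nginx.Key('fastcgi_pass', 'php')
        )
    )
    c.add(s)

    # str.replace works on Python 2 and 3; the string-module function used
    # before exists only on Python 2.
    return nginx.dumpf(c, '%s.conf' % sitename.replace('.', '_'))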
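def ssl_enable(self, data, cpath, kpath):
    """Turn SSL on for a site and notify the site type's handler.

    A site listening on ``80`` is moved to ``443 ssl`` and gets a separate
    port-80 server that redirects to HTTPS; any other port keeps its value
    with `` ssl`` appended.  Existing ``ssl_*`` keys are replaced with the
    certificate paths, protocol list, ciphers and session settings, and the
    ``GENESIS`` comment is rewritten with an ``https://`` URL.

    Args:
        data: site object with ``name``, ``stype`` and ``addr``.
        cpath: certificate file path.
        kpath: private key file path.
    """
    # If no cipher preferences set, use the default ones
    # As per Mozilla recommendations, but substituting 3DES for RC4
    # NOTE(review): the 3DES suites are kept as a last-resort fallback;
    # consider dropping them once legacy clients are no longer needed.
    from genesis.plugins.certificates.backend import CertControl
    ciphers = ':'.join([
        'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES128-GCM-SHA256',
        'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-GCM-SHA384',
        'kEDH+AESGCM', 'ECDHE-RSA-AES128-SHA256',
        'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA',
        'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES256-SHA384',
        'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA',
        'ECDHE-ECDSA-AES256-SHA', 'DHE-RSA-AES128-SHA256',
        'DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA256',
        'DHE-DSS-AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA384',
        'ECDHE-RSA-DES-CBC3-SHA', 'ECDHE-ECDSA-DES-CBC3-SHA',
        'EDH-RSA-DES-CBC3-SHA', 'EDH-DSS-DES-CBC3-SHA',
        'DES-CBC3-SHA', 'HIGH', '!aNULL', '!eNULL', '!EXPORT', '!DES',
        '!RC4', '!MD5', '!PSK'
    ])
    cfg = self.app.get_config(CertControl(self.app))
    if hasattr(cfg, 'ciphers') and cfg.ciphers:
        ciphers = cfg.ciphers
    elif hasattr(cfg, 'ciphers'):
        # Persist the defaults so later runs read them from the config.
        cfg.ciphers = ciphers
        cfg.save()

    name, stype = data.name, data.stype
    port = '443'
    conf_path = '/etc/nginx/sites-available/'+name
    c = nginx.loadf(conf_path)
    s = c.servers[0]
    l = s.filter('Key', 'listen')[0]
    if l.value == '80':
        l.value = '443 ssl'
        port = '443'
        # Plain-HTTP requests are redirected to the HTTPS listener.
        c.add(nginx.Server(
            nginx.Key('listen', '80'),
            nginx.Key('server_name', data.addr),
            nginx.Key('return', '301 https://%s$request_uri'%data.addr)
        ))
        for x in c.servers:
            if x.filter('Key', 'listen')[0].value == '443 ssl':
                s = x
                break
    else:
        port = l.value.split(' ssl')[0]
        l.value = l.value.split(' ssl')[0] + ' ssl'

    # Iterate over a copy: removing from the list being walked skips the
    # entry after each removal, which left stale ssl_* keys behind.
    for x in list(s.all()):
        if isinstance(x, nginx.Key) and x.name.startswith('ssl_'):
            s.remove(x)

    s.add(
        nginx.Key('ssl_certificate', cpath),
        nginx.Key('ssl_certificate_key', kpath),
        # SSLv3 is no longer offered: the protocol is obsolete and broken.
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated as well and are
        # kept here only for older clients -- confirm they are still needed.
        nginx.Key('ssl_protocols', 'TLSv1 TLSv1.1 TLSv1.2'),
        nginx.Key('ssl_ciphers', ciphers),
        nginx.Key('ssl_session_timeout', '5m'),
        nginx.Key('ssl_prefer_server_ciphers', 'on'),
        nginx.Key('ssl_session_cache', 'shared:SSL:50m'),
    )
    c.filter('Comment')[0].comment = 'GENESIS %s https://%s:%s' \
        % (stype, data.addr, port)
    nginx.dumpf(c, conf_path)
    apis.webapps(self.app).get_interface(stype).ssl_enable(
        os.path.join('/srv/http/webapps', name), cpath, kpath)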