Пример #1
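    def ssl_disable(self):
        """Turn SSL off in this site's nginx serverblock and arkOS metadata.

        Loads ``/etc/nginx/sites-available/<self.id>``, drops the plain-HTTP
        redirect server when more than one server block is present, moves the
        first server's ``listen`` back to a non-SSL value, removes every
        ``ssl_*`` key, records ``ssl = None`` in the site's ``.arkos`` file
        and finally calls ``self.disable_ssl()``.
        """
        conf_path = os.path.join("/etc/nginx/sites-available/", self.id)
        block = nginx.loadf(conf_path)

        # If there's an 80-to-443 redirect block, get rid of it
        # NOTE(review): the second filter passes "key" in lower case while
        # every other call uses "Key" - confirm the library treats both alike.
        if len(block.servers) > 1:
            for x in block.servers:
                if ("ssl" not in x.filter("Key", "listen")[0].value
                        and x.filter("key", "return")):
                    block.remove(x)
                    break

        # Remove all SSL directives and save
        server = block.servers[0]
        listen = server.filter("Key", "listen")[0]
        if listen.value == "443 ssl":
            listen.value = "80"
        else:
            # str.rstrip(" ssl") strips a *set of characters*, so a value such
            # as "80 proxy_protocol" lost its trailing "l". Cut at the " ssl"
            # token instead.
            listen.value = listen.value.split(" ssl")[0]
        server.remove(*[x for x in server.filter("Key") if x.name.startswith("ssl_")])
        nginx.dumpf(block, conf_path)

        meta_path = os.path.join(self.path, ".arkos")
        meta = ConfigParser.SafeConfigParser()
        meta.read(meta_path)
        meta.set("website", "ssl", "None")
        with open(meta_path, "w") as f:
            meta.write(f)

        # Call the website type's SSL disable hook
        self.disable_ssl()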
Пример #2
    def _ssl_disable(self):
        """Strip SSL from this site's serverblock and mark it in ``.arkos``.

        Every ``listen`` key of ``block.server`` is rewritten to its non-SSL
        form, all ``ssl_*`` keys are removed, the file is written back, the
        metadata file gets ``ssl = None`` and ``self.disable_ssl()`` is
        called last.
        """
        conf_path = os.path.join("/etc/nginx/sites-available/", self.id)
        block = nginx.loadf(conf_path)

        # With several server blocks, the first non-SSL one that carries a
        # "return" key is taken to be the 80-to-443 redirect and is dropped.
        if len(block.servers) > 1:
            for candidate in block.servers:
                plain_http = \
                    "ssl" not in candidate.filter("Key", "listen")[0].value
                if plain_http and candidate.filter("key", "return"):
                    block.remove(candidate)
                    break

        # Rewrite each listen value, then remove the ssl_* keys and save.
        server = block.server
        for listen in server.filter("Key", "listen"):
            current = listen.value
            if current.startswith("443"):
                listen.value = "80"
            elif current.startswith("[::]:443"):
                listen.value = "[::]:80"
            else:
                listen.value = current.split(" ssl")[0]
        ssl_keys = [k for k in server.filter("Key")
                    if k.name.startswith("ssl_")]
        server.remove(*ssl_keys)
        nginx.dumpf(block, conf_path)

        meta_path = os.path.join(self.path, ".arkos")
        meta = configparser.SafeConfigParser()
        meta.read(meta_path)
        meta.set("website", "ssl", "None")
        with open(meta_path, "w") as f:
            meta.write(f)

        # Hand over to the website type's own SSL disable hook.
        self.disable_ssl()
Пример #3
 def ssl_disable(self):
     """Put ``self.addtoblock[0]`` back in place of each server's ``/`` location.

     The site file under ``/etc/nginx/sites-available`` is rewritten once
     for every server block that had a ``Location /``.
     """
     conf_path = '/etc/nginx/sites-available/%s' % self.name
     conf = nginx.loadf(conf_path)
     for server in conf.servers:
         root_locations = server.filter('Location', '/')
         if not root_locations:
             continue
         server.remove(root_locations[0])
         server.add(self.addtoblock[0])
         nginx.dumpf(conf, conf_path)
Пример #4
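    def post_install(self, extra_vars, dbpasswd=""):
        """Point the serverblock at ``_site``, build the site and fix ownership.

        :param extra_vars: not used by this method
        :param dbpasswd: not used by this method
        :returns: message describing how to use the new Jekyll site
        :raises errors.OperationFailedError: if ``jekyll build`` exits non-zero
        """
        try:
            from shlex import quote
        except ImportError:  # Python 2 keeps it in pipes
            from pipes import quote

        site_out = os.path.join(self.path, '_site')
        conf_path = os.path.join('/etc/nginx/sites-available', self.id)

        # Make sure the webapps config points to
        # the _site directory and generate it.
        c = nginx.loadf(conf_path)
        for x in c.servers:
            if x.filter('Key', 'root'):
                x.filter('Key', 'root')[0].value = site_out
        nginx.dumpf(c, conf_path)

        # The paths are interpolated into a command string, so quote them:
        # a site path containing spaces or shell metacharacters must reach
        # jekyll as a single argument and nothing else.
        s = shell('jekyll build --source {0} --destination {1}'.format(
            quote(self.path), quote(site_out)))
        if s["code"] != 0:
            raise errors.OperationFailedError(
                'Jekyll failed to build: {0}'.format(str(s["stderr"])))

        # NOTE(review): os.chmod/os.chown follow symlinks. If the site tree
        # can contain links that point outside self.path, their targets are
        # re-owned too - consider skipping os.path.islink() entries.
        uid, gid = users.get_system("http").uid, groups.get_system("http").gid
        for r, d, f in os.walk(self.path):
            for x in d:
                os.chmod(os.path.join(r, x), 0o755)
                os.chown(os.path.join(r, x), uid, gid)
            for x in f:
                os.chmod(os.path.join(r, x), 0o644)
                os.chown(os.path.join(r, x), uid, gid)

        # Return an explicatory message.
        return ('Jekyll has been setup, with a sample site at {0}. '
                'Modify these files as you like. To learn how to use Jekyll, '
                'visit http://jekyllrb.com/docs/usage. After making changes, '
                'click the site icon to edit, then "Regenerate Site" '
                'to bring your changes live.').format(self.path)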
Пример #5
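	def ssl_disable(self, data):
		"""Turn SSL off for the site described by ``data``.

		Rewrites ``/etc/nginx/sites-available/<data.name>``: drops the
		plain-HTTP redirect server if there is more than one server block,
		resets the first server's ``listen`` value, removes all ``ssl_*``
		keys, clears ``ssl`` in the site's ``.ginf`` file and calls the
		``ssl_disable`` hook of the ``data.stype`` web app interface.
		"""
		name, stype = data.name, data.stype
		conf_path = '/etc/nginx/sites-available/'+name
		c = nginx.loadf(conf_path)
		if len(c.servers) > 1:
			for x in c.servers:
				if ('ssl' not in x.filter('Key', 'listen')[0].value
						and x.filter('key', 'return')):
					c.remove(x)
					break
		s = c.servers[0]
		l = s.filter('Key', 'listen')[0]
		if l.value == '443 ssl':
			l.value = '80'
		else:
			# str.rstrip(' ssl') strips a character set, not the suffix, and
			# mangled values such as '80 proxy_protocol'; cut at the token.
			l.value = l.value.split(' ssl')[0]
		s.remove(*[x for x in s.filter('Key') if x.name.startswith('ssl_')])
		ginf_path = os.path.join('/etc/nginx/sites-available', '.'+name+'.ginf')
		g = ConfigParser.SafeConfigParser()
		g.read(ginf_path)
		g.set('website', 'ssl', '')
		# Close the metadata file deterministically instead of leaking the handle.
		with open(ginf_path, 'w') as f:
			g.write(f)
		nginx.dumpf(c, conf_path)
		apis.webapps(self.app).get_interface(stype).ssl_disable(
			os.path.join('/srv/http/webapps', name))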
Пример #6
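def upstream_submit():
    """Replace (or create) an ``upstream`` block from the submitted form.

    Reads ``upstream_value``, ``upstream_name`` and ``path_file_name`` from
    ``request.POST``. Any existing upstream with that name is removed, a new
    one is built from the first two space-separated tokens of every line of
    ``upstream_value``, and the configuration file is written back.

    Returns the raw ``upstream_value`` string.
    """
    upstream_value = request.POST.get('upstream_value', '')
    upstream_name = request.POST.get('upstream_name', '')
    # NOTE(review): path_file_name comes straight from the request and is
    # both parsed and overwritten below. Resolve it against the directory
    # that holds the managed nginx files and reject anything outside it
    # before this handler is reachable by untrusted clients.
    path_file_name = request.POST.get("path_file_name", "")
    c = nginx.loadf(path_file_name)

    # Both the "exists" and the "new" case build the same block; the only
    # difference is that an existing upstream is removed first.
    search_upstream = c.filter(btype="Upstream", name=upstream_name)
    if len(search_upstream):
        c.remove(search_upstream[0])

    # NOTE(review): name and values are written into the config verbatim;
    # consider rejecting ';', '{' and '}' so a value stays one directive.
    new_u = nginx.Upstream(upstream_name, )
    for line in upstream_value.split("\n"):
        # Form posts use CRLF line ends; keep the "\r" out of the value.
        parts = line.rstrip("\r").split(" ")
        if len(parts) >= 2:
            new_u.add(nginx.Key(parts[0], parts[1]))
    c.add(new_u)
    nginx.dumpf(c, path_file_name)

    return upstream_value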
Пример #7
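	def ssl_disable(self, data):
		"""Turn SSL off for the site described by ``data``.

		Rewrites ``/etc/nginx/sites-available/<data.name>``: drops the
		plain-HTTP redirect server if there is more than one server block,
		resets the first server's ``listen`` value, removes all ``ssl_*``
		keys, updates the ``GENESIS`` comment to an ``http://`` address and
		calls the ``ssl_disable`` hook of the ``data.stype`` interface.
		"""
		name, stype = data.name, data.stype
		conf_path = '/etc/nginx/sites-available/'+name
		c = nginx.loadf(conf_path)
		if len(c.servers) > 1:
			for x in c.servers:
				if ('ssl' not in x.filter('Key', 'listen')[0].value
						and x.filter('key', 'return')):
					c.remove(x)
					break
		s = c.servers[0]
		l = s.filter('Key', 'listen')[0]
		if l.value == '443 ssl':
			l.value = '80'
		else:
			# str.rstrip(' ssl') strips a character set, not the suffix, and
			# mangled values such as '80 proxy_protocol'; cut at the token.
			l.value = l.value.split(' ssl')[0]
		# The comment below advertises whatever listen now holds.
		port = l.value
		s.remove(*[x for x in s.filter('Key') if x.name.startswith('ssl_')])
		c.filter('Comment')[0].comment = 'GENESIS %s http://%s:%s' \
			% (stype, data.addr, port)
		nginx.dumpf(c, conf_path)
		apis.webapps(self.app).get_interface(stype).ssl_disable(
			os.path.join('/srv/http/webapps', name))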
Пример #8
 def disable_ssl(self):
     """Swap each server's ``Location /`` for ``self.addtoblock[0]``.

     Works on ``/etc/nginx/sites-available/<self.id>`` and saves the file
     after every server block that was changed.
     """
     site_file = '/etc/nginx/sites-available/%s' % self.id
     parsed = nginx.loadf(site_file)
     for srv in parsed.servers:
         existing = srv.filter('Location', '/')
         if existing:
             srv.remove(existing[0])
             srv.add(self.addtoblock[0])
             nginx.dumpf(parsed, site_file)
Пример #9
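 def ssl_enable(self, data, cpath, kpath):
     """Enable SSL on the first server block of the site described by ``data``.

     ``cpath`` and ``kpath`` are written as ``ssl_certificate`` and
     ``ssl_certificate_key``. The ``listen`` value gains `` ssl`` (port 80
     becomes 443), earlier certificate/protocol/cipher keys are replaced,
     the ``GENESIS`` comment is updated, the file is saved and the
     ``ssl_enable`` hook of the ``data.stype`` interface is called.
     """
     name, stype = data.name, data.stype
     conf_path = '/etc/nginx/sites-available/' + name
     c = nginx.loadf(conf_path)
     server = c.servers[0]
     l = server.filter('Key', 'listen')[0]
     if l.value == '80':
         l.value = '443 ssl'
         port = '443'
     else:
         port = l.value.split(' ssl')[0]
         l.value = port + ' ssl'

     # Drop earlier values of the four directives that are written below.
     for key_name in ('ssl_certificate', 'ssl_certificate_key',
                      'ssl_protocols', 'ssl_ciphers'):
         stale = server.filter('Key', key_name)
         if stale:
             server.remove(*stale)

     server.add(
         nginx.Key('ssl_certificate', cpath),
         nginx.Key('ssl_certificate_key', kpath),
         # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated
         # (RFC 8996), so they are no longer offered. Append TLSv1.3 where
         # the installed nginx and OpenSSL support it.
         nginx.Key('ssl_protocols', 'TLSv1.2'),
         nginx.Key('ssl_ciphers', 'HIGH:!aNULL:!MD5'))
     c.filter('Comment')[0].comment = 'GENESIS %s https://%s:%s' \
         % (stype, data.addr, port)
     nginx.dumpf(c, conf_path)
     apis.webapps(self.app).get_interface(stype).ssl_enable(
         os.path.join('/srv/http/webapps', name), cpath, kpath)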
Пример #10
 def nginx_edit(self, oldsite, site):
     """Write ``site``'s settings into ``oldsite``'s serverblock, renaming if needed.

     Updates the ``GENESIS`` comment and the ``listen``, ``server_name``,
     ``root`` and ``index`` keys of the first server block. When the name
     changed, the web app folder and the config file are moved to the new
     name and the site is disabled/enabled again. nginx is reloaded last.
     """
     available = '/etc/nginx/sites-available'
     webapps = '/srv/http/webapps'
     old_conf = os.path.join(available, oldsite.name)

     # Update the nginx serverblock
     c = nginx.loadf(old_conf)
     scheme = 'https://' if site.ssl else 'http://'
     c.filter('Comment')[0].comment = 'GENESIS %s %s' % (
         site.stype, scheme + site.addr + ':' + site.port)

     if site.ssl:
         listen_value = site.port + ' ssl'
     else:
         listen_value = site.port
     c.servers[0].filter('Key', 'listen')[0].value = listen_value
     c.servers[0].filter('Key', 'server_name')[0].value = site.addr
     c.servers[0].filter('Key', 'root')[0].value = site.path
     if site.php:
         index_value = 'index.php'
     else:
         index_value = 'index.html'
     c.servers[0].filter('Key', 'index')[0].value = index_value
     nginx.dumpf(c, old_conf)

     # If the name was changed, rename the folder and files
     if site.name != oldsite.name:
         new_dir = os.path.join(webapps, site.name)
         # NOTE(review): an existing folder under the new name is deleted
         # outright; site.name should be validated as a plain name first.
         if os.path.exists(new_dir):
             shutil.rmtree(new_dir)
         shutil.move(os.path.join(webapps, oldsite.name), new_dir)
         shutil.move(old_conf, os.path.join(available, site.name))
         self.nginx_disable(oldsite, reload=False)
         self.nginx_enable(site)
     self.nginx_reload()
Пример #11
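    def post_install(self, name, path, vars, dbinfo={}):
        """Create the placeholder index page for a new custom site.

        When ``vars`` has ``php`` set to ``'1'`` the site root becomes
        ``<path>/htdocs`` (created here and written to every ``root`` key of
        the site's serverblock) and the ``xcache`` PHP module is enabled,
        plus ``mysql`` when ``dbinfo['engine']`` is ``'MariaDB'``. Finally
        the tree is handed to ``http:http``.
        """
        try:
            from shlex import quote
        except ImportError:  # Python 2 keeps it in pipes
            from pipes import quote

        php = vars.getvalue('php', '0') == '1'
        if php:
            path = os.path.join(path, 'htdocs')
            os.mkdir(path)
            conf_path = os.path.join('/etc/nginx/sites-available', name)
            c = nginx.loadf(conf_path)
            for x in c.servers:
                if x.filter('Key', 'root'):
                    x.filter('Key', 'root')[0].value = path
            nginx.dumpf(c, conf_path)

            phpctl = apis.langassist(self.app).get_interface('PHP')
            phpctl.enable_mod('xcache')
            if dbinfo and dbinfo['engine'] == 'MariaDB':
                phpctl.enable_mod('mysql')

        # Write a basic index file showing that we are here
        # NOTE(review): path is placed into the page without HTML escaping.
        index_name = 'index.' + ('php' if php else 'html')
        with open(os.path.join(path, index_name), 'w') as f:
            f.write('<html>\n'
                    '<body>\n'
                    '<h1>Genesis - Custom Site</h1>\n'
                    '<p>Your site is online and available at ' + path + '</p>\n'
                    '<p>Feel free to paste your site files here</p>\n'
                    '</body>\n'
                    '</html>\n')

        # Give access to httpd. The path is quoted because it is spliced
        # into a command string; unquoted, a site path with spaces or shell
        # metacharacters would change what gets executed.
        shell('chown -R http:http ' + quote(path))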
Пример #12
    def edit(self, newname=""):
        """Write this site's current settings to its serverblock, renaming it if asked.

        With a ``newname`` that differs from ``self.id`` the site directory is
        moved, the old nginx file is unlinked, ``self.id`` is updated and the
        ``.arkos`` metadata file is rewritten. In every case the ``listen``,
        ``server_name``, ``root`` and ``index`` keys are updated, the file is
        saved, the ``site_loaded`` signal is emitted and nginx is reloaded.
        """
        site_dir = config.get("websites", "site_dir")
        block = nginx.loadf(os.path.join("/etc/nginx/sites-available", self.id))

        # If SSL is enabled and the port is changing to 443, create the port 80 redirect
        server = block.servers[0]
        if self.cert and self.port == 443:
            # Edit the server block that listens on "443 ssl", not the redirect.
            for x in block.servers:
                if x.filter("Key", "listen")[0].value == "443 ssl":
                    server = x
            # NOTE(review): unreachable as written - this sits inside the
            # `self.port == 443` branch, so the redirect is never removed here.
            if self.port != 443:
                for x in block.servers:
                    # NOTE(review): "key" is lower case here, "Key" elsewhere.
                    if not "ssl" in x.filter("Key", "listen")[0].value \
                    and x.filter("key", "return"):
                        block.remove(x)
        elif self.port == 443:
            # Reached when the port is 443 but self.cert is falsy.
            block.add(nginx.Server(
                nginx.Key("listen", "80"),
                nginx.Key("server_name", self.addr),
                nginx.Key("return", "301 https://%s$request_uri"%self.addr)
            ))

        # If the name was changed...
        if newname and self.id != newname:
            # rename the folder and files...
            # NOTE(review): newname is joined into site_dir unchecked and an
            # existing directory at the result is deleted below; it should be
            # validated as a single path component before this point.
            if self.path.endswith("_site"):
                self.path = os.path.join(site_dir, newname, "_site")
            elif self.path.endswith("htdocs"):
                self.path = os.path.join(site_dir, newname, "htdocs")
            else:
                self.path = os.path.join(site_dir, newname)
            self.path = self.path.encode("utf-8")
            if os.path.exists(self.path):
                shutil.rmtree(self.path)
            self.nginx_disable(reload=False)
            shutil.move(os.path.join(site_dir, self.id), self.path)
            os.unlink(os.path.join("/etc/nginx/sites-available", self.id))
            signals.emit("websites", "site_removed", self)
            self.id = newname

            # then update the site's arkOS metadata file with the new name
            meta = ConfigParser.SafeConfigParser()
            meta.read(os.path.join(self.path, ".arkos"))
            meta.set("website", "id", self.id)
            with open(os.path.join(self.path, ".arkos"), "w") as f:
                meta.write(f)
            self.nginx_enable(reload=False)

        # Pass any necessary updates to the nginx serverblock and save
        server.filter("Key", "listen")[0].value = str(self.port)+" ssl" if self.cert else str(self.port)
        server.filter("Key", "server_name")[0].value = self.addr
        server.filter("Key", "root")[0].value = self.path
        server.filter("Key", "index")[0].value = "index.php" if hasattr(self, "php") and self.php else "index.html"
        # self.id already holds the new name here, so the block is saved under it.
        nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id))

        # Call the site's edited hook, if it has one, then reload nginx
        signals.emit("websites", "site_loaded", self)
        if hasattr(self, "site_edited"):
            self.site_edited()
        nginx_reload()
Пример #13
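	def ssl_enable(self, data, cpath, kpath):
		"""Enable SSL on the first server block of the site described by ``data``.

		``cpath`` and ``kpath`` are written as ``ssl_certificate`` and
		``ssl_certificate_key``. The ``listen`` value gains `` ssl`` (port 80
		becomes 443), earlier certificate/protocol/cipher keys are replaced,
		the ``GENESIS`` comment is updated, the file is saved, the
		``ssl_enable`` hook of the ``data.stype`` interface is called and
		nginx is reloaded.
		"""
		name, stype = data.name, data.stype
		conf_path = '/etc/nginx/sites-available/'+name
		c = nginx.loadf(conf_path)
		server = c.servers[0]
		l = server.filter('Key', 'listen')[0]
		if l.value == '80':
			l.value = '443 ssl'
			port = '443'
		else:
			port = l.value.split(' ssl')[0]
			l.value = port + ' ssl'

		# Drop earlier values of the four directives written below. The
		# filter result is a list and must be unpacked: remove() is called
		# with individual children everywhere else on this page.
		for key_name in ('ssl_certificate', 'ssl_certificate_key',
				'ssl_protocols', 'ssl_ciphers'):
			stale = server.filter('Key', key_name)
			if stale:
				server.remove(*stale)

		server.add(
			nginx.Key('ssl_certificate', cpath),
			nginx.Key('ssl_certificate_key', kpath),
			# SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated
			# (RFC 8996), so they are no longer offered. Append TLSv1.3
			# where the installed nginx and OpenSSL support it.
			nginx.Key('ssl_protocols', 'TLSv1.2'),
			nginx.Key('ssl_ciphers', 'HIGH:!aNULL:!MD5')
			)
		c.filter('Comment')[0].comment = 'GENESIS %s https://%s:%s' \
			% (stype, data.addr, port)
		nginx.dumpf(c, conf_path)
		apis.webapps(self.app).get_interface(stype).ssl_enable(
			os.path.join('/srv/http/webapps', name), cpath, kpath)
		self.nginx_reload()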
Пример #14
def create_acme_dummy(domain):
    """
    Set up a placeholder site that only serves ACME challenge files.

    Used when the domain has no website of its own yet: an ``acme-<domain>``
    serverblock listening on port 80 is written and enabled, the challenge
    directory is created and given to the ``http`` user, the port is
    registered with ``tracked_services`` and nginx is reloaded.

    :param str domain: Domain name to use
    :returns: Path to directory for challenge data
    """
    # NOTE(review): domain becomes part of several file paths and of the
    # server_name directive; callers should pass a validated hostname only.
    site_name = "acme-" + domain
    site_dir = os.path.join(config.get("websites", "site_dir"), site_name)
    challenge_dir = os.path.join(site_dir, ".well-known/acme-challenge")

    server = nginx.Server(
        nginx.Key("listen", "80"),
        nginx.Key("listen", "[::]:80"),
        nginx.Key("server_name", domain),
        nginx.Key("root", site_dir),
        nginx.Location("/.well-known/acme-challenge/",
                       nginx.Key("root", site_dir)))
    conf = nginx.Conf(server)

    origin = os.path.join("/etc/nginx/sites-available", site_name)
    target = os.path.join("/etc/nginx/sites-enabled", site_name)
    uid = users.get_system("http").uid

    nginx.dumpf(conf, origin)
    if not os.path.exists(target):
        os.symlink(origin, target)
    if not os.path.exists(challenge_dir):
        os.makedirs(challenge_dir)

    # Hand each level of the challenge path to the http user (group kept).
    for owned in (site_dir,
                  os.path.join(site_dir, ".well-known"),
                  challenge_dir):
        os.chown(owned, uid, -1)

    tracked_services.register("acme", domain, domain + "(ACME Validation)",
                              "globe", [('tcp', 80)], 2)
    nginx_reload()
    return challenge_dir
Пример #15
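def write_vhost(appinfo):
	"""Write ``<vhostdir>/<name>-ssl.conf`` with an HTTPS server block.

	``appinfo`` is read with ``.get()`` for ``valid_domains``, ``cert_path``,
	``key_path``, ``name`` and ``vhostdir``.
	"""
	import nginx
	c = nginx.Conf()
	s = nginx.Server()
	s.add(
		nginx.Comment('SSL conf added by freessl (https://github.com/alihusnainarshad)'),
		nginx.Key('listen', '443 ssl http2'),
		nginx.Key('listen', '[::]:443 ssl http2'),
		nginx.Key('server_name', ' '.join(appinfo.get('valid_domains'))),
		nginx.Key('brotli', 'on'),
		nginx.Key('brotli_static', 'off'),
		nginx.Key('brotli_min_length', '100'),
		nginx.Key('brotli_buffers', '16 8k'),
		nginx.Key('brotli_comp_level', '5'),
		nginx.Key('brotli_types', '*'),
		# NOTE(review): "ssl on" duplicates the ssl flag on the listen
		# lines; confirm the target nginx build still accepts it.
		nginx.Key('ssl', 'on'),
		nginx.Key('ssl_certificate', appinfo.get('cert_path')),
		nginx.Key('ssl_certificate_key', appinfo.get('key_path')),
		nginx.Key('ssl_prefer_server_ciphers', 'on'),
		nginx.Key('ssl_session_timeout', '5m'),
		# TLS 1.1 is deprecated (RFC 8996) and no longer offered. Append
		# TLSv1.3 where the installed nginx and OpenSSL support it.
		nginx.Key('ssl_protocols', 'TLSv1.2'),
		nginx.Key('ssl_stapling', 'on'),
		nginx.Key('ssl_stapling_verify', 'on'),
		nginx.Key('resolver', '8.8.8.8 8.8.4.4 valid=86400s'),
		nginx.Key('resolver_timeout', '5s'),
		# NOTE(review): the list still ends in CBC and non-forward-secret
		# RSA suites; review it against current guidance.
		nginx.Key('ssl_ciphers', '"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"'),
		nginx.Key('ssl_ecdh_curve', 'secp384r1'),
		nginx.Key('ssl_session_cache', 'shared:SSL:10m'),
		nginx.Key('ssl_session_tickets', 'off'),
		nginx.Key('ssl_dhparam', '/etc/nginx-rc/dhparam.pem'),
		nginx.Key('include', '/etc/nginx-rc/conf.d/{}.d/main.conf'.format(appinfo.get('name')))
	)
	c.add(s)
	nginx.dumpf(c, '{}/{}-ssl.conf'.format(appinfo.get('vhostdir'), appinfo.get('name')))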
Пример #16
    def GenerateNginxInstance(self):
        """Create the output folder for this nginx server and write its config.

        The nginx template folder is copied to ``<outputPath>/<name>`` (an
        existing folder there is removed first), the services that use this
        server are looked up, the resulting Docker options are registered
        under the server name and ``nginx.conf`` is written into the folder.
        """
        server_name = self.server_options['name']
        template_dir = os.path.join(
            self.project_templates_paths, 'servers', 'nginx')
        target_dir = os.path.normpath(
            os.path.join(self.outputPath, server_name))
        conf_file = os.path.join(target_dir, 'nginx.conf')

        # Start from a fresh copy of the template folder.
        if os.path.isdir(target_dir):
            shutil.rmtree(target_dir, ignore_errors=True)
        shutil.copytree(template_dir, target_dir)

        apis_on_nginx = self.FindApiServicesUsesNginx(server_name)
        clients_on_nginx = self.FindClientsUsesNginx(server_name)
        identity_on_nginx = self.FindIdentityServicesUsesNginx(server_name)

        users_of_nginx = (apis_on_nginx, clients_on_nginx, identity_on_nginx)
        built_config = self.BuildNginxConfiguration(
            self.server_options, *users_of_nginx)
        docker_options = self.BuildNginxDockerOptions(*users_of_nginx)

        Docker.getInstance().AddService(server_name, docker_options)
        nginx.dumpf(built_config, conf_file)
Пример #17
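    def post_install(self, name, path, vars, dbinfo={}):
        """Create the placeholder index page for a new custom site.

        When ``vars`` has ``php`` set to ``'1'`` the site root becomes
        ``<path>/htdocs`` (created here and written to every ``root`` key of
        the site's serverblock) and the ``xcache`` PHP module is enabled,
        plus ``mysql`` when ``dbinfo['engine']`` is ``'MariaDB'``. Finally
        the tree is handed to ``http:http``.
        """
        try:
            from shlex import quote
        except ImportError:  # Python 2 keeps it in pipes
            from pipes import quote

        php = vars.getvalue('php', '0') == '1'
        if php:
            path = os.path.join(path, 'htdocs')
            os.mkdir(path)
            conf_path = os.path.join('/etc/nginx/sites-available', name)
            c = nginx.loadf(conf_path)
            for x in c.servers:
                if x.filter('Key', 'root'):
                    x.filter('Key', 'root')[0].value = path
            nginx.dumpf(c, conf_path)

            phpctl = apis.langassist(self.app).get_interface('PHP')
            phpctl.enable_mod('xcache')
            if dbinfo and dbinfo['engine'] == 'MariaDB':
                phpctl.enable_mod('mysql')

        # Write a basic index file showing that we are here
        # NOTE(review): path is placed into the page without HTML escaping.
        index_name = 'index.'+('php' if php else 'html')
        with open(os.path.join(path, index_name), 'w') as f:
            f.write(
                '<html>\n'
                '<body>\n'
                '<h1>Genesis - Custom Site</h1>\n'
                '<p>Your site is online and available at '+path+'</p>\n'
                '<p>Feel free to paste your site files here</p>\n'
                '</body>\n'
                '</html>\n'
                )

        # Give access to httpd. The path is quoted because it is spliced
        # into a command string; unquoted, a site path with spaces or shell
        # metacharacters would change what gets executed.
        shell('chown -R http:http '+quote(path))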
Пример #18
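	def nginx_add(self, site, add):
		"""Create the serverblock and the ``.ginf`` metadata file for ``site``.

		``site.path`` defaults to ``/srv/http/webapps/<site.name>`` when
		empty. ``add`` is an optional iterable of extra nginx objects that
		are appended to the server block.
		"""
		if site.path == '':
			site.path = os.path.join('/srv/http/webapps/', site.name)
		c = nginx.Conf()
		s = nginx.Server(
			nginx.Key('listen', site.port),
			nginx.Key('server_name', site.addr),
			nginx.Key('root', site.path),
			nginx.Key('index', 'index.'+('php' if site.php else 'html'))
		)
		if add:
			s.add(*add)
		c.add(s)
		nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', site.name))

		# Write configuration file with info Genesis needs to know the site.
		# The parser is filled before the file is opened, so a failing set()
		# neither truncates an existing file nor leaks the handle.
		meta = ConfigParser.SafeConfigParser()
		meta.add_section('website')
		meta.set('website', 'name', site.name)
		meta.set('website', 'stype', site.stype)
		meta.set('website', 'ssl', '')
		meta.set('website', 'version', site.version if site.version else 'None')
		meta.set('website', 'dbengine', site.dbengine if site.dbengine else '')
		meta.set('website', 'dbname', site.dbname if site.dbname else '')
		meta.set('website', 'dbuser', site.dbuser if site.dbuser else '')
		ginf_path = os.path.join('/etc/nginx/sites-available', '.'+site.name+'.ginf')
		with open(ginf_path, 'w') as f:
			meta.write(f)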
Пример #19
	def nginx_edit(self, oldsite, site):
		"""Write ``site``'s settings into ``oldsite``'s serverblock, renaming if needed.

		Handles the port-80 redirect server when the site moves to or away
		from port 443, updates ``listen``, ``server_name``, ``root`` and
		``index``, saves the file and, when the name changed, moves the web
		app folder and config file to the new name. nginx is reloaded last.
		"""
		# Update the nginx serverblock
		c = nginx.loadf(os.path.join('/etc/nginx/sites-available', oldsite.name))
		s = c.servers[0]
		if oldsite.ssl and oldsite.port == '443':
			# Edit the server block that listens on '443 ssl', not the redirect.
			for x in c.servers:
				if x.filter('Key', 'listen')[0].value == '443 ssl':
					s = x
			# Leaving port 443: remove the non-SSL server that has a return key.
			if site.port != '443':
				for x in c.servers:
					# NOTE(review): 'key' is lower case here, 'Key' elsewhere.
					if not 'ssl' in x.filter('Key', 'listen')[0].value \
					and x.filter('key', 'return'):
						c.remove(x)
		elif site.port == '443':
			# Moving to port 443: add a port-80 server that redirects to https.
			c.add(nginx.Server(
				nginx.Key('listen', '80'),
				nginx.Key('server_name', site.addr),
				nginx.Key('return', '301 https://%s$request_uri'%site.addr)
			))
		s.filter('Key', 'listen')[0].value = site.port+' ssl' if site.ssl else site.port
		s.filter('Key', 'server_name')[0].value = site.addr
		s.filter('Key', 'root')[0].value = site.path
		s.filter('Key', 'index')[0].value = 'index.php' if site.php else 'index.html'
		nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', oldsite.name))
		# If the name was changed, rename the folder and files
		if site.name != oldsite.name:
			# NOTE(review): an existing folder under the new name is deleted
			# outright; site.name should be validated as a plain name first.
			if os.path.exists(os.path.join('/srv/http/webapps', site.name)):
				shutil.rmtree(os.path.join('/srv/http/webapps', site.name))
			shutil.move(os.path.join('/srv/http/webapps', oldsite.name), 
				os.path.join('/srv/http/webapps', site.name))
			shutil.move(os.path.join('/etc/nginx/sites-available', oldsite.name),
				os.path.join('/etc/nginx/sites-available', site.name))
			self.nginx_disable(oldsite, reload=False)
			self.nginx_enable(site)
		self.nginx_reload()
Пример #20
def reconfigure(bind, link, config, gunicorn, nginx, logrotate, supervisor):
    """Regenerate the service configuration files selected by the flags.

    ``gunicorn``, ``supervisor``, ``logrotate`` and ``nginx`` each switch one
    section on. ``bind == 'port'`` makes gunicorn listen on 127.0.0.1:8000
    instead of the unix socket, ``link`` symlinks the supervisor file into
    ``/etc/supervisor/conf.d`` and ``config`` is the path the nginx
    configuration is written to.
    """
    templates = BASE_DIR + '/cli/configs'

    if gunicorn:
        gunicorn_conf = BASE_DIR + '/gunicorn.conf.py'
        shutil.copy(templates + '/gunicorn.default.conf.py', gunicorn_conf)

        if bind == 'port':
            # Rewrite the copied file in place with the TCP bind address.
            with open(gunicorn_conf, 'r+') as fh:
                patched = fh.read().replace(
                    "bind = 'unix:/var/run/hawthorne.sock'",
                    "bind = '127.0.0.1:8000'")
                fh.seek(0)
                fh.truncate()
                fh.write(patched)

    if supervisor:
        supervisor_conf = BASE_DIR + '/supervisor.conf'
        parser = ConfigParser()
        parser.read(templates + '/supervisor.default.conf')

        # Every section that has a directory option is pointed at BASE_DIR.
        for name in parser.sections():
            if 'directory' in parser[name]:
                parser[name]['directory'] = BASE_DIR

        with open(supervisor_conf, 'w') as fh:
            parser.write(fh)

        if link:
            try:
                os.symlink(supervisor_conf,
                           '/etc/supervisor/conf.d/hawthorne.conf')
            except Exception as e:
                click.echo('Symlink to supervisor failed. ({})'.format(e))

        for action in (['reread'], ['update'], ['restart', 'hawthorne:*']):
            run(['supervisorctl'] + action, stdout=PIPE, stderr=PIPE)

    if logrotate:
        try:
            os.symlink(templates + '/logrotate.default',
                       '/etc/logrotate.d/hawthorne')
        except Exception as e:
            click.echo('Symlink to logrotate failed. ({})'.format(e))

    if nginx:
        from panel.settings import ALLOWED_HOSTS
        # From here on the name ``nginx`` is the module, not the flag.
        import nginx

        c = nginx.loadf(templates + '/nginx.example.conf')
        host_names = ' '.join(ALLOWED_HOSTS)
        c.server.filter('Key', 'server_name')[0].value = host_names
        nginx.dumpf(c, config)

        run(['nginx', '-s', 'reload'], stdout=PIPE, stderr=PIPE)
Пример #21
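    def install(self, extra_vars={}, enable=True, message=None):
        """Create the serverblock and metadata for a reverse-proxy site.

        ``extra_vars`` may carry ``type`` (``fastcgi``, ``uwsgi`` or anything
        else for a plain proxy), ``pass`` (the upstream location), ``lregex``
        (location, default ``/``), ``xrip`` and ``xff``. Raises ``Exception``
        when ``extra_vars`` is given without ``type`` or ``pass``.

        NOTE(review): ``enable`` and ``message`` are not read in this method;
        the site is always enabled at the end.
        """
        # Set metadata values
        site_dir = config.get("websites", "site_dir")
        self.path = self.path.encode("utf-8") or os.path.join(site_dir, self.id).encode("utf-8")

        try:
            os.makedirs(self.path)
        except OSError:
            # An existing directory is fine. Anything else (permissions, a
            # file in the way) would only resurface when .arkos is written,
            # after the nginx file has already been created - fail now.
            if not os.path.isdir(self.path):
                raise

        # If extra data is passed in, set up the serverblock accordingly
        # NOTE(review): "lregex" and "pass" are written into the config
        # verbatim; validate them before accepting them from a client.
        if extra_vars:
            proxy_type = extra_vars.get("type")
            if not proxy_type or not extra_vars.get("pass"):
                raise Exception("Must enter ReverseProxy type and location to pass to")
            elif proxy_type in ["fastcgi", "uwsgi"]:
                self.block = [nginx.Location(
                    extra_vars.get("lregex", "/"),
                    nginx.Key("%s_pass" % proxy_type,
                              "%s" % extra_vars.get("pass")),
                    nginx.Key("include", "%s_params" % proxy_type)
                )]
            else:
                self.block = [nginx.Location(
                    extra_vars.get("lregex", "/"),
                    nginx.Key("proxy_pass", "%s" % extra_vars.get("pass")),
                    nginx.Key("proxy_redirect", "off"),
                    nginx.Key("proxy_buffering", "off"),
                    nginx.Key("proxy_set_header", "Host $host")
                )]
            if extra_vars.get("xrip"):
                self.block[0].add(nginx.Key("proxy_set_header", "X-Real-IP $remote_addr"))
            if extra_vars.get("xff") == "1":
                self.block[0].add(nginx.Key("proxy_set_header", "X-Forwarded-For $proxy_add_x_forwarded_for"))

        # Create the nginx serverblock and arkOS metadata files
        block = nginx.Conf()
        server = nginx.Server(
            nginx.Key("listen", self.port),
            nginx.Key("server_name", self.addr),
            nginx.Key("root", self.base_path or self.path),
        )
        server.add(*self.block)
        block.add(server)
        nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id))
        meta = ConfigParser.SafeConfigParser()
        meta.add_section("website")
        meta.set("website", "id", self.id)
        meta.set("website", "name", self.name)
        meta.set("website", "type", "ReverseProxy")
        meta.set("website", "extra", self.type)
        meta.set("website", "version", "None")
        meta.set("website", "ssl", self.cert.id if hasattr(self, "cert") and self.cert else "None")
        with open(os.path.join(self.path, ".arkos"), "w") as f:
            meta.write(f)

        # Track port and reload daemon
        self.meta = None
        self.installed = True
        storage.sites.add("sites", self)
        signals.emit("websites", "site_installed", self)
        self.nginx_enable()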
Пример #22
 def ssl_disable(self, path):
     """Restore ``self.addtoblock[0]`` as the ``/`` location of the site at ``path``.

     The site name is the last component of ``path``; its file under
     ``/etc/nginx/sites-available`` is saved after every server block that
     had a ``Location /``.
     """
     site_file = '/etc/nginx/sites-available/%s' % os.path.basename(path)
     conf = nginx.loadf(site_file)
     for server in conf.servers:
         found = server.filter('Location', '/')
         if not found:
             continue
         server.remove(found[0])
         server.add(self.addtoblock[0])
         nginx.dumpf(conf, site_file)
Пример #23
 def ssl_disable(self, path):
     """Restore ``self.addtoblock[0]`` as the ``/`` location of the site at ``path``.

     The site name is the last component of ``path``. After the config has
     been rewritten the service manager backend is fetched from ``self.app``.
     """
     site_file = '/etc/nginx/sites-available/%s'%os.path.basename(path)
     conf = nginx.loadf(site_file)
     for server in conf.servers:
         found = server.filter('Location', '/')
         if not found:
             continue
         server.remove(found[0])
         server.add(self.addtoblock[0])
         nginx.dumpf(conf, site_file)
     # The result is not used in the part of the method shown here.
     service_manager = self.app.get_backend(apis.services.IServiceManager)
Пример #24
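	def post_install(self, name, path, vars):
		"""Point the site's serverblock at ``<path>/_site`` and build the site.

		Returns the message shown to the user after installation. ``vars``
		is not used by this method.
		"""
		try:
			from shlex import quote
		except ImportError:  # Python 2 keeps it in pipes
			from pipes import quote

		site_out = os.path.join(path, '_site')
		conf_path = os.path.join('/etc/nginx/sites-available', name)

		# Make sure the webapps config points to the _site directory and generate it.
		c = nginx.loadf(conf_path)
		c.servers[0].filter('Key', 'root')[0].value = site_out
		nginx.dumpf(c, conf_path)
		# The paths are spliced into a command string, so quote them: a site
		# path with spaces or shell metacharacters must stay one argument.
		shell('jekyll build --source '+quote(path)+' --destination '+quote(site_out))

		# Return an explicatory message.
		return 'Jekyll has been setup, with a sample site at '+path+'. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Configure button next to the site, then "Regenerate Site" to bring your changes live.'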
Пример #25
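    def post_install(self, extra_vars, dbpasswd=""):
        """Finish a Paperwork install: settings, dependencies, build, permissions.

        Writes the database settings file, installs PHP/Node dependencies,
        runs bower, gulp and the artisan migration inside ``self.path``,
        points the serverblock's ``root`` at ``public`` and hands the ``app``
        tree to the ``http`` user. Raises ``Exception`` when one of the three
        build commands exits non-zero. ``extra_vars`` is not used.
        """
        # Get around top-level zip restriction (FIXME 0.7.2)
        if "paperwork-master" in os.listdir(self.path):
            tmp_path = os.path.abspath(os.path.join(self.path, "../pwrk-tmp"))
            os.rename(os.path.join(self.path, "paperwork-master/frontend"),
                      tmp_path)
            os.rename(os.path.join(self.path, ".arkos"),
                      os.path.join(tmp_path, ".arkos"))
            shutil.rmtree(self.path)
            os.rename(tmp_path, self.path)

        # Make sure that the correct PHP settings are enabled
        php.enable_mod('gd', 'opcache', 'mysql', 'pdo_mysql', 'mcrypt')
        php.enable_mod('apcu', config_file="/etc/php/conf.d/apcu.ini")

        # NOTE(review): 3389 is written as the database port; MySQL normally
        # listens on 3306 - confirm this value.
        dbstr = "mysql, localhost, 3389, {0}, {1}, {0}"\
            .format(self.id, dbpasswd)
        db_settings = os.path.join(self.path, 'app/storage/db_settings')
        with open(db_settings, 'w') as f:
            f.write(dbstr)

        php.composer_install(self.path)
        nodejs.install("gulp", as_global=True)
        nodejs.install_from_package(self.path, stat=None)

        # Run the build steps from inside the site directory and always go
        # back, so a failing step does not leave the process in self.path.
        cwd = os.getcwd()
        os.chdir(self.path)
        try:
            s = shell("bower install --allow-root", stdin='y\n')
            if s["code"] != 0:
                raise Exception("Failed to run bower: {0}".format(s["stderr"]))
            s = shell("gulp")
            if s["code"] != 0:
                raise Exception("Failed to run gulp: {0}".format(s["stderr"]))
            s = shell("php artisan migrate --force")
            if s["code"] != 0:
                raise Exception(
                    "Failed to run artisan: {0}".format(s["stderr"]))
        finally:
            os.chdir(cwd)

        # Make sure the webapps config points to the public directory.
        conf_path = os.path.join('/etc/nginx/sites-available', self.id)
        c = nginx.loadf(conf_path)
        for x in c.servers:
            if x.filter('Key', 'root'):
                x.filter('Key', 'root')[0].value = \
                    os.path.join(self.path, 'public')
        nginx.dumpf(c, conf_path)
        uid, gid = users.get_system("http").uid, groups.get_system("http").gid
        for r, d, f in os.walk(os.path.join(self.path, 'app')):
            for x in d:
                os.chmod(os.path.join(r, x), 0o755)
                os.chown(os.path.join(r, x), uid, gid)
            for x in f:
                os.chmod(os.path.join(r, x), 0o644)
                os.chown(os.path.join(r, x), uid, gid)
        # The settings file holds the database password; the loop above left
        # it world-readable, so restrict it to its owner and group.
        if os.path.exists(db_settings):
            os.chmod(db_settings, 0o640)
        if os.path.exists(os.path.join(self.path, 'app/storage/setup')):
            os.unlink(os.path.join(self.path, 'app/storage/setup'))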
 def generate(cls, servers):
     """Build the nginx configuration for ``servers``, write it and reload nginx.

     The builder steps run in a fixed order: upstream, base server, the
     server blocks for ports 80 and 443, then the certificate step.
     """
     builder = cls(servers)
     builder.upstream()
     builder.base_server()
     for port in (80, 443):
         builder.servers(port)
     builder.certificate()
     # Set here the folder the config is written to
     output_file = f'{BASE_DIR}/etc/nginx.conf'
     nginx.dumpf(builder.config, output_file)
     builder.success_message("Настройки сервера обновленны")
     os.system('nginx -s reload')
Пример #27
 def enable_ssl(self, cfile, kfile):
     """Re-add the site's ``/`` location with forwarding headers for SSL.

     For every server block with a ``Location /`` the location is replaced
     by ``self.addtoblock[0]`` after ``X-Forwarded-For`` and
     ``X-Forwarded-Proto`` headers have been added to it, and the file is
     saved. ``cfile`` and ``kfile`` are not used by this method.
     """
     site_file = '/etc/nginx/sites-available/%s'%self.id
     conf = nginx.loadf(site_file)
     for server in conf.servers:
         found = server.filter('Location', '/')
         if not found:
             continue
         server.remove(found[0])
         # NOTE(review): the headers are added to the shared addtoblock[0]
         # object on every pass - confirm they cannot pile up as duplicates.
         location = self.addtoblock[0]
         location.add(
             nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
             nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
         )
         server.add(location)
         nginx.dumpf(conf, site_file)
Пример #28
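def update_nginx_proxy_restriction():
    """Apply the registered-host allow-list to every config in ``files`` and reload nginx.

    The accepted addresses are the ``host`` values of all ``RegisteredHost``
    rows. ``update_allowed`` applies them to each parsed config, which is then
    written back to the file it was loaded from.
    """
    accept_ips = [h for h, in RegisteredHost.query.values(RegisteredHost.host)]
    current_app.logger.debug(
        'UPDATE NGINX PROXY FOR RHOSTS: {}'.format(accept_ips))
    for filename in files:
        conf = nginx.loadf(filename)
        update_allowed(accept_ips, conf)
        nginx.dumpf(conf, filename)
    # Only root can reload daemons, so a dedicated wrapper script is run
    # through sudo. The command is fixed, so it is passed as an argument list
    # and no shell is involved.
    status = subprocess.call(['sudo', '/var/opt/kuberdock/nginx_reload.sh'])
    if status != 0:
        # Without a successful reload the rewritten rules may not be in effect.
        current_app.logger.error(
            'nginx reload wrapper exited with status {}'.format(status))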
Пример #29
    def ssl_enable(self):
        """Switch the site's nginx server block to TLS and record the certificate.

        Rewrites ``/etc/nginx/sites-available/<self.id>``, stores the
        certificate id in the site's ``.arkos`` metadata file and then calls
        the website type's ``enable_ssl`` hook with the certificate and key
        paths.
        """
        # Get server-preferred ciphers
        if config.get("certificates", "ciphers"):
            ciphers = config.get("certificates", "ciphers")
        else:
            # NOTE(review): `ciphers` has no earlier assignment in this listing,
            # so as shown this branch fails before anything is saved. A default
            # cipher string was presumably defined in code missing from this
            # excerpt -- confirm against the full file.
            config.set("certificates", "ciphers", ciphers)
            config.save()

        block = nginx.loadf(os.path.join("/etc/nginx/sites-available/", self.id))

        # If the site is on port 80, setup an HTTP redirect to new port 443
        server = block.servers[0]
        listen = server.filter("Key", "listen")[0]
        if listen.value == "80":
            listen.value = "443 ssl"
            block.add(nginx.Server(
                nginx.Key("listen", "80"),
                nginx.Key("server_name", self.addr),
                nginx.Key("return", "301 https://%s$request_uri" % self.addr)
            ))
            # Re-locate the TLS server block after the redirect block was added.
            for x in block.servers:
                if x.filter("Key", "listen")[0].value == "443 ssl":
                    server = x
                    break
        else:
            # Normalise to exactly one trailing " ssl" flag.
            listen.value = listen.value.split(" ssl")[0] + " ssl"

        # Clean up any pre-existing SSL directives that no longer apply
        # NOTE(review): entries are removed while server.all() is being
        # iterated; if all() returns the live child list, some ssl_* keys may
        # be skipped -- verify, or iterate over a copy.
        for x in server.all():
            if type(x) == nginx.Key and x.name.startswith("ssl_"):
                server.remove(x)

        # Add the necessary SSL directives to the serverblock and save
        # NOTE(review): ssl_protocols still enables TLSv1 and TLSv1.1, which
        # are deprecated (RFC 8996); restrict this to TLSv1.2 and newer unless
        # legacy clients must be supported.
        server.add(
            nginx.Key("ssl_certificate", self.cert.cert_path),
            nginx.Key("ssl_certificate_key", self.cert.key_path),
            nginx.Key("ssl_protocols", "TLSv1 TLSv1.1 TLSv1.2"),
            nginx.Key("ssl_ciphers", ciphers),
            nginx.Key("ssl_session_timeout", "5m"),
            nginx.Key("ssl_prefer_server_ciphers", "on"),
            nginx.Key("ssl_dhparam", "/etc/arkos/ssl/dh_params.pem"),
            nginx.Key("ssl_session_cache", "shared:SSL:50m"),
            )
        nginx.dumpf(block, os.path.join("/etc/nginx/sites-available/", self.id))

        # Set the certificate name in the metadata file
        meta = ConfigParser.SafeConfigParser()
        meta.read(os.path.join(self.path, ".arkos"))
        meta.set("website", "ssl", self.cert.id)
        with open(os.path.join(self.path, ".arkos"), "w") as f:
            meta.write(f)

        # Call the website type's SSL enable hook
        self.enable_ssl(self.cert.cert_path, self.cert.key_path)
Пример #30
    def post_install(self, name, path, vars):
        """Point the site's nginx root at ``<path>/_site`` and run a Jekyll build.

        Only the first server block of ``/etc/nginx/sites-available/<name>`` is
        updated. Returns the explanatory message shown to the user. ``vars`` is
        not used here.
        """
        conf_file = os.path.join('/etc/nginx/sites-available', name)
        site_dir = os.path.join(path, '_site')
        conf = nginx.loadf(conf_file)
        root_key = conf.servers[0].filter('Key', 'root')[0]
        root_key.value = site_dir
        nginx.dumpf(conf, conf_file)
        # NOTE(review): the command line is assembled by plain concatenation.
        # If shell() hands it to a shell, a path containing whitespace or shell
        # metacharacters changes what is executed -- quote the path or pass an
        # argument list; confirm how shell() runs its argument.
        build_cmd = 'jekyll build --source ' + path + ' --destination ' + site_dir
        shell(build_cmd)

        # Return an explanatory message.
        return (
            'Jekyll has been setup, with a sample site at ' + path +
            '. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Configure button next to the site, then "Regenerate Site" to bring your changes live.'
        )
Пример #31
 def enable_ssl(self, cfile, kfile):
     """Re-add the app's proxy location with X-Forwarded-* headers on every server that has ``/``.

     Neither ``cfile`` nor ``kfile`` is read by this method.
     """
     site_conf = '/etc/nginx/sites-available/%s' % self.id
     parsed = nginx.loadf(site_conf)
     forwarded_for = 'X-Forwarded-For $proxy_add_x_forwarded_for'
     forwarded_proto = 'X-Forwarded-Proto $scheme'
     for srv in parsed.servers:
         matches = srv.filter('Location', '/')
         if matches:
             srv.remove(matches[0])
             # addtoblock[0] is shared state: the headers are appended to it on
             # every matching server.
             self.addtoblock[0].add(
                 nginx.Key('proxy_set_header', forwarded_for),
                 nginx.Key('proxy_set_header', forwarded_proto),
             )
             srv.add(self.addtoblock[0])
             nginx.dumpf(parsed, site_conf)
Пример #32
def _edit_nginx_entry(project_root_dir, rev_proxy_container, model_name, hostname, ip_port, old_hostname = None):
    """Add or replace the upstream and ``/<model_name>/`` location for a model in the proxy's nginx.conf.

    The config is copied down from the reverse-proxy container into a
    temporary directory, edited, copied back up, and nginx in the container is
    started and reloaded. The temporary directory is always removed.

    NOTE(review): ``model_name``, ``hostname`` and ``ip_port`` are written into
    the config verbatim; if they can come from untrusted callers, validate them
    before they reach this function.
    """
    conf_dir = _copy_down_nginx_conf(project_root_dir, rev_proxy_container)
    try:
        conf_file = _build_relative_path(conf_dir, 'nginx.conf')
        conf = _nginx.loadf(conf_file)
        http = conf.filter('Http')[0]
        endpoint_url = '/{}/'.format(model_name)

        # Drop upstream entries left over from the previous hostname, if any.
        if old_hostname is not None:
            stale = [u for u in http.filter('Upstream') if u.value == old_hostname]
            for u in stale:
                http.remove(u)

        # Register the upstream for the new hostname.
        upstream = _nginx.Upstream(hostname)
        upstream.add(_nginx.Key('server', ip_port))
        http.add(upstream)

        # Reuse the first server block, clearing any location already bound to
        # this endpoint; otherwise create a server listening on 5000.
        servers = http.filter('Server')
        server_is_new = not servers
        if server_is_new:
            server = _nginx.Server()
            server.add(_nginx.Key('listen', '5000'))
        else:
            server = servers[0]
            for loc in server.filter('Location'):
                if loc.value == endpoint_url:
                    server.remove(loc)

        directives = [
            _nginx.Key('proxy_pass', 'http://{}/'.format(hostname)),
            _nginx.Key('proxy_redirect', 'off'),
            _nginx.Key('proxy_set_header', 'Host $host'),
            _nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
            _nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
            _nginx.Key('proxy_set_header', 'X-Forwarded-Host $server_name'),
        ]
        location = _nginx.Location(endpoint_url)
        location.add(*directives)
        server.add(location)
        if server_is_new:
            http.add(server)

        _nginx.dumpf(conf, conf_file)
        _copy_up_nginx_conf(project_root_dir, conf_dir, rev_proxy_container)
        # Start nginx in the container, then ask it to reload the new config.
        # Both calls are detached, so their outcome is not checked here.
        for command in ('/usr/sbin/nginx', '/usr/sbin/nginx -s reload'):
            rev_proxy_container.exec_run(command, detach = True)
    finally:
        _shutil.rmtree(conf_dir, ignore_errors=True)
Пример #33
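    def post_install(self, name, path, vars):
        """Set up a custom site: optional PHP docroot, optional database, and a placeholder index page.

        When the ``php`` form value is ``'1'`` the docroot moves to
        ``<path>/htdocs`` and every server block with a ``root`` key in
        ``/etc/nginx/sites-available/<name>`` is pointed at it. When a database
        type is selected, the database and a user of the same name are created.
        """
        php = vars.getvalue('php', '0') == '1'
        if php:
            path = os.path.join(path, 'htdocs')
            os.mkdir(path)
            conf_path = os.path.join('/etc/nginx/sites-available', name)
            c = nginx.loadf(conf_path)
            for server in c.servers:
                roots = server.filter('Key', 'root')
                if roots:
                    roots[0].value = path
            nginx.dumpf(c, conf_path)
            phpctl = apis.langassist(self.app).get_interface('PHP')

        # Create a database if the user wants one
        if vars.getvalue('ws-dbsel', 'None') != 'None':
            dbtype = vars.getvalue('ws-dbsel', '')
            dbname = vars.getvalue('ws-dbname', '')
            passwd = vars.getvalue('ws-dbpass', '')
            dbase = apis.databases(self.app).get_interface(dbtype)
            # Backends that expose connect() take an explicit connection.
            if hasattr(dbase, 'connect'):
                conn = apis.databases(self.app).get_dbconn(dbtype)
                dbase.add(dbname, conn)
                dbase.usermod(dbname, 'add', passwd, conn)
                dbase.chperm(dbname, dbname, 'grant', conn)
            else:
                dbase.add(dbname)
                dbase.usermod(dbname, 'add', passwd)
                dbase.chperm(dbname, dbname, 'grant')
            if php:
                phpctl.enable_mod('mysql')

        # Write a basic index file showing that we are here. The context
        # manager closes the handle even if the write fails.
        index_name = 'index.' + ('php' if php else 'html')
        with open(os.path.join(path, index_name), 'w') as f:
            f.write(
                '<html>\n'
                '<body>\n'
                '<h1>Genesis - Custom Site</h1>\n'
                '<p>Your site is online and available at '+path+'</p>\n'
                '<p>Feel free to paste your site files here</p>\n'
                '</body>\n'
                '</html>\n'
                )

        # Give access to httpd
        # NOTE(review): the path is concatenated into the command unquoted; if
        # shell() runs it through a shell, whitespace or metacharacters in the
        # path alter the command -- confirm and quote.
        shell('chown -R http:http '+path)

        # Enable xcache if PHP is set
        if php:
            phpctl.enable_mod('xcache')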
Пример #34
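    def post_install(self, name, path, vars):
        """Finish installing a custom site.

        Optionally creates a PHP docroot (``<path>/htdocs``) and repoints the
        nginx ``root`` keys at it, optionally creates a database and matching
        user, writes a placeholder index page and hands the directory to the
        ``http`` user.
        """
        wants_php = vars.getvalue('php', '0') == '1'
        phpctl = None
        if wants_php:
            path = os.path.join(path, 'htdocs')
            os.mkdir(path)
            site_conf = os.path.join('/etc/nginx/sites-available', name)
            c = nginx.loadf(site_conf)
            for x in c.servers:
                root_keys = x.filter('Key', 'root')
                if root_keys:
                    root_keys[0].value = path
            nginx.dumpf(c, site_conf)
            phpctl = apis.langassist(self.app).get_interface('PHP')

        # Create a database if the user wants one
        if vars.getvalue('ws-dbsel', 'None') != 'None':
            dbtype = vars.getvalue('ws-dbsel', '')
            dbname = vars.getvalue('ws-dbname', '')
            passwd = vars.getvalue('ws-dbpass', '')
            dbase = apis.databases(self.app).get_interface(dbtype)
            # Connection-based backends get the connection as a final argument.
            extra = ()
            if hasattr(dbase, 'connect'):
                extra = (apis.databases(self.app).get_dbconn(dbtype),)
            dbase.add(dbname, *extra)
            dbase.usermod(dbname, 'add', passwd, *extra)
            dbase.chperm(dbname, dbname, 'grant', *extra)
            if wants_php:
                phpctl.enable_mod('mysql')

        # Write a basic index file showing that we are here; `with` guarantees
        # the handle is closed if the write raises.
        index_path = os.path.join(
            path, 'index.' + ('php' if wants_php else 'html'))
        with open(index_path, 'w') as f:
            f.write('<html>\n'
                    '<body>\n'
                    '<h1>Genesis - Custom Site</h1>\n'
                    '<p>Your site is online and available at ' + path + '</p>\n'
                    '<p>Feel free to paste your site files here</p>\n'
                    '</body>\n'
                    '</html>\n')

        # Give access to httpd
        # NOTE(review): unquoted path in a command string -- if shell() uses a
        # shell, quote the path or pass an argument list.
        shell('chown -R http:http ' + path)

        # Enable xcache if PHP is set
        if wants_php:
            phpctl.enable_mod('xcache')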
Пример #35
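def write_conf(app):
    """Write ``<appname>-ssl.conf`` for *app* into ``vhostsdir`` and reload nginx.

    *app* is a mapping with ``appname``, ``root``, ``domains`` and
    ``certpath``, plus an optional ``username`` (default ``'serverpilot'``).
    Returns True when the file was written and the reload call returned,
    False when either step raised.
    """
    print(bcolors.OKBLUE + 'Writing NGINX vhost file for the app ' +
          bcolors.BOLD + app.get('appname') + bcolors.ENDC)
    appname = app.get('appname')
    root = app.get('root')
    username = app.get('username', 'serverpilot')
    confname = vhostsdir + appname + '-ssl.conf'
    domains = app.get('domains')
    # NOTE(review): appname, username and certpath are joined into file paths
    # as-is; confirm they cannot contain path separators supplied by a user.
    log_dir = '/srv/users/' + username + '/log/' + appname
    c = nginx.Conf()
    s = nginx.Server()
    s.add(
        nginx.Comment(
            'SSL conf added by rwssl (https://github.com/rehmatworks/serverpilot-letsencrypt)'
        ),
        nginx.Key('listen', '443 ssl http2'),
        nginx.Key('listen', '[::]:443 ssl http2'),
        nginx.Key('server_name', ' '.join(domains)),
        # NOTE(review): `ssl on` is deprecated in current nginx releases; the
        # `ssl` parameter on the listen directives above already enables TLS.
        nginx.Key('ssl', 'on'),
        nginx.Key('ssl_certificate',
                  app.get('certpath') + '/fullchain.pem'),
        nginx.Key('ssl_certificate_key',
                  app.get('certpath') + '/privkey.pem'),
        nginx.Key('root', root),
        nginx.Key('access_log', log_dir + '/dev_nginx.access.log main'),
        nginx.Key('error_log', log_dir + '/dev_nginx.error.log'),
        nginx.Key('proxy_set_header', 'Host $host'),
        nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
        nginx.Key('proxy_set_header',
                  'X-Forwarded-For $proxy_add_x_forwarded_for'),
        nginx.Key('proxy_set_header', 'X-Forwarded-SSL on'),
        nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
        nginx.Key('include',
                  '/etc/nginx-sp/vhosts.d/' + appname + '.d/*.conf'),
    )
    c.add(s)
    try:
        nginx.dumpf(c, confname)
        print(bcolors.OKGREEN + 'Virtual host file created!' + bcolors.ENDC)
        print(bcolors.OKBLUE + 'Reloading NGINX server...' + bcolors.ENDC)
        reload_nginx_sp()
        print(bcolors.OKGREEN +
              'SSL should have been installed and activated for the app ' +
              bcolors.BOLD + app.get('appname') + bcolors.ENDC)
        return True
    except Exception as err:
        # Catch ordinary failures only, so Ctrl-C and SystemExit still
        # propagate, and show the cause instead of hiding it.
        print(bcolors.FAIL + 'Virtual host file cannot be created!' +
              bcolors.ENDC)
        print(bcolors.FAIL + str(err) + bcolors.ENDC)
        return False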
 def certificate(self, servers):
     """Write one ``ssl_certificate`` include file per server flagged ``is_ssl_certificate``.

     Each file is ``/etc/nginx/conf.d/ssl_certificate/<domain>.conf`` and
     points at ``/var/www/certificate/<domain>-cert.pem`` and ``-key.pem``.
     """
     for entry in servers:
         if not entry.get("is_ssl_certificate", False):
             continue
         # NOTE(review): `domain` defaults to "" and is interpolated into file
         # paths unchecked; an empty or slash-containing value would write
         # outside the intended file name -- validate it upstream.
         domain = entry.get("domain", "")
         cert_file = f"/var/www/certificate/{domain}-cert.pem"
         key_file = f"/var/www/certificate/{domain}-key.pem"
         snippet = nginx.Conf()
         snippet.add(nginx.Key("ssl_certificate", cert_file))
         snippet.add(nginx.Key("ssl_certificate_key", key_file))
         nginx.dumpf(
             snippet, f'/etc/nginx/conf.d/ssl_certificate/{domain}.conf')
Пример #37
 def ssl_enable(self, path, cfile, kfile):
     """Re-add the proxy location with X-Forwarded-* headers for the site at *path*.

     The nginx file is chosen by the last component of *path*. ``cfile`` and
     ``kfile`` are not used in the part of the method shown; the listing ends
     right after the service manager is fetched.
     """
     site_name = os.path.basename(path)
     conf_path = '/etc/nginx/sites-available/%s' % site_name
     conf = nginx.loadf(conf_path)
     for server in conf.servers:
         existing = server.filter('Location', '/')
         if not existing:
             continue
         server.remove(existing[0])
         # addtoblock[0] is shared, so the headers are appended on each match.
         self.addtoblock[0].add(
             nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
             nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
         )
         server.add(self.addtoblock[0])
         nginx.dumpf(conf, conf_path)
     s = self.app.get_backend(apis.services.IServiceManager)
Пример #38
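    def post_install(self, vars, dbpasswd=""):
        """Finish a Paperwork install: unpack layout, PHP modules, DB settings, front-end build, nginx root.

        Raises ``Exception`` when bower, gulp or the artisan migration exits
        with a non-zero code. ``vars`` is not used here.
        """
        # Get around top-level zip restriction (FIXME 0.7.2)
        if "paperwork-master" in os.listdir(self.path):
            tmp_path = os.path.abspath(os.path.join(self.path, "../pwrk-tmp"))
            os.rename(os.path.join(self.path, "paperwork-master/frontend"), tmp_path)
            os.rename(os.path.join(self.path, ".arkos"),
                      os.path.join(tmp_path, ".arkos"))
            shutil.rmtree(self.path)
            os.rename(tmp_path, self.path)

        # Make sure that the correct PHP settings are enabled
        php.enable_mod('gd', 'opcache', 'mysql', 'pdo_mysql', 'mcrypt')
        php.enable_mod('apcu', config_file="/etc/php/conf.d/apcu.ini")

        # NOTE(review): 3389 is not MySQL's default port (3306) -- confirm.
        dbstr = "mysql, localhost, 3389, {0}, {1}, {0}".format(self.id, dbpasswd)
        # NOTE(review): this file holds the database password in plaintext and
        # lives under app/, so the permission pass below leaves it mode 0644
        # (world-readable). Consider a tighter mode for this one file.
        with open(os.path.join(self.path, 'app/storage/db_settings'), 'w') as f:
            f.write(dbstr)

        php.composer_install(self.path)
        nodejs.install("gulp", as_global=True)
        nodejs.install_from_package(self.path, stat=None)

        cwd = os.getcwd()
        os.chdir(self.path)
        try:
            s = shell("bower install --allow-root", stdin='y\n')
            if s["code"] != 0:
                raise Exception("Failed to run bower: %s" % s["stderr"])
            s = shell("gulp")
            if s["code"] != 0:
                raise Exception("Failed to run gulp: %s" % s["stderr"])
            s = shell("php artisan migrate --force")
            if s["code"] != 0:
                raise Exception("Failed to run artisan: %s" % s["stderr"])
        finally:
            # Restore the working directory even when a build step fails.
            os.chdir(cwd)

        # Make sure the webapps config points to the public directory.
        conf_path = os.path.join('/etc/nginx/sites-available', self.id)
        c = nginx.loadf(conf_path)
        for x in c.servers:
            if x.filter('Key', 'root'):
                x.filter('Key', 'root')[0].value = os.path.join(self.path, 'public')
        nginx.dumpf(c, conf_path)

        # Hand app/ to the http user: directories 0755, files 0644. The 0o
        # prefix is accepted by Python 2.6+ and required by Python 3.
        uid, gid = users.get_system("http").uid, groups.get_system("http").gid
        for r, d, f in os.walk(os.path.join(self.path, 'app')):
            for x in d:
                os.chmod(os.path.join(r, x), 0o755)
                os.chown(os.path.join(r, x), uid, gid)
            for x in f:
                os.chmod(os.path.join(r, x), 0o644)
                os.chown(os.path.join(r, x), uid, gid)
        if os.path.exists(os.path.join(self.path, 'app/storage/setup')):
            os.unlink(os.path.join(self.path, 'app/storage/setup'))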
Пример #39
 def disable_ssl(self):
     """Restore the plain proxy location, switch config.js back to http:// and restart the service."""
     conf_path = '/etc/nginx/sites-available/%s' % self.id
     conf = nginx.loadf(conf_path)
     for server in conf.servers:
         root_locations = server.filter('Location', '/')
         if not root_locations:
             continue
         server.remove(root_locations[0])
         server.add(self.addtoblock[0])
         nginx.dumpf(conf, conf_path)

     # Rewrite the production URL scheme in the app's own configuration.
     config_js = os.path.join(self.path, 'config.js')
     with open(config_js, 'r') as src:
         contents = src.read()
     contents = contents.replace('production: {\n        url: \'https://',
                                 'production: {\n        url: \'http://')
     with open(config_js, 'w') as dst:
         dst.write(contents)
     services.get(self.id).restart()
Пример #40
 def disable_ssl(self):
     """Undo the TLS setup: plain proxy location in nginx, http:// URL in config.js, service restart."""
     site_file = '/etc/nginx/sites-available/%s' % self.id
     parsed = nginx.loadf(site_file)
     for srv in parsed.servers:
         hits = srv.filter('Location', '/')
         if hits:
             # Swap the existing "/" location for the stock proxy block.
             srv.remove(hits[0])
             srv.add(self.addtoblock[0])
             nginx.dumpf(parsed, site_file)

     js_path = os.path.join(self.path, 'config.js')
     with open(js_path, 'r') as handle:
         text = handle.read()
     old_prefix = 'production: {\n        url: \'https://'
     new_prefix = 'production: {\n        url: \'http://'
     text = text.replace(old_prefix, new_prefix)
     with open(js_path, 'w') as handle:
         handle.write(text)
     services.get(self.id).restart()
Пример #41
def nginxConfGenerator(instances, options):
    """Write ``nginx.conf`` next to this module with one port-80 proxy server per instance.

    Each instance is indexed: element 0 is the upstream host, element 1 the
    suffix used in the server name. ``options`` is not used.

    NOTE(review): every backend on port 15672 is published over plain HTTP
    with no access rule in this block; confirm that exposure is intended.
    """
    conf = nginx.Conf()
    for instance in instances:
        upstream_host = instance[0]
        label = instance[1]
        proxy = nginx.Location(
            '/', nginx.Key('proxy_pass', 'http://' + upstream_host + ':15672'))
        server = nginx.Server()
        server.add(
            nginx.Key('listen', '80'),
            nginx.Key('server_name', 'nxt-mq-' + label + '.ies.inventec'),
            proxy,
        )
        conf.add(server)
    out_path = os.path.dirname(os.path.abspath(__file__)) + '/nginx.conf'
    nginx.dumpf(conf, out_path)
    return
Пример #42
	def nginx_add(self, site, add):
		"""Create ``/etc/nginx/sites-available/<site.name>`` with a single server block for *site*.

		An empty ``site.path`` is set to ``/srv/http/webapps/<site.name>``.
		*add* is an optional iterable of extra directives for the server block.
		"""
		if site.path == '':
			site.path = os.path.join('/srv/http/webapps/', site.name)
		url = 'http://'+site.addr+':'+site.port
		index_file = 'index.'+('php' if site.php else 'html')
		conf = nginx.Conf()
		# Marker comment identifying the site type and URL.
		conf.add(nginx.Comment('GENESIS %s %s' % (site.stype, url)))
		server = nginx.Server(
			nginx.Key('listen', site.port),
			nginx.Key('server_name', site.addr),
			nginx.Key('root', site.path),
			nginx.Key('index', index_file)
		)
		if add:
			server.add(*add)
		conf.add(server)
		nginx.dumpf(conf, os.path.join('/etc/nginx/sites-available', site.name))
Пример #43
 def generate_nginx_config(self):
     """Write a least-connections load-balancer config to ``dockerfiles/loadbalancer/nginx.conf``.

     The upstream lists ``n_endpoints`` servers on this host's address,
     starting at ``src_port`` and counting up by one.
     """
     conf = nginx.Conf()
     upstream = nginx.Upstream('loadbalancer', nginx.Key('least_conn', ''))
     ip_addr = get_ip_address()
     for offset in range(self.n_endpoints):
         endpoint = f'{ip_addr}:{self.src_port + offset}'
         upstream.add(nginx.Key('server', endpoint))

     proxy_all = nginx.Location(
         '/', nginx.Key('proxy_pass', 'http://loadbalancer'))
     # Keep favicon requests out of the logs.
     favicon = nginx.Location('/favicon.ico',
                              nginx.Key('log_not_found', 'off'),
                              nginx.Key('access_log', 'off'))
     server = nginx.Server(proxy_all)
     conf.add(upstream)
     server.add(favicon)
     conf.add(server)
     nginx.dumpf(conf, 'dockerfiles/loadbalancer/nginx.conf')
Пример #44
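 def ssl_disable(self, path):
     """Restore the plain proxy location for the site at *path*, set config.js to http:// and restart ghost.

     The nginx file is selected by the last component of *path*.
     """
     name = os.path.basename(path)
     conf_path = '/etc/nginx/sites-available/%s' % name
     n = nginx.loadf(conf_path)
     for x in n.servers:
         if x.filter('Location', '/'):
             x.remove(x.filter('Location', '/')[0])
             x.add(self.addtoblock[0])
             nginx.dumpf(n, conf_path)

     config_js = os.path.join(path, 'config.js')
     # Read through a context manager so the handle is closed before the file
     # is reopened for writing.
     with open(config_js, 'r') as config_file:
         data = config_file.read()
     data = data.replace('production: {\n        url: \'https://',
                         'production: {\n        url: \'http://')
     with open(config_js, 'w') as config_file:
         config_file.write(data)
     s = self.app.get_backend(apis.services.IServiceManager)
     s.restart('ghost', 'supervisor')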
Пример #45
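 def ssl_disable(self, path):
     """Turn TLS handling off for the site rooted at *path*.

     Replaces the ``/`` location in the site's nginx file with the stock proxy
     block, rewrites the production URL in ``config.js`` from https:// to
     http:// and restarts the ``ghost`` service.
     """
     name = os.path.basename(path)
     site_conf = '/etc/nginx/sites-available/%s' % name
     n = nginx.loadf(site_conf)
     for x in n.servers:
         root_locations = x.filter('Location', '/')
         if root_locations:
             x.remove(root_locations[0])
             x.add(self.addtoblock[0])
             nginx.dumpf(n, site_conf)

     js_path = os.path.join(path, 'config.js')
     # The read handle is now closed explicitly instead of being left open.
     with open(js_path, 'r') as src:
         contents = src.read()
     contents = contents.replace('production: {\n        url: \'https://',
                                 'production: {\n        url: \'http://')
     with open(js_path, 'w') as dst:
         dst.write(contents)
     s = self.app.get_backend(apis.services.IServiceManager)
     s.restart('ghost', 'supervisor')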
Пример #46
 def enable_ssl(self, cfile, kfile):
     """Add X-Forwarded-* headers to each ``/`` location, set config.js to https:// and restart.

     ``cfile`` and ``kfile`` are not used by this method.
     """
     conf_path = '/etc/nginx/sites-available/%s' % self.id
     conf = nginx.loadf(conf_path)
     for server in conf.servers:
         root_locations = server.filter('Location', '/')
         if not root_locations:
             continue
         root_locations[0].add(
             nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
             nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme')
         )
         nginx.dumpf(conf, conf_path)

     # Point the app's production URL at the https scheme.
     config_js = os.path.join(self.path, 'config.js')
     with open(config_js, 'r') as src:
         contents = src.read()
     contents = contents.replace('production: {\n        url: \'http://',
                                 'production: {\n        url: \'https://')
     with open(config_js, 'w') as dst:
         dst.write(contents)
     services.get(self.id).restart()
Пример #47
def add_server(app_name, app_server_ip_addr):
    """Append ``<app_server_ip_addr>:3000`` to the first upstream in the app's nginx.conf.

    NOTE(review): ``app_name`` is concatenated into the file path unchecked;
    confirm callers cannot supply path separators.
    """
    conf_path = CONFIG_DIR + app_name + '/nginx.conf'
    conf = nginx.loadf(conf_path)

    # Detach the http block and its first upstream, extend the upstream, then
    # attach both again in the same order the original code used.
    http_block = conf.filter('Http')[0]
    conf.remove(http_block)
    upstream = http_block.filter('Upstream')[0]
    http_block.remove(upstream)

    backend = str(app_server_ip_addr) + ':3000'
    upstream.add(nginx.Key('server', backend))

    http_block.add(upstream)
    conf.add(http_block)

    nginx.dumpf(conf, conf_path)
Пример #48
def server_submit():
    """Replace the server block named in the POST data with the submitted block and save the file.

    Reads ``server_name``, ``server_value`` and ``path_file_name`` from the
    request, removes every server whose ``server_name`` matches, appends the
    first server parsed from ``server_value`` and writes the file back.
    Returns the submitted ``server_value`` unchanged.

    NOTE(review): ``path_file_name`` comes straight from the request and is
    both parsed and overwritten, and ``server_value`` is written into the
    config without validation. Nothing in this function limits the path to the
    nginx configuration directory or checks the caller's permissions. Resolve
    the path against a fixed base directory, reject anything outside it, and
    test the result (e.g. `nginx -t`) before it is reloaded.
    """
    server_name = request.POST.get('server_name', '')
    server_value = request.POST.get('server_value', '')
    path_file_name = request.POST.get("path_file_name", "")

    conf = nginx.loadf(path_file_name)
    for existing in conf.filter("Server"):
        if server_name == existing.filter("key", "server_name")[0].value:
            conf.remove(existing)

    submitted = nginx.loads(server_value)
    replacement = submitted.filter('Server')[0]
    conf.add(replacement)
    nginx.dumpf(conf, path_file_name)
    return server_value
Пример #49
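 def ssl_disable(self, path):
     """Restore the plain proxy location, set config.js to http:// and ask supervisor to reload ghost.

     The nginx file is selected by the last component of *path*. The reload
     order is only sent when a ``supervisor`` interface is available.
     """
     name = os.path.basename(path)
     conf_path = '/etc/nginx/sites-available/%s' % name
     n = nginx.loadf(conf_path)
     for x in n.servers:
         if x.filter('Location', '/'):
             x.remove(x.filter('Location', '/')[0])
             x.add(self.addtoblock[0])
             nginx.dumpf(n, conf_path)

     config_js = os.path.join(path, 'config.js')
     # Close the read handle before the file is truncated for writing.
     with open(config_js, 'r') as config_file:
         data = config_file.read()
     data = data.replace('production: {\n        url: \'https://',
                         'production: {\n        url: \'http://')
     with open(config_js, 'w') as config_file:
         config_file.write(data)
     s = apis.orders(self.app).get_interface('supervisor')
     if s:
         s[0].order('rel', 'ghost')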
Пример #50
 def disable_ssl(self):
     """Strip the X-Forwarded-* headers from each ``/`` location, set config.js to http:// and restart."""
     forwarded = ('X-Forwarded-For $proxy_add_x_forwarded_for',
                  'X-Forwarded-Proto $scheme')
     conf_path = '/etc/nginx/sites-available/%s' % self.id
     conf = nginx.loadf(conf_path)
     for server in conf.servers:
         root_locations = server.filter('Location', '/')
         if not root_locations:
             continue
         root_location = root_locations[0]
         # Collect first, then remove, so the location is not modified while
         # its children are being walked.
         stale = [d for d in root_location.all() if d.value in forwarded]
         for d in stale:
             root_location.remove(d)
         nginx.dumpf(conf, conf_path)

     config_js = os.path.join(self.path, 'config.js')
     with open(config_js, 'r') as src:
         contents = src.read()
     contents = contents.replace('production: {\n        url: \'https://',
                                 'production: {\n        url: \'http://')
     with open(config_js, 'w') as dst:
         dst.write(contents)
     services.get(self.id).restart()
Пример #51
	def nginx_edit(self, oldsite, site):
		"""Apply *site*'s settings to *oldsite*'s server block and rename the site if its name changed.

		NOTE(review): on a rename, an existing ``/srv/http/webapps/<site.name>``
		directory is deleted before the move, and both names are joined into
		paths unchecked -- confirm the caller validates them.
		"""
		old_conf = os.path.join('/etc/nginx/sites-available', oldsite.name)
		scheme = 'https://' if site.ssl else 'http://'

		# Update the nginx serverblock
		c = nginx.loadf(old_conf)
		c.filter('Comment')[0].comment = 'GENESIS %s %s' % (site.stype, (scheme+site.addr+':'+site.port))
		server = c.servers[0]
		if site.ssl:
			server.filter('Key', 'listen')[0].value = site.port+' ssl'
		else:
			server.filter('Key', 'listen')[0].value = site.port
		server.filter('Key', 'server_name')[0].value = site.addr
		server.filter('Key', 'root')[0].value = site.path
		if site.php:
			server.filter('Key', 'index')[0].value = 'index.php'
		else:
			server.filter('Key', 'index')[0].value = 'index.html'
		nginx.dumpf(c, old_conf)

		# If the name was changed, rename the folder and files
		if site.name != oldsite.name:
			new_dir = os.path.join('/srv/http/webapps', site.name)
			if os.path.exists(new_dir):
				shutil.rmtree(new_dir)
			shutil.move(os.path.join('/srv/http/webapps', oldsite.name), new_dir)
			shutil.move(old_conf,
				os.path.join('/etc/nginx/sites-available', site.name))
			self.nginx_disable(oldsite, reload=False)
			self.nginx_enable(site)
		self.nginx_reload()
Пример #52
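    def post_install(self, name, path, vars, dbinfo={}):
        """Point the nginx root at ``<path>/_site``, build the Jekyll site and fix permissions.

        Raises ``Exception`` when the Jekyll build returns a non-zero status.
        Returns the explanatory message shown to the user. ``vars`` and
        ``dbinfo`` are not used here.
        """
        # Available as shlex.quote on Python 3 and pipes.quote on Python 2.
        try:
            from shlex import quote
        except ImportError:
            from pipes import quote

        # Make sure the webapps config points to the _site directory and generate it.
        conf_path = os.path.join("/etc/nginx/sites-available", name)
        c = nginx.loadf(conf_path)
        for x in c.servers:
            if x.filter("Key", "root"):
                x.filter("Key", "root")[0].value = os.path.join(path, "_site")
        nginx.dumpf(c, conf_path)
        # NOTE(review): this command is also built by concatenation; confirm
        # how shell_cs() parses it before quoting the path here as well.
        s = shell_cs("jekyll build --source " + path + " --destination " + os.path.join(path, "_site"), stderr=True)
        if s[0] != 0:
            raise Exception("Jekyll failed to build: %s" % str(s[1]))

        # These commands are interpreted by a shell, so the path is quoted, and
        # find runs chmod itself so names with spaces are handled correctly.
        quoted = quote(path)
        shell("find %s -type d -exec chmod 755 {} +" % quoted)
        shell("find %s -type f -exec chmod 644 {} +" % quoted)
        shell("chown -R http:http %s" % quoted)

        # Return an explanatory message.
        return (
            "Jekyll has been setup, with a sample site at "
            + path
            + '. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Configure button next to the site, then "Regenerate Site" to bring your changes live.'
        )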
Пример #53
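    def post_install(self, vars, dbpasswd=""):
        """Point the nginx root at ``<self.path>/_site``, build the Jekyll site and fix ownership.

        Raises ``Exception`` when the Jekyll build exits with a non-zero code.
        Returns the explanatory message shown to the user. ``vars`` and
        ``dbpasswd`` are not used here.
        """
        # Make sure the webapps config points to the _site directory and generate it.
        conf_path = os.path.join('/etc/nginx/sites-available', self.id)
        c = nginx.loadf(conf_path)
        for x in c.servers:
            if x.filter('Key', 'root'):
                x.filter('Key', 'root')[0].value = os.path.join(self.path, '_site')
        nginx.dumpf(c, conf_path)
        # NOTE(review): the path is concatenated into the command unquoted; if
        # shell() runs it through a shell, whitespace or metacharacters in the
        # path alter the command -- confirm and quote.
        s = shell('jekyll build --source '+self.path+' --destination '+os.path.join(self.path, '_site'))
        if s["code"] != 0:
            raise Exception('Jekyll failed to build: %s'%str(s["stderr"]))

        # Hand the tree to the http user: directories 0755, files 0644. The 0o
        # prefix is accepted by Python 2.6+ and required by Python 3.
        uid, gid = users.get_system("http").uid, groups.get_system("http").gid
        for r, d, f in os.walk(self.path):
            for x in d:
                os.chmod(os.path.join(r, x), 0o755)
                os.chown(os.path.join(r, x), uid, gid)
            for x in f:
                os.chmod(os.path.join(r, x), 0o644)
                os.chown(os.path.join(r, x), uid, gid)

        # Return an explanatory message.
        return 'Jekyll has been setup, with a sample site at '+self.path+'. Modify these files as you like. To learn how to use Jekyll, visit http://jekyllrb.com/docs/usage. After making changes, click the Edit button for the site, then "Regenerate Site" to bring your changes live.'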
Пример #54
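    def post_install(self, name, path, vars):
        """Set up a custom site: optional database, optional PHP docroot and a placeholder index page.

        When the ``php`` form value is ``'1'`` the docroot moves to
        ``<path>/htdocs`` and the first server block's ``root`` key in
        ``/etc/nginx/sites-available/<name>`` is pointed at it.
        """
        # Create a database if the user wants one
        if vars.getvalue('ws-dbsel', 'None') != 'None':
            dbtype = vars.getvalue('ws-dbsel', '')
            dbname = vars.getvalue('ws-dbname', '')
            passwd = vars.getvalue('ws-dbpass', '')
            dbase = apis.databases(self.app).get_interface(dbtype)
            dbase.add(dbname)
            dbase.usermod(dbname, 'add', passwd)
            dbase.chperm(dbname, dbname, 'grant')
            # The backslash is spelled explicitly; the command text is the same
            # as before, without relying on an unrecognised escape sequence.
            shell('sed -i s/\\;extension=mysql.so/extension=mysql.so/g /etc/php/php.ini')

        # Write a basic index file showing that we are here
        php = vars.getvalue('php', '0') == '1'
        if php:
            path = os.path.join(path, 'htdocs')
            os.mkdir(path)
            conf_path = os.path.join('/etc/nginx/sites-available', name)
            c = nginx.loadf(conf_path)
            c.servers[0].filter('Key', 'root')[0].value = path
            nginx.dumpf(c, conf_path)
        # The context manager closes the handle even if the write fails.
        with open(os.path.join(path, 'index.'+('php' if php else 'html')), 'w') as f:
            f.write(
                '<html>\n'
                '<body>\n'
                '<h1>Genesis - Custom Site</h1>\n'
                '<p>Your site is online and available at '+path+'</p>\n'
                '<p>Feel free to paste your site files here</p>\n'
                '</body>\n'
                '</html>\n'
                )

        # Give access to httpd
        # NOTE(review): unquoted path in a command string -- if shell() uses a
        # shell, quote the path or pass an argument list.
        shell('chown -R http:http '+path)

        # Enable xcache if PHP is set
        if php:
            shell('sed -i s/\\;extension=xcache.so/extension=xcache.so/g /etc/php/conf.d/xcache.ini')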
Пример #55
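	def ssl_disable(self, data):
		"""Remove TLS settings from the site's first server block and call the site type's hook.

		The listen value ``443 ssl`` becomes ``80``; any other value only loses
		its trailing ``ssl`` flag. The GENESIS marker comment is rewritten with
		an http:// URL on the resulting port.
		"""
		name, stype = data.name, data.stype
		conf_path = '/etc/nginx/sites-available/'+name
		c = nginx.loadf(conf_path)
		server = c.servers[0]
		l = server.filter('Key', 'listen')[0]
		if l.value == '443 ssl':
			l.value = '80'
		else:
			# Drop only a trailing " ssl" flag. rstrip(' ssl') strips any run of
			# the characters ' ', 's' and 'l' and can eat into the address.
			value = l.value.rstrip()
			if value.endswith(' ssl'):
				value = value[:-len(' ssl')].rstrip()
			l.value = value
		port = l.value

		# Remove the TLS directives that are present; a directive that is
		# missing no longer aborts the whole operation.
		ssl_keys = []
		for key_name in ('ssl_certificate', 'ssl_certificate_key',
				'ssl_protocols', 'ssl_ciphers'):
			ssl_keys.extend(server.filter('Key', key_name))
		if ssl_keys:
			server.remove(*ssl_keys)

		c.filter('Comment')[0].comment = 'GENESIS %s http://%s:%s' \
			% (stype, data.addr, port)
		nginx.dumpf(c, conf_path)
		apis.webapps(self.app).get_interface(stype).ssl_disable(
			os.path.join('/srv/http/webapps', name))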
Пример #56
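def generate_config(sitename):
    """Build an nginx config that serves *sitename* through PHP over FastCGI.

    The config holds a ``php`` upstream pointing at a unix socket and one
    server listening on port 80 with its root at /var/www/<sitename>/htdocs.
    It is written to ``<sitename with dots replaced by underscores>.conf``
    (a relative path) and the result of ``nginx.dumpf`` is returned.

    :param sitename: site name, used in the document root and the file name.
    """
    # NOTE(review): sitename goes into a filesystem path and the output file
    # name unchecked; presumably the caller restricts it to a plain host
    # name - confirm.
    conf = nginx.Conf()

    # NOTE(review): the FastCGI socket lives in /tmp, which every local user
    # can write to; a root-owned runtime directory would keep another local
    # account from creating that path first. Left as is because the PHP side
    # has to use the same path.
    conf.add(nginx.Upstream(
        'php',
        nginx.Key('server', 'unix://tmp/php-fcgi.socket')
    ))

    robots = nginx.Location(
        '= /robots.txt',
        nginx.Key('allow', 'all'),
        nginx.Key('log_not_found', 'off'),
        nginx.Key('access_log', 'off')
    )
    php = nginx.Location(
        r'~ \.php$',
        # Only hand files that exist under the document root to PHP;
        # without this check PHP, not nginx, decides which file a
        # non-existent *.php path resolves to.
        nginx.Key('try_files', '$uri =404'),
        nginx.Key('include', 'fastcgi.conf'),
        nginx.Key('fastcgi_intercept_errors', 'on'),
        nginx.Key('fastcgi_pass', 'php')
    )

    server = nginx.Server()
    server.add(
        nginx.Key('listen', '80'),
        nginx.Key('root', '/var/www/%s/htdocs' % sitename),
        nginx.Key('index', 'index.php'),
        robots,
        php
    )
    conf.add(server)

    # str.replace works on Python 2 and 3; string.replace() exists only on 2.
    return nginx.dumpf(conf, '%s.conf' % sitename.replace('.', '_'))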
Пример #57
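	def ssl_enable(self, data, cpath, kpath):
		"""Turn on TLS for a site's nginx server block.

		Picks the cipher string (the certificate plugin's configured value, or
		the default below, which is stored back when the setting exists but is
		empty), rewrites the ``listen`` directive of the first server in
		/etc/nginx/sites-available/<data.name> to carry ``ssl``, adds a port-80
		server that 301-redirects to https when the site was on port 80,
		replaces any existing ``ssl_*`` keys with a fresh set, updates the
		leading GENESIS comment, saves the file and calls the site type's own
		``ssl_enable`` hook.

		:param data: site record; ``name``, ``stype`` and ``addr`` are read.
		:param cpath: value written to ``ssl_certificate``.
		:param kpath: value written to ``ssl_certificate_key``.
		"""
		from genesis.plugins.certificates.backend import CertControl
		# If no cipher preferences set, use the default ones
		# As per Mozilla recommendations, but substituting 3DES for RC4
		# NOTE(review): the DES-CBC3 (3DES) suites use a 64-bit block cipher
		# and are only worth keeping for legacy clients; drop them from this
		# default if none are expected.
		ciphers = ':'.join([
			'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES128-GCM-SHA256',
			'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-GCM-SHA384',
			'kEDH+AESGCM', 'ECDHE-RSA-AES128-SHA256',
			'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA',
			'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES256-SHA384',
			'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA',
			'ECDHE-ECDSA-AES256-SHA', 'DHE-RSA-AES128-SHA256',
			'DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA256',
			'DHE-DSS-AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA384',
			'ECDHE-RSA-DES-CBC3-SHA', 'ECDHE-ECDSA-DES-CBC3-SHA',
			'EDH-RSA-DES-CBC3-SHA', 'EDH-DSS-DES-CBC3-SHA',
			'DES-CBC3-SHA', 'HIGH', '!aNULL', '!eNULL', '!EXPORT', '!DES',
			'!RC4', '!MD5', '!PSK'
			])
		cfg = self.app.get_config(CertControl(self.app))
		if hasattr(cfg, 'ciphers') and cfg.ciphers:
			ciphers = cfg.ciphers
		elif hasattr(cfg, 'ciphers'):
			# Setting exists but is empty: persist the default so it is visible
			cfg.ciphers = ciphers
			cfg.save()

		name, stype = data.name, data.stype
		# NOTE(review): name is concatenated into a path and data.addr is
		# written into server_name/return directives without escaping;
		# presumably both are validated as plain host/site names before they
		# reach this method - confirm.
		conf_path = '/etc/nginx/sites-available/'+name
		c = nginx.loadf(conf_path)
		s = c.servers[0]
		l = s.filter('Key', 'listen')[0]
		if l.value == '80':
			l.value = '443 ssl'
			port = '443'
			# Keep port 80 answering, but only to send clients to https
			c.add(nginx.Server(
				nginx.Key('listen', '80'),
				nginx.Key('server_name', data.addr),
				nginx.Key('return', '301 https://%s$request_uri'%data.addr)
			))
			for x in c.servers:
				if x.filter('Key', 'listen')[0].value == '443 ssl':
					s = x
					break
		else:
			# Normalise to exactly one trailing " ssl"
			port = l.value.split(' ssl')[0]
			l.value = port + ' ssl'

		# Iterate over a copy: removing from the server's child list while
		# looping over it would skip the element after each removal.
		for x in list(s.all()):
			if isinstance(x, nginx.Key) and x.name.startswith('ssl_'):
				s.remove(x)
		s.add(
			nginx.Key('ssl_certificate', cpath),
			nginx.Key('ssl_certificate_key', kpath),
			# SSLv3 is no longer offered: it is prohibited by RFC 7568.
			# TLSv1 and TLSv1.1 are deprecated by RFC 8996 and stay only for
			# old clients; remove them once client support allows.
			nginx.Key('ssl_protocols', 'TLSv1 TLSv1.1 TLSv1.2'),
			nginx.Key('ssl_ciphers', ciphers),
			nginx.Key('ssl_session_timeout', '5m'),
			nginx.Key('ssl_prefer_server_ciphers', 'on'),
			nginx.Key('ssl_session_cache', 'shared:SSL:50m'),
			)
		c.filter('Comment')[0].comment = 'GENESIS %s https://%s:%s' \
			% (stype, data.addr, port)
		nginx.dumpf(c, conf_path)
		apis.webapps(self.app).get_interface(stype).ssl_enable(
			os.path.join('/srv/http/webapps', name), cpath, kpath)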