def write_vhost(appinfo):
import nginx
c = nginx.Conf()
s = nginx.Server()
s.add(
nginx.Comment('SSL conf added by freessl (https://github.com/alihusnainarshad)'),
nginx.Key('listen', '443 ssl http2'),
nginx.Key('listen', '[::]:443 ssl http2'),
nginx.Key('server_name', ' '.join(appinfo.get('valid_domains'))),
nginx.Key('brotli', 'on'),
nginx.Key('brotli_static', 'off'),
nginx.Key('brotli_min_length', '100'),
nginx.Key('brotli_buffers', '16 8k'),
nginx.Key('brotli_comp_level', '5'),
nginx.Key('brotli_types', '*'),
nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate', appinfo.get('cert_path')),
nginx.Key('ssl_certificate_key', appinfo.get('key_path')),
nginx.Key('ssl_prefer_server_ciphers', 'on'),
nginx.Key('ssl_session_timeout', '5m'),
nginx.Key('ssl_protocols', 'TLSv1.1 TLSv1.2'),
nginx.Key('ssl_stapling', 'on'),
nginx.Key('ssl_stapling_verify', 'on'),
nginx.Key('resolver', '8.8.8.8 8.8.4.4 valid=86400s'),
nginx.Key('resolver_timeout', '5s'),
nginx.Key('ssl_ciphers', '"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"'),
nginx.Key('ssl_ecdh_curve', 'secp384r1'),
nginx.Key('ssl_session_cache', 'shared:SSL:10m'),
nginx.Key('ssl_session_tickets', 'off'),
nginx.Key('ssl_dhparam', '/etc/nginx-rc/dhparam.pem'),
nginx.Key('include', '/etc/nginx-rc/conf.d/{}.d/main.conf'.format(appinfo.get('name')))
)
c.add(s)
nginx.dumpf(c, '{}/{}-ssl.conf'.format(appinfo.get('vhostdir'), appinfo.get('name')))
def base_server(self):
server = nginx.Server()
server.add(
nginx.Key('server_name', '0.0.0.0'),
nginx.Location('/', nginx.Key("try_files", "$uri @proxy_to_app")),
nginx.Location(
'@proxy_to_app',
nginx.Key('proxy_set_header',
"X-Forwarded-For $proxy_add_x_forwarded_for"),
nginx.Key('proxy_set_header', "X-Forwarded-Proto $scheme"),
nginx.Key('proxy_set_header', "Host $http_host"),
nginx.Key('proxy_redirect', "off"),
nginx.Key('add_header', "Last-Modified $date_gmt"),
nginx.Key(
'add_header',
"Cache-Control 'no-store, no-cache, must-revalidate, "
"proxy-revalidate, max-age=0'"),
nginx.Key('if_modified_since', "off"),
nginx.Key('expires', "off"),
nginx.Key('etag', "off"),
nginx.Key('proxy_no_cache', "1"),
nginx.Key('proxy_cache_bypass', "1"),
nginx.Key('proxy_pass', f"http://base_server"),
),
nginx.Location("/static/", nginx.Key('autoindex', 'on'),
nginx.Key('alias', '/var/www/static/'),
nginx.Key('add_header', 'Cache-Control no-cache')),
nginx.Location("/media/", nginx.Key('autoindex', 'on'),
nginx.Key('alias', '/var/www/media/'),
nginx.Key('add_header', 'Cache-Control no-cache')),
)
server.add(nginx.Key("listen", '8018'))
server.add(nginx.Key("listen", '[::]:8018'))
self.config.add(server)
def create_acme_dummy(domain):
"""
Create a dummy directory to use for serving ACME challenge data.
This function is used when no website yet exists for the desired domain.
:param str domain: Domain name to use
:returns: Path to directory for challenge data
"""
site_dir = os.path.join(config.get("websites", "site_dir"),
"acme-" + domain)
challenge_dir = os.path.join(site_dir, ".well-known/acme-challenge")
conf = nginx.Conf(
nginx.Server(
nginx.Key("listen", "80"), nginx.Key("listen", "[::]:80"),
nginx.Key("server_name", domain), nginx.Key("root", site_dir),
nginx.Location("/.well-known/acme-challenge/",
nginx.Key("root", site_dir))))
origin = os.path.join("/etc/nginx/sites-available", "acme-" + domain)
target = os.path.join("/etc/nginx/sites-enabled", "acme-" + domain)
uid = users.get_system("http").uid
nginx.dumpf(conf, origin)
if not os.path.exists(target):
os.symlink(origin, target)
if not os.path.exists(challenge_dir):
os.makedirs(challenge_dir)
os.chown(site_dir, uid, -1)
os.chown(os.path.join(site_dir, ".well-known"), uid, -1)
os.chown(challenge_dir, uid, -1)
tracked_services.register("acme", domain, domain + "(ACME Validation)",
"globe", [('tcp', 80)], 2)
nginx_reload()
return challenge_dir
def nginx_add(self, site, add):
if site.path == '':
site.path = os.path.join('/srv/http/webapps/', site.name)
c = nginx.Conf()
s = nginx.Server(
nginx.Key('listen', site.port),
nginx.Key('server_name', site.addr),
nginx.Key('root', site.path),
nginx.Key('index', 'index.'+('php' if site.php else 'html'))
)
if add:
s.add(*[x for x in add])
c.add(s)
nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', site.name))
# Write configuration file with info Genesis needs to know the site
f = open(os.path.join('/etc/nginx/sites-available', '.'+site.name+'.ginf'), 'w')
c = ConfigParser.SafeConfigParser()
c.add_section('website')
c.set('website', 'name', site.name)
c.set('website', 'stype', site.stype)
c.set('website', 'ssl', '')
c.set('website', 'version', site.version if site.version else 'None')
c.set('website', 'dbengine', site.dbengine if site.dbengine else '')
c.set('website', 'dbname', site.dbname if site.dbname else '')
c.set('website', 'dbuser', site.dbuser if site.dbuser else '')
c.write(f)
f.close()
def create_nginx_config_for_domain(domain, subdomains, subdomain_dir,
forward_others, use_ssl, cert_dir):
c = nginx.Conf()
c.add(nginx.Comment(generation_comment('NGINX config', domain)))
for subdomain in subdomains:
c.add(
nginx.Key('include',
str(subdomain_dir / '{}.cfg'.format(subdomain))))
if forward_others is not None:
others = nginx.Server()
others.add(
nginx.Comment('Forward remaining (sub)domains to ' +
forward_others),
nginx.Key('server_name',
'{domain} *.{domain}'.format(domain=domain)),
nginx.Key('return', '302 {}$request_uri'.format(forward_others)),
nginx.Key('listen', '80'))
if use_ssl:
others.add(
nginx.Comment('use_ssl = True'),
nginx.Key('listen', '443 ssl'), nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate',
str(cert_dir / 'certificate.crt')),
nginx.Key('ssl_certificate_key',
str(cert_dir / 'certificate.key')))
c.add(others)
return c
def nginx_edit(self, oldsite, site):
# Update the nginx serverblock
c = nginx.loadf(os.path.join('/etc/nginx/sites-available', oldsite.name))
s = c.servers[0]
if oldsite.ssl and oldsite.port == '443':
for x in c.servers:
if x.filter('Key', 'listen')[0].value == '443 ssl':
s = x
if site.port != '443':
for x in c.servers:
if not 'ssl' in x.filter('Key', 'listen')[0].value \
and x.filter('key', 'return'):
c.remove(x)
elif site.port == '443':
c.add(nginx.Server(
nginx.Key('listen', '80'),
nginx.Key('server_name', site.addr),
nginx.Key('return', '301 https://%s$request_uri'%site.addr)
))
s.filter('Key', 'listen')[0].value = site.port+' ssl' if site.ssl else site.port
s.filter('Key', 'server_name')[0].value = site.addr
s.filter('Key', 'root')[0].value = site.path
s.filter('Key', 'index')[0].value = 'index.php' if site.php else 'index.html'
nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', oldsite.name))
# If the name was changed, rename the folder and files
if site.name != oldsite.name:
if os.path.exists(os.path.join('/srv/http/webapps', site.name)):
shutil.rmtree(os.path.join('/srv/http/webapps', site.name))
shutil.move(os.path.join('/srv/http/webapps', oldsite.name),
os.path.join('/srv/http/webapps', site.name))
shutil.move(os.path.join('/etc/nginx/sites-available', oldsite.name),
os.path.join('/etc/nginx/sites-available', site.name))
self.nginx_disable(oldsite, reload=False)
self.nginx_enable(site)
self.nginx_reload()
def test():
return nginx.Conf(
nginx.Server(
nginx.Comment('This is a test comment'),
nginx.Key('server_name', 'localhost'),
nginx.Key('root', '/var/www'),
nginx.Location('/', nginx.Key('test', 'true'),
nginx.Key('test2', 'false'))))
def servers(self, port):
for server_data in self.servers:
server = nginx.Server()
domain = server_data.get("domain", "")
if port == 80 and server_data.get("is_ssl_certificate", False):
server.add(
nginx.Key('server_name', domain),
nginx.Key('return', "301 https://$host$request_uri"),
)
server.add(nginx.Key("listen", f'{port}'))
server.add(nginx.Key("listen", f'[::]:{port}'))
else:
if server_data.get("is_ssl_certificate", False):
server.add(
nginx.Key(
'include',
f'/etc/nginx/conf.d/ssl_certificate/{domain}.*'), )
server.add(
nginx.Key('server_name', domain),
nginx.Location(
'/', nginx.Key("try_files", "$uri @proxy_to_app")),
nginx.Location(
'@proxy_to_app',
nginx.Key('rewrite', f"^ /{domain}$request_uri break"),
nginx.Key(
'proxy_set_header',
"X-Forwarded-For $proxy_add_x_forwarded_for"),
nginx.Key('proxy_set_header',
"X-Forwarded-Proto $scheme"),
nginx.Key('proxy_set_header', "Host $http_host"),
nginx.Key('add_header', "Last-Modified $date_gmt"),
nginx.Key(
'add_header',
"Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'"
),
nginx.Key('if_modified_since', "off"),
nginx.Key('expires', "off"),
nginx.Key('etag', "off"),
nginx.Key('proxy_no_cache', "1"),
nginx.Key('proxy_cache_bypass', "1"),
nginx.Key('proxy_redirect', "off"),
nginx.Key('proxy_pass', f"http://base_server"),
),
nginx.Location(
"/static/", nginx.Key('autoindex', 'on'),
nginx.Key('alias', '/var/www/static/'),
nginx.Key('add_header', 'Cache-Control no-cache')),
nginx.Location(
"/media/", nginx.Key('autoindex', 'on'),
nginx.Key('alias', '/var/www/media/'),
nginx.Key('add_header', 'Cache-Control no-cache')),
)
server.add(nginx.Key("listen", f'{port} ssl'))
server.add(nginx.Key("listen", f'[::]:{port}'))
self.config.add(server)
def create_nginx_config_for_subdomain(domain, subdomain, destination, use_ssl,
force_ssl, cert_dir):
full_domain = '{sub}.{main}'.format(main=domain, sub=subdomain)
c = nginx.Conf()
c.add(nginx.Comment(generation_comment('NGINX config', full_domain)))
if use_ssl and force_ssl:
non_ssl = nginx.Server()
non_ssl.add(nginx.Comment('force_ssl = True'),
nginx.Key('listen', '80'),
nginx.Key('server_name', full_domain),
nginx.Key('return', '301 https://$host$request_uri'))
c.add(non_ssl)
main = nginx.Server()
if not force_ssl:
main.add(nginx.Comment('force_ssl = False'), nginx.Key('listen', '80'))
proto = 'http'
if use_ssl:
proto = 'https'
main.add(
nginx.Comment('use_ssl = True'), nginx.Key('listen', '443 ssl'),
nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate', str(cert_dir / 'certificate.crt')),
nginx.Key('ssl_certificate_key',
str(cert_dir / 'certificate.key')))
main.add(
nginx.Key('server_name', full_domain),
nginx.Location(
'/', nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'),
nginx.Key('proxy_set_header', 'Connection $connection_upgrade'),
nginx.Key('proxy_pass', destination),
nginx.Key('proxy_read_timeout', '90'),
nginx.Key(
'proxy_redirect',
'{dst} {proto}://{full}'.format(dst=destination,
full=full_domain,
proto=proto))))
c.add(main)
return c
def _edit_nginx_entry(project_root_dir, rev_proxy_container, model_name, hostname, ip_port, old_hostname = None):
conf_dir = _copy_down_nginx_conf(project_root_dir, rev_proxy_container)
try:
conf_file = _build_relative_path(conf_dir,'nginx.conf')
c = _nginx.loadf(conf_file)
http = c.filter('Http')[0]
endpoint_url = '/{}/'.format(model_name)
# check for existing upstream entry for item, edit as needed
if old_hostname is not None:
for ups in http.filter('Upstream'):
if ups.value == old_hostname:
http.remove(ups)
# create new hostname entry
upstream = _nginx.Upstream(hostname)
upstream.add(_nginx.Key('server', ip_port))
http.add(
upstream
)
# check for existing location entry and remove if present
servers = http.filter('Server')
add2http = False
if len(servers) > 0:
server = servers[0]
for loc in server.filter('Location'):
if loc.value == endpoint_url:
server.remove(loc)
else:
add2http = True
server = _nginx.Server()
server.add(_nginx.Key('listen', '5000'))
location = _nginx.Location(endpoint_url)
location.add(
_nginx.Key('proxy_pass', 'http://{}/'.format(hostname)),
_nginx.Key('proxy_redirect', 'off'),
_nginx.Key('proxy_set_header', 'Host $host'),
_nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
_nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
_nginx.Key('proxy_set_header', 'X-Forwarded-Host $server_name')
)
server.add(location)
if add2http:
http.add(server)
_nginx.dumpf(c, conf_file)
_copy_up_nginx_conf(project_root_dir, conf_dir, rev_proxy_container)
# reload nginx on server
rev_proxy_container.exec_run('/usr/sbin/nginx', detach = True)
rev_proxy_container.exec_run('/usr/sbin/nginx -s reload', detach = True)
finally:
_shutil.rmtree(conf_dir, ignore_errors=True)
def write_conf(app):
print(bcolors.OKBLUE + 'Writing NGINX vhost file for the app ' +
bcolors.BOLD + app.get('appname') + bcolors.ENDC)
appname = app.get('appname')
root = app.get('root')
username = app.get('username', 'serverpilot')
confname = vhostsdir + appname + '-ssl.conf'
domains = app.get('domains')
c = nginx.Conf()
s = nginx.Server()
s.add(
nginx.Comment(
'SSL conf added by rwssl (https://github.com/rehmatworks/serverpilot-letsencrypt)'
),
nginx.Key('listen', '443 ssl http2'),
nginx.Key('listen', '[::]:443 ssl http2'),
nginx.Key('server_name', ' '.join(domains)),
nginx.Key('ssl', 'on'),
nginx.Key('ssl_certificate',
app.get('certpath') + '/fullchain.pem'),
nginx.Key('ssl_certificate_key',
app.get('certpath') + '/privkey.pem'),
nginx.Key('root', root),
nginx.Key(
'access_log', '/srv/users/' + username + '/log/' + appname +
'/dev_nginx.access.log main'),
nginx.Key(
'error_log', '/srv/users/' + username + '/log/' + appname +
'/dev_nginx.error.log'),
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'X-Forwarded-SSL on'),
nginx.Key('proxy_set_header', 'X-Forwarded-Proto $scheme'),
nginx.Key('include',
'/etc/nginx-sp/vhosts.d/' + appname + '.d/*.conf'),
)
c.add(s)
try:
nginx.dumpf(c, confname)
print(bcolors.OKGREEN + 'Virtual host file created!' + bcolors.ENDC)
print(bcolors.OKBLUE + 'Reloading NGINX server...' + bcolors.ENDC)
reload_nginx_sp()
print(bcolors.OKGREEN +
'SSL should have been installed and activated for the app ' +
bcolors.BOLD + app.get('appname') + bcolors.ENDC)
return True
except:
print(bcolors.FAIL + 'Virtual host file cannot be created!' +
bcolors.ENDC)
return False
def nginxConfGenerator(instances, options):
c = nginx.Conf()
for instance in instances:
s = nginx.Server()
s.add(
nginx.Key('listen', '80'),
nginx.Key('server_name',
'nxt-mq-' + instance[1] + '.ies.inventec'),
nginx.Location('/', nginx.Key('proxy_pass',
'http://' + instance[0] + ':15672')),
)
c.add(s)
nginx.dumpf(c, os.path.dirname(os.path.abspath(__file__)) + '/nginx.conf')
return
def generate_nginx_config(self):
c = nginx.Conf()
u = nginx.Upstream('loadbalancer', nginx.Key('least_conn', ''))
ip_addr = get_ip_address()
for server_idx in range(self.n_endpoints):
u.add(
nginx.Key('server', f'{ip_addr}:{self.src_port + server_idx}'))
s = nginx.Server(
nginx.Location('/', nginx.Key('proxy_pass',
'http://loadbalancer')))
loc = nginx.Location('/favicon.ico', nginx.Key('log_not_found', 'off'),
nginx.Key('access_log', 'off'))
c.add(u)
s.add(loc)
c.add(s)
nginx.dumpf(c, 'dockerfiles/loadbalancer/nginx.conf')
def nginx_add(self, site, add):
if site.path == '':
site.path = os.path.join('/srv/http/webapps/', site.name)
c = nginx.Conf()
c.add(
nginx.Comment(
'GENESIS %s %s' %
(site.stype, 'http://' + site.addr + ':' + site.port)))
s = nginx.Server(
nginx.Key('listen', site.port), nginx.Key('server_name',
site.addr),
nginx.Key('root', site.path),
nginx.Key('index', 'index.' + ('php' if site.php else 'html')))
if add:
s.add(*[x for x in add])
c.add(s)
nginx.dumpf(c, os.path.join('/etc/nginx/sites-available', site.name))
def add():
data = request.get_json()
input_port = data['input_port']
upstream = data['upstream'] + ":" + data['upstream_port']
path = "/config/" + input_port + ".conf"
c = nginx.Conf()
s = nginx.Server()
s.add(
nginx.Key('listen', input_port),
nginx.Key('proxy_pass', upstream),
nginx.Key('proxy_protocol', 'on'),
)
c.add(s)
nginx.dumpf(c, path)
return "Done!"
def test_create():
c = nginx.Conf()
u = nginx.Upstream('php', nginx.Key('server', 'unix:/tmp/php-fcgi.socket'),
nginx.Key('server', '10.0.2.1'))
u.add(nginx.Key('server', '101.0.2.1'))
c.add(u)
s = nginx.Server()
s.add(
nginx.Key('listen', '80'),
nginx.Comment('Yes, python-nginx can read/write comments!'),
nginx.Key('server_name', 'localhost 127.0.0.1'),
nginx.Key('root', '/srv/http'), nginx.Key('index', 'index.php'),
nginx.Location('= /robots.txt', nginx.Key('allow', 'all'),
nginx.Key('log_not_found', 'off'),
nginx.Key('access_log', 'off')),
nginx.Location('~ \.php$', nginx.Key('include', 'fastcgi.conf'),
nginx.Key('fastcgi_intercept_errors', 'on'),
nginx.Key('fastcgi_pass', 'php')))
c.add(s)
nginx.dumpf(c, 'mysite')
def create_nginx_config(nginx_port, app_name):
c = nginx.Conf()
e = nginx.Events()
e.add(nginx.Key('worker_connections', '1024'))
c.add(e)
h = nginx.Http()
u = nginx.Upstream(app_name)
h.add(u)
s = nginx.Server()
s.add(
nginx.Key('listen', str(nginx_port)),
nginx.Key('server_name', app_name),
nginx.Location('/', nginx.Key('proxy_pass', 'http://' + app_name),
nginx.Key('proxy_set_header', 'Host $host')))
h.add(s)
c.add(h)
nginx.dumpf(c, nginx_configs_dir + "/" + app_name + '/nginx.conf')
def ssl_enable(self, data, cname, cpath, kpath):
# If no cipher preferences set, use the default ones
# As per Mozilla recommendations, but substituting 3DES for RC4
from genesis.plugins.certificates.backend import CertControl
ciphers = ':'.join([
'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES256-GCM-SHA384',
'kEDH+AESGCM', 'ECDHE-RSA-AES128-SHA256',
'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA',
'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES256-SHA384',
'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA',
'ECDHE-ECDSA-AES256-SHA', 'DHE-RSA-AES128-SHA256',
'DHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA256',
'DHE-DSS-AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA384',
'ECDHE-RSA-DES-CBC3-SHA', 'ECDHE-ECDSA-DES-CBC3-SHA',
'EDH-RSA-DES-CBC3-SHA', 'EDH-DSS-DES-CBC3-SHA',
'DES-CBC3-SHA', 'HIGH', '!aNULL', '!eNULL', '!EXPORT', '!DES',
'!RC4', '!MD5', '!PSK'
])
cfg = self.app.get_config(CertControl(self.app))
if hasattr(cfg, 'ciphers') and cfg.ciphers:
ciphers = cfg.ciphers
elif hasattr(cfg, 'ciphers'):
cfg.ciphers = ciphers
cfg.save()
name, stype = data.name, data.stype
port = '443'
c = nginx.loadf('/etc/nginx/sites-available/'+name)
s = c.servers[0]
l = s.filter('Key', 'listen')[0]
if l.value == '80':
l.value = '443 ssl'
port = '443'
c.add(nginx.Server(
nginx.Key('listen', '80'),
nginx.Key('server_name', data.addr),
nginx.Key('return', '301 https://%s$request_uri'%data.addr)
))
for x in c.servers:
if x.filter('Key', 'listen')[0].value == '443 ssl':
s = x
break
else:
port = l.value.split(' ssl')[0]
l.value = l.value.split(' ssl')[0] + ' ssl'
for x in s.all():
if type(x) == nginx.Key and x.name.startswith('ssl_'):
s.remove(x)
s.add(
nginx.Key('ssl_certificate', cpath),
nginx.Key('ssl_certificate_key', kpath),
nginx.Key('ssl_protocols', 'SSLv3 TLSv1 TLSv1.1 TLSv1.2'),
nginx.Key('ssl_ciphers', ciphers),
nginx.Key('ssl_session_timeout', '5m'),
nginx.Key('ssl_prefer_server_ciphers', 'on'),
nginx.Key('ssl_session_cache', 'shared:SSL:50m'),
)
g = ConfigParser.SafeConfigParser()
g.read(os.path.join('/etc/nginx/sites-available', '.'+name+'.ginf'))
g.set('website', 'ssl', cname)
g.write(open(os.path.join('/etc/nginx/sites-available', '.'+name+'.ginf'), 'w'))
nginx.dumpf(c, '/etc/nginx/sites-available/'+name)
apis.webapps(self.app).get_interface(stype).ssl_enable(
os.path.join('/srv/http/webapps', name), cpath, kpath)
def start(args):
global path
global conPicDict
global firstTimeNginx
global firstTimeNetcat
processDocker = subprocess.Popen(["docker", "start"]+ [args[1]], stdout = subprocess.PIPE)
output = processDocker.communicate()
#get the image_name and the Cmds
processCmd = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Cmd}}'", ""+ args[1]], stdout = subprocess.PIPE)
cmd = processCmd.communicate()[0]
cmd = cmd.split("'")[1]
processImageName = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Image}}'", ""+ args[1]], stdout = subprocess.PIPE)
imageName = processImageName.communicate()[0]
imageName = imageName.split("'")[1]
#conPicDict[args[1]] = ["docker","start"] + [args[1]]
conPicDict[args[1]] = [imageName,cmd] + [args[1]]
#args[1] is gonna be the worker name, ex: worker1
isNginx = False
if(imageName == 'nginx:alpine'):
isNginx = True
#if both firstimes are false we add the server to both upstreams so it runs
c = nginx.loadf(path+'/load-balancer/nginx.conf')
HttpFilter = ((c.filter('Http')[0]))
if(isNginx):
if(firstTimeNginx == False):
#make upstream make worker add worker to upstream add upstream
#to the http
nginxUpstream = nginx.Upstream('nginx')
worker = nginx.Key('server', args[1]+":80")
nginxUpstream.add(worker)
HttpFilter.add(nginxUpstream)
#when we make upstream for first time we also make server server
s = nginx.Server()
s.add(nginx.Key('listen','8100'),nginx.Location('/' , nginx.Key('proxy_pass','http://nginx'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name')))
HttpFilter.add(s)
#dumping
firstTimeNginx = True
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
else:
upstreamSearch = HttpFilter.filter('Upstream')
j = 0
found = False
for key in upstreamSearch:
if(((key.as_dict).keys())[0] == 'upstream nginx'):
found = True
break
j = j + 1
worker = nginx.Key('server', args[1]+":80")
if(found):
upstreamSearch[j].add(worker)
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
else:
if(firstTimeNetcat == False):
#make upstream make worker add worker to upstream add upstream
#to the http
nginxUpstream = nginx.Upstream('netcat')
worker = nginx.Key('server', args[1]+":80")
nginxUpstream.add(worker)
HttpFilter.add(nginxUpstream)
#when we make upstream for first time we also make server server
s = nginx.Server()
s.add(nginx.Key('listen','8101'),nginx.Location('/' , nginx.Key('proxy_pass','http://netcat'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name')))
HttpFilter.add(s)
#dumping
firstTimeNetcat = True
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
else:
upstreamSearch = HttpFilter.filter('Upstream')
j = 0
found = False
for key in upstreamSearch:
if(((key.as_dict).keys())[0] == 'upstream netcat'):
found = True
break
j = j + 1
worker = nginx.Key('server', args[1]+":80")
if(found):
upstreamSearch[j].add(worker)
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
#now kill,rm,build,run
loadBalReset()
def run(args):
global conPicDict
global workerCounter
global firstTimeNginx
global firstTimeNetcat
global path
#args[1] is image name
#args[2] is container name
#args[3]+ is the commands
processDocker = subprocess.Popen(["docker","run","--name", "worker"+str(workerCounter)] + args[1:], stdout = subprocess.PIPE)
output = processDocker.communicate()
#connect container to network bridge conNet
processNetConnect = subprocess.Popen(["docker","network","connect", "conNet","worker"+str(workerCounter)], stdout = subprocess.PIPE)
output = processNetConnect.communicate()
#get the image_name and the Cmds
processCmd = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Cmd}}'", "worker"+str(workerCounter)], stdout = subprocess.PIPE)
cmd = processCmd.communicate()[0]
cmd = cmd.split("'")[1]
processImageName = subprocess.Popen(["docker", "inspect" ,"-f","'{{.Config.Image}}'", "worker"+str(workerCounter)], stdout = subprocess.PIPE)
imageName = processImageName.communicate()[0]
imageName = imageName.split("'")[1]
conPicDict["worker"+str(workerCounter)] = [imageName,cmd] + ["worker"+str(workerCounter)]
conPicDict['count'] = workerCounter
#everytime we run a container we add it to the load balancer by editing
#the nginx.conf file then we have to kill, rm, rebuild and rerun loadBal
#checks if its nginx or netcat(anything else)
isNginx = False
if(imageName == 'nginx:alpine'):
isNginx = True
#if both firstimes are false we add the server to both upstreams so it runs
c = nginx.loadf(path+'/load-balancer/nginx.conf')
HttpFilter = ((c.filter('Http')[0]))
if(isNginx):
if(firstTimeNginx == False):
#make upstream make worker add worker to upstream add upstream
#to the http
nginxUpstream = nginx.Upstream('nginx')
worker = nginx.Key('server', "worker"+str(workerCounter)+":80")
nginxUpstream.add(worker)
HttpFilter.add(nginxUpstream)
#when we make upstream for first time we also make server server
s = nginx.Server()
s.add(nginx.Key('listen','8100'),nginx.Location('/' , nginx.Key('proxy_pass','http://nginx'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name')))
HttpFilter.add(s)
#dumping
firstTimeNginx = True
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
else:
upstreamSearch = HttpFilter.filter('Upstream')
j = 0
found = False
for key in upstreamSearch:
if(((key.as_dict).keys())[0] == 'upstream nginx'):
found = True
break
j = j + 1
worker = nginx.Key('server', "worker"+str(workerCounter)+":80")
if(found):
upstreamSearch[j].add(worker)
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
else:
if(firstTimeNetcat == False):
#make upstream make worker add worker to upstream add upstream
#to the http
nginxUpstream = nginx.Upstream('netcat')
worker = nginx.Key('server', "worker"+str(workerCounter)+":80")
nginxUpstream.add(worker)
HttpFilter.add(nginxUpstream)
#when we make upstream for first time we also make server server
s = nginx.Server()
s.add(nginx.Key('listen','8101'),nginx.Location('/' , nginx.Key('proxy_pass','http://netcat'), nginx.Key('proxy_redirect','off'),nginx.Key('proxy_set_header','Host $host'), nginx.Key('proxy_set_header','X-Real_IP $remote_addr'), nginx.Key('proxy_set_header','X-Forwarded-For $proxy_add_x_forwarded_for'), nginx.Key('proxy_set_header','X-Forwarded-Host $server_name')))
HttpFilter.add(s)
#dumping
firstTimeNetcat = True
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
else:
upstreamSearch = HttpFilter.filter('Upstream')
j = 0
found = False
for key in upstreamSearch:
if(((key.as_dict).keys())[0] == 'upstream netcat'):
found = True
break
j = j + 1
worker = nginx.Key('server', "worker"+str(workerCounter)+":80")
if(found):
upstreamSearch[j].add(worker)
nginx.dumpf(c, path+'/load-balancer/nginx.conf')
#now kill,rm,build,run
loadBalReset()
#increment workerCounter
workerCounter = workerCounter + 1
def _execute(command):
config = FileUtils.get_instance('config.ini')
nginx_conf_dir = config.get_prop("nginx-config", "nginx_conf_dir")
nginx_conf_dir_bak = config.get_prop("nginx-config", "nginx_conf_dir_bak")
os.system('mkdir -p ' + nginx_conf_dir)
os.system('cp -r ' + nginx_conf_dir + nginx_conf_dir_bak)
os.system('rm -rf ' + nginx_conf_dir + '*')
state = '0'
try:
for k1 in command:
upstreamName = k1["upstreamName"]
upstreamNode = json.loads(k1["upstreamNode"])
fileName = nginx_conf_dir + upstreamName + '.conf'
os.system('touch ' + fileName)
c = nginx.Conf()
LogUtil.info("Node信息:%s" % (upstreamNode))
t = ''
for k2 in range(len(upstreamNode)):
if (k2 == 0):
t = 'server' + ' ' + upstreamNode[k2][
"ipAdress"] + ' ' + upstreamNode[k2]["strategy"] + ';\n'
if (0 < k2 < len(upstreamNode) - 1):
t = t + ' ' + 'server' + ' ' + upstreamNode[k2][
"ipAdress"] + ' ' + upstreamNode[k2]["strategy"] + ';\n'
if (k2 == len(upstreamNode) - 1):
t = t + ' ' + 'server' + ' ' + upstreamNode[k2][
"ipAdress"] + ' ' + upstreamNode[k2]["strategy"]
ipHash = k1["ipHash"]
if (ipHash == '1'):
u = nginx.Upstream(upstreamName, nginx.Key('', t),
nginx.Key('', 'ip_hash'))
c.add(u)
if (ipHash == '0'):
u = nginx.Upstream(upstreamName, nginx.Key('', t))
c.add(u)
s = nginx.Server()
s.add(
nginx.Key('listen', k1["nginxListenPort"]),
nginx.Key('server_name', k1["nginxServerName"]),
nginx.Key('access_log', k1["accessLog"]),
nginx.Location(
'= /',
nginx.Key('proxy_pass', 'http://' + k1["upstreamName"]),
nginx.Key('proxy_redirect', 'off'),
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for')))
c.add(s)
nginx.dumpf(c, fileName)
LogUtil.info("完成Nginx配置")
output = os.popen('service nginx restart').read()
state = '1'
param = [
"{\"mac\":\"" + MachineUtil.get_mac_address() + "\",\"state\":\"" +
state + "\",\"msg\":\"" + output + "\"}"
]
os.system('rm -rf ' + nginx_conf_dir_bak)
AosServerService.route_service("ThriftApiService", "nginxLog", param)
except Exception, ex:
LogUtil.error(ex)
os.system('rm -rf ' + nginx_conf_dir)
os.system('mv ' + nginx_conf_dir_bak + nginx_conf_dir)
os.system('service nginx restart')
output = ex.message
state = '2'
param = [
"{\"mac\":\"" + MachineUtil.get_mac_address() + "\",\"state\":\"" +
state + "\",\"msg\":\"" + output + "\"}"
]
AosServerService.route_service("ThriftApiService", "nginxLog", param)
def rebuild_sites(self):
""" Turns jack's site json files into useable nginx configuration files """
for uuid, site_config in self.configs.items():
maintenance_mode = 'maintenance' in site_config and site_config['maintenance']
nginx_config = nginx.Conf()
# Add some comments so anyone who looks in the nginx config
# knows what's going on
nginx_config.add(nginx.Comment('Generated by Prism CP. Any changes will be overwritten!'))
nginx_config.add(nginx.Comment('Site ID: %s' % site_config['id']))
server_block = nginx.Server()
if 'listen' in site_config:
for port in site_config['listen']:
server_block.add(nginx.Key('listen', port))
if 'hostname' in site_config:
server_block.add(nginx.Key('server_name', site_config['hostname']))
site_folder = os.path.join(self._jack_plugin.site_files_location, uuid)
# Sets the root and logs to the site's folder
server_block.add(nginx.Key('access_log', os.path.join(site_folder, 'access.log')))
server_block.add(nginx.Key('error_log', os.path.join(site_folder, 'error.log')))
if 'root' in site_config:
root_folder = os.path.join(site_folder, site_config['root'])
if not os.path.exists(root_folder):
os.makedirs(root_folder)
server_block.add(nginx.Key('root', root_folder))
if 'index' in site_config:
server_block.add(nginx.Key('index', site_config['index']))
# If the site is in maintenance mode, redirect everything to 503
if maintenance_mode:
server_block.add(nginx.Location('/',
nginx.Key('return', 503)))
else:
for path, items in site_config['locations'].items():
location_items = []
for item, content in items.items():
if isinstance(content, tuple) or isinstance(content, list):
for c in content:
location_items.append(nginx.Key(item, c))
else:
location_items.append(nginx.Key(item, content))
server_block.add(nginx.Location(path, *location_items))
# Error page blocks
server_block.add(nginx.Key('error_page', '400 /error/400.html'))
server_block.add(nginx.Key('error_page', '403 /error/403.html'))
server_block.add(nginx.Key('error_page', '404 /error/404.html'))
server_block.add(nginx.Key('error_page', '408 /error/408.html'))
server_block.add(nginx.Key('error_page', '500 /error/500.html'))
server_block.add(nginx.Key('error_page', '502 /error/502.html'))
server_block.add(nginx.Key('error_page', '503 /error/503.html'))
server_block.add(nginx.Location('^~ /error/',
nginx.Key('root', self.sites_default),
nginx.Key('internal', '')))
nginx_config.add(server_block)
# Dump to nginx's config location
nginx.dumpf(nginx_config, os.path.join(self.config_location, site_config['uuid'] + '.conf'))
# Reload nginx so it picks up the changes
prism.os_command('systemctl reload nginx.service')
def BuildNginxConfiguration(self, server, api_services, clients,
identity_services):
print("Configuring Nginx Server")
serverConfig = server['config']
config = nginx.Conf()
# Add Root Configurations
for key, value in serverConfig.items():
if (not isinstance(value, dict)):
config.add(nginx.Key(key, value))
events = nginx.Events()
httpConf = nginx.Http()
# Add Event Configurations
if ('events' in serverConfig):
for key, value in serverConfig['events'].items():
events.add(nginx.Key(key, value))
config.add(events)
# Add Http Configurations
if ('http' in serverConfig):
for key, value in serverConfig['http'].items():
httpConf.add(nginx.Key(key, value))
# Add Services To Http
for api_service in api_services:
nginxServer = nginx.Server(
nginx.Key('listen', '80'),
nginx.Key('server_name',
str.lower(api_service['name']) + '.localhost'),
)
proxy_pass = '******' + api_service['name'] + ':' + str(
api_service['port']) + '/'
location = nginx.Location(
'/', nginx.Key('proxy_http_version', '1.1'),
nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'),
nginx.Key('proxy_set_header', 'Connection keep-alive'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-NginX-Proxy true'),
nginx.Key('proxy_pass', proxy_pass))
nginxServer.add(location)
httpConf.add(nginxServer)
for i_service in identity_services:
nginxServer = nginx.Server(
nginx.Key('listen', '80'),
nginx.Key('server_name',
str.lower(i_service['name']) + '.localhost'),
)
#pylint: disable-msg=E1121
proxy_pass = '******' + i_service['name'] + ':' + str(
i_service['port']) + '/'
location = nginx.Location(
'/', nginx.Key('proxy_http_version', '1.1'),
nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'),
nginx.Key('proxy_set_header', 'Connection keep-alive'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-NginX-Proxy true'),
nginx.Key('proxy_pass', proxy_pass))
nginxServer.add(location)
httpConf.add(nginxServer)
for client in clients:
nginxServer = nginx.Server(
nginx.Key('listen', '80'),
nginx.Key('server_name',
str.lower(client['name']) + '.localhost'),
)
#pylint: disable-msg=E1121
proxy_pass = '******' + client['name'] + ':' + str(
client['port']) + '/'
location = nginx.Location(
'/', nginx.Key('proxy_http_version', '1.1'),
nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'),
nginx.Key('proxy_set_header', 'Connection keep-alive'),
nginx.Key('proxy_set_header',
'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-NginX-Proxy true'),
nginx.Key('proxy_pass', proxy_pass))
nginxServer.add(location)
httpConf.add(nginxServer)
config.add(httpConf)
return config
def _ssl_enable(self):
# Get server-preferred ciphers
if config.get("certificates", "ciphers"):
ciphers = config.get("certificates", "ciphers")
else:
config.set("certificates", "ciphers", ciphers)
config.save()
block = nginx.loadf(
os.path.join("/etc/nginx/sites-available/", self.id))
# If the site is on port 80, setup an HTTP redirect to new port 443
server = block.server
listens = server.filter("Key", "listen")
for listen in listens:
httport = "80"
sslport = "443"
if listen.value.startswith("[::]"):
# IPv6
httport = "[::]:80"
sslport = "[::]:443"
if listen.value == httport:
listen.value = (sslport + " ssl http2")
block.add(
nginx.Server(
nginx.Key("listen", httport),
nginx.Key("server_name", self.domain),
nginx.Location(
"/",
nginx.Key("return",
"301 https://$host$request_uri")),
nginx.Location("/.well-known/acme-challenge/",
nginx.Key("root", self.path))))
for x in block.servers:
if " ssl" in x.filter("Key", "listen")[0].value:
server = x
break
else:
listen.value = listen.value.split(" ssl")[0] + " ssl http2"
# Clean up any pre-existing SSL directives that no longer apply
to_remove = [x for x in server.keys if x.name.startswith("ssl_")]
server.remove(*to_remove)
# Add the necessary SSL directives to the serverblock and save
server.add(
nginx.Key("ssl_certificate", self.cert.cert_path),
nginx.Key("ssl_certificate_key", self.cert.key_path),
nginx.Key("ssl_protocols", "TLSv1 TLSv1.1 TLSv1.2"),
nginx.Key("ssl_ciphers", ciphers),
nginx.Key("ssl_session_timeout", "5m"),
nginx.Key("ssl_prefer_server_ciphers", "on"),
nginx.Key("ssl_dhparam", "/etc/arkos/ssl/dh_params.pem"),
nginx.Key("ssl_session_cache", "shared:SSL:50m"),
)
nginx.dumpf(block, os.path.join("/etc/nginx/sites-available/",
self.id))
# Set the certificate name in the metadata file
if not os.path.exists(os.path.join(self.path, ".arkos")):
raise errors.InvalidConfigError("Could not find metadata file")
meta = configparser.SafeConfigParser()
meta.read(os.path.join(self.path, ".arkos"))
meta.set("website", "ssl", self.cert.id)
with open(os.path.join(self.path, ".arkos"), "w") as f:
meta.write(f)
# Call the website type's SSL enable hook
self.enable_ssl(self.cert.cert_path, self.cert.key_path)
def _edit(self, newname):
site_dir = config.get("websites", "site_dir")
block = nginx.loadf(os.path.join("/etc/nginx/sites-available",
self.id))
# If SSL is enabled and the port is changing to 443,
# create the port 80 redirect
server = block.server
if self.cert and self.port == 443:
for x in block.servers:
if "443 ssl" in x.filter("Key", "listen")[0].value:
server = x
if self.port != 443:
for x in block.servers:
if "ssl" not in x.filter("Key", "listen")[0].value\
and x.filter("key", "return"):
block.remove(x)
elif self.port == 443:
block.add(
nginx.Server(
nginx.Key("listen", "80"), nginx.Key("listen", "[::]:80"),
nginx.Key("server_name", self.domain),
nginx.Location(
"/",
nginx.Key("return", "301 https://$host$request_uri")),
nginx.Location("/.well-known/acme-challenge/",
nginx.Key("root", self.path))))
# If the name was changed...
if newname and self.id != newname:
# rename the folder and files...
self.path = os.path.join(site_dir, newname)
if os.path.exists(self.path):
shutil.rmtree(self.path)
self.nginx_disable(reload=False)
shutil.move(os.path.join(site_dir, self.id), self.path)
os.unlink(os.path.join("/etc/nginx/sites-available", self.id))
signals.emit("websites", "site_removed", self)
self.id = newname
# then update the site's arkOS metadata file with the new name
meta = configparser.SafeConfigParser()
meta.read(os.path.join(self.path, ".arkos"))
meta.set("website", "id", self.id)
with open(os.path.join(self.path, ".arkos"), "w") as f:
meta.write(f)
self.nginx_enable(reload=False)
# Pass any necessary updates to the nginx serverblock and save
port = "{0} ssl".format(self.port) if self.cert else str(self.port)
for listen in server.filter("Key", "listen"):
if listen.value.startswith("[::]:"):
listen.value = "[::]:" + str(port)
else:
listen.value = str(port)
if hasattr(self.app, "website_root") and self.app.website_root:
webroot = os.path.join(self.path, self.app.website_root)
else:
webroot = self.path
server.filter("Key", "server_name")[0].value = self.domain
server.filter("Key", "root")[0].value = webroot
server.filter("Key", "index")[0].value = "index.php" \
if getattr(self, "php", False) else "index.html"
nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id))
# Call the site's edited hook, if it has one, then reload nginx
signals.emit("websites", "site_loaded", self)
if hasattr(self, "site_edited"):
self.site_edited()
nginx_reload()
def set_conf(request, proxy):
config = nginx.Conf()
serverHTTP = nginx.Server()
serverHTTPS = nginx.Server()
print(proxy.domain)
print(proxy.ssl)
print(proxy.letsencrypt)
print(proxy.rewriteHTTPS)
print(proxy.proxypass)
serverHTTP.add(
nginx.Key('listen', '*:80'),
nginx.Key('server_name', proxy.domain),
)
if proxy.rewriteHTTPS:
serverHTTP.add(
nginx.Key('return', '302 https://$server_name$request_uri'),
)
else:
serverHTTP.add(
nginx.Location(
'/',
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'),
nginx.Key('proxy_set_header', 'Connection '"upgrade"),
nginx.Key('proxy_http_version', '1.1'),
nginx.Key('proxy_pass', proxy.proxypass),
)
)
if proxy.ssl:
letsencrypt.generate_cert(request, proxy)
serverHTTPS.add(
nginx.Key('server_name', proxy.domain),
nginx.Key('listen', '*:443 ssl'),
nginx.Key('ssl_protocols', 'TLSv1 TLSv1.1 TLSv1.2'),
nginx.Key('ssl_certificate', '/etc/letsencrypt/live/'+proxy.domain+'/fullchain.pem'),
nginx.Key('ssl_certificate_key', '/etc/letsencrypt/live/'+proxy.domain+'/privkey.pem'),
)
serverHTTPS.add(
nginx.Location(
'/',
nginx.Key('proxy_set_header', 'Host $host'),
nginx.Key('proxy_set_header', 'X-Real-IP $remote_addr'),
nginx.Key('proxy_set_header', 'X-Forwarded-For $proxy_add_x_forwarded_for'),
nginx.Key('proxy_set_header', 'Upgrade $http_upgrade'),
nginx.Key('proxy_set_header', 'Connection '"upgrade"),
nginx.Key('proxy_http_version', '1.1'),
nginx.Key('proxy_pass', proxy.proxypass),
)
)
config.add(serverHTTP)
config.add(serverHTTPS)
nginx.dumpf(config, '/etc/nginx/conf.d/' + proxy.domain + '.conf')
shell.restart_nginx(request)
return True
NOMAD_ADDR_nginx1_http=10.123.26.15:22707
"""
# find out the IP address of the task via env NOMAD_IP_nginx1_http
env_var = 'NOMAD_ADDR_%s_%s' % (task, label)
url = os.getenv(env_var)
if not url:
print "ERROR: Environment variable %s does not exist, exiting..." % env_var
sys.exit(1)
upstream_args.append(nginx.Key('server', url))
u = nginx.Upstream(*upstream_args)
c.add(u)
s = nginx.Server()
s.add(
nginx.Key('listen', '80'),
nginx.Comment(
'Autogenerated configuration from build_config_run_nginx.py'),
nginx.Key('server_name', 'localhost'),
nginx.Key('root', '/usr/share/nginx/html'),
nginx.Key('index', 'index.html'),
nginx.Location('/', nginx.Key('proxy_pass', 'http://tasks')))
c.add(s)
print nginx.dumps(c)
nginx.dumpf(c, '/etc/nginx/conf.d/default.conf')
def _install(self, extra_vars, enable, nthread):
nthread.title = "Installing website"
msg = Notification("info", "Webs", "Preparing to install...")
nthread.update(msg)
# Make sure the chosen port is indeed open
if not tracked_services.is_open_port(self.port, self.domain):
cname = "({0})".format(self.app.id)
raise errors.InvalidConfigError(cname, nthread)\
from tracked_services.PortConflictError(self.port, self.domain)
# Set some metadata values
specialmsg, dbpasswd = "", ""
site_dir = config.get("websites", "site_dir")
path = (self.path or os.path.join(site_dir, self.id))
self.path = path
self.php = extra_vars.get("php") or self.php \
or self.app.uses_php or False
self.version = self.app.version.rsplit("-", 1)[0] \
if self.app.website_updates else None
# Classify the source package type
if not self.app.download_url:
ending = ""
elif self.app.download_url.endswith(".tar.gz"):
ending = ".tar.gz"
elif self.app.download_url.endswith(".tgz"):
ending = ".tgz"
elif self.app.download_url.endswith(".tar.bz2"):
ending = ".tar.bz2"
elif self.app.download_url.endswith(".zip"):
ending = ".zip"
elif self.app.download_url.endswith(".git"):
ending = ".git"
else:
raise errors.InvalidConfigError(
"Invalid source archive format in {0}".format(self.app.id))
msg = "Running pre-installation..."
uid, gid = users.get_system("http").uid, groups.get_system("http").gid
nthread.update(Notification("info", "Webs", msg))
# Call website type's pre-install hook
self.pre_install(extra_vars)
# If needs DB and user didn't select an engine, choose one for them
if len(self.app.database_engines) > 1 \
and extra_vars.get("dbengine", None):
self.app.selected_dbengine = extra_vars.get("dbengine")
if not getattr(self.app, "selected_dbengine", None)\
and self.app.database_engines:
self.app.selected_dbengine = self.app.database_engines[0]
# Create DB and/or DB user as necessary
if getattr(self.app, "selected_dbengine", None):
msg = "Creating database..."
nthread.update(Notification("info", "Webs", msg))
mgr = databases.get_managers(self.app.selected_dbengine)
if not mgr:
estr = "No manager found for {0}"
raise errors.InvalidConfigError(
estr.format(self.app.selected_dbengine))
# Make sure DB daemon is running if it has one
if not mgr.state:
svc = services.get(mgr.meta.database_service)
svc.restart()
self.db = mgr.add_db(self.id)
if hasattr(self.db, "path"):
os.chmod(self.db.path, 0o660)
os.chown(self.db.path, -1, gid)
# If multiuser DB type, create user
if mgr.meta.database_multiuser:
dbpasswd = random_string(16)
db_user = mgr.add_user(self.id, dbpasswd)
db_user.chperm("grant", self.db)
# Make sure the target directory exists, but is empty
pkg_path = os.path.join("/tmp", self.id + ending)
if os.path.isdir(self.path):
shutil.rmtree(self.path)
os.makedirs(self.path)
# Download and extract the source repo / package
msg = "Downloading website source..."
nthread.update(Notification("info", "Webs", msg))
if self.app.download_url and ending == ".git":
g = git.Repo.clone_from(self.app.download_url, self.path)
if hasattr(self.app, "download_at_tag"):
g = git.Git(self.path)
g.checkout(self.app.download_git_tag)
elif self.app.download_url:
download(self.app.download_url, file=pkg_path, crit=True)
# Format extraction command according to type
msg = "Extracting source..."
nthread.update(Notification("info", "Webs", msg))
if ending in [".tar.gz", ".tgz", ".tar.bz2"]:
arch = tarfile.open(pkg_path, "r:gz")
r = (x for x in arch.getnames() if re.match("^[^/]*$", x))
toplvl = next(r, None)
if not toplvl:
raise errors.OperationFailedError(
"Malformed source archive")
arch.extractall(site_dir)
os.rename(os.path.join(site_dir, toplvl), self.path)
else:
arch = zipfile.ZipFile(pkg_path)
r = (x for x in arch.namelist() if re.match("^[^/]*/$", x))
toplvl = next(r, None)
if not toplvl:
raise errors.OperationFailedError(
"Malformed source archive")
arch.extractall(site_dir)
os.rename(os.path.join(site_dir, toplvl.rstrip("/")),
self.path)
os.remove(pkg_path)
# Set proper starting permissions on source directory
os.chmod(self.path, 0o755)
os.chown(self.path, uid, gid)
for r, d, f in os.walk(self.path):
for x in d:
os.chmod(os.path.join(r, x), 0o755)
os.chown(os.path.join(r, x), uid, gid)
for x in f:
os.chmod(os.path.join(r, x), 0o644)
os.chown(os.path.join(r, x), uid, gid)
# If there is a custom path for the data directory, set it up
if getattr(self.app, "website_datapaths", None) \
and extra_vars.get("datadir"):
self.data_path = extra_vars["datadir"]
if not os.path.exists(self.data_path):
os.makedirs(self.data_path)
os.chmod(self.data_path, 0o755)
os.chown(self.data_path, uid, gid)
elif hasattr(self, "website_default_data_subdir"):
self.data_path = os.path.join(self.path,
self.website_default_data_subdir)
else:
self.data_path = self.path
# Create the nginx serverblock
addtoblock = self.addtoblock or []
if extra_vars.get("addtoblock"):
addtoblock += nginx.loads(extra_vars.get("addtoblock"), False)
default_index = "index." + ("php" if self.php else "html")
if hasattr(self.app, "website_root"):
webroot = os.path.join(self.path, self.app.website_root)
else:
webroot = self.path
block = nginx.Conf()
server = nginx.Server(
nginx.Key("listen", str(self.port)),
nginx.Key("listen", "[::]:" + str(self.port)),
nginx.Key("server_name", self.domain), nginx.Key("root", webroot),
nginx.Key(
"index",
getattr(self.app, "website_index", None) or default_index),
nginx.Location("/.well-known/acme-challenge/",
nginx.Key("root", self.path)))
if addtoblock:
server.add(*[x for x in addtoblock])
block.add(server)
nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id))
challenge_dir = os.path.join(self.path, ".well-known/acme-challenge/")
if not os.path.exists(challenge_dir):
os.makedirs(challenge_dir)
# Create arkOS metadata file
meta = configparser.SafeConfigParser()
meta.add_section("website")
meta.set("website", "id", self.id)
meta.set("website", "app", self.app.id)
meta.set("website", "ssl",
self.cert.id if getattr(self, "cert", None) else "None")
meta.set("website", "version", self.version or "None")
if getattr(self.app, "website_datapaths", None) \
and self.data_path:
meta.set("website", "data_path", self.data_path)
meta.set("website", "dbengine", "")
meta.set("website", "dbengine",
getattr(self.app, "selected_dbengine", ""))
with open(os.path.join(self.path, ".arkos"), "w") as f:
meta.write(f)
# Call site type's post-installation hook
msg = "Running post-installation. This may take a few minutes..."
nthread.update(Notification("info", "Webs", msg))
specialmsg = self.post_install(extra_vars, dbpasswd)
# Cleanup and reload daemons
msg = "Finishing..."
nthread.update(Notification("info", "Webs", msg))
self.installed = True
storage.websites[self.id] = self
if self.port == 80:
cleanup_acme_dummy(self.domain)
signals.emit("websites", "site_installed", self)
if enable:
self.nginx_enable()
if enable and self.php:
php.open_basedir("add", "/srv/http/")
php_reload()
msg = "{0} site installed successfully".format(self.app.name)
nthread.complete(Notification("success", "Webs", msg))
if specialmsg:
return specialmsg
# Read the INI file
config.read(file)
# Generate required socket and set it
socket = host + ":" + port
config.set('uwsgi', 'socket', socket)
# Write the updates to the file
with open(file, 'w') as configfile:
config.write(configfile)
configfile.close()
# Add server module to the nginx file object
server = nginx.Server()
server.add(
nginx.Key('listen', port + " " + "ssl"),
nginx.Key('ssl_certificate', "/etc/nginx/" + subdir + "_cert.crt"),
nginx.Key('ssl_certificate_key', "/etc/nginx/" + subdir + "_cert.key"),
nginx.Location('/', nginx.Key('include', 'uwsgi_params'),
nginx.Key('uwsgi_pass', subdir + ":" + port)))
nginx_config.add(server)
# Hardcoded redirect for base localhost
# server = nginx.Server()
# server.add(
# nginx.Key('listen', "80"),
# nginx.Key('listen', "8080"),
# nginx.Key('server_name', "localhost"),
# nginx.Key('return', "307 https://github.com/oscar-king/A-Decentralised-Digital-Identity-Architecture$request_uri")
def _install(self, extra_vars, enable, nthread):
# Set metadata values
site_dir = config.get("websites", "site_dir")
path = (self.path or os.path.join(site_dir, self.id))
self.path = path
if os.path.isdir(self.path):
shutil.rmtree(self.path)
os.makedirs(self.path)
# If extra data is passed in, set up the serverblock accordingly
uwsgi_block = [
nginx.Location(
extra_vars.get("lregex", "/"),
nginx.Key("{0}_pass".format(extra_vars.get("type")),
extra_vars.get("pass", "")),
nginx.Key("include",
"{0}_params".format(extra_vars.get("type"))))
]
default_block = [
nginx.Location(extra_vars.get("lregex", "/"),
nginx.Key("proxy_pass", extra_vars.get("pass", "")),
nginx.Key("proxy_redirect", "off"),
nginx.Key("proxy_buffering", "off"),
nginx.Key("proxy_set_header", "Host $host"))
]
if extra_vars:
if not extra_vars.get("type") or not extra_vars.get("pass"):
raise errors.InvalidConfigError(
"Must enter ReverseProxy type and location to pass to")
elif extra_vars.get("type") in ["fastcgi", "uwsgi"]:
self.block = uwsgi_block
else:
self.block = default_block
if extra_vars.get("xrip"):
self.block[0].add(
nginx.Key("proxy_set_header", "X-Real-IP $remote_addr"))
if extra_vars.get("xff") == "1":
xff_key = "X-Forwarded-For $proxy_add_x_forwarded_for"
self.block[0].add(nginx.Key("proxy_set_header", xff_key))
# Create the nginx serverblock and arkOS metadata files
block = nginx.Conf()
server = nginx.Server(
nginx.Key("listen", self.port),
nginx.Key("listen", "[::]:" + str(self.port)),
nginx.Key("server_name", self.domain),
nginx.Key("root", self.base_path or self.path),
nginx.Location("/.well-known/acme-challenge/",
nginx.Key("root", self.path)))
server.add(*[x for x in self.block])
block.add(server)
nginx.dumpf(block, os.path.join("/etc/nginx/sites-available", self.id))
challenge_dir = os.path.join(self.path, ".well-known/acme-challenge/")
if not os.path.exists(challenge_dir):
os.makedirs(challenge_dir)
meta = configparser.SafeConfigParser()
ssl = self.cert.id if getattr(self, "cert", None) else "None"
meta.add_section("website")
meta.set("website", "id", self.id)
meta.set("website", "app", self.app.id if self.app else "None")
meta.set("website", "version", "None")
meta.set("website", "ssl", ssl)
with open(os.path.join(self.path, ".arkos"), "w") as f:
meta.write(f)
# Track port and reload daemon
self.installed = True
storage.websites[self.id] = self
signals.emit("websites", "site_installed", self)
self.nginx_enable()
