Commit e853b45d9b0bc1c206c5a182ae43cae521a4e5c3

Authored by Earth Ugat
1 parent bb2c5262

Bump to v0.2.0. Add 'webserver' config. Fix some bugs.

  1 +# 0.2.0
  2 +
  3 +Add basic proxied webserver config
  4 +
1 # 0.1.2 5 # 0.1.2
2 6
3 Fix the derived attribute pitfalls 7 Fix the derived attribute pitfalls
@@ -2,7 +2,7 @@ @@ -2,7 +2,7 @@
2 2
3 Installs PHP5-FPM, Nginx, Postfix, and MariaDB client on a server. Also sets up webserver configs for all virtual servers, including TLS and basic auth. 3 Installs PHP5-FPM, Nginx, Postfix, and MariaDB client on a server. Also sets up webserver configs for all virtual servers, including TLS and basic auth.
4 4
5 -Can also auto-generate config files for certain site types, such as Wordpress, etc. (right now it's just Wordpress). 5 +Can also auto-generate config files for certain site types, such as Wordpress, etc. (right now it's: `wordpress`, `basic`, and `webserver`).
6 6
7 ## Supported Platforms 7 ## Supported Platforms
8 8
@@ -50,20 +50,20 @@ default['cfe-nginx-php-fpm']['nginx']['restriction_file']['static_types'] = %w{ @@ -50,20 +50,20 @@ default['cfe-nginx-php-fpm']['nginx']['restriction_file']['static_types'] = %w{
50 } 50 }
51 51
52 default['cfe-nginx-php-fpm']['nginx']['sites'] = [ 52 default['cfe-nginx-php-fpm']['nginx']['sites'] = [
53 - {  
54 - :server_name => 'example.com',  
55 - :aliases => ['www.example.com'],  
56 - :doc_root => '/var/www/example.com',  
57 - :index => 'index.php', 53 + #{
  54 + #:server_name => 'example.com',
  55 + #:aliases => ['www.example.com'],
  56 + #:doc_root => '/var/www/example.com',
  57 + #:index => 'index.php',
58 58
59 # Access log options as one long string. Default: false 59 # Access log options as one long string. Default: false
60 - #:access_log_options => '<some options>' 60 + #:access_log_options => '<some options>',
61 61
62 # Whether to include a default virtual server named '_' or not. 62 # Whether to include a default virtual server named '_' or not.
63 # If there is more than one server given in this 'sites' array, 63 # If there is more than one server given in this 'sites' array,
64 # 'catch_all' value will always be overriden to 'false'. 64 # 'catch_all' value will always be overriden to 'false'.
65 # Default: true 65 # Default: true
66 - #:catch_all => true 66 + #:catch_all => true,
67 67
68 # Necessary values for SSL/TLS setup. Default: :ssl => false 68 # Necessary values for SSL/TLS setup. Default: :ssl => false
69 #:ssl => { 69 #:ssl => {
@@ -73,7 +73,7 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [ @@ -73,7 +73,7 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
73 # :self_signed => false, 73 # :self_signed => false,
74 # :hsts_max_age => '15758000', 74 # :hsts_max_age => '15758000',
75 # :hsts_include_subdomains => true 75 # :hsts_include_subdomains => true
76 - #} 76 + #},
77 77
78 # Necessary values for Basic Auth setup. Default: :auth => false 78 # Necessary values for Basic Auth setup. Default: :auth => false
79 #:auth => { 79 #:auth => {
@@ -81,11 +81,15 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [ @@ -81,11 +81,15 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
81 # :users => { 81 # :users => {
82 # 'example_user' => 'secretpassword123' 82 # 'example_user' => 'secretpassword123'
83 # } 83 # }
84 - #} 84 + #},
  85 +
  86 + # Array of strings that will be written before the start of
  87 + # the 'server' declaration. Default: []
  88 + #:init_statements => [],
85 89
86 # An array of strings that will be included as statements in the main 90 # An array of strings that will be included as statements in the main
87 # nginx config file for this server. Default: [] 91 # nginx config file for this server. Default: []
88 - #:custom_statements => [] 92 + #:custom_statements => [],
89 93
90 # Enumerates the different site types this server supports. 94 # Enumerates the different site types this server supports.
91 # Possible elements of :types are (only :type is mandatory): 95 # Possible elements of :types are (only :type is mandatory):
@@ -101,8 +105,15 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [ @@ -101,8 +105,15 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
101 # # written on the config for the 105 # # written on the config for the
102 # # /wp-login.php and /wp-admin pages. 106 # # /wp-login.php and /wp-admin pages.
103 # } 107 # }
104 - :types => [ { :type => 'basic' } ]  
105 - } 108 + # {
  109 + # :type => 'webserver',
  110 + # :subpath => '',
  111 + # :upstream_name => 'example',
  112 + # :upstream_ip => '127.0.0.1',
  113 + # :upstream_port => '8080',
  114 + # }
  115 + #:types => []
  116 + #}
106 ] 117 ]
107 118
108 # 119 #
@@ -178,7 +189,7 @@ default['postfix']['main']['mydestination'] = @@ -178,7 +189,7 @@ default['postfix']['main']['mydestination'] =
178 # 189 #
179 # nginx cookbook 190 # nginx cookbook
180 # 191 #
181 -default['nginx']['version'] = '1.9.14' 192 +default['nginx']['version'] = '1.9.15'
182 default['nginx']['install_method'] = 'package' 193 default['nginx']['install_method'] = 'package'
183 default['nginx']['package_name'] = 'nginx' 194 default['nginx']['package_name'] = 'nginx'
184 default['nginx']['repo_source'] = 'nginx' 195 default['nginx']['repo_source'] = 'nginx'
@@ -188,16 +199,29 @@ default['nginx']['upstream_repository'] = @@ -188,16 +199,29 @@ default['nginx']['upstream_repository'] =
188 # nginx package's pid file. Otherwise, it fails to restart. 199 # nginx package's pid file. Otherwise, it fails to restart.
189 default['nginx']['pid'] = '/var/run/nginx.pid' 200 default['nginx']['pid'] = '/var/run/nginx.pid'
190 default['nginx']['default_site_enabled'] = false 201 default['nginx']['default_site_enabled'] = false
191 -default['nginx']['client_max_body_size'] = '10m'  
192 -default['nginx']['event'] = 'epoll'  
193 -default['nginx']['worker_processes'] = 'auto'  
194 -default['nginx']['worker_connections'] = 1_024  
195 -default['nginx']['keepalive_timeout'] = 15  
196 -default['nginx']['keepalive_requests'] = 200  
197 -default['nginx']['disable_access_log'] = false  
198 -default['nginx']['server_tokens'] = 'off'  
199 -default['nginx']['gzip_comp_level'] = '5'  
200 -default['nginx']['extra_configs'] = { 202 +
  203 +default['nginx']['client_max_body_size'] = '10m'
  204 +default['nginx']['client_body_buffer_size'] = '64k'
  205 +default['nginx']['keepalive_timeout'] = 15
  206 +default['nginx']['keepalive_requests'] = 200
  207 +
  208 +default['nginx']['event'] = 'epoll'
  209 +default['nginx']['multi_accept'] = true
  210 +
  211 +# Setting worker_processes to 'auto' will automatically
  212 +# set the value to the number of CPUs. But we're going to
  213 +# set it to twice that.
  214 +default['nginx']['worker_processes'] =
  215 + ( %x(grep ^processor /proc/cpuinfo | wc -l).to_i ) * 2
  216 +# Either use `ulimit -n` (usually 1024) for worker_connections, or
  217 +# set it to a much higher value, but not exceeding worker_rlimit_nofile.
  218 +default['nginx']['worker_connections'] = 10000
  219 +default['nginx']['worker_rlimit_nofile'] = 15000
  220 +
  221 +default['nginx']['disable_access_log'] = false
  222 +default['nginx']['server_tokens'] = 'off'
  223 +default['nginx']['gzip_comp_level'] = '5'
  224 +default['nginx']['extra_configs'] = {
201 'reset_timedout_connection' => 'on' 225 'reset_timedout_connection' => 'on'
202 } 226 }
203 # Increase this to 128 if using super long server names 227 # Increase this to 128 if using super long server names
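Review bot: The new `worker_processes` default shells out with `%x(grep ^processor /proc/cpuinfo | wc -l)` every time the attribute file loads, and `.to_i * 2` becomes `0` wherever that file is missing or has no `processor` lines. Ohai already exposes the CPU count, so `default['nginx']['worker_processes'] = [node['cpu']['total'].to_i, 1].max * 2` would avoid the subshell and keep the value at least 2. Separately, `worker_connections = 10000` against `worker_rlimit_nofile = 15000` leaves little headroom for the proxied `webserver` type, because each proxied client connection also holds an upstream socket. Either raise the file limit to at least twice the connection count, or lower `worker_connections`, so a burst of connections cannot exhaust descriptors.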
@@ -4,7 +4,7 @@ maintainer_email 'sysadmin@chromedia.com' @@ -4,7 +4,7 @@ maintainer_email 'sysadmin@chromedia.com'
4 license 'Apache License' 4 license 'Apache License'
5 description 'Simplifies setup of Nginx+PHP-FPM in Chromedia.' 5 description 'Simplifies setup of Nginx+PHP-FPM in Chromedia.'
6 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) 6 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7 -version '0.1.2' 7 +version '0.2.0'
8 8
9 { 9 {
10 'php-fpm' => '0.7.5', 10 'php-fpm' => '0.7.5',
@@ -79,11 +79,11 @@ attribs['sites'].each do |site| @@ -79,11 +79,11 @@ attribs['sites'].each do |site|
79 site_index = site[:index] || 'index.php' 79 site_index = site[:index] || 'index.php'
80 site_aliases = site[:aliases] || [] 80 site_aliases = site[:aliases] || []
81 site_doc_root = site[:doc_root] || '' 81 site_doc_root = site[:doc_root] || ''
82 - site_index = site[:index] || 'index.html'  
83 site_ssl = site[:ssl] || false 82 site_ssl = site[:ssl] || false
84 site_auth = site[:auth] || false 83 site_auth = site[:auth] || false
85 site_alo = site[:access_log_options] || false 84 site_alo = site[:access_log_options] || false
86 site_cs = site[:custom_statements] || [] 85 site_cs = site[:custom_statements] || []
  86 + site_ins = site[:init_statements] || []
87 87
88 site_types = ( site[:types] || [] ).uniq { |e| e[:type] } 88 site_types = ( site[:types] || [] ).uniq { |e| e[:type] }
89 89
@@ -142,10 +142,12 @@ attribs['sites'].each do |site| @@ -142,10 +142,12 @@ attribs['sites'].each do |site|
142 end 142 end
143 143
144 site_includes = [] 144 site_includes = []
  145 + upstreams = []
145 146
146 # Create necessary include files for each type of this site 147 # Create necessary include files for each type of this site
147 site_types.each do |stype| 148 site_types.each do |stype|
148 - stype_subpath = stype[:subpath] || '' 149 + stype_subp = stype[:subpath] ? stype[:subpath].gsub(/^\/+|\/$|\s/, '') : ''
  150 + stype_subp = stype_subp.length > 0 ? "#{stype_subp}/" : stype_subp
149 151
150 case stype[:type] 152 case stype[:type]
151 # BASIC PHP SITE 153 # BASIC PHP SITE
@@ -156,7 +158,7 @@ attribs['sites'].each do |site| @@ -156,7 +158,7 @@ attribs['sites'].each do |site|
156 action :create_if_missing 158 action :create_if_missing
157 variables( 159 variables(
158 :index => site_index, 160 :index => site_index,
159 - :subpath => stype_subpath, 161 + :subpath => stype_subp,
160 :basic_php_fastcgi => path_bpf 162 :basic_php_fastcgi => path_bpf
161 ) 163 )
162 end 164 end
@@ -170,7 +172,7 @@ attribs['sites'].each do |site| @@ -170,7 +172,7 @@ attribs['sites'].each do |site|
170 action :create_if_missing 172 action :create_if_missing
171 variables( 173 variables(
172 :index => site_index, 174 :index => site_index,
173 - :subpath => stype_subpath, 175 + :subpath => stype_subp,
174 :basic_php_fastcgi => path_bpf, 176 :basic_php_fastcgi => path_bpf,
175 :loginpage_statements => stype[:loginpage_statements] || [], 177 :loginpage_statements => stype[:loginpage_statements] || [],
176 :fastcgi_intercept_errors => stype[:fastcgi_intercept_errors] || false 178 :fastcgi_intercept_errors => stype[:fastcgi_intercept_errors] || false
@@ -178,9 +180,32 @@ attribs['sites'].each do |site| @@ -178,9 +180,32 @@ attribs['sites'].each do |site|
178 end 180 end
179 site_includes.push("#{inc_dir}/inc_type_wordpress_#{site_sname}") 181 site_includes.push("#{inc_dir}/inc_type_wordpress_#{site_sname}")
180 182
  183 + # BASIC PROXIED WEBSERVER
  184 + when 'webserver'
  185 + upstream_name = stype[:upstream_name] || 'webserver'
  186 + template "#{inc_dir}/inc_type_webserver_#{site_sname}" do
  187 + source 'inc_type_webserver.erb'
  188 + mode 0644
  189 + action :create_if_missing
  190 + variables(
  191 + :subpath => stype_subp,
  192 + :upstream_name => upstream_name
  193 + )
  194 + end
  195 + site_ins.push("map $http_upgrade $connection_upgrade {\n"\
  196 + " default upgrade;\n"\
  197 + " '' close;\n"\
  198 + "}")
  199 + upstreams.push( {
  200 + :name => upstream_name,
  201 + :ip => stype[:upstream_ip] || '127.0.0.1',
  202 + :port => stype[:upstream_port] || '8080'
  203 + } )
  204 + site_includes.push("#{inc_dir}/inc_type_webserver_#{site_sname}")
  205 +
181 else 206 else
182 Chef::Log.error("Unknown site type: #{stype[:type]}") 207 Chef::Log.error("Unknown site type: #{stype[:type]}")
183 - raise 'Missing SSL key file' 208 + raise 'Unknown site type'
184 end 209 end
185 end 210 end
186 211
@@ -207,7 +232,9 @@ attribs['sites'].each do |site| @@ -207,7 +232,9 @@ attribs['sites'].each do |site|
207 :path_dhparam => path_dhparam, 232 :path_dhparam => path_dhparam,
208 :path_rest => path_rest, 233 :path_rest => path_rest,
209 234
  235 + :upstreams => upstreams,
210 :includes => site_includes, 236 :includes => site_includes,
  237 + :init_statements => site_ins,
211 :custom_statements => site_cs 238 :custom_statements => site_cs
212 ) 239 )
213 end 240 end
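Review bot: In the new `when 'webserver'` branch, `upstream_name` falls back to the fixed string `'webserver'`, so two sites that use this type without naming their upstream would both emit `upstream webserver { … }`. nginx refuses duplicate upstream names, assuming the per-site files are all included in the same `http` context. A per-site default such as `upstream_name = stype[:upstream_name] || "webserver_#{site_sname}"` avoids the collision. `upstream_name`, `upstream_ip` and `upstream_port` are also rendered into the config verbatim, so a guard before the `template` resource, for example `raise 'Invalid upstream_name' unless upstream_name =~ /\A[\w.-]+\z/`, would stop a stray `;` or `}` in an attribute from altering the generated config. The enclosing `attribs['sites'].each` block starts outside these hunks, so how `site_sname` is derived is not visible here.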
1 -<%  
2 -subp = @subpath ? @subpath.gsub(/^\/+|\/$|\s/, '') : ''  
3 -subp = subp.length > 0 ? "#{subp}/" : subp  
4 --%>  
5 # Generated by Chef 1 # Generated by Chef
6 # 2 #
7 # A basic PHP site config. 3 # A basic PHP site config.
@@ -9,7 +5,7 @@ subp = subp.length > 0 ? "#{subp}/" : subp @@ -9,7 +5,7 @@ subp = subp.length > 0 ? "#{subp}/" : subp
9 # Pass all .php files onto a php-fpm/php-fcgi server. 5 # Pass all .php files onto a php-fpm/php-fcgi server.
10 #location ~ [^/]\.php(/|$) { 6 #location ~ [^/]\.php(/|$) {
11 # Customized location directive to account for URL subpathing: 7 # Customized location directive to account for URL subpathing:
12 -location ~ ^/<%= subp %>.+\.php(/|$) { 8 +location ~ ^/<%= @subpath %>.+\.php(/|$) {
13 try_files $uri =404; 9 try_files $uri =404;
14 10
15 # Enable only if implementing custom error pages 11 # Enable only if implementing custom error pages
@@ -18,6 +14,6 @@ location ~ ^/<%= subp %>.+\.php(/|$) { @@ -18,6 +14,6 @@ location ~ ^/<%= subp %>.+\.php(/|$) {
18 include <%= @basic_php_fastcgi %>; 14 include <%= @basic_php_fastcgi %>;
19 } 15 }
20 16
21 -location ~ ^/<%= subp %> {  
22 - try_files $uri $uri/ /<%= subp %><%= @index %>?$args; 17 +location ~ ^/<%= @subpath %> {
  18 + try_files $uri $uri/ /<%= @subpath %><%= @index %>?$args;
23 } 19 }
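Review bot: With the normalisation block removed, this template (and the WordPress template further down, which gets the same change) renders `@subpath` straight into regex `location` patterns. It now depends on the recipe having stripped slashes and whitespace, and nothing in the file records that. A leading ERB comment such as `<%# @subpath must arrive normalised by the recipe: empty, or 'path/' with no leading slash -%>` would document the contract. Regex metacharacters in the subpath (a `.`, for instance) are still interpreted by nginx, so the pattern can match more paths than intended; escaping the value in the recipe would tighten that.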
  1 +# Generated by Chef
  2 +#
  3 +# Basic config for proxied webserver (with websocket support)
  4 +
  5 +if ($http_user_agent ~ "MSIE") {
  6 + return 303 https://browser-update.org/update.html;
  7 +}
  8 +
  9 +location ~ ^/<%= @subpath %> {
  10 + proxy_pass http://<%= @upstream_name %>;
  11 + proxy_http_version 1.1;
  12 + proxy_set_header Upgrade $http_upgrade;
  13 + proxy_set_header Connection $connection_upgrade;
  14 + proxy_set_header X-Real-IP $remote_addr;
  15 + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  16 + proxy_set_header Host $http_host;
  17 +
  18 + if ($uri != '/') {
  19 + expires 30d;
  20 + }
  21 +}
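Review bot: `expires 30d` inside `if ($uri != '/')` applies to every proxied response except the root path, so authenticated pages and API responses from the upstream would be marked cacheable for 30 days in browsers and intermediaries. Restricting it to a dedicated static-asset `location`, or leaving cache headers to the upstream, is safer. `proxy_set_header Host $http_host;` forwards the client-supplied header unchanged; `proxy_set_header Host $host;` passes nginx's normalised value instead, unless the upstream needs the original port. Adding `proxy_set_header X-Forwarded-Proto $scheme;` would also let the upstream distinguish TLS requests.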
1 -<%  
2 -subp = @subpath ? @subpath.gsub(/^\/+|\/$|\s/, '') : ''  
3 -subp = subp.length > 0 ? "#{subp}/" : subp  
4 --%>  
5 # Generated by Chef 1 # Generated by Chef
6 # 2 #
7 # WordPress single blog rules. 3 # WordPress single blog rules.
8 # Designed to be included in any server {} block. 4 # Designed to be included in any server {} block.
9 5
10 # Add trailing slash to */wp-admin requests. 6 # Add trailing slash to */wp-admin requests.
11 -rewrite /<%= subp %>wp-admin$ $scheme://$host$uri/ permanent; 7 +rewrite /<%= @subpath %>wp-admin$ $scheme://$host$uri/ permanent;
12 8
13 # Deny access to any files with a .php extension in the uploads directory 9 # Deny access to any files with a .php extension in the uploads directory
14 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) 10 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
15 -location ~* /<%= subp %>(.+/)*(?:uploads|files)/.*\.php$ { 11 +location ~* /<%= @subpath %>(.+/)*(?:uploads|files)/.*\.php$ {
16 deny all; 12 deny all;
17 } 13 }
18 14
19 <% if @loginpage_statements.length > 0 -%> 15 <% if @loginpage_statements.length > 0 -%>
20 -location ~ ^/<%= subp %>(wp-admin|wp-login\.php) { 16 +location ~ ^/<%= @subpath %>(wp-admin|wp-login\.php) {
21 <% @loginpage_statements.each do |statement| -%> 17 <% @loginpage_statements.each do |statement| -%>
22 <%= statement %> 18 <%= statement %>
23 <% end -%> 19 <% end -%>
24 20
25 - location ~ ^/<%= subp %>.+\.php(/|$) { 21 + location ~ ^/<%= @subpath %>.+\.php(/|$) {
26 try_files $uri =404; 22 try_files $uri =404;
27 23
28 <% if @fastcgi_intercept_errors -%> 24 <% if @fastcgi_intercept_errors -%>
@@ -36,7 +32,7 @@ location ~ ^/<%= subp %>(wp-admin|wp-login\.php) { @@ -36,7 +32,7 @@ location ~ ^/<%= subp %>(wp-admin|wp-login\.php) {
36 32
37 <% end -%> 33 <% end -%>
38 # Pass all PHP files to the fastcgi proxy 34 # Pass all PHP files to the fastcgi proxy
39 -location ~ ^/<%= subp %>.+\.php(/|$) { 35 +location ~ ^/<%= @subpath %>.+\.php(/|$) {
40 try_files $uri =404; 36 try_files $uri =404;
41 37
42 <% if @fastcgi_intercept_errors -%> 38 <% if @fastcgi_intercept_errors -%>
@@ -47,6 +43,6 @@ location ~ ^/<%= subp %>.+\.php(/|$) { @@ -47,6 +43,6 @@ location ~ ^/<%= subp %>.+\.php(/|$) {
47 include <%= @basic_php_fastcgi %>; 43 include <%= @basic_php_fastcgi %>;
48 } 44 }
49 45
50 -location ~ ^/<%= subp %> {  
51 - try_files $uri $uri/ /<%= subp %><%= @index %>?$args; 46 +location ~ ^/<%= @subpath %> {
  47 + try_files $uri $uri/ /<%= @subpath %><%= @index %>?$args;
52 } 48 }
1 # Generated by Chef 1 # Generated by Chef
2 # 2 #
  3 +<%
  4 +@init_statements.each do |ins|
  5 +-%>
  6 +<%= ins %>
  7 +
  8 +<%
  9 +end
  10 +
  11 +@upstreams.each do |us|
  12 +-%>
  13 +upstream <%= us[:name] %> {
  14 + server <%= us[:ip] %>:<%= us[:port] %>;
  15 +}
  16 +
3 <% 17 <%
  18 +end
  19 +
4 servers = [@server_name] 20 servers = [@server_name]
5 @aliases.each do |aname| 21 @aliases.each do |aname|
6 servers << aname 22 servers << aname