Merge branch 'master' into dashboard3
* master: Moving imageproxy and push to behind HAProxy for single point configuration.
This commit is contained in:
commit
0e6470fbf1
3 changed files with 33 additions and 11 deletions
|
@ -32,7 +32,7 @@ defaults
|
|||
|
||||
frontend public
|
||||
bind :80
|
||||
bind :443 ssl crt newsblur.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
|
||||
bind :443 ssl crt newsblur.com.crt ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
|
||||
http-response add-header Strict-Transport-Security max-age=0;\ includeSubDomains
|
||||
option http-server-close
|
||||
|
||||
|
@ -50,6 +50,8 @@ frontend public
|
|||
# Redirect all HTTP traffic to HTTPS
|
||||
redirect scheme https code 301 if !{ ssl_fc }
|
||||
|
||||
use_backend imageproxy if { hdr_end(host) -i imageproxy.newsblur.com }
|
||||
use_backend push if { hdr_end(host) -i push.newsblur.com }
|
||||
use_backend node_socket if { path_beg /socket.io/ }
|
||||
use_backend node_socket2 if { path_beg /v2/socket.io/ }
|
||||
use_backend node_socket3 if { path_beg /v3/socket.io/ }
|
||||
|
@ -67,6 +69,14 @@ frontend public
|
|||
use_backend gunicorn_counts if is_unread_count
|
||||
use_backend gunicorn unless gunicorn_dead || nginx_dead
|
||||
|
||||
backend imageproxy
|
||||
http-check expect rstatus 200|503
|
||||
server imageproxy01 127.0.0.1:81 check inter 2000ms
|
||||
|
||||
backend push
|
||||
http-check expect rstatus 200|503
|
||||
server push01 127.0.0.1:8000 check inter 2000ms
|
||||
|
||||
backend node_socket
|
||||
balance roundrobin
|
||||
server nodedebug 127.0.0.1:8888 check inter 2000ms
|
||||
|
|
|
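Review bot: The new routing rules `use_backend imageproxy if { hdr_end(host) -i imageproxy.newsblur.com }` and `use_backend push if { hdr_end(host) -i push.newsblur.com }` in the @-50 hunk are suffix matches on the client-supplied Host header, so any longer name ending in that string (for example `xyzimageproxy.newsblur.com`) is sent to those backends too, while a Host value carrying an explicit port would presumably not match at all. Since each rule is meant to select one exact virtual host, an exact comparison `hdr(host) -i imageproxy.newsblur.com` (or `hdr_dom(host)` if subdomains of it are intended to route as well) expresses the intent more tightly; confirm against the HAProxy version in use how a port suffix in Host is handled. The same two lines appear in the second HAProxy config in this commit. The `frontend public` section continues outside the hunk.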
@ -32,7 +32,7 @@ defaults
|
|||
|
||||
frontend public
|
||||
bind :80
|
||||
bind :443 ssl crt newsblur.pem ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
|
||||
bind :443 ssl crt newsblur.com.crt ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
|
||||
rspadd Strict-Transport-Security:\ max-age=0;\ includeSubDomains
|
||||
option http-server-close
|
||||
|
||||
|
@ -50,6 +50,8 @@ frontend public
|
|||
monitor fail if nginx_dead
|
||||
monitor fail if mx_mode
|
||||
|
||||
use_backend imageproxy if { hdr_end(host) -i imageproxy.newsblur.com }
|
||||
use_backend push if { hdr_end(host) -i push.newsblur.com }
|
||||
use_backend node_socket if { path_beg /v2/socket.io/ }
|
||||
use_backend node_socket3 if { path_beg /v3/socket.io/ }
|
||||
use_backend node_favicon if { path_beg /rss_feeds/icon/ }
|
||||
|
@ -67,6 +69,10 @@ frontend public
|
|||
use_backend gunicorn_refresh if is_refresh_feeds
|
||||
use_backend gunicorn unless gunicorn_dead || nginx_dead
|
||||
|
||||
backend imageproxy
|
||||
http-check expect rstatus 200|503
|
||||
server imageproxy01 imageproxy:80 check inter 2000ms
|
||||
|
||||
backend node_socket
|
||||
http-check expect rstatus 200|503
|
||||
balance roundrobin
|
||||
|
|
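Review bot: `rspadd Strict-Transport-Security:\ max-age=0;\ includeSubDomains` in the @-32 hunk tells browsers to discard any stored HSTS policy, so as written this header turns HSTS off rather than on; it appears to be unchanged context, but with TLS termination being consolidated onto HAProxy in this commit, this file is now where that policy lives. If the zero lifetime is a deliberate rollback, a comment such as `# HSTS intentionally disabled (max-age=0) pending subdomain HTTPS audit` would stop the next reader from assuming it is enforced; otherwise a real lifetime such as `max-age=31536000` is the intended value once every subdomain is known to serve HTTPS. The first HAProxy config in this commit sets the same `max-age=0` via `http-response add-header`, so both should be decided together.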
24
fabfile.py
vendored
24
fabfile.py
vendored
|
@ -861,9 +861,8 @@ def copy_certificates():
|
|||
privkey_path = "/etc/letsencrypt/live/newsblur.com/privkey.pem"
|
||||
run('ln -fs %s %s' % (fullchain_path, os.path.join(cert_path, 'newsblur.com.crt')))
|
||||
run('ln -fs %s %s' % (fullchain_path, os.path.join(cert_path, 'newsblur.com.pem'))) # For backwards compatibility with hard-coded nginx configs
|
||||
run('ln -fs %s %s' % (fullchain_path, os.path.join(cert_path, 'newsblur.pem'))) # For backwards compatibility with hard-coded haproxy configs
|
||||
run('ln -fs %s %s' % (privkey_path, os.path.join(cert_path, 'newsblur.com.key')))
|
||||
run('ln -fs %s %s' % (privkey_path, os.path.join(cert_path, 'newsblur.pem.key'))) # HAProxy
|
||||
run('ln -fs %s %s' % (privkey_path, os.path.join(cert_path, 'newsblur.com.crt.key'))) # HAProxy
|
||||
put(os.path.join(env.SECRETS_PATH, 'certificates/comodo/dhparams.pem'), cert_path)
|
||||
put(os.path.join(env.SECRETS_PATH, 'certificates/ios/aps_development.pem'), cert_path)
|
||||
# openssl x509 -in aps.cer -inform DER -outform PEM -out aps.pem
|
||||
|
@ -882,24 +881,31 @@ def setup_certbot():
|
|||
sudo('ln -fs /snap/bin/certbot /usr/bin/certbot')
|
||||
put(os.path.join(env.SECRETS_PATH, 'configs/certbot.conf'),
|
||||
os.path.join(env.NEWSBLUR_PATH, 'certbot.conf'))
|
||||
sudo('chmod 0400 %s' % os.path.join(env.NEWSBLUR_PATH, 'certbot.conf'))
|
||||
sudo('chmod 0600 %s' % os.path.join(env.NEWSBLUR_PATH, 'certbot.conf'))
|
||||
sudo('certbot certonly -n --agree-tos '
|
||||
' --dns-dnsimple --dns-dnsimple-credentials %s'
|
||||
' --email samuel@newsblur.com --domains newsblur.com '
|
||||
' -d "*.newsblur.com" -d "global.popular.newsblur.com"' %
|
||||
' -d "*.newsblur.com" -d "popular.global.newsblur.com"' %
|
||||
(os.path.join(env.NEWSBLUR_PATH, 'certbot.conf')))
|
||||
sudo('chmod 0755 /etc/letsencrypt/{live,archive}')
|
||||
sudo('chmod 0755 /etc/letsencrypt/archive/newsblur.com/privkey1.pem')
|
||||
|
||||
# def setup_certbot():
|
||||
# def setup_certbot_old():
|
||||
# sudo('add-apt-repository -y universe')
|
||||
# sudo('add-apt-repository -y ppa:certbot/certbot')
|
||||
# sudo('apt-get update')
|
||||
# sudo('apt-get install -y certbot')
|
||||
# sudo('apt-get install -y python3-certbot-dns-dnsimple')
|
||||
# run('echo "dns_dnsimple_token = %s" > dnsimple.ini')
|
||||
# run('chmod 0400 dnsimple.ini')
|
||||
# sudo('certbot certonly -n --agree-tos --email samuel@newsblur.com --domains "*.newsblur.com" --dns-dnsimple --dns-dnsimple-credentials %s' % (settings.DNSIMPLE_TOKEN))
|
||||
# run('rm dnsimple.ini')
|
||||
# put(os.path.join(env.SECRETS_PATH, 'configs/certbot.conf'),
|
||||
# os.path.join(env.NEWSBLUR_PATH, 'certbot.conf'))
|
||||
# sudo('chmod 0600 %s' % os.path.join(env.NEWSBLUR_PATH, 'certbot.conf'))
|
||||
# sudo('certbot certonly -n --agree-tos '
|
||||
# ' --dns-dnsimple --dns-dnsimple-credentials %s'
|
||||
# ' --email samuel@newsblur.com --domains newsblur.com '
|
||||
# ' -d "*.newsblur.com" -d "global.popular.newsblur.com"' %
|
||||
# (os.path.join(env.NEWSBLUR_PATH, 'certbot.conf')))
|
||||
# sudo('chmod 0755 /etc/letsencrypt/{live,archive}')
|
||||
# sudo('chmod 0755 /etc/letsencrypt/archive/newsblur.com/privkey1.pem')
|
||||
|
||||
@parallel
|
||||
def maintenance_on():
|
||||
|
|
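Review bot: `sudo('chmod 0755 /etc/letsencrypt/archive/newsblur.com/privkey1.pem')` makes the TLS private key readable by every local account, and the preceding `sudo('chmod 0755 /etc/letsencrypt/{live,archive}')` opens the directories that normally guard it; both lines appear to survive on the new side of the @-882 hunk. The services that need the key (HAProxy and nginx read it through the symlinks created in copy_certificates) can be given a shared group instead, e.g. `chgrp <service-group> /etc/letsencrypt/archive/newsblur.com/privkey1.pem && chmod 0640 /etc/letsencrypt/archive/newsblur.com/privkey1.pem` where `<service-group>` is the group those daemons run under, which keeps the key away from other users while still letting them load it. Note also that the hard-coded `privkey1.pem` name will not cover the `privkey2.pem` that certbot writes on the first renewal, so the permission step silently stops applying. The roughly twenty lines of commented-out `setup_certbot_old` kept in this hunk could be dropped in favour of git history. `setup_certbot` begins before this hunk and `maintenance_on` continues after it.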