From 881f24859bd5e011604a1196d146c8d1d2eefef7 Mon Sep 17 00:00:00 2001 From: Samuel Clay Date: Thu, 14 Mar 2013 22:39:58 -0700 Subject: [PATCH] Adding HAProxy config. --- config/gunicorn_conf.py | 2 +- config/haproxy-init | 154 ++++++++++++++++++++++++++++++++++++++++ config/haproxy.conf | 76 ++++++++++++++++++++ fabfile.py | 29 +++++--- 4 files changed, 252 insertions(+), 9 deletions(-) create mode 100644 config/haproxy-init create mode 100644 config/haproxy.conf diff --git a/config/gunicorn_conf.py b/config/gunicorn_conf.py index 6c1ce19bd..dc0d6c8ff 100644 --- a/config/gunicorn_conf.py +++ b/config/gunicorn_conf.py @@ -19,6 +19,6 @@ else: workers = int(NUM_CPUS / 2) if workers <= 4: - workers = int(math.floor(GIGS_OF_MEMORY * 1000 / 512)) + workers = min(int(math.floor(GIGS_OF_MEMORY * 1000 / 512)), 4) if workers > 8: workers = 8 \ No newline at end of file diff --git a/config/haproxy-init b/config/haproxy-init new file mode 100644 index 000000000..c85aebc48 --- /dev/null +++ b/config/haproxy-init 
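Review bot: The new `min(..., 4)` inside the `if workers <= 4:` branch caps the memory-derived count but still has no lower bound, so a host where `GIGS_OF_MEMORY * 1000 / 512` floors to 0 ends up with `workers = 0`. GIGS_OF_MEMORY is computed outside this hunk, so whether that can occur on the deployed hosts is not visible here; if it can, gunicorn would be left with no worker to serve requests. Clamping both ends removes the case: `workers = max(1, min(int(math.floor(GIGS_OF_MEMORY * 1000 / 512)), 4))`. The surrounding if/else starts before the hunk.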
@@ -0,0 +1,154 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: haproxy
+# Required-Start: $local_fs $network $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: fast and reliable load balancing reverse proxy
+# Description: This file should be used to start and stop haproxy.
+### END INIT INFO
+
+# Author: Arnaud Cornet
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+PIDFILE=/var/run/haproxy.pid
+CONFIG=/etc/haproxy/haproxy.cfg
+HAPROXY=/usr/local/sbin/haproxy
+EXTRAOPTS=
+ENABLED=0
+
+test -x $HAPROXY || exit 0
+test -f "$CONFIG" || exit 0
+
+if [ -e /etc/default/haproxy ]; then
+ . /etc/default/haproxy
+fi
+
+test "$ENABLED" != "0" || exit 0
+
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+. /lib/lsb/init-functions
+
+haproxy_start(){
+ start-stop-daemon --start --pidfile "$PIDFILE" \
+ --exec $HAPROXY -- -f "$CONFIG" -D -p "$PIDFILE" \
+ $EXTRAOPTS || return 2
+ return 0
+}
+
+haproxy_stop(){
+ if [ ! -f $PIDFILE ] ; then
+ # This is a success according to LSB
+ return 0
+ fi
+ for pid in $(cat $PIDFILE) ; do
+ /bin/kill $pid || return 4
+ done
+ rm -f $PIDFILE
+ return 0
+}
+
+haproxy_reload(){
+ $HAPROXY -f "$CONFIG" -p $PIDFILE -D $EXTRAOPTS -sf $(cat $PIDFILE) \
+ || return 2
+ return 0
+}
+
+haproxy_status(){
+ if [ ! -f $PIDFILE ] ; then
+ # program not running
+ return 3
+ fi
+ for pid in $(cat $PIDFILE) ; do
+ if ! ps --no-headers p "$pid" | grep haproxy > /dev/null ; then
+ # program running, bogus pidfile
+ return 1
+ fi
+ done
+ return 0
+}
+
+case "$1" in
+start)
+ log_daemon_msg "Starting haproxy" "haproxy"
+ haproxy_start
+ ret=$?
+ case "$ret" in
+ 0)
+ log_end_msg 0
+ ;;
+ 1)
+ log_end_msg 1
+ echo "pid file '$PIDFILE' found, haproxy not started."
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ exit $ret
+ ;;
+stop)
+ log_daemon_msg "Stopping haproxy" "haproxy"
+ haproxy_stop
+ ret=$?
+ case "$ret" in
+ 0|1)
+ log_end_msg 0
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ exit $ret
+ ;;
+reload|force-reload)
+ log_daemon_msg "Reloading haproxy" "haproxy"
+ haproxy_reload
+ case "$?" in
+ 0|1)
+ log_end_msg 0
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+restart)
+ log_daemon_msg "Restarting haproxy" "haproxy"
+ haproxy_stop
+ haproxy_start
+ case "$?" in
+ 0)
+ log_end_msg 0
+ ;;
+ 1)
+ log_end_msg 1
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+status)
+ haproxy_status
+ ret=$?
+ case "$ret" in
+ 0)
+ echo "haproxy is running."
+ ;;
+ 1)
+ echo "haproxy dead, but $PIDFILE exists."
+ ;;
+ *)
+ echo "haproxy not running."
+ ;;
+ esac
+ exit $ret
+ ;;
+*)
+ echo "Usage: /etc/init.d/haproxy {start|stop|reload|restart|status}"
+ exit 2
+ ;;
+esac
+:
\ No newline at end of file
diff --git a/config/haproxy.conf b/config/haproxy.conf
new file mode 100644
index 000000000..c2d5d381d
--- /dev/null
+++ b/config/haproxy.conf
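Review bot: The `restart)` branch runs `haproxy_stop` and then `haproxy_start` without first checking that `$CONFIG` parses, so a bad haproxy.cfg takes the listener down and leaves it down. Validating before the stop keeps the running process in place, e.g. `$HAPROXY -c -f "$CONFIG" >/dev/null || { log_end_msg 1; exit 2; }` as the first step of `restart)` and `reload|force-reload)`. `haproxy_reload` also expands `$(cat $PIDFILE)` without the `[ ! -f $PIDFILE ]` test that `haproxy_stop` and `haproxy_status` use, so a reload with no pidfile hands `-sf` no PID; the same guard belongs there. The `reload` and `restart` branches never `exit` with the function's status, unlike `start`, `stop` and `status`, so the trailing `:` makes them report success even when the proxy failed to come back.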
@@ -0,0 +1,76 @@
+global
+ maxconn 4096
+ user haproxy
+ group haproxy
+ daemon
+ ca-base /srv/newsblur/config/certificates
+ crt-base /srv/newsblur/config/certificates
+
+defaults
+ log global
+ maxconn 4096
+ mode http
+ # Add x-forwarded-for header.
+ option forwardfor
+ option http-server-close
+ timeout connect 5s
+ timeout client 30s
+ timeout server 30s
+ # Long timeout for WebSocket connections.
+ timeout tunnel 1h
+ errorfile 503 /srv/newsblur/templates/502.html
+
+frontend public
+ # HTTP
+ bind :80
+ # Redirect all HTTP traffic to HTTPS
+ # redirect scheme https if !{ ssl_fc }
+
+ # HTTPS
+ # Example with CA certificate bundle
+ # bind :443 ssl crt intermediate.pem ca-file newsblur.com.crt
+ # Example without CA certification bunch
+ bind :443 ssl crt newsblur.pem
+
+ # The node backends - websockets will be managed automatically, given the
+ # right base paths to send them to the right Node.js backend.
+ #
+ # If you wanted to specifically send websocket traffic somewhere different
+ # you'd use an ACL like { hdr(Upgrade) -i WebSocket }. Looking at path works
+ # just as well, though - such as { path_beg /socket.io } or similar. Adjust your
+ # rules to suite your specific setup.
+ use_backend node if { path_beg /socket.io/ }
+ # Everything else to Nginx.
+ default_backend nginx
+
+backend node
+ balance leastconn
+ # Check by hitting a page intended for this use.
+ # option httpchk GET /served/by/node/isrunning
+ # timeout check 500ms
+ # Wait 500ms between checks.
+ server node1 127.0.0.1:8888 check inter 500ms
+
+backend nginx
+ balance leastconn
+ # Check by hitting a page intended for this use.
+ # option httpchk GET /isrunning
+ # timeout check 500ms
+ # Wait 500ms between checks.
+ server nginx1 127.0.0.1:81
+
+# For displaying HAProxy statistics.
+frontend stats
+ # HTTPS only.
+ # Example with CA certificate bundle + # bind :1936 ssl crt zzgenie.com.pem ca-file gd_bundle.crt + # Example without CA certification bunch + bind :1936 ssl crt newsblur.pem + default_backend stats + +backend stats + stats enable + stats hide-version + stats realm Haproxy\ Statistics + stats uri / + stats auth admin:password \ No newline at end of file diff --git a/fabfile.py b/fabfile.py index f7517a4eb..571de0d47 100644 --- a/fabfile.py +++ b/fabfile.py @@ -100,6 +100,7 @@ env.roledefs ={ '198.211.110.131', '192.34.61.227', '198.211.109.155', + '198.211.109.197', ] } @@ -404,7 +405,7 @@ def setup_task(skip_common=False): def setup_installs(): sudo('apt-get -y update') sudo('apt-get -y upgrade') - sudo('apt-get -y install build-essential gcc scons libreadline-dev sysstat iotop git zsh python-dev locate python-software-properties libpcre3-dev libncurses5-dev libdbd-pg-perl libssl-dev make pgbouncer python-psycopg2 libmemcache0 python-memcache libyaml-0-2 python-yaml python-numpy python-scipy python-imaging curl monit ufw') + sudo('apt-get -y install build-essential gcc scons libreadline-dev sysstat iotop git zsh python-dev locate python-software-properties software-properties-common libpcre3-dev libncurses5-dev libdbd-pg-perl libssl-dev make pgbouncer python-psycopg2 libmemcache0 python-memcache libyaml-0-2 python-yaml python-numpy python-scipy python-imaging curl monit ufw') # sudo('add-apt-repository ppa:pitti/postgresql') sudo('apt-get -y update') sudo('apt-get -y install postgresql-client') 
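Review bot: `stats auth admin:password` in `backend stats` commits a guessable credential in clear text, and the `frontend stats` listener is `bind :1936`, i.e. every interface, so the statistics page is protected only by that value wherever the port is reachable. Keep the real credential out of the repository (fill the line in at deploy time from a file that is not committed) and narrow the listener, e.g. `bind 127.0.0.1:1936 ssl crt newsblur.pem`, if the page is only read from the host or over a tunnel. Separately, `log global` in `defaults` points at log targets in the `global` section, and that section defines none, so as written the proxy emits no request logs; a `log <address> <facility>` line in `global` is needed before it can serve as an audit source. The port-80 `redirect scheme https` line is commented out, so plain HTTP is still served; a comment saying whether that is intentional would help.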
@@ -685,15 +686,27 @@ def maintenance_off(): run('mv templates/maintenance_on.html templates/maintenance_off.html') run('git checkout templates/maintenance_off.html') -def setup_haproxy(): - sudo('apt-get install -y haproxy') +def setup_haproxy(install=False): + # sudo('apt-get install -y haproxy') + # sudo('ufw allow 81') # nginx moved + if install: + with cd(env.VENDOR_PATH): + run('wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev17.tar.gz') + run('tar -xf haproxy-1.5-dev17.tar.gz') + with cd('haproxy-1.5-dev17'): + run('make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1') + sudo('make install') put('config/haproxy-init', '/etc/init.d/haproxy', use_sudo=True) sudo('chmod u+x /etc/init.d/haproxy') - put('config/haproxy.conf', '/etc/haproxy/.conf', use_sudo=True) - sudo('mkdir -p /var/lib/redis') - sudo('update-rc.d redis defaults') - sudo('/etc/init.d/redis stop') - sudo('/etc/init.d/redis start') + put('config/haproxy.conf', '/etc/haproxy/haproxy.cfg', use_sudo=True) + sudo('echo "ENABLED=1" > /etc/default/haproxy') + cert_path = "%s/config/certificates" % env.NEWSBLUR_PATH + run('cat %s/newsblur.com.crt > %s/newsblur.pem' % (cert_path, cert_path)) + run('cat %s/intermediate.crt >> %s/newsblur.pem' % (cert_path, cert_path)) + run('cat %s/newsblur.com.key >> %s/newsblur.pem' % (cert_path, cert_path)) + + sudo('/etc/init.d/haproxy stop') + sudo('/etc/init.d/haproxy start') # ============== # = Setup - DB =
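Review bot: In the `if install:` branch the tarball is fetched with `wget http://haproxy.1wt.eu/...` over plain HTTP and goes straight to `make` and `sudo('make install')`, so nothing ties the code installed as root to the release the author intended. Pin a digest recorded from a trusted copy and check it before unpacking, e.g. `run('echo "<expected-sha256>  haproxy-1.5-dev17.tar.gz" | sha256sum -c -')` (placeholder digest). Further down, `newsblur.pem` is assembled with `cat ... >` and includes `newsblur.com.key`, so it is created under the deploy user's default umask; add `run('chmod 600 %s/newsblur.pem' % cert_path)` or create it under `umask 077` so the private key is not left group- or world-readable. The three `cat` calls could also be a single command, which avoids a window in which a partial PEM exists.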