authorLouise Crow <louise.crow@gmail.com>2014-08-08 16:19:49 +0100
committerLouise Crow <louise.crow@gmail.com>2014-08-08 16:19:49 +0100
commita760114de869ce3f07358dde19b8b5cc5d36003b (patch)
treec55b0b5037bc42cbc6b4a65cbb7d8b048c056efd
parentc3e1825ffbdd86f477491447972ff24416d8ba96 (diff)
parentd700f325de56c8a039cbe4178dd44842ef0ee977 (diff)
Merge branch 'rails-3-develop' of ssh://git.mysociety.org/data/git/public/alaveteli into rails-3-develop
-rw-r--r--config/httpd-force-ssl.conf-example5
-rw-r--r--config/httpd-ssl.conf-example24
-rw-r--r--config/httpd.conf-example222
-rwxr-xr-xconfig/sysvinit-thin.ugly68
-rwxr-xr-xconfig/sysvinit.example53
-rw-r--r--lib/tasks/config_files.rake21
-rw-r--r--lib/tasks/stats.rake4
-rwxr-xr-xscript/site-specific-install.sh11
8 files changed, 260 insertions, 148 deletions
diff --git a/config/httpd-force-ssl.conf-example b/config/httpd-force-ssl.conf-example
new file mode 100644
index 000000000..0e89afe62
--- /dev/null
+++ b/config/httpd-force-ssl.conf-example
@@ -0,0 +1,5 @@
+# Rewrite all proxied HTTP requests to HTTPS.
+# Only include if FORCE_SSL: true is set in general.yml
+# Expected to be found at /etc/apache2/vhost.d/alaveteli
+RewriteCond %{HTTP:X-Forwarded-Proto} !https
+RewriteRule /(.*) https://www.example.com/$1 [L,R=permanent]
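Review bot: The condition on `%{HTTP:X-Forwarded-Proto}` trusts a request header that any client can set: per the comment this file lives at vhost.d/alaveteli, which httpd.conf-example includes in the port-80 vhost that also answers direct requests. A plain-HTTP request that already carries `X-Forwarded-Proto: https` would skip the redirect and would likely be treated as secure by the app. If TLS is terminated by the local vhost from httpd-ssl.conf-example, also require the request to arrive from loopback by adding `RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|::1)$ [OR]` above the existing condition, and anchor the match as `!^https$`. The rule pattern `/(.*)` is unanchored as well; `^/(.*)` states the intent.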
diff --git a/config/httpd-ssl.conf-example b/config/httpd-ssl.conf-example
new file mode 100644
index 000000000..8f099b8a6
--- /dev/null
+++ b/config/httpd-ssl.conf-example
@@ -0,0 +1,24 @@
+# VirtualHost for HTTPS requests
+<VirtualHost *:443>
+ ServerName www.example.com
+
+ ErrorLog /var/log/apache2/alaveteli_error.log
+ CustomLog /var/log/apache2/alaveteli_access.log combined
+
+ ProxyRequests Off
+ ProxyPreserveHost On
+ ProxyPass / http://localhost:80/
+ ProxyPassReverse / http://localhost:80/
+ RequestHeader set X-Forwarded-Proto 'https'
+
+ SSLEngine on
+ SSLProtocol all -SSLv2
+ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
+
+ SSLCertificateFile /etc/ssl/certs/www.example.com.cert
+ SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
+ # SSLCertificateChainFile /etc/ssl/sub.class2.server.ca.pem
+ # SSLCACertificateFile /etc/ssl/ca.pem
+
+ SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
+</VirtualHost>
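Review bot: `SSLProtocol all -SSLv2` leaves SSLv3 enabled, and the cipher string starts from `ALL` and explicitly re-adds `RC4+RSA` and `+MEDIUM`, so this example vhost will negotiate protocols and suites that are no longer considered safe. Since people copy example files verbatim, tighten the defaults to `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and `SSLHonorCipherOrder on`. A one-line comment above `SSLCertificateKeyFile` saying the key must be readable by root only would also help.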
diff --git a/config/httpd.conf-example b/config/httpd.conf-example
index 8d549d363..9736cafff 100644
--- a/config/httpd.conf-example
+++ b/config/httpd.conf-example
@@ -1,81 +1,145 @@
-# Apache configuration for FOI site.
-#
-# For development ignore this, you can just run ./scripts/server as for any
-# Ruby on Rails application.
-#
-# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
-# Email: hello@mysociety.org; WWW: http://www.mysociety.org
-
-# This is needed for the PHP spell checker
-<Location /fcgi>
- Options +ExecCGI
- SetHandler fastcgi-script
-</Location>
-
-RewriteEngine On
-#RewriteLog /var/log/apache2/rewrite.log
-#RewriteLogLevel 9
-
-# TODO: do we need this now we use Passenger?
-# Pass through the HTTP basic authentication to mongrel. See also
-# admin_http_auth_user in app/controllers/application.rb
-# Note: Apache 2 only. Doesn't work in Apache 1.3, you'll need to live without
-# it.
-RewriteCond %{LA-U:REMOTE_USER} (.+)
-RewriteRule . - [E=RU:%1]
-RequestHeader add X-Forwarded-User %{RU}e
-
-# Old /files URL to new subdomain (as can't use Alias with passenger,
-# so we do it on its own domain). This is for custom admin upload
-# files for archiving.
-RewriteRule /files/(.+) http://files.whatdotheyknow.com/$1
-
-# Serve attachments directly from the cache, if possible.
-#
-# The file names are URL-encoded on disk, and sharded by the first
-# three digits of the request id, which is why this is as complicated
-# as it is. The RewriteMap directive makes the URL-escaping function
-# available to use in the other directives.
-#
-# The condition means that the rule will fire only if the cached
-# file exists.
-RewriteMap escape int:escape
-RewriteCond %{DOCUMENT_ROOT}/views_cache/request/$2/$1/${escape:$3} -f
-RewriteRule ^/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/request/$2/$1/${escape:$3} [L]
-
-
-<IfModule mod_passenger.c>
- # Set this to something like 100 if you have memory leak issues
- PassengerMaxRequests 500
- PassengerResolveSymlinksInDocumentRoot on
- # Recommend setting this to 3 or less on servers with 512MB RAM
- PassengerMaxPoolSize 6
- # The RackEnv variable applies to Rails 3 applications, while
- # the RailsEnv variable applies to applications for earlier
- # versions of Rails. There doesn't seem to be any harm in
- # setting both, however.
- RailsEnv production
- RackEnv production
-</IfModule>
-
-# Gzip font resources
-<IfModule mod_deflate.c>
- <IfModule mod_mime.c>
- Addtype font/opentype .otf
- Addtype font/opentype .woff
- Addtype font/eot .eot
- Addtype font/truetype .ttf
+# Redirect other domains to canonical domain
+<VirtualHost *:80>
+ ServerName example.com
+ ServerAlias example.org
+ ServerAlias www.example.org
+ RedirectPermanent / http://www.example.com/
+</VirtualHost>
+
+# Canonical domain vHost
+<VirtualHost *:80>
+ ServerName www.example.com
+ ServerAdmin webmaster@example.com
+ DocumentRoot /var/www/alaveteli/public
+
+ # TODO: Remove this and use PassengerUser when supported
+ # This is the user that runs the rails application processes
+ SuExecUserGroup alaveteli alaveteli
+ RewriteEngine On
+
+ ErrorLog /var/log/apache2/alaveteli_error.log
+ CustomLog /var/log/apache2/alaveteli_access.log combined
+
+ # App server configuration
+ <IfModule mod_passenger.c>
+ PassengerAppRoot /var/www/alaveteli
+ PassengerResolveSymlinksInDocumentRoot on
+
+ # See http://blog.phusion.nl/2013/03/12/tuning-phusion-passengers-concurrency-settings/
+ # and http://blog.scoutapp.com/articles/2009/12/08/production-rails-tuning-with-passenger-passengermaxprocesses
+ # for more information on tuning Passenger
+
+ # Set this to something like 100 if you have memory leak issues
+ PassengerMaxRequests 2000
+ # Passenger's default MaxPoolSize is 6. At the time of writing
+ # normal instances of Alaveteli seem to take 150-200MB per
+ # process, so we've set this conservatively at 3. Read the guides
+ # above to tune this for your system
+ PassengerMaxPoolSize 3
+
+ # The RAILS_ENV that the app is running in. This can be any of
+ # the environments listed in APP_ROOT/config/environments.
+ RailsEnv production
+ RackEnv production
</IfModule>
- AddOutputFilterByType DEFLATE font/opentype font/truetype font/eot
- AddOutputFilterByType DEFLATE image/svg+xml
-</IFModule>
-
-# Set the Sendfile header and switch sendfile on - Apache will
-# now handle send_file calls from Alaveteli
-<Location />
- <IfModule mod_xsendfile.c>
- RequestHeader Set X-Sendfile-Type X-Sendfile
- XSendFile On
- XSendFileAllowAbove On
+
+ # This is your Rails app's public directory
+ <Directory "/var/www/alaveteli/public">
+ Options +ExecCGI -MultiViews
+ AllowOverride All
+ </Directory>
+
+ # Maintenance Page
+ # Make a file down.html in the DocumentRoot to bring down the whole
+ # site and display itself.
+ RewriteEngine on
+ ErrorDocument 503 /down.html
+ Redirect 503 /down
+
+ # If down.html exists, and that's what's been asked for,
+ # just hand it over
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /down.html /down.html [L]
+
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /(.+).cgi /down [PT]
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /(.+).php /down [PT]
+ # Mainly for Rails/Django type sites - anything without a . can go down
+ # TODO: could we just check that it is an HTML content-type?
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /([^.]*)$ /down [PT]
+ # END Maintenance Page
+
+ # Set the Sendfile header and switch sendfile on - Apache will
+ # now handle send_file calls from Alaveteli
+ <Location />
+ <IfModule mod_xsendfile.c>
+ RequestHeader Set X-Sendfile-Type X-Sendfile
+ XSendFile On
+ XSendFilePath /var/www/alaveteli/public
+ </IfModule>
+ </Location>
+
+ # Commonlib is typically found in alaveteli/commonlib
+ Alias /jslib/ "/var/www/alaveteli/commonlib/jslib"
+ <Directory "/var/www/alaveteli/commonlib/jslib">
+ Options +ExecCGI
+ AddHandler fastcgi-script .cgi
+ </Directory>
+
+ # Serve attachments directly from the cache, if possible.
+ #
+ # The file names are URL-encoded on disk, and sharded by the first
+ # three digits of the request id, which is why this is as complicated
+ # as it is. The RewriteMap directive makes the URL-escaping function
+ # available to use in the other directives.
+ #
+ # The condition means that the rule will fire only if the cached
+ # file exists.
+ RewriteMap escape int:escape
+ RewriteCond %{DOCUMENT_ROOT}/views_cache/request/$2/$1/${escape:$3} -f
+ RewriteRule ^/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/request/$2/$1/${escape:$3} [L]
+ RewriteCond %{DOCUMENT_ROOT}/views_cache/cy/request/$2/$1/${escape:$3} -f
+ RewriteRule ^/cy/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/cy/request/$2/$1/${escape:$3} [L]
+
+ # Compress assets
+ <Location />
+ <IfModule mod_deflate.c>
+ AddOutputFilterByType DEFLATE text/css application/javascript text/plain
+ </IfModule>
+ </Location>
+
+ # Cache assets
+ ExpiresActive On
+ <LocationMatch "^/(assets).*\.(ico|gif|jpe?g|png|js|css|svg|ttf|otf|eot|woff)$">
+ ExpiresDefault "access plus 1 day"
+ </LocationMatch>
+
+ # Compress font resources
+ <IfModule mod_deflate.c>
+ <IfModule mod_mime.c>
+ Addtype font/opentype .otf
+ Addtype font/opentype .woff
+ Addtype font/eot .eot
+ Addtype font/truetype .ttf
+ </IfModule>
+ AddOutputFilterByType DEFLATE font/opentype font/truetype font/eot
+ AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
-</Location>
+
+ # Include optional configuration
+ Include vhost.d/alaveteli
+
+</VirtualHost>
+
+# Large / static files for WhatDoTheyKnow. Used for manual sysadmin uploads.
+# Is on its own files.example.com subdomain (instead of old /files URL)
+# as mod_alias doesn't work with Passenger.
+# <VirtualHost *:80>
+# ServerName files.example.com
+# DocumentRoot /var/www/alaveteli/files
+# <Directory "/var/www/alaveteli/files">
+# Options +Indexes
+# </Directory>
+# </VirtualHost>
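Review bot: The `<Directory "/var/www/alaveteli/public">` block turns on `Options +ExecCGI` and `AllowOverride All` for the whole document root, while the rewrite rules further down serve cached response attachments from `%{DOCUMENT_ROOT}/views_cache`, so content the app writes from received responses sits under that same tree. No handler is mapped for this directory within the hunk, but with these settings any handler added elsewhere, or an .htaccess file appearing under public/, would apply to that content. Prefer `Options -ExecCGI -MultiViews` and `AllowOverride None` here, or at least a nested `<Directory "/var/www/alaveteli/public/views_cache">` carrying those two lines. The dots in `/(.+).cgi` and `/(.+).php` in the maintenance rules are unescaped and match any character; `\.cgi$` and `\.php$` would be exact.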
diff --git a/config/sysvinit-thin.ugly b/config/sysvinit-thin.ugly
new file mode 100755
index 000000000..cc604d994
--- /dev/null
+++ b/config/sysvinit-thin.ugly
@@ -0,0 +1,68 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: application-thin-!!(*= $site *)!!
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Starts the Thin app server for the "!!(*= $site *)!!" site
+# Description: The Thin app server for the "!!(*= $site *)!!" site
+### END INIT INFO
+
+# This example sysvinit script is based on the helpful example here:
+# http://richard.wallman.org.uk/2010/02/howto-deploy-a-catalyst-application-using-fastcgi-and-nginx/
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+NAME=!!(*= $site *)!!
+SITE_HOME=!!(*= $vhost_dir *)!!/!!(*= $vcspath *)!!
+DESC="Alaveteli app server"
+USER=!!(*= $user *)!!
+
+set -e
+
+# Check that the Daemon can be run
+su -l -c "cd $SITE_HOME && bundle exec thin --version &> /dev/null || exit 0" $USER
+
+start_daemon() {
+ echo -n "Starting $DESC: "
+ cd "$SITE_HOME" && bundle exec thin \
+ --environment=production \
+ --user="$USER" \
+ --group="$USER" \
+ --address=127.0.0.1 \
+ --daemonize \
+ --quiet \
+ start || true
+ echo "$NAME."
+}
+
+stop_daemon() {
+ echo -n "Stopping $DESC: "
+ cd "$SITE_HOME" && bundle exec thin --quiet stop || true
+ echo "$NAME."
+}
+
+restart_daemon() {
+ echo -n "Restarting $DESC: "
+ cd "$SITE_HOME" && bundle exec thin --onebyone --quiet restart || true
+ echo "$NAME."
+}
+
+case "$1" in
+ start)
+ start_daemon
+ ;;
+ stop)
+ stop_daemon
+ ;;
+ reload|restart|force-reload)
+ restart_daemon
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|reload|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
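Review bot: `start_daemon`, `stop_daemon` and `restart_daemon` run `bundle exec thin` as root and rely on `--user`/`--group` to drop privileges afterwards, so Bundler evaluates the Gemfile and loads code from `$SITE_HOME` with root privileges before thin switches user. If that tree is writable by `$USER`, the unprivileged account can influence what root executes on every start. Running the whole command as the app user, as the deleted sysvinit.example did, avoids this: `su -l -c "cd '$SITE_HOME' && bundle exec thin --environment=production --address=127.0.0.1 --daemonize --quiet start" "$USER" || true`. Separately, the "can be run" check near the top cannot stop the script, because `exit 0` only leaves the `su` child shell, and `&>` works only if the user's login shell is bash.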
diff --git a/config/sysvinit.example b/config/sysvinit.example
deleted file mode 100755
index 443e7c3fb..000000000
--- a/config/sysvinit.example
+++ /dev/null
@@ -1,53 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides: application-thin-alaveteli
-# Required-Start: $local_fs $network
-# Required-Stop: $local_fs $network
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Starts the Thin web server for the "Alaveteli" site
-# Description: The Thin web server for the "Alaveteli" site
-### END INIT INFO
-
-# This example sysvinit script is based on the helpful example here:
-# http://richard.wallman.org.uk/2010/02/howto-deploy-a-catalyst-application-using-fastcgi-and-nginx/
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-SITE_HOME=/var/www/alaveteli
-NAME=alaveteli
-DESC="Alaveteli app server"
-USER=fms
-
-echo $DAEMON
-test -f $DAEMON || exit 0
-
-set -e
-
-start_daemon() {
- su -l -c "cd $SITE_HOME/alaveteli && bundle exec thin -d -p 3300 -e development start" $USER
-}
-
-stop_daemon() {
- pkill -f thin -u $USER || true
-}
-
-case "$1" in
- start)
- start_daemon
- ;;
- stop)
- stop_daemon
- ;;
- reload|restart|force-reload)
- stop_daemon
- sleep 5
- start_daemon
- ;;
- *)
- N=/etc/init.d/$NAME
- echo "Usage: $N {start|stop|reload|restart|force-reload}" >&2
- exit 1
- ;;
-esac
-
-exit 0
diff --git a/lib/tasks/config_files.rake b/lib/tasks/config_files.rake
index 438b63fc0..5dda64a04 100644
--- a/lib/tasks/config_files.rake
+++ b/lib/tasks/config_files.rake
@@ -28,22 +28,23 @@ namespace :config_files do
'VHOST_DIR',
'SCRIPT_FILE'], example)
- script_file = ENV['SCRIPT_FILE']
- site = ENV.fetch('SITE', 'foi')
-
replacements = {
:user => ENV['DEPLOY_USER'],
:vhost_dir => ENV['VHOST_DIR'],
- :vcspath => ENV.fetch('VCSPATH', 'alaveteli'),
- :site => site
+ :vcspath => ENV.fetch('VCSPATH') { 'alaveteli' },
+ :site => ENV.fetch('SITE') { 'foi' }
}
- daemon_name = File.basename(script_file, '-debian.ugly')
- replacements.update(:daemon_name => "#{ site }-#{ daemon_name }")
- converted = convert_ugly(script_file, replacements)
- rails_env_file = File.expand_path(File.join(Rails.root, 'config', 'rails_env.rb'))
+ # Use the filename for the $daemon_name ugly variable
+ daemon_name = File.basename(ENV['SCRIPT_FILE'], '-debian.ugly')
+ replacements.update(:daemon_name => "#{ replacements[:site] }-#{ daemon_name }")
+
+ # Generate the template for potential further processing
+ converted = convert_ugly(ENV['SCRIPT_FILE'], replacements)
- unless File.exists?(rails_env_file)
+ # gsub the RAILS_ENV in to the generated template if its not set by the
+ # hard coded config file
+ unless File.exists?("#{ Rails.root }/config/rails_env.rb")
converted.each do |line|
line.gsub!(/^#\s*RAILS_ENV=your_rails_env/, "RAILS_ENV=#{Rails.env}")
line.gsub!(/^#\s*export RAILS_ENV/, "export RAILS_ENV")
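Review bot: The `replacements` values come straight from `ENV` and are substituted into a template that the install script writes to /etc/init.d, where lines such as `USER=!!(*= $user *)!!` are unquoted shell assignments; nothing in this hunk validates them. A value containing whitespace or shell metacharacters would become part of a script that root runs at boot (whether `convert_ugly` escapes values is not visible here). Consider rejecting anything outside a conservative set before the `convert_ugly` call, e.g. `replacements.each { |k, v| raise "unsafe #{k}: #{v.inspect}" unless v.to_s =~ /\A[\w.\/-]+\z/ }`. `File.exists?` on the new line is deprecated in favour of `File.exist?`. The task body starts and ends outside the hunk.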
diff --git a/lib/tasks/stats.rake b/lib/tasks/stats.rake
index f09594529..46a645b4d 100644
--- a/lib/tasks/stats.rake
+++ b/lib/tasks/stats.rake
@@ -119,7 +119,7 @@ DESC
count ? count : 0
end
- row = [body.name] + stats
+ row = [%Q("#{ body.name }")] + stats
puts row.join(",")
end
end
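Review bot: Wrapping `body.name` in double quotes does not escape a quote character inside the name, so a body whose name contains `"` still produces a malformed CSV row; the identical line is added in the second hunk of this file. Double any embedded quotes, `row = [%Q("#{ body.name.gsub('"', '""') }")] + stats`, or build the row with the standard library's `CSV.generate_line`. If this output is opened in a spreadsheet, names beginning with `=`, `+`, `-` or `@` may also be interpreted as formulas, which quoting alone does not prevent. The enclosing block starts outside the hunk.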
@@ -147,7 +147,7 @@ DESC
count ? count : 0
end
- row = [body.name] + stats
+ row = [%Q("#{ body.name }")] + stats
puts row.join(",")
end
end
diff --git a/script/site-specific-install.sh b/script/site-specific-install.sh
index fce230822..4c8c99aa2 100755
--- a/script/site-specific-install.sh
+++ b/script/site-specific-install.sh
@@ -134,10 +134,6 @@ su -l -c "$BIN_DIRECTORY/install-as-user '$UNIX_USER' '$HOST' '$DIRECTORY'" "$UN
# no longer need the PostgreSQL user to be a superuser:
echo "ALTER USER \"$UNIX_USER\" WITH NOSUPERUSER;" | su -l -c 'psql' postgres
-if [ ! "$DEVELOPMENT_INSTALL" = true ]; then
- install_sysvinit_script
-fi
-
# Set up root's crontab:
cd "$REPOSITORY"
@@ -151,6 +147,13 @@ sed -r \
-i /etc/cron.d/alaveteli
echo $DONE_MSG
+if [ ! "$DEVELOPMENT_INSTALL" = true ]; then
+ echo -n "Creating /etc/init.d/$SITE... "
+ (su -l -c "cd '$REPOSITORY' && bundle exec rake config_files:convert_init_script DEPLOY_USER='$UNIX_USER' VHOST_DIR='$DIRECTORY' VCSPATH='$SITE' SITE='$SITE' SCRIPT_FILE=config/sysvinit-thin.ugly" "$UNIX_USER") > /etc/init.d/"$SITE"
+ chmod a+rx /etc/init.d/"$SITE"
+ echo $DONE_MSG
+fi
+
echo -n "Creating /etc/init.d/foi-alert-tracks... "
(su -l -c "cd '$REPOSITORY' && bundle exec rake config_files:convert_init_script DEPLOY_USER='$UNIX_USER' VHOST_DIR='$DIRECTORY' SCRIPT_FILE=config/alert-tracks-debian.ugly" "$UNIX_USER") > /etc/init.d/foi-alert-tracks
chmod a+rx /etc/init.d/foi-alert-tracks
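Review bot: The generated init script is redirected straight into `/etc/init.d/"$SITE"` and made executable whether or not the rake task succeeded, so a failed or noisy run (anything the login shell or Bundler prints to stdout) leaves a truncated or polluted script in place for root to run. Generate into a temporary file, check the exit status, and only then install it with an explicit owner and mode, as sketched below. `$SITE` also becomes a file name under /etc/init.d, so it is worth checking earlier in the script that it contains no `/`. The foi-alert-tracks step in the context lines follows the same pattern.

```shell
if [ ! "$DEVELOPMENT_INSTALL" = true ]; then
    echo -n "Creating /etc/init.d/$SITE... "
    INIT_TMP=$(mktemp)
    if su -l -c "cd '$REPOSITORY' && bundle exec rake config_files:convert_init_script DEPLOY_USER='$UNIX_USER' VHOST_DIR='$DIRECTORY' VCSPATH='$SITE' SITE='$SITE' SCRIPT_FILE=config/sysvinit-thin.ugly" "$UNIX_USER" > "$INIT_TMP"; then
        install -o root -g root -m 755 "$INIT_TMP" /etc/init.d/"$SITE"
        rm -f "$INIT_TMP"
        echo $DONE_MSG
    else
        rm -f "$INIT_TMP"
        echo "Failed to generate /etc/init.d/$SITE" >&2
        exit 1
    fi
fi
```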