From fe2d9f24e490ef25c25da8bd20da8424641e2262 Mon Sep 17 00:00:00 2001
From: Sean McManus
Date: Thu, 21 Oct 2021 09:56:52 -0700
Subject: [PATCH 1/3] remove noao references
---
 files/nginx-install/install-nginx.sh | 4 ++--
 manifests/install.pp | 36 ++++++++++++++--------------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/files/nginx-install/install-nginx.sh b/files/nginx-install/install-nginx.sh
index b91778a..578b79e 100755
--- a/files/nginx-install/install-nginx.sh
+++ b/files/nginx-install/install-nginx.sh
@@ -21,7 +21,7 @@ cd nginx-config
 #! envsubst < uwsgi.ini > /etc/nginx/uwsgi.ini
 #! cp uwsgi_params /etc/nginx/
-cp __dm_noao_edu.crt /etc/ssl/certs/
-cp star-dm-noao-edu.key /etc/ssl/certs/
+#cp __dm_noao_edu.crt /etc/ssl/certs/
+#cp star-dm-noao-edu.key /etc/ssl/certs/
diff --git a/manifests/install.pp b/manifests/install.pp
index 922a786..a50e08b 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -9,8 +9,8 @@ $ssl_domain_crt = lookup('ssl_domain_crt'),
 $ssl_domain_key = lookup('ssl_domain_key'),
- $ssl_noao_crt = lookup('ssl_noao_crt'), # This is not used in internal servers
- $ssl_noao_key = lookup('ssl_noao_key'),
+ #$ssl_noao_crt = lookup('ssl_noao_crt'), # This is not used in internal servers
+ #$ssl_noao_key = lookup('ssl_noao_key'),
 $noirlab_edu_nginx_config = lookup('noirlab_edu_nginx_conf'), #'puppet:///modules/marsnat/nginx/sites-enabled/internal.noirlab',
 $guconf = lookup('guconf'),
@@ -314,17 +314,17 @@ replace => true,
 source => 'puppet:///modules/marsnat/nginx.logrotate',
 }
- file { '/etc/ssl/certs/noao_domain.crt' :
- ensure => 'file',
- replace => true,
- source => "${ssl_noao_crt}",
-
- }
- file { '/etc/ssl/certs/noao_domain.key' :
- ensure => 'present',
- replace => true,
- source => "${ssl_noao_key}",
- }
+ #file { '/etc/ssl/certs/noao_domain.crt' :
+ # ensure => 'file',
+ # replace => true,
+ # source => "${ssl_noao_crt}",
+ #
+ # }
+ #file { '/etc/ssl/certs/noao_domain.key' :
+ # ensure => 'present',
+ # replace => true,
+ # source => "${ssl_noao_key}",
+ # }
 file { '/etc/ssl/certs/domain.crt' :
 ensure => 'present',
 replace => true,
@@ -345,11 +345,11 @@ replace => true,
 source => 'puppet:///modules/marsnat/nginx/sites-enabled/default',
 }
- file { '/etc/nginx/sites-enabled/noao' :
- ensure => 'present',
- replace => true,
- source => "puppet:///modules/marsnat/nginx/sites-enabled/noao",
- }
+ #file { '/etc/nginx/sites-enabled/noao' :
+ # ensure => 'present',
+ # replace => true,
+ # source => "puppet:///modules/marsnat/nginx/sites-enabled/noao",
+ # }
 file { '/etc/nginx/nginx.conf' :
 ensure => 'present',
 replace => true,
From 69fc6bfae80ccfc10f3cb13406f68adca5851659 Mon Sep 17 00:00:00 2001
From: ipetepete
Date: Mon, 25 Oct 2021 12:41:34 -0700
Subject: [PATCH 2/3] Added seperate nginx config for stage
---
 files/nginx/sites-enabled/stage_default | 113 ++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 files/nginx/sites-enabled/stage_default
diff --git a/files/nginx/sites-enabled/stage_default b/files/nginx/sites-enabled/stage_default
new file mode 100644
index 0000000..8f9611b
--- /dev/null
+++ b/files/nginx/sites-enabled/stage_default
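Review bot: Commenting out the `file { '/etc/ssl/certs/noao_domain.crt' }` and `noao_domain.key` resources in this hunk stops Puppet managing them but leaves the files already deployed on existing hosts in place, so the retired private key stays under /etc/ssl/certs until someone removes it by hand. If the intent is to retire these credentials, replacing the commented block with `file { ['/etc/ssl/certs/noao_domain.crt', '/etc/ssl/certs/noao_domain.key']: ensure => absent, }` makes the removal part of the catalog; the same applies to `/etc/nginx/sites-enabled/noao` in the next hunk, and the commented-out `cp ... /etc/ssl/certs/` lines in install-nginx.sh likewise do nothing for hosts where the script already ran. Blocks kept under `#` also tend to drift from the live code; since git keeps the history, deleting them outright is cleaner than commenting them out. The enclosing class in install.pp starts and ends outside this hunk.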
@@ -0,0 +1,113 @@
+# Things that might need changing
+# - port 8080 not needed in production
+# - place SSL certs in /etc/ssl/certs
+# - server_name - default_server is less secure but used to access within VM as localhost, dev.local etc
+# - logging
+# - static file locations
+
+# app_server already defined in 'default' config
+# possibly change this name to gunicorn server
+upstream app_server {
+ server unix:/opt/mars/gunicorn.sock fail_timeout=0;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ server_name marsnat1-stage.csdc.noirlab.edu;
+ return 301 https://$host$request_uri;
+}
+
+# configuration of the server
+server {
+ # the port your site will be served on, default_server indicates that this server block
+ # is the block to use if no blocks match the server_name
+ #! listen 8080;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/ssl/certs/domain.crt;
+ ssl_certificate_key /etc/ssl/certs/domain.key;
+
+ # the domain name it will serve for
+ server_name astroarchive.noirlab.edu; # can use machine's IP or FQDN
+
+ # the domain name it will serve for
+ #server_name .dm.noao.edu; # substitute your machine's IP address or FQDN
+ charset utf-8;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+
+ # max upload size
+ client_max_body_size 75M; # adjust to taste
+
+ # Django media
+ location /media {
+ alias /opt/mars/marssite/static/; # your Django project's media files - amend as required
+ }
+
+ location /static {
+ expires 10d;
+ sendfile on;
+ sendfile_max_chunk 1m;
+ alias /opt/mars/marssite/static/; # your Django project's static files - amend as required
+ }
+
+ location /download/zip {
+ alias /srv/ftp;
+ }
+
+ location /download/archive {
+ alias /srv/ftp/Volumes/archive;
+ }
+
+ location /hlsp {
+ alias /net/archive/hlsp;
+ autoindex on;
+ autoindex_exact_size off;
+ autoindex_format html;
+ autoindex_localtime on;
+ }
+
+
+
+ location /ops {
+ # allow anyone in 192.168.1.0/24
+ allow 127.0.0.0/8; #localhost
+ allow 172.18.0.0/16; #docker containers
+ allow 140.252.0.0/16; #NOAO intranet
+ # drop rest of the world
+ deny all;
+ try_files $uri @proxy_to_app;
+ }
+
+ location /admin {
+ # allow anyone in 192.168.1.0/24
+ allow 127.0.0.0/8; #localhost
+ allow 172.18.0.0/16; #docker containers
+ allow 140.252.0.0/16; #NOAO intranet
+ # drop rest of the world
+ deny all;
+ try_files $uri @proxy_to_app;
+ }
+
+
+
+ location / {
+ # checks for static file, if not found proxy to app
+ try_files $uri @proxy_to_app;
+ }
+
+ location @proxy_to_app {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ # we don't want nginx trying to do something clever with
+ # redirects, we set the Host: header above already.
+ proxy_redirect off;
+ # uses the default app_server
+ proxy_pass http://app_server;
+ }
+
+}
From 993b04c60d213d64b94ca2eb63049c8c88f02069 Mon Sep 17 00:00:00 2001
From: ipetepete
Date: Mon, 25 Oct 2021 13:05:03 -0700
Subject: [PATCH 3/3] using catchall servernames for nginx
---
 files/nginx/sites-enabled/default | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/files/nginx/sites-enabled/default b/files/nginx/sites-enabled/default
index 276058d..00d914e 100644
--- a/files/nginx/sites-enabled/default
+++ b/files/nginx/sites-enabled/default
@@ -13,7 +13,7 @@ upstream app_server {
 server {
 listen 80;
 listen [::]:80;
- server_name astroarchive.noirlab.edu;
+ server_name astroarchive.noirlab.edu marsnat1-stage.csdc.noirlab.edu marsnat1-pat.csdc.noirlab.edu;
 return 301 https://$host$request_uri;
 }
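Review bot: The HTTPS server block in the new stage_default still carries `server_name astroarchive.noirlab.edu;` (the production name) while the port-80 block above it redirects `marsnat1-stage.csdc.noirlab.edu`, so a redirected stage request does not match this vhost by name and, with no `default_server` set, lands in whichever block nginx treats as the default; unless this file is not meant to be deployed, the 443 block presumably wants `server_name marsnat1-stage.csdc.noirlab.edu;`. The file also redefines `upstream app_server`, which its own header comment says is already defined in `default`; if both files are present in sites-enabled nginx refuses to load with a duplicate-upstream error, so the block should be dropped here or given a distinct name. The `# allow anyone in 192.168.1.0/24` comments in `/ops` and `/admin` do not describe the allow lines beneath them (127.0.0.0/8, 172.18.0.0/16, 140.252.0.0/16); a comment that matches the rules, e.g. `# localhost, docker network and NOAO intranet only`, would keep the next reader from trusting the wrong range. `ssl_certificate_key /etc/ssl/certs/domain.key;` keeps the private key in the certificate directory, which is conventionally world-readable; the mode is set by the Puppet resource, which is not visible here, so it is worth confirming it is restrictive or moving the key under /etc/ssl/private.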
@@ -29,7 +29,7 @@ server {
 ssl_certificate_key /etc/ssl/certs/domain.key;
 # the domain name it will serve for
- server_name astroarchive.noirlab.edu; # can use machine's IP or FQDN
+ server_name astroarchive.noirlab.edu marsnat1-stage.csdc.noirlab.edu marsnat1-pat.csdc.noirlab.edu; # can use machine's IP or FQDN
 # the domain name it will serve for
 #server_name .dm.noao.edu; # substitute your machine's IP address or FQDN
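Review bot: The HTTPS block now answers for three names but still serves the single `/etc/ssl/certs/domain.crt` two lines above the changed `server_name`, so that certificate has to list `marsnat1-stage.csdc.noirlab.edu` and `marsnat1-pat.csdc.noirlab.edu` as subject alternative names or browsers for those hosts get a name-mismatch error; the certificate source is not in this hunk, so this needs confirming against the Puppet resource that installs it. The commit title says "catchall", but the change is an explicit host list rather than a wildcard or `default_server`, which is the safer choice; a comment such as `# explicit host list on purpose: add new stage/pat hosts here rather than a wildcard` would record that decision next to the directive. The first hunk adds the same three names to the port-80 redirect block, and `marsnat1-stage.csdc.noirlab.edu` is also claimed by the port-80 block of stage_default added in the previous patch, so if both files are enabled nginx warns about the conflicting server name and the first file loaded wins. Both `server {` blocks start outside their hunks.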