OpenLMIS and TLS
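#!/bin/bash
# OpenLMIS reference distro on CentOS 7 with TLS terminated by HAProxy on the
# host. The app stack is moved to :8080 and HAProxy owns :80/:443.
# Runbook: run as root, top to bottom, on a fresh host. The log-follow step is
# interactive; Ctrl-C there normally ends the whole script, so run what follows
# by hand.
# Not shown: FQDN set as hostname
# Not shown: SELinux to permissive
#   NOTE(review): permissive SELinux drops a containment layer around the
#   containers; prefer fixing the denials over leaving it off.
# Abort at the first failed step instead of running later steps against a
# half-installed host.
set -euo pipefail
########
# Docker CE from the upstream repo. The .repo file arrives over https; make
# sure it keeps gpgcheck=1 so the packages themselves are signature-checked.
yum install --assumeyes yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install --assumeyes docker-ce docker-ce-cli containerd.io
systemctl enable docker
systemctl start docker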
########
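# docker-compose 1.23.2 binary from the GitHub release.
# --fail: an error page (404/5xx) must not be saved as the "binary";
# --proto/--proto-redir '=https': the -L redirect may not downgrade to http.
# NOTE(review): the download is not pinned by checksum — compare the file with
# the sha256 published on the release page before trusting it.
curl \
  --fail \
  --location \
  --proto '=https' \
  --proto-redir '=https' \
  --tlsv1.2 \
  --output /usr/local/sbin/docker-compose \
  "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$( uname -s )-$( uname -m )"
chmod +x /usr/local/sbin/docker-compose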
########
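yum install --assumeyes git
# Shallow clone of the reference distro at whatever 'master' is right now.
# NOTE(review): unpinned — for a reproducible (and reviewable) deployment,
# clone a release tag instead of master.
git clone --branch 'master' --depth 1 \
  https://github.com/OpenLMIS/openlmis-ref-distro.git /opt/openlmis/distro/
cd /opt/openlmis/distro/
fqdn="$( hostname --long )"
# The hostname is spliced into the sed program below: refuse the characters
# that would alter the program ('#' is the delimiter, '&' and '\' are special
# in the replacement) instead of silently producing a broken settings.env.
if [[ -z "${fqdn}" || "${fqdn}" == *['#&\']* ]]; then
  printf 'refusing to splice hostname %q into a sed program\n' "${fqdn}" >&2
  exit 1
fi
# settings.env from the sample: point VIRTUAL_HOST/BASE_URL at this host,
# comment out every spring_profiles_active line, then re-enable only the
# '# spring_profiles_active=production' one.
# NOTE(review): BASE_URL stays http:// although clients reach the app over
# https through HAProxy — check the OpenLMIS docs on whether this should be
# the external https URL.
sed -r \
  -e "s#^VIRTUAL_HOST.*#VIRTUAL_HOST=${fqdn}#" \
  -e "s#^BASE_URL.*#BASE_URL=http://${fqdn}#" \
  -e 's/^(spring_profiles_active\s*=)/# \1/g' \
  -e 's/^# (spring_profiles_active=production).*/\1/' \
  settings-sample.env > settings.env
# Move the distro's nginx container off :80 so HAProxy can own 80/443.
# NOTE(review): the ref-distro compose file publishes "${OL_HTTP_PORT:-80}:80"
# with no host address, so :8080 ends up bound on every interface and bypasses
# the TLS front entirely. Bind it to loopback ("127.0.0.1:8080:80" in
# docker-compose.yml); Docker's own iptables rules sit ahead of firewalld's,
# so a host firewall rule alone may not close it.
printf '\n%s\n' 'OL_HTTP_PORT=8080' | tee -a .env
# Tell the app it is served over TLS. HAProxy supplies X-Forwarded-Proto; the
# in-container variant on this page notes that REQUIRE_SSL=true loops without
# a proxy setting that header.
sed -r -i -e '/^REQUIRE_SSL=/ s/=.*/=true/' settings.env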
########
# Bring the stack up with the production profile. Image versions come from
# .env and are pulled by tag, not by digest.
export spring_profiles_active='production'
docker-compose pull --include-deps
docker-compose up --detach
# Tail the stack until Ctrl-C (in a terminal that normally stops this script
# too; continue with the remaining steps by hand).
docker-compose logs --follow --timestamps --tail=10
########
# Seed a notification address for the built-in 'admin' user directly in the
# db container, as the 'postgres' superuser. Replace mail@example.com before
# running; emailverified = true presumably skips the app's own verification for
# this address. The SQL is a fixed literal — nothing is interpolated into it.
admin_contact_sql="INSERT INTO notification.user_contact_details (allownotify, email, emailverified, referencedatauserid)
SELECT true, 'mail@example.com', true, id
FROM referencedata.users
WHERE username = 'admin';"
docker-compose exec db psql \
  --username='postgres' \
  --dbname='open_lmis' \
  --command="${admin_contact_sql}"
########
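# HAProxy terminates TLS on :443 and proxies to the nginx container on :8080.
yum install --assumeyes haproxy openssl-libs openssl
cert_dir='/etc/haproxy/certs.d'
mkdir -v "${cert_dir}/"
# Self-signed certificate for this host's FQDN, unencrypted key (-nodes) so the
# daemon can start unattended.
# NOTE(review): clients must trust this cert explicitly. It carries a CN only;
# modern browsers require a subjectAltName, which `req` on OpenSSL 1.0.2
# (CentOS 7) can only add through a config file. Use a CA-issued cert for
# anything user-facing.
# umask 077 keeps the key and the combined .pem root-only; do not rely on
# openssl's default file mode for that.
( umask 077
  openssl req -new -sha256 -newkey rsa:2048 -nodes -x509 -days 3650 \
    -subj "/CN=${FQDN:-$( hostname --long )}" \
    -keyout "${cert_dir}/server.key" \
    -out "${cert_dir}/server.crt"
  # HAProxy wants cert + key in one PEM; it reads it as root at startup,
  # before dropping to the haproxy user and chrooting.
  cat "${cert_dir}/server.crt" "${cert_dir}/server.key" > "${cert_dir}/server.pem" )
chmod 0600 "${cert_dir}/server.key" "${cert_dir}/server.pem"
cat > /etc/haproxy/haproxy.cfg <<'EOF'
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
frontend www
    bind *:80
    # TLS 1.2 only (no-sslv3 alone still admits TLS 1.0/1.1). Ciphers stay at
    # the build default until there is a policy to enforce with 'ciphers'.
    bind *:443 ssl crt /etc/haproxy/certs.d/server.pem no-sslv3 no-tlsv10 no-tlsv11
    # Plain http only bounces clients to https; the app has REQUIRE_SSL=true.
    # Do NOT add Strict-Transport-Security while the cert is self-signed: HSTS
    # removes the browser's click-through on certificate errors.
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend openlmis
backend openlmis
    server openlmis0 127.0.0.1:8080
    # set-header (not add-header) so a client-supplied X-Forwarded-Proto/-Port
    # can never reach the app; after the redirect only https traffic gets here.
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http unless { ssl_fc }
EOF
# Validate the config before starting, and survive reboots.
haproxy -c -f /etc/haproxy/haproxy.cfg
systemctl enable haproxy
systemctl start haproxy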
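#!/bin/bash
# OpenLMIS reference distro on CentOS 7 with TLS terminated inside the distro's
# own nginx container: the container publishes :80 and :443 itself, nothing on
# the host sits in front of it.
# Runbook: run as root, top to bottom, on a fresh host. One step opens an
# editor and the log-follow step is interactive; Ctrl-C there normally ends
# the whole script, so run what follows by hand.
# Not shown: FQDN set as hostname
# Not shown: SELinux to permissive
#   NOTE(review): permissive SELinux drops a containment layer around the
#   containers; prefer fixing the denials over leaving it off.
# Abort at the first failed step instead of running later steps against a
# half-installed host.
set -euo pipefail
########
# Docker CE from the upstream repo. The .repo file arrives over https; make
# sure it keeps gpgcheck=1 so the packages themselves are signature-checked.
yum install --assumeyes yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install --assumeyes docker-ce docker-ce-cli containerd.io
systemctl enable docker
systemctl start docker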
########
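# docker-compose 1.23.2 binary from the GitHub release.
# --fail: an error page (404/5xx) must not be saved as the "binary";
# --proto/--proto-redir '=https': the -L redirect may not downgrade to http.
# NOTE(review): the download is not pinned by checksum — compare the file with
# the sha256 published on the release page before trusting it.
curl \
  --fail \
  --location \
  --proto '=https' \
  --proto-redir '=https' \
  --tlsv1.2 \
  --output /usr/local/sbin/docker-compose \
  "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$( uname -s )-$( uname -m )"
chmod +x /usr/local/sbin/docker-compose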
########
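yum install --assumeyes git
# Shallow clone of the reference distro at whatever 'master' is right now.
# NOTE(review): unpinned — for a reproducible (and reviewable) deployment,
# clone a release tag instead of master.
git clone --branch 'master' --depth 1 \
  https://github.com/OpenLMIS/openlmis-ref-distro.git /opt/openlmis/distro/
cd /opt/openlmis/distro/
fqdn="$( hostname --long )"
# The hostname is spliced into the sed program below: refuse the characters
# that would alter the program ('#' is the delimiter, '&' and '\' are special
# in the replacement) instead of silently producing a broken settings.env.
if [[ -z "${fqdn}" || "${fqdn}" == *['#&\']* ]]; then
  printf 'refusing to splice hostname %q into a sed program\n' "${fqdn}" >&2
  exit 1
fi
# settings.env from the sample: point VIRTUAL_HOST/BASE_URL at this host,
# comment out every spring_profiles_active line, then re-enable only the
# '# spring_profiles_active=production' one.
# NOTE(review): BASE_URL stays http:// although the container also serves
# https — check the OpenLMIS docs on whether this should be the https URL.
sed -r \
  -e "s#^VIRTUAL_HOST.*#VIRTUAL_HOST=${fqdn}#" \
  -e "s#^BASE_URL.*#BASE_URL=http://${fqdn}#" \
  -e 's/^(spring_profiles_active\s*=)/# \1/g' \
  -e 's/^# (spring_profiles_active=production).*/\1/' \
  settings-sample.env > settings.env
# REQUIRE_SSL is deliberately left at the sample's value in this variant:
# "true" sends the browser into a redirect loop (the container's nginx does
# not tell the app the request was https), "false" gives a 404 on both http
# and https. Kept for reference, not run:
#sed -r -i -e '/^REQUIRE_SSL=/ s/=.*/=false/' settings.env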
########
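# TLS terminated inside the distro's nginx container: create a cert/key on the
# host and bind-mount them, plus a patched nginx config template, read-only
# into the container.
yum install --assumeyes openssl
files_dir='/opt/openlmis/files'
mkdir -pv "${files_dir}"
# Self-signed certificate for this host's FQDN, unencrypted key (-nodes) so the
# container can start unattended.
# NOTE(review): clients must trust this cert explicitly. It carries a CN only;
# modern browsers require a subjectAltName, which `req` on OpenSSL 1.0.2
# (CentOS 7) can only add through a config file. Use a CA-issued cert for
# anything user-facing.
# umask 077 keeps the key root-only; do not rely on openssl's default file
# mode for that.
( umask 077
  openssl req -new -sha256 -newkey rsa:2048 -nodes -x509 -days 3650 \
    -subj "/CN=${FQDN:-$( hostname --long )}" \
    -keyout "${files_dir}/server.key" \
    -out "${files_dir}/server.crt" )
chmod 0600 "${files_dir}/server.key"
# NOTE(review): the key is root:root 0600 on the host. The container's nginx
# master has to read it; if it does not run as the container's root (check
# with `docker-compose exec nginx id`), chown the key to that uid rather than
# making it world-readable.
# Pull the stock nginx config template out of the image so the TLS listener
# can be added to it. OL_NGINX_VERSION comes from .env — fail loudly if unset.
( source .env
  : "${OL_NGINX_VERSION:?OL_NGINX_VERSION not set in .env}"
  image="openlmis/nginx:${OL_NGINX_VERSION}"
  docker pull "${image}"
  tmp_container="$( docker create "${image}" )"
  # Remove the throw-away container however this subshell exits.
  trap 'docker rm -v "${tmp_container}"' EXIT
  docker cp "${tmp_container}:/etc/consul-template/openlmis.conf" "${files_dir}/openlmis.conf" )
# Add the https listener right after 'server {'. ssl_protocols is pinned to
# TLS 1.2 because nginx's default also admits TLS 1.0/1.1.
sed -i \
  -e '/^server {/a \ listen 443 ssl;\n ssl_certificate_key /etc/nginx/server.key;\n ssl_certificate /etc/nginx/server.crt;\n ssl_protocols TLSv1.2;\n' \
  "${files_dir}/openlmis.conf"
# Edit the docker-compose.yml file by hand:
${EDITOR:-vi} docker-compose.yml
# The 'nginx' section should look like this (added port, three added read-only
# volumes). Note the port mappings carry no host address, so both ports are
# published on every interface.
# nginx:
#   image: openlmis/nginx:${OL_NGINX_VERSION}
#   ports:
#     - "${OL_HTTP_PORT:-80}:80"
#     - "443:443"
#   env_file: settings.env
#   environment:
#     NGINX_LOG_DIR: '/var/log/nginx/log'
#   volumes:
#     - 'nginx-log:/var/log/nginx/log'
#     - 'consul-template-log:/var/log/consul-template'
#     - '/opt/openlmis/files/openlmis.conf:/etc/consul-template/openlmis.conf:ro'
#     - '/opt/openlmis/files/server.crt:/etc/nginx/server.crt:ro'
#     - '/opt/openlmis/files/server.key:/etc/nginx/server.key:ro'
#   depends_on: [consul]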
########
# Bring the stack up with the production profile. Image versions come from
# .env and are pulled by tag, not by digest.
export spring_profiles_active='production'
docker-compose pull --include-deps
docker-compose up --detach
# Tail the stack until Ctrl-C (in a terminal that normally stops this script
# too; continue with the remaining steps by hand).
docker-compose logs --follow --timestamps --tail=10
########
# Seed a notification address for the built-in 'admin' user directly in the
# db container, as the 'postgres' superuser. Replace mail@example.com before
# running; emailverified = true presumably skips the app's own verification for
# this address. The SQL is a fixed literal — nothing is interpolated into it.
admin_contact_sql="INSERT INTO notification.user_contact_details (allownotify, email, emailverified, referencedatauserid)
SELECT true, 'mail@example.com', true, id
FROM referencedata.users
WHERE username = 'admin';"
docker-compose exec db psql \
  --username='postgres' \
  --dbname='open_lmis' \
  --command="${admin_contact_sql}"
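#!/bin/bash
# CentOS 7, OpenLMIS master/head, Nginx on system host
# TLS is terminated by an nginx installed from nginx.org's repo; the app stack
# is moved to :8080 and nginx owns :80/:443.
# Runbook: run as root, top to bottom, on a fresh host. The log-follow step is
# interactive; Ctrl-C there normally ends the whole script, so run what follows
# by hand.
########
# Not shown: FQDN set as hostname
# Not shown: SELinux to permissive
#   NOTE(review): permissive SELinux drops a containment layer around the
#   containers; prefer fixing the denials over leaving it off.
########
# Abort at the first failed step instead of running later steps against a
# half-installed host.
set -euo pipefail
# Docker CE from the upstream repo. The .repo file arrives over https; make
# sure it keeps gpgcheck=1 so the packages themselves are signature-checked.
yum install --assumeyes yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install --assumeyes docker-ce docker-ce-cli containerd.io
systemctl enable docker
systemctl start docker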
########
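# docker-compose 1.23.2 binary from the GitHub release.
# --fail: an error page (404/5xx) must not be saved as the "binary";
# --proto/--proto-redir '=https': the -L redirect may not downgrade to http.
# NOTE(review): the download is not pinned by checksum — compare the file with
# the sha256 published on the release page before trusting it.
curl \
  --fail \
  --location \
  --proto '=https' \
  --proto-redir '=https' \
  --tlsv1.2 \
  --output /usr/local/sbin/docker-compose \
  "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$( uname -s )-$( uname -m )"
chmod +x /usr/local/sbin/docker-compose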
########
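yum install --assumeyes git
# Shallow clone of the reference distro at whatever 'master' is right now.
# NOTE(review): unpinned — for a reproducible (and reviewable) deployment,
# clone a release tag instead of master.
git clone --branch 'master' --depth 1 \
  https://github.com/OpenLMIS/openlmis-ref-distro.git /opt/openlmis/distro/
cd /opt/openlmis/distro/
fqdn="$( hostname --long )"
# The hostname is spliced into the sed program below: refuse the characters
# that would alter the program ('#' is the delimiter, '&' and '\' are special
# in the replacement) instead of silently producing a broken settings.env.
if [[ -z "${fqdn}" || "${fqdn}" == *['#&\']* ]]; then
  printf 'refusing to splice hostname %q into a sed program\n' "${fqdn}" >&2
  exit 1
fi
# settings.env from the sample: point VIRTUAL_HOST/BASE_URL at this host,
# comment out every spring_profiles_active line, then re-enable only the
# '# spring_profiles_active=production' one.
# NOTE(review): BASE_URL stays http:// although clients reach the app over
# https through nginx — check the OpenLMIS docs on whether this should be the
# external https URL.
sed -r \
  -e "s#^VIRTUAL_HOST.*#VIRTUAL_HOST=${fqdn}#" \
  -e "s#^BASE_URL.*#BASE_URL=http://${fqdn}#" \
  -e 's/^(spring_profiles_active\s*=)/# \1/g' \
  -e 's/^# (spring_profiles_active=production).*/\1/' \
  settings-sample.env > settings.env
# Move the distro's nginx container off :80 so the host nginx can own 80/443.
# NOTE(review): the ref-distro compose file publishes "${OL_HTTP_PORT:-80}:80"
# with no host address, so :8080 ends up bound on every interface and bypasses
# the TLS front entirely. Bind it to loopback ("127.0.0.1:8080:80" in
# docker-compose.yml); Docker's own iptables rules sit ahead of firewalld's,
# so a host firewall rule alone may not close it.
printf '\n%s\n' 'OL_HTTP_PORT=8080' | tee -a .env
# Tell the app it is served over TLS. The host nginx supplies X-Forwarded-Proto;
# the in-container variant on this page notes that REQUIRE_SSL=true loops
# without a proxy setting that header.
sed -r -i -e '/^REQUIRE_SSL=/ s/=.*/=true/' settings.env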
########
# Bring the stack up with the production profile. Image versions come from
# .env and are pulled by tag, not by digest.
export spring_profiles_active='production'
docker-compose pull --include-deps
docker-compose up --detach
# Tail the stack until Ctrl-C (in a terminal that normally stops this script
# too; continue with the remaining steps by hand).
docker-compose logs --follow --timestamps --tail=10
########
# Seed a notification address for the built-in 'admin' user directly in the
# db container, as the 'postgres' superuser. Replace mail@example.com before
# running; emailverified = true presumably skips the app's own verification for
# this address. The SQL is a fixed literal — nothing is interpolated into it.
admin_contact_sql="INSERT INTO notification.user_contact_details (allownotify, email, emailverified, referencedatauserid)
SELECT true, 'mail@example.com', true, id
FROM referencedata.users
WHERE username = 'admin';"
docker-compose exec db psql \
  --username='postgres' \
  --dbname='open_lmis' \
  --command="${admin_contact_sql}"
########
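# nginx from nginx.org's own repo as the TLS front. The release package is
# fetched over https (not plain http) and is itself installed unverified; the
# signing key it ships is then trusted for everything from that repo. That is
# trust-on-first-use: compare the key's fingerprint with the one nginx.org
# publishes before relying on it.
yum install --assumeyes \
  https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm \
  openssl \
  yum-utils
yum-config-manager --setopt='nginx.gpgcheck=1' --save
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
yum install --assumeyes nginx
systemctl enable nginx
systemctl start nginx
ssl_dir='/etc/nginx/ssl'
mkdir -v "${ssl_dir}/"
# Self-signed certificate for this host's FQDN, unencrypted key (-nodes) so
# nginx can start unattended.
# NOTE(review): clients must trust this cert explicitly. It carries a CN only;
# modern browsers require a subjectAltName, which `req` on OpenSSL 1.0.2
# (CentOS 7) can only add through a config file. Use a CA-issued cert for
# anything user-facing.
# umask 077 keeps the key root-only (nginx's master process reads it as root
# at start-up); do not rely on openssl's default file mode for that.
( umask 077
  openssl req -new -sha256 -newkey rsa:2048 -nodes -x509 -days 3650 \
    -subj "/CN=${FQDN:-$( hostname --long )}" \
    -keyout "${ssl_dir}/server.key" \
    -out "${ssl_dir}/server.crt" )
chmod 0600 "${ssl_dir}/server.key"
cat > /etc/nginx/conf.d/default.conf <<'EOF'
# Plain http only bounces clients to https; the app has REQUIRE_SSL=true.
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate_key ssl/server.key;
    ssl_certificate ssl/server.crt;
    # TLS 1.2 only (nginx's default also admits TLS 1.0/1.1). Ciphers stay at
    # the build default until there is a policy to enforce.
    ssl_protocols TLSv1.2;
    # Do NOT add Strict-Transport-Security while the cert is self-signed: HSTS
    # removes the browser's click-through on certificate errors.
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Always "https" in this server block, which is what REQUIRE_SSL needs.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
# Only reload a config nginx itself accepts; stop here otherwise.
nginx -t || exit 1
systemctl reload-or-try-restart nginx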