chrisroos/2017-07-27-host-asset-manager-on-ec2.md

## 2017-07-27-host-asset-manager-on-ec2.md

      
    Raw
  

              2017-07-27-host-asset-manager-on-ec2.md
            
          
AMI: ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20170727 (ami-1e749f67)
t2.large instance

$ sudo apt-get update
$ sudo apt-get install -y git

$ sudo apt-get install -y gcc build-essential
$ sudo apt-get install -y libssl-dev libreadline-dev zlib1g-dev

# Install/configure rbenv
$ sudo apt-get install -y rbenv
$ git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
$ rbenv install 2.3.1
$ echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile
$ echo 'eval "$(rbenv init -)"' >> ~/.bash_profile 
$ source ~/.bash_profile
$ rbenv global 2.3.1
$ rbenv rehash
$ gem install bundler

# Set-up Asset Manager
$ git clone https://github.com/alphagov/asset-manager.git
$ cd asset-manager
$ bundle install

$ sudo apt-get install -y mongodb

# Clamscan
$ sudo apt-get install -y clamav clamav-freshclam clamav-daemon
$ sudo freshclam
$ sudo /etc/init.d/clamav-daemon start
$ sudo ln -s /usr/bin/clamscan /usr/local/bin/govuk_clamscan

# Apache Bench
$ sudo apt-get install -y apache2-utils

$ sudo apt-get install -y nginx-full

# Create nginx config file using the contents in the other file in this gist
$ sudo vi /etc/nginx/sites-available/asset-manager.ec2.gov.uk

$ sudo ln -s /etc/nginx/sites-available/asset-manager.ec2.gov.uk /etc/nginx/sites-enabled/
$ sudo service nginx reload

# Add `127.0.0.1 asset-manager.ec2.gov.uk` to /etc/hosts

$ echo "worker_processes 2" > config/unicorn.rb

# Store AWS environment variables in ~/.bash_profile
export AWS_ACCESS_KEY=<key>
export AWS_SECRET_KEY=<secret>
export AWS_REGION=<region>
export AWS_S3_BUCKET_NAME=<bucket>

$ bundle exec rails r "User.create!"

# Start Asset Manager server
$ bundle exec unicorn -p 3037 -c config/unicorn.rb

# Start the worker
$ bundle exec rake jobs:work

# Ensure Asset Manager is responding
$ curl http://asset-manager.ec2.gov.uk/healthcheck
OK

# Testing file upload
$ echo `date` > tmp.txt
$ curl http://asset-manager.ec2.gov.uk/assets/ \
--form "asset[file]=@tmp.txt" \
-H"Authorization: Bearer 123" \
-H"Accept: application/json"


## asset-manager.ec2.gov.uk
# Configure the cache for the S3 objects
# Settings based on https://www.nginx.com/blog/nginx-caching-guide/
proxy_cache_path /var/cache/nginx/ levels=1:2 keys_zone=asset-manager:10m max_size=10g
                 inactive=60m;

# I've had to add this to avoid the following error:
# nginx: [emerg] could not build the variables_hash, you should increase either variables_hash_max_size: 512 or variables_hash_bucket_size: 64
variables_hash_max_size 1024;

upstream asset-manager.ec2.gov.uk-proxy {
  server localhost:3037;
}

server {
  server_name asset-manager.ec2.gov.uk;

  listen 80;

  # Set variable that we can use to report the mechanism used to serve the file
  set $debug_served_by '';

  proxy_set_header Host $http_host;

  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_redirect off;
  proxy_connect_timeout 1s;
  proxy_read_timeout 15;

  add_header X-Frame-Options DENY;

  location / {
    try_files $uri/index.html $uri.html $uri @app;
  }

  location @app {
    proxy_pass http://asset-manager.ec2.gov.uk-proxy;
  }

  root /home/ubuntu/asset-manager/public;

  client_max_body_size 500m;

  proxy_set_header X-Sendfile-Type X-Accel-Redirect;
  proxy_set_header X-Accel-Mapping /home/ubuntu/asset-manager/uploads/assets/=/raw/;

  # /raw/(.*) is the path mapping sent from the rails application to
  # nginx and is immediately picked up. /raw/(.*) is not available
  # publicly as it is an internal path mapping.
  location ~ /raw/(.*) {
    internal;
    alias /home/ubuntu/asset-manager/uploads/assets/$1;
    set $debug_served_by SendFile;
  }

  # This querystring tells Rails to proxy the request to S3
  if ($query_string ~* "stream_from_s3") {
    set $debug_served_by RailsProxy;
  }

  # This internal location tells Nginx to proxy the request to S3
  # Based on https://kovyrin.net/2010/07/24/nginx-fu-x-accel-redirect-remote/
  # This location is invoked when the Rails app responds with an X-Accel-Redirect
  # header containing something like "/cloud-storage-proxy/https://<bucket-name>.s3.eu-west-2.amazonaws.com/<object-id>"
  location ~* ^/cloud-storage-proxy/(https?://)(.*?)/(.*) {
    # Do not allow people to mess with this location directly
    # Only internal redirects are allowed
    internal;

    # Enable caching
    proxy_cache asset-manager;
    add_header X-Cache-Status $upstream_cache_status;

    # Location-specific logging
    access_log /var/log/nginx/asset-manager-cloud-storage-proxy.access.log;
    error_log /var/log/nginx/asset-manager-cloud-storage-proxy.error.log warn;

    # Extract download url from the request
    set $download_scheme $1;
    set $download_host $2;
    set $download_path $3;

    # Compose download url
    set $download_url $download_scheme$download_host/$download_path;

    # Set download request headers
    proxy_set_header Host $download_host;
    proxy_set_header Authorization '';

    # The next two lines could be used if your storage
    # backend does not support Content-Disposition
    # headers used to specify file name browsers use
    # when save content to the disk
    #proxy_hide_header Content-Disposition;
    #add_header Content-Disposition 'attachment; filename="$args"';

    # Do not touch local disks when proxying
    # content to clients
    proxy_max_temp_file_size 0;

    # Add this to avoid "no resolver defined to resolve" errors
    resolver 8.8.8.8;

    # Download the file and send it to client
    proxy_pass $download_url;

    set $debug_served_by NginxProxy;
  }

  # Add HTTP header to report the mechanism used to serve the file
  add_header Debug-Served-By $debug_served_by;
}
	# Configure the cache for the S3 objects
	# Settings based on https://www.nginx.com/blog/nginx-caching-guide/
	proxy_cache_path /var/cache/nginx/ levels=1:2 keys_zone=asset-manager:10m max_size=10g
	inactive=60m;

	# I've had to add this to avoid the following error:
	# nginx: [emerg] could not build the variables_hash, you should increase either variables_hash_max_size: 512 or variables_hash_bucket_size: 64
	variables_hash_max_size 1024;

	upstream asset-manager.ec2.gov.uk-proxy {
	server localhost:3037;
	}

	server {
	server_name asset-manager.ec2.gov.uk;

	listen 80;

	# Set variable that we can use to report the mechanism used to serve the file
	set $debug_served_by '';

	proxy_set_header Host $http_host;

	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_redirect off;
	proxy_connect_timeout 1s;
	proxy_read_timeout 15;

	add_header X-Frame-Options DENY;

	location / {
	try_files $uri/index.html $uri.html $uri @app;
	}

	location @app {
	proxy_pass http://asset-manager.ec2.gov.uk-proxy;
	}

	root /home/ubuntu/asset-manager/public;

	client_max_body_size 500m;

	proxy_set_header X-Sendfile-Type X-Accel-Redirect;
	proxy_set_header X-Accel-Mapping /home/ubuntu/asset-manager/uploads/assets/=/raw/;

	# /raw/(.*) is the path mapping sent from the rails application to
	# nginx and is immediately picked up. /raw/(.*) is not available
	# publicly as it is an internal path mapping.
	location ~ /raw/(.*) {
	internal;
	alias /home/ubuntu/asset-manager/uploads/assets/$1;
	set $debug_served_by SendFile;
	}

	# This querystring tells Rails to proxy the request to S3
	if ($query_string ~* "stream_from_s3") {
	set $debug_served_by RailsProxy;
	}

	# This internal location tells Nginx to proxy the request to S3
	# Based on https://kovyrin.net/2010/07/24/nginx-fu-x-accel-redirect-remote/
	# This location is invoked when the Rails app responds with an X-Accel-Redirect
	# header containing something like "/cloud-storage-proxy/https://<bucket-name>.s3.eu-west-2.amazonaws.com/<object-id>"
	location ~* ^/cloud-storage-proxy/(https?://)(.?)/(.) {
	# Do not allow people to mess with this location directly
	# Only internal redirects are allowed
	internal;

	# Enable caching
	proxy_cache asset-manager;
	add_header X-Cache-Status $upstream_cache_status;

	# Location-specific logging
	access_log /var/log/nginx/asset-manager-cloud-storage-proxy.access.log;
	error_log /var/log/nginx/asset-manager-cloud-storage-proxy.error.log warn;

	# Extract download url from the request
	set $download_scheme $1;
	set $download_host $2;
	set $download_path $3;

	# Compose download url
	set $download_url $download_scheme$download_host/$download_path;

	# Set download request headers
	proxy_set_header Host $download_host;
	proxy_set_header Authorization '';

	# The next two lines could be used if your storage
	# backend does not support Content-Disposition
	# headers used to specify file name browsers use
	# when save content to the disk
	#proxy_hide_header Content-Disposition;
	#add_header Content-Disposition 'attachment; filename="$args"';

	# Do not touch local disks when proxying
	# content to clients
	proxy_max_temp_file_size 0;

	# Add this to avoid "no resolver defined to resolve" errors
	resolver 8.8.8.8;

	# Download the file and send it to client
	proxy_pass $download_url;

	set $debug_served_by NginxProxy;
	}

	# Add HTTP header to report the mechanism used to serve the file
	add_header Debug-Served-By $debug_served_by;
	}