@dminchev
Created November 11, 2015 11:20
Set up the server

# Create the unprivileged account the application is deployed and run as.
adduser deploy
# Install the deploy key's public half into deploy@example.com's authorized_keys.
# ssh-copy-id runs from the machine that holds ~/.ssh/deploy.pub (the admin
# workstation), not on the server itself.
ssh-copy-id -i ~/.ssh/deploy.pub deploy@example.com

Install rbenv

# git is needed to fetch rbenv and its plugins.
aptitude install git

# System-wide rbenv under /usr/local (the sstephenson/rbenv URL now redirects
# to rbenv/rbenv).  Cloned as root, so the checkout is root-owned; keep it that
# way, since its contents end up on every login shell's PATH.
git clone https://github.com/sstephenson/rbenv.git /usr/local/rbenv

# Login-shell hook; its contents are listed below.
vim /etc/profile.d/rbenv.sh

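# rbenv setup — this file is sourced for every login shell, so keep it
# root-owned and not group/world-writable: whatever is written here is
# eval'ed by each user that logs in.
export RBENV_ROOT=/usr/local/rbenv
export PATH="$RBENV_ROOT/bin:$PATH"
# Run the init hook only when the rbenv binary is actually present, so a
# missing or half-installed rbenv does not print errors on every login.
if [ -x "$RBENV_ROOT/bin/rbenv" ]; then
  eval "$(rbenv init -)"
fi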

# Not strictly required on Debian-style systems: /etc/profile sources
# /etc/profile.d/*.sh, which only needs to be readable.  Harmless, but what
# matters for this file is that it stays root-owned and not writable by
# other users (it is evaluated on every login).
chmod +x /etc/profile.d/rbenv.sh

Log out and log in again so the new profile script takes effect

Install ruby-build

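# The ruby-build plugin provides the `rbenv install` command.
# -p keeps this step idempotent when the notes are re-run on an existing box.
mkdir -p -- /usr/local/rbenv/plugins

# The sstephenson/ruby-build URL redirects to rbenv/ruby-build.
git clone https://github.com/sstephenson/ruby-build.git /usr/local/rbenv/plugins/ruby-build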

Install ruby

https://github.com/sstephenson/ruby-build/wiki#suggested-build-environment

# Build dependencies from the ruby-build wiki linked above.  Package names such
# as libgdbm3 / libreadline6-dev are release-specific and may differ on a newer
# distribution.
apt-get update
apt-get -y install autoconf bison build-essential libssl-dev libyaml-dev libreadline6-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm3 libgdbm-dev
# jemalloc plus libraries commonly needed by native-extension gems
# (libxml2/libxslt, curl, pcre).
apt-get -y install libjemalloc-dev libcurl4-openssl-dev libpcre3-dev libxml2 libxml2-dev libxslt1-dev
# Build Ruby against jemalloc.  NOTE(review): Ruby 2.2 is end-of-life and no
# longer receives security fixes; pick a maintained series for a new server.
RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 2.2.3
rbenv global 2.2.3
rbenv rehash
ruby -v

# Skip ri/rdoc generation for installed gems (newer RubyGems spell this
# --no-document).  This writes the invoking user's ~/.gemrc — root's, when the
# notes are followed as root.
echo 'gem: --no-ri --no-rdoc' > ~/.gemrc
gem install bundler
# Unpinned: whatever version is current gets installed.  The passenger_root
# path in nginx.conf below is version-specific and must match what this
# installs (5.0.20 at the time of the notes).
gem install passenger

Install nginx + passenger

[Optional] Install ngx_headers_more

# Optional: headers_more lets nginx strip response headers such as Server
# (see the commented more_clear_headers line in nginx.conf below).
# Cloned from the default branch, unpinned — pin a tag if reproducible builds
# matter.
cd /tmp
git clone https://github.com/openresty/headers-more-nginx-module.git

Download and install nginx

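# Download and build nginx 1.9.5 from source.
# Fetched over HTTPS and checked against the detached signature that nginx.org
# publishes next to each tarball (the nginx signing key must already be
# imported into the keyring).  The original fetched over plain http with no
# verification, so a tampered tarball would have been built and installed as-is.
nginx_version=1.9.5
cd /tmp || exit 1
wget "https://nginx.org/download/nginx-${nginx_version}.tar.gz" \
     "https://nginx.org/download/nginx-${nginx_version}.tar.gz.asc"
gpg --verify "nginx-${nginx_version}.tar.gz.asc" "nginx-${nginx_version}.tar.gz" || exit 1
tar xzf "nginx-${nginx_version}.tar.gz" && cd "nginx-${nginx_version}" || exit 1

# Passenger's nginx module lives under the gem's root.  $(...) instead of
# backticks, and quoted so an unusual gem path cannot split the argument.
passenger_module="$(passenger-config --root)/src/nginx_module"

# Every line except the last must end in a backslash with nothing after it.
# In the original a blank line followed the passenger --add-module line; that
# ended the ./configure command early and left the headers-more line to run as
# a command of its own.
./configure \
  --sbin-path=/usr/local/sbin \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
  --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
  --user=deploy --group=deploy \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_gzip_static_module \
  --with-http_stub_status_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-sha1=/usr/lib \
  --add-module="$passenger_module" \
  --add-module=/tmp/headers-more-nginx-module
# The final --add-module is the [Optional] ngx_headers_more module; delete that
# line if the repository was not cloned in the step above.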

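# nginx was configured with its temp paths under /var/lib/nginx (the
# --http-*-temp-path options above); create it before the first start.
# -p keeps the step idempotent on re-runs.
mkdir -p -- /var/lib/nginx
# Build, then install into the --sbin-path/--conf-path locations given to
# ./configure (both steps as root, as in the original notes).
make && make install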

Create nginx init script

# The init script is listed below; it runs as root at boot, so it must be
# root-owned and not writable by other users.
vim /etc/init.d/nginx

#!/bin/sh

### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO

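PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/nginx
NAME=nginx
DESC=nginx

# Include nginx defaults if available.  The file is sourced as shell by root,
# so it must be root-owned and not writable by other users: DAEMON_OPTS and
# ULIMIT read from it end up on the nginx command line and in this process.
if [ -f /etc/default/nginx ]; then
	. /etc/default/nginx
fi

# Nothing to do if the binary was never installed.  Quoted, since DAEMON may
# have been overridden from /etc/default/nginx.
test -x "$DAEMON" || exit 0

set -e

. /lib/lsb/init-functions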

# Validate the nginx configuration before (re)starting or reloading.
# The first run is silent; if it fails, nginx -t is run again without
# redirection so its diagnostics reach the caller, and that run's status is
# returned.  DAEMON_OPTS is deliberately unquoted: it is a space-separated
# option list from /etc/default/nginx.
# Returns 0 when the config is valid, nginx's exit status otherwise (under
# the script's set -e a failing second run outside an if/|| context ends the
# script with that status, exactly as the original did).
test_nginx_config() {
	if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
		return 0
	fi
	_tnc_rv=0
	$DAEMON -t $DAEMON_OPTS || _tnc_rv=$?
	return $_tnc_rv
}

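# Dispatch on the action given by the init system or the administrator.
# DAEMON_OPTS and ULIMIT stay unquoted on purpose (space-separated option
# lists from /etc/default/nginx); every other expansion is quoted.
case "$1" in
	start)
		echo -n "Starting $DESC: "
		# Under set -e an invalid config aborts here with nginx's exit status.
		test_nginx_config
		# Check if the ULIMIT is set in /etc/default/nginx
		if [ -n "$ULIMIT" ]; then
			# Set the ulimits
			ulimit $ULIMIT
		fi
		# "|| true": start-stop-daemon returns non-zero when nginx is already
		# running, which is not an error for this script.
		start-stop-daemon --start --quiet --pidfile "/var/run/$NAME.pid" \
		    --exec "$DAEMON" -- $DAEMON_OPTS || true
		echo "$NAME."
		;;

	stop)
		echo -n "Stopping $DESC: "
		start-stop-daemon --stop --quiet --pidfile "/var/run/$NAME.pid" \
		    --exec "$DAEMON" || true
		echo "$NAME."
		;;

	restart|force-reload)
		echo -n "Restarting $DESC: "
		start-stop-daemon --stop --quiet --pidfile \
		    "/var/run/$NAME.pid" --exec "$DAEMON" || true
		# Fixed grace period for the old master to release its ports before
		# the new one starts; start-stop-daemon's --retry would wait
		# deterministically instead.
		sleep 1
		test_nginx_config
		start-stop-daemon --start --quiet --pidfile \
		    "/var/run/$NAME.pid" --exec "$DAEMON" -- $DAEMON_OPTS || true
		echo "$NAME."
		;;

	reload)
		echo -n "Reloading $DESC configuration: "
		# Validate first so a broken config is reported here rather than
		# only in the error log.
		test_nginx_config
		# SIGHUP asks the master to re-read its config and replace its
		# workers; --stop here only delivers the signal.
		start-stop-daemon --stop --signal HUP --quiet --pidfile "/var/run/$NAME.pid" \
		    --exec "$DAEMON" || true
		echo "$NAME."
		;;

	configtest|testconfig)
		echo -n "Testing $DESC configuration: "
		if test_nginx_config; then
			echo "$NAME."
		else
			# In the else branch $? is still the status of the condition.
			exit $?
		fi
		;;

	status)
		# status_of_proc comes from /lib/lsb/init-functions.
		status_of_proc -p "/var/run/$NAME.pid" "$DAEMON" nginx && exit 0 || exit $?
		;;
	*)
		echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
		exit 1
		;;
esac

exit 0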
# Make the init script executable and register it for the default runlevels
# (2-5 start, 0/1/6 stop, per the LSB header in the script).
chmod +x /etc/init.d/nginx
update-rc.d nginx defaults

Configure nginx (/etc/nginx/nginx.conf)

# Main nginx configuration (/etc/nginx/nginx.conf, the --conf-path given to
# ./configure).  Worker processes run as the same account the application is
# deployed as.
user deploy;
# Fixed worker count; "auto" sizes it to the CPU count on recent releases.
worker_processes 4;
# Must match --pid-path from ./configure and the pidfile used by the init script.
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Version-pinned path (passenger 5.0.20 inside the Ruby 2.2.3 gem dir); it
    # has to be updated whenever passenger or ruby is upgraded —
    # `passenger-config --root` prints the current value.
    passenger_root /usr/local/rbenv/versions/2.2.3/lib/ruby/gems/2.2.0/gems/passenger-5.0.20;
    passenger_ruby /usr/local/rbenv/shims/ruby;
    passenger_pool_idle_time 0;
    # Together with server_tokens off below, keeps nginx/passenger versions
    # out of response headers.
    passenger_show_version_in_header off;
    # Needs the optional ngx_headers_more module from the build step.
    # more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';

    client_max_body_size    25m;
    server_tokens           off;
    tcp_nopush              on;
    tcp_nodelay             on;
    sendfile                on;
    keepalive_timeout       70;
    types_hash_max_size     2048;

    # NOTE(review): these gzip settings also apply to the TLS vhost below.
    # Compressing dynamic responses that reflect request data next to secrets
    # (CSRF tokens, session ids) over TLS enables length-based leaks (BREACH);
    # consider limiting gzip_types to static asset types on TLS hosts.
    gzip                    on;
    gzip_http_version       1.1;
    gzip_disable            "msie6";
    gzip_vary               on;
    gzip_min_length         1100;
    gzip_buffers            64 8k;
    gzip_comp_level         3;
    gzip_proxied            any;
    gzip_types              text/plain text/css application/x-javascript text/xml application/xml;

    # The vhost files listed later in these notes go under sites-enabled.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Install MySQL

# Server, client and the dev headers the mysql2 gem builds against.
aptitude install mysql-server mysql-client libmysqlclient-dev
# Config additions are listed below (character-set defaults).
vim /etc/mysql/my.cnf
# Force utf8 end to end so client, connection and server defaults agree.
# (MySQL's "utf8" is the 3-byte subset; utf8mb4 is needed for full Unicode.)
[client]
default-character-set=utf8

[mysqld]
collation-server = utf8_unicode_ci
# Runs for every non-SUPER connection, pinning the connection charset.
init-connect='SET NAMES utf8'
character-set-server = utf8

[mysql]
default-character-set=utf8
# Restart so the my.cnf changes take effect, then open a root shell for the
# GRANTs below (-p prompts for the password rather than taking it on argv).
service mysql restart
mysql -uroot -p
-- One account per environment, restricted to connections from localhost.
-- The database name is a LIKE pattern: `\_` is a literal underscore and `%`
-- matches any prefix, so 'staging' gets ALL PRIVILEGES on every database
-- whose name ends in "_staging" (and likewise for production).  '***' is the
-- placeholder for the real password.
-- NOTE(review): GRANT ... IDENTIFIED BY creates the user implicitly; MySQL
-- 8.0 removed that form and needs a separate CREATE USER first.  The password
-- literal is also typically recorded in the invoking user's ~/.mysql_history.
GRANT ALL PRIVILEGES ON  `%\_staging` . * TO  'staging'@'localhost' IDENTIFIED BY  '***';
GRANT ALL PRIVILEGES ON  `%\_production` . * TO  'production'@'localhost' IDENTIFIED BY  '***';

Application /etc/nginx/sites-enabled/example.com

http only

# Plain-HTTP vhost for example.com (no TLS).
server {
    listen       80;
    server_name  example.com www.example.com;
    # The app's public/ directory; Passenger is enabled for this server block.
    root   /var/www/example.com/public;
    passenger_enabled on;
    index  index.html;

    charset  utf-8;

    # NOTE(review): both logs go to /dev/null, so there is no request or error
    # trail for troubleshooting or incident response; keep at least error_log
    # pointed at the path given to ./configure (/var/log/nginx/error.log).
    access_log  /dev/null;
    error_log   /dev/null;

    # Static error pages, resolved relative to root.
    error_page  404 /404.html;
    error_page  500 502 503 504 /50x.html;
}

http + https

https://weakdh.org/sysadmin.html

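# Plain-HTTP listener: everything is redirected to the TLS vhost.
# default_server is a parameter of `listen`, not a host name.  In the original
# it sat in server_name, where nginx most likely takes it as a literal name
# "default_server", so this block was not the catch-all it was meant to be.
server {
  listen 80 default_server;
  server_name example.com;
  # Logs discarded here (see the note on the TLS vhost about visibility).
  access_log /dev/null;
  error_log /dev/null;
  # 301 keeps path and query; the host is pinned so the redirect target does
  # not depend on the request's Host header.
  return 301 https://example.com$request_uri;
}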

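# TLS vhost for example.com.
server {
  listen 443 ssl http2;
  server_name example.com;
  # NOTE(review): both logs go to /dev/null, leaving no request or error
  # trail for troubleshooting or incident response; keep at least error_log.
  access_log /dev/null;
  error_log /dev/null;

  passenger_enabled on;
  # "current" presumably points at the active release (Capistrano-style layout).
  root /var/www/example.com/current/public;

  # `ssl on;` dropped: `listen ... ssl` above already enables TLS and the
  # directive is deprecated.
  ssl_certificate      /etc/nginx/certs/example.com.crt;
  ssl_certificate_key  /etc/nginx/certs/example.com.key;

  # Per https://weakdh.org/sysadmin.html (linked above): when ssl_dhparam is
  # unset, nginx releases of this vintage use a built-in 1024-bit group for
  # the DHE suites in the cipher list.  Generate a 2048-bit group with
  # openssl dhparam and point this at it — the file name here is a placeholder.
  ssl_dhparam /etc/nginx/certs/dhparam.pem;

  ssl_prefer_server_ciphers on;
  # Forward-secret AEAD suites first; the tail (DES-CBC3-SHA, CAMELLIA, plain
  # AES-SHA) exists only for old clients and can be trimmed if they are not needed.
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); the original also offered both.
  ssl_protocols TLSv1.2;
}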
@dminchev

cd $(passenger-config --root)
rake nginx
