jasonwbarnett/.site_config.yaml Secret

## .site_config.yaml
# [15:02:56 CDT] jbarnett@r225 [~]$ rvmsudo chef-client --once -o 'recipe[nginx::spigit_engage]'
---
mindjet:
  engage:
    maintenance: false
    maintenance_title: Site Maintenance in Progress
    maintenance_msg: Site is offline for scheduled maintence
    ip_restricted: false
    allowed_ips: ['25.25.25.25', '22.22.0.0/16']
    ip_restrict_msg: Access to the specified resource has been forbidden.<br/>Contact your Administrator if you believe this is a mistake.
nginx:
  configs:
    qa356:
      type: engage
      server_names: ['qa356.domain.com', '*.qa356.domain.com']
      root: /opt/nginx/qa356
      tomcat_host_ip: 192.168.3.5
      tomcat_ssl_port: 8081
      proxy_connect_timeout: 5s
      proxy_read_timeout: 35s
      proxy_read_timeout_long: 1800s
      ssl_enabled: true
      ssl_protocols: SSLv3 TLSv1 TLSv1.1 TLSv1.2
      ssl_forced: false
      ssl_server_names: ['qa356.domain.com', '*.qa356.domain.com']
      ssl_ipaddress: 192.168.3.5
      ssl_ciphers: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
      ssl_certificate: /opt/certs/pem/*.qa356.domain.com.crt
      ssl_certificate_key: /opt/certs/pem/*.qa356.domain.com.key
      proxy_intercept_errors: true
      spigit_only: false
    qa356_redirect:
      type: redirect
      redirect_to: www.qa356.domain.com

## how_to_convert_to_nginx.sh
# Good base point (file should live: /opt/webapps/<webapp_dir>/.site_config.yaml):
# /spigit/operations-scripts/tomcatTools/update_connectors.rb -i
---
nginx:
  site_name: qa356
  server_names: ['qa356.spigit.com', '*.qa356.spigit.com']
  tomcat_host_ip: 192.168.100.194
  ssl_enabled: true
  ssl_servernames: ['*.qa356.spigit.com']
  ssl_ipaddress: 192.168.100.194
  ssl_certificate: /opt/certs/pem/*.qa356.spigit.com.crt
  ssl_certificate_key: /opt/certs/pem/*.qa356.spigit.com.key


$ rvmsudo chef-client --once -o 'recipe[nginx::spigit_engage]'
$ /spigit/operations-scripts/tomcatTools/update_connectors.rb -i
$ iptables -L -t nat -n | egrep '192.168.100.194'
$ vim /etc/rc.d/rc.local ## Comment out IP
$ service iptables restart; /etc/rc.d/rc.local  ## Restart iptables
$ iptables -L -t nat -n | egrep '192.168.100.194' ## confirm IP is no longer in iptables
$ sudo /sbin/service nginx restart; sudo /sbin/service tomcat restart

## providers_fronting_tomcat.rb
# Support whyrun
def whyrun_supported?
  true
end

use_inline_resources

action :create do
  set_defaults(new_resource)
  template new_resource.site_name do
    path "/etc/nginx/conf.d/fronting_tomcat/#{new_resource.site_name}.conf"
    source 'fronting_tomcat.erb'
    mode '0644'
    owner 'root'
    group 'root'
    variables({resource: new_resource})
  end

  directory "#{new_resource.root}/public_html" do
    recursive true
    mode '0775'
    owner 'nginx'
    owner 'spigit'
  end

  template "#{new_resource.root}/public_html/robots.txt" do
    source 'robots.txt.erb'
    mode '0644'
    owner 'nginx'
    group 'spigit'
    variables({resource: new_resource})
    action :create
  end

  template "#{new_resource.root}/public_html/403.html" do
    source '403.html.erb'
    mode '0644'
    owner 'nginx'
    group 'spigit'
    variables({resource: new_resource})
    action :create
  end

  maintenance_action = new_resource.maintenance ? :create : :delete
  template "#{new_resource.root}/public_html/maintenance.html" do
    source 'maintenance.html.erb'
    mode '0644'
    owner 'nginx'
    group 'spigit'
    variables({resource: new_resource})
    action maintenance_action
  end

  ip_restrictions_action = new_resource.ip_restricted ? :create : :delete
  template "/etc/nginx/conf.d/ip_restrictions/#{new_resource.site_name}.conf" do
    source 'allowed_ips.erb'
    mode '0644'
    owner 'nginx'
    group 'spigit'
    variables({resource: new_resource})
    action ip_restrictions_action
  end
end

def set_defaults(resource)
  root = resource.root ? resource.root : "/opt/nginx/#{resource.site_name}"
  resource.root(root)

  ssl_server_names = resource.ssl_server_names ? resource.ssl_server_names : [ resource.site_name ]
  resource.ssl_server_names(ssl_server_names)
end

## recipe_spigit_engage.rb
#
# Cookbook Name:: nginx
# Recipe:: spigit_engage
#
# Author:: Jason Barnett <J@sonBarnett.com>
#
# Copyright 2014, Mindjet LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

site_configs = Dir.glob("/opt/webapps/*/.site_config.yaml")

site_configs.each do |site|
  config = YAML.load_file(site)

  nginx_fronting_tomcat config['nginx']['site_name'] do
    site_name config['nginx']['site_name']
    server_names config['nginx']['server_names']
    root config['nginx']['root']
    tomcat_host_ip config['nginx']['tomcat_host_ip']
    tomcat_ssl_port config['nginx']['tomcat_ssl_port']
    proxy_connect_timeout config['nginx']['proxy_connect_timeout']
    proxy_read_timeout config['nginx']['proxy_read_timeout']
    proxy_read_timeout_long config['nginx']['proxy_read_timeout_long']
    ssl_enabled config['nginx']['ssl_enabled']
    ssl_protocols config['nginx']['ssl_protocols']
    ssl_forced config['nginx']['ssl_forced']
    ssl_server_names config['nginx']['ssl_server_names']
    ssl_ipaddress config['nginx']['ssl_ipaddress']
    ssl_ciphers config['nginx']['ssl_ciphers']
    ssl_certificate config['nginx']['ssl_certificate']
    ssl_certificate_key config['nginx']['ssl_certificate_key']
    redirect_base_to config['nginx']['redirect_base_to']
    proxy_intercept_errors config['nginx']['proxy_intercept_errors']
    ip_restricted config['nginx']['ip_restricted']
    allowed_ips config['nginx']['allowed_ips']
    ip_restrict_msg config['nginx']['ip_restrict_msg']
    spigit_only config['nginx']['spigit_only']
    maintenance config['nginx']['maintenance']
    maintenance_title config['nginx']['maintenance_title']
    maintenance_msg config['nginx']['maintenance_msg']
  end
end

## resources_fronting_tomcat.rb
require 'resolv'

actions :create
default_action :create

attribute :site_name, name_attribute: true, kind_of: String, required: true

attribute :server_names,                kind_of: Array, required: true
attribute :root,                        kind_of: String
attribute :tomcat_host_ip,              kind_of: String, required: true, regex: Resolv::IPv4::Regex
attribute :tomcat_ssl_port,             kind_of: Fixnum, default: 8081
attribute :proxy_connect_timeout,       kind_of: String, default: '5s'
attribute :proxy_read_timeout,          kind_of: String, default: '35s'
attribute :proxy_read_timeout_long,     kind_of: String, default: '1800s'
attribute :ssl_enabled,                 kind_of: [ TrueClass, FalseClass ], default: false
attribute :ssl_protocols,               kind_of: String, default: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2'
attribute :ssl_forced,                  kind_of: [ TrueClass, FalseClass ], default: false
attribute :ssl_server_names,            kind_of: Array
attribute :ssl_ipaddress,               kind_of: String, regex: Resolv::IPv4::Regex
attribute :ssl_ciphers,                 kind_of: String, default: 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'
attribute :ssl_certificate,             kind_of: String
attribute :ssl_certificate_key,         kind_of: String
attribute :redirect_base_to,            kind_of: [ TrueClass, FalseClass ], default: false
attribute :proxy_intercept_errors,      kind_of: [ TrueClass, FalseClass ], default: true
attribute :ip_restricted,               kind_of: [ TrueClass, FalseClass ], default: false
attribute :allowed_ips,                 kind_of: Array
attribute :ip_restrict_msg,             kind_of: String, default: "Access to the specified resource has been forbidden.<br/>Contact your Administrator if you believe this is a mistake."
attribute :spigit_only,                 kind_of: [ TrueClass, FalseClass ], default: false
attribute :maintenance,                 kind_of: [ TrueClass, FalseClass ], default: false
attribute :maintenance_title,           kind_of: String, default: 'Site Maintenance in Progress'
attribute :maintenance_msg,             kind_of: String, default: 'Site is offline for scheduled maintence.'
	# [15:02:56 CDT] jbarnett@r225 [~]$ rvmsudo chef-client --once -o 'recipe[nginx::spigit_engage]'
	---
	mindjet:
	engage:
	maintenance: false
	maintenance_title: Site Maintenance in Progress
	maintenance_msg: Site is offline for scheduled maintence
	ip_restricted: false
	allowed_ips: ['25.25.25.25', '22.22.0.0/16']
	ip_restrict_msg: Access to the specified resource has been forbidden.<br/>Contact your Administrator if you believe this is a mistake.
	nginx:
	configs:
	qa356:
	type: engage
	server_names: ['qa356.domain.com', '*.qa356.domain.com']
	root: /opt/nginx/qa356
	tomcat_host_ip: 192.168.3.5
	tomcat_ssl_port: 8081
	proxy_connect_timeout: 5s
	proxy_read_timeout: 35s
	proxy_read_timeout_long: 1800s
	ssl_enabled: true
	ssl_protocols: SSLv3 TLSv1 TLSv1.1 TLSv1.2
	ssl_forced: false
	ssl_server_names: ['qa356.domain.com', '*.qa356.domain.com']
	ssl_ipaddress: 192.168.3.5
	ssl_ciphers: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
	ssl_certificate: /opt/certs/pem/*.qa356.domain.com.crt
	ssl_certificate_key: /opt/certs/pem/*.qa356.domain.com.key
	proxy_intercept_errors: true
	spigit_only: false
	qa356_redirect:
	type: redirect
	redirect_to: www.qa356.domain.com
	# Good base point (file should live: /opt/webapps/<webapp_dir>/.site_config.yaml):
	# /spigit/operations-scripts/tomcatTools/update_connectors.rb -i
	---
	nginx:
	site_name: qa356
	server_names: ['qa356.spigit.com', '*.qa356.spigit.com']
	tomcat_host_ip: 192.168.100.194
	ssl_enabled: true
	ssl_servernames: ['*.qa356.spigit.com']
	ssl_ipaddress: 192.168.100.194
	ssl_certificate: /opt/certs/pem/*.qa356.spigit.com.crt
	ssl_certificate_key: /opt/certs/pem/*.qa356.spigit.com.key


	$ rvmsudo chef-client --once -o 'recipe[nginx::spigit_engage]'
	$ /spigit/operations-scripts/tomcatTools/update_connectors.rb -i
	$ iptables -L -t nat -n \| egrep '192.168.100.194'
	$ vim /etc/rc.d/rc.local ## Comment out IP
	$ service iptables restart; /etc/rc.d/rc.local ## Restart iptables
	$ iptables -L -t nat -n \| egrep '192.168.100.194' ## confirm IP is no longer in iptables
	$ sudo /sbin/service nginx restart; sudo /sbin/service tomcat restart
	# Support whyrun
	def whyrun_supported?
	true
	end

	use_inline_resources

	action :create do
	set_defaults(new_resource)
	template new_resource.site_name do
	path "/etc/nginx/conf.d/fronting_tomcat/#{new_resource.site_name}.conf"
	source 'fronting_tomcat.erb'
	mode '0644'
	owner 'root'
	group 'root'
	variables({resource: new_resource})
	end

	directory "#{new_resource.root}/public_html" do
	recursive true
	mode '0775'
	owner 'nginx'
	owner 'spigit'
	end

	template "#{new_resource.root}/public_html/robots.txt" do
	source 'robots.txt.erb'
	mode '0644'
	owner 'nginx'
	group 'spigit'
	variables({resource: new_resource})
	action :create
	end

	template "#{new_resource.root}/public_html/403.html" do
	source '403.html.erb'
	mode '0644'
	owner 'nginx'
	group 'spigit'
	variables({resource: new_resource})
	action :create
	end

	maintenance_action = new_resource.maintenance ? :create : :delete
	template "#{new_resource.root}/public_html/maintenance.html" do
	source 'maintenance.html.erb'
	mode '0644'
	owner 'nginx'
	group 'spigit'
	variables({resource: new_resource})
	action maintenance_action
	end

	ip_restrictions_action = new_resource.ip_restricted ? :create : :delete
	template "/etc/nginx/conf.d/ip_restrictions/#{new_resource.site_name}.conf" do
	source 'allowed_ips.erb'
	mode '0644'
	owner 'nginx'
	group 'spigit'
	variables({resource: new_resource})
	action ip_restrictions_action
	end
	end

	def set_defaults(resource)
	root = resource.root ? resource.root : "/opt/nginx/#{resource.site_name}"
	resource.root(root)

	ssl_server_names = resource.ssl_server_names ? resource.ssl_server_names : [ resource.site_name ]
	resource.ssl_server_names(ssl_server_names)
	end
	#
	# Cookbook Name:: nginx
	# Recipe:: spigit_engage
	#
	# Author:: Jason Barnett <J@sonBarnett.com>
	#
	# Copyright 2014, Mindjet LLC
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#

	site_configs = Dir.glob("/opt/webapps/*/.site_config.yaml")

	site_configs.each do \|site\|
	config = YAML.load_file(site)

	nginx_fronting_tomcat config['nginx']['site_name'] do
	site_name config['nginx']['site_name']
	server_names config['nginx']['server_names']
	root config['nginx']['root']
	tomcat_host_ip config['nginx']['tomcat_host_ip']
	tomcat_ssl_port config['nginx']['tomcat_ssl_port']
	proxy_connect_timeout config['nginx']['proxy_connect_timeout']
	proxy_read_timeout config['nginx']['proxy_read_timeout']
	proxy_read_timeout_long config['nginx']['proxy_read_timeout_long']
	ssl_enabled config['nginx']['ssl_enabled']
	ssl_protocols config['nginx']['ssl_protocols']
	ssl_forced config['nginx']['ssl_forced']
	ssl_server_names config['nginx']['ssl_server_names']
	ssl_ipaddress config['nginx']['ssl_ipaddress']
	ssl_ciphers config['nginx']['ssl_ciphers']
	ssl_certificate config['nginx']['ssl_certificate']
	ssl_certificate_key config['nginx']['ssl_certificate_key']
	redirect_base_to config['nginx']['redirect_base_to']
	proxy_intercept_errors config['nginx']['proxy_intercept_errors']
	ip_restricted config['nginx']['ip_restricted']
	allowed_ips config['nginx']['allowed_ips']
	ip_restrict_msg config['nginx']['ip_restrict_msg']
	spigit_only config['nginx']['spigit_only']
	maintenance config['nginx']['maintenance']
	maintenance_title config['nginx']['maintenance_title']
	maintenance_msg config['nginx']['maintenance_msg']
	end
	end
	require 'resolv'

	actions :create
	default_action :create

	attribute :site_name, name_attribute: true, kind_of: String, required: true

	attribute :server_names, kind_of: Array, required: true
	attribute :root, kind_of: String
	attribute :tomcat_host_ip, kind_of: String, required: true, regex: Resolv::IPv4::Regex
	attribute :tomcat_ssl_port, kind_of: Fixnum, default: 8081
	attribute :proxy_connect_timeout, kind_of: String, default: '5s'
	attribute :proxy_read_timeout, kind_of: String, default: '35s'
	attribute :proxy_read_timeout_long, kind_of: String, default: '1800s'
	attribute :ssl_enabled, kind_of: [ TrueClass, FalseClass ], default: false
	attribute :ssl_protocols, kind_of: String, default: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2'
	attribute :ssl_forced, kind_of: [ TrueClass, FalseClass ], default: false
	attribute :ssl_server_names, kind_of: Array
	attribute :ssl_ipaddress, kind_of: String, regex: Resolv::IPv4::Regex
	attribute :ssl_ciphers, kind_of: String, default: 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'
	attribute :ssl_certificate, kind_of: String
	attribute :ssl_certificate_key, kind_of: String
	attribute :redirect_base_to, kind_of: [ TrueClass, FalseClass ], default: false
	attribute :proxy_intercept_errors, kind_of: [ TrueClass, FalseClass ], default: true
	attribute :ip_restricted, kind_of: [ TrueClass, FalseClass ], default: false
	attribute :allowed_ips, kind_of: Array
	attribute :ip_restrict_msg, kind_of: String, default: "Access to the specified resource has been forbidden.<br/>Contact your Administrator if you believe this is a mistake."
	attribute :spigit_only, kind_of: [ TrueClass, FalseClass ], default: false
	attribute :maintenance, kind_of: [ TrueClass, FalseClass ], default: false
	attribute :maintenance_title, kind_of: String, default: 'Site Maintenance in Progress'
	attribute :maintenance_msg, kind_of: String, default: 'Site is offline for scheduled maintence.'