-
-
Save jasonwbarnett/155484ef1c821631512c to your computer and use it in GitHub Desktop.
NGINX config LWRP for Chef Opscode.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# [15:02:56 CDT] jbarnett@r225 [~]$ rvmsudo chef-client --once -o 'recipe[nginx::spigit_engage]' | |
--- | |
mindjet: | |
engage: | |
maintenance: false | |
maintenance_title: Site Maintenance in Progress | |
maintenance_msg: Site is offline for scheduled maintence | |
ip_restricted: false | |
allowed_ips: ['25.25.25.25', '22.22.0.0/16'] | |
ip_restrict_msg: Access to the specified resource has been forbidden.<br/>Contact your Administrator if you believe this is a mistake. | |
nginx: | |
configs: | |
qa356: | |
type: engage | |
server_names: ['qa356.domain.com', '*.qa356.domain.com'] | |
root: /opt/nginx/qa356 | |
tomcat_host_ip: 192.168.3.5 | |
tomcat_ssl_port: 8081 | |
proxy_connect_timeout: 5s | |
proxy_read_timeout: 35s | |
proxy_read_timeout_long: 1800s | |
ssl_enabled: true | |
ssl_protocols: SSLv3 TLSv1 TLSv1.1 TLSv1.2 | |
ssl_forced: false | |
ssl_server_names: ['qa356.domain.com', '*.qa356.domain.com'] | |
ssl_ipaddress: 192.168.3.5 | |
ssl_ciphers: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH | |
ssl_certificate: /opt/certs/pem/*.qa356.domain.com.crt | |
ssl_certificate_key: /opt/certs/pem/*.qa356.domain.com.key | |
proxy_intercept_errors: true | |
spigit_only: false | |
qa356_redirect: | |
type: redirect | |
redirect_to: www.qa356.domain.com |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Good base point (file should live: /opt/webapps/<webapp_dir>/.site_config.yaml): | |
# /spigit/operations-scripts/tomcatTools/update_connectors.rb -i | |
--- | |
nginx: | |
site_name: qa356 | |
server_names: ['qa356.spigit.com', '*.qa356.spigit.com'] | |
tomcat_host_ip: 192.168.100.194 | |
ssl_enabled: true | |
ssl_servernames: ['*.qa356.spigit.com'] | |
ssl_ipaddress: 192.168.100.194 | |
ssl_certificate: /opt/certs/pem/*.qa356.spigit.com.crt | |
ssl_certificate_key: /opt/certs/pem/*.qa356.spigit.com.key | |
$ rvmsudo chef-client --once -o 'recipe[nginx::spigit_engage]' | |
$ /spigit/operations-scripts/tomcatTools/update_connectors.rb -i | |
$ iptables -L -t nat -n | egrep '192.168.100.194' | |
$ vim /etc/rc.d/rc.local ## Comment out IP | |
$ service iptables restart; /etc/rc.d/rc.local ## Restart iptables | |
$ iptables -L -t nat -n | egrep '192.168.100.194' ## confirm IP is no longer in iptables | |
$ sudo /sbin/service nginx restart; sudo /sbin/service tomcat restart |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Support whyrun | |
def whyrun_supported? | |
true | |
end | |
use_inline_resources | |
action :create do | |
set_defaults(new_resource) | |
template new_resource.site_name do | |
path "/etc/nginx/conf.d/fronting_tomcat/#{new_resource.site_name}.conf" | |
source 'fronting_tomcat.erb' | |
mode '0644' | |
owner 'root' | |
group 'root' | |
variables({resource: new_resource}) | |
end | |
directory "#{new_resource.root}/public_html" do | |
recursive true | |
mode '0775' | |
owner 'nginx' | |
owner 'spigit' | |
end | |
template "#{new_resource.root}/public_html/robots.txt" do | |
source 'robots.txt.erb' | |
mode '0644' | |
owner 'nginx' | |
group 'spigit' | |
variables({resource: new_resource}) | |
action :create | |
end | |
template "#{new_resource.root}/public_html/403.html" do | |
source '403.html.erb' | |
mode '0644' | |
owner 'nginx' | |
group 'spigit' | |
variables({resource: new_resource}) | |
action :create | |
end | |
maintenance_action = new_resource.maintenance ? :create : :delete | |
template "#{new_resource.root}/public_html/maintenance.html" do | |
source 'maintenance.html.erb' | |
mode '0644' | |
owner 'nginx' | |
group 'spigit' | |
variables({resource: new_resource}) | |
action maintenance_action | |
end | |
ip_restrictions_action = new_resource.ip_restricted ? :create : :delete | |
template "/etc/nginx/conf.d/ip_restrictions/#{new_resource.site_name}.conf" do | |
source 'allowed_ips.erb' | |
mode '0644' | |
owner 'nginx' | |
group 'spigit' | |
variables({resource: new_resource}) | |
action ip_restrictions_action | |
end | |
end | |
def set_defaults(resource) | |
root = resource.root ? resource.root : "/opt/nginx/#{resource.site_name}" | |
resource.root(root) | |
ssl_server_names = resource.ssl_server_names ? resource.ssl_server_names : [ resource.site_name ] | |
resource.ssl_server_names(ssl_server_names) | |
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# Cookbook Name:: nginx | |
# Recipe:: spigit_engage | |
# | |
# Author:: Jason Barnett <J@sonBarnett.com> | |
# | |
# Copyright 2014, Mindjet LLC | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
# | |
site_configs = Dir.glob("/opt/webapps/*/.site_config.yaml") | |
site_configs.each do |site| | |
config = YAML.load_file(site) | |
nginx_fronting_tomcat config['nginx']['site_name'] do | |
site_name config['nginx']['site_name'] | |
server_names config['nginx']['server_names'] | |
root config['nginx']['root'] | |
tomcat_host_ip config['nginx']['tomcat_host_ip'] | |
tomcat_ssl_port config['nginx']['tomcat_ssl_port'] | |
proxy_connect_timeout config['nginx']['proxy_connect_timeout'] | |
proxy_read_timeout config['nginx']['proxy_read_timeout'] | |
proxy_read_timeout_long config['nginx']['proxy_read_timeout_long'] | |
ssl_enabled config['nginx']['ssl_enabled'] | |
ssl_protocols config['nginx']['ssl_protocols'] | |
ssl_forced config['nginx']['ssl_forced'] | |
ssl_server_names config['nginx']['ssl_server_names'] | |
ssl_ipaddress config['nginx']['ssl_ipaddress'] | |
ssl_ciphers config['nginx']['ssl_ciphers'] | |
ssl_certificate config['nginx']['ssl_certificate'] | |
ssl_certificate_key config['nginx']['ssl_certificate_key'] | |
redirect_base_to config['nginx']['redirect_base_to'] | |
proxy_intercept_errors config['nginx']['proxy_intercept_errors'] | |
ip_restricted config['nginx']['ip_restricted'] | |
allowed_ips config['nginx']['allowed_ips'] | |
ip_restrict_msg config['nginx']['ip_restrict_msg'] | |
spigit_only config['nginx']['spigit_only'] | |
maintenance config['nginx']['maintenance'] | |
maintenance_title config['nginx']['maintenance_title'] | |
maintenance_msg config['nginx']['maintenance_msg'] | |
end | |
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
require 'resolv' | |
actions :create | |
default_action :create | |
attribute :site_name, name_attribute: true, kind_of: String, required: true | |
attribute :server_names, kind_of: Array, required: true | |
attribute :root, kind_of: String | |
attribute :tomcat_host_ip, kind_of: String, required: true, regex: Resolv::IPv4::Regex | |
attribute :tomcat_ssl_port, kind_of: Fixnum, default: 8081 | |
attribute :proxy_connect_timeout, kind_of: String, default: '5s' | |
attribute :proxy_read_timeout, kind_of: String, default: '35s' | |
attribute :proxy_read_timeout_long, kind_of: String, default: '1800s' | |
attribute :ssl_enabled, kind_of: [ TrueClass, FalseClass ], default: false | |
attribute :ssl_protocols, kind_of: String, default: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2' | |
attribute :ssl_forced, kind_of: [ TrueClass, FalseClass ], default: false | |
attribute :ssl_server_names, kind_of: Array | |
attribute :ssl_ipaddress, kind_of: String, regex: Resolv::IPv4::Regex | |
attribute :ssl_ciphers, kind_of: String, default: 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH' | |
attribute :ssl_certificate, kind_of: String | |
attribute :ssl_certificate_key, kind_of: String | |
attribute :redirect_base_to, kind_of: [ TrueClass, FalseClass ], default: false | |
attribute :proxy_intercept_errors, kind_of: [ TrueClass, FalseClass ], default: true | |
attribute :ip_restricted, kind_of: [ TrueClass, FalseClass ], default: false | |
attribute :allowed_ips, kind_of: Array | |
attribute :ip_restrict_msg, kind_of: String, default: "Access to the specified resource has been forbidden.<br/>Contact your Administrator if you believe this is a mistake." | |
attribute :spigit_only, kind_of: [ TrueClass, FalseClass ], default: false | |
attribute :maintenance, kind_of: [ TrueClass, FalseClass ], default: false | |
attribute :maintenance_title, kind_of: String, default: 'Site Maintenance in Progress' | |
attribute :maintenance_msg, kind_of: String, default: 'Site is offline for scheduled maintence.' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I had no idea what you meant by
use_inline_resources
until I just saw this lwrp documentation. Thank you!!