From 1f3c9ea04dc936c94b04bb9e38f91c07581fc461 Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Tue, 11 Feb 2014 17:15:30 +0100
Subject: [PATCH] Add nginx files from omnibus-chef-server
---
files/gitlab-cookbooks/gitlab/recipes/nginx.rb | 154 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb | 21 +++++++++++++++++++++
files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb | 2 ++
files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb | 4 ++++
6 files changed, 329 insertions(+), 0 deletions(-)
create mode 100644 files/gitlab-cookbooks/gitlab/recipes/nginx.rb
create mode 100644 files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb
create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
create mode 100644 files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
diff --git a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
new file mode 100644
index 0000000..3ddaf60
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -0,0 +1,154 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+nginx_dir = node['chef_server']['nginx']['dir']
+nginx_etc_dir = File.join(nginx_dir, "etc")
+nginx_cache_dir = File.join(nginx_dir, "cache")
+nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
+nginx_html_dir = File.join(nginx_dir, "html")
+nginx_ca_dir = File.join(nginx_dir, "ca")
+nginx_log_dir = node['chef_server']['nginx']['log_directory']
+
+[
+ nginx_dir,
+ nginx_etc_dir,
+ nginx_cache_dir,
+ nginx_cache_tmp_dir,
+ nginx_html_dir,
+ nginx_ca_dir,
+ nginx_log_dir,
+].each do |dir_name|
+ directory dir_name do
+ owner node['chef_server']['user']['username']
+ mode '0700'
+ recursive true
+ end
+end
+
+ssl_keyfile = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}.key")
+ssl_crtfile = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}.crt")
+ssl_signing_conf = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}-ssl.conf")
+
+unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
+ file ssl_keyfile do
+ owner "root"
+ group "root"
+ mode "0644"
+ content `/opt/chef-server/embedded/bin/openssl genrsa 2048`
+ not_if { File.exists?(ssl_keyfile) }
+ end
+
+ file ssl_signing_conf do
+ owner "root"
+ group "root"
+ mode "0644"
+ not_if { File.exists?(ssl_signing_conf) }
+ content <<-EOH
+ [ req ]
+ distinguished_name = req_distinguished_name
+ prompt = no
+
+ [ req_distinguished_name ]
+ C = #{node['chef_server']['nginx']['ssl_country_name']}
+ ST = #{node['chef_server']['nginx']['ssl_state_name']}
+ L = #{node['chef_server']['nginx']['ssl_locality_name']}
+ O = #{node['chef_server']['nginx']['ssl_company_name']}
+ OU = #{node['chef_server']['nginx']['ssl_organizational_unit_name']}
+ CN = #{node['chef_server']['nginx']['server_name']}
+ emailAddress = #{node['chef_server']['nginx']['ssl_email_address']}
+ EOH
+ end
+
+ ruby_block "create crtfile" do
+ block do
+ r = Chef::Resource::File.new(ssl_crtfile, run_context)
+ r.owner "root"
+ r.group "root"
+ r.mode "0644"
+ r.content `/opt/chef-server/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
+ r.not_if { File.exists?(ssl_crtfile) }
+ r.run_action(:create)
+ end
+ end
+end
+
+node.default['chef_server']['nginx']['ssl_certificate'] ||= ssl_crtfile
+node.default['chef_server']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
+
+remote_directory nginx_html_dir do
+ source "html"
+ files_backup false
+ files_owner "root"
+ files_group "root"
+ files_mode "0644"
+ owner node['chef_server']['user']['username']
+ mode "0700"
+end
+
+nginx_config = File.join(nginx_etc_dir, "nginx.conf")
+nginx_vars = node['chef_server']['nginx'].to_hash.merge({
+ :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
+ :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")
+})
+
+# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
+# config file will only be active if the user set `nginx['enable_non_ssl']` to
+# true. Default behavior is to redirect all HTTP requests to HTTPS.
+["https", "http"].each do |server_proto|
+ config_key = "chef_#{server_proto}_config".to_sym
+ lb_config = nginx_vars[config_key]
+
+ server_port = (server_proto == 'https') ?
+ nginx_vars['ssl_port'] :
+ nginx_vars['non_ssl_port']
+
+ template lb_config do
+ source "nginx_chef_api_lb.conf.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+ variables(nginx_vars.merge({
+ :server_proto => server_proto,
+ :server_port => server_port
+ }))
+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+ end
+
+end
+
+template nginx_config do
+ source "nginx.conf.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+ variables nginx_vars
+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+end
+
+runit_service "nginx" do
+ down node['chef_server']['nginx']['ha']
+ options({
+ :log_directory => nginx_log_dir
+ }.merge(params))
+end
+
+if node['chef_server']['bootstrap']['enable']
+ execute "/opt/chef-server/bin/chef-server-ctl start nginx" do
+ retries 20
+ end
+end
+
diff --git a/files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb b/files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
new file mode 100644
index 0000000..0b0ba93
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
@@ -0,0 +1,21 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "nginx" do
+ action :disable
+end
+
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
new file mode 100644
index 0000000..45df275
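Review bot: The generated TLS private key is written world-readable: the `file ssl_keyfile` resource inside the `unless File.exists?(...)` block sets `mode "0644"` on the output of `openssl genrsa 2048`, and it should be `mode "0600"` (the certificate and the signing conf can stay 0644). The backtick commands are evaluated at compile time, so `openssl genrsa` runs on every converge even when `not_if` later skips the write; deferring the command into the resource, as `ruby_block "create crtfile"` already does for the certificate, avoids that. The self-signed certificate is signed with `-sha1`, and `-sha256` is the sensible choice for new code. The recipe also keeps the upstream `node['chef_server']` attribute namespace and `/opt/chef-server` binary paths, which will need adjusting for this cookbook.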
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
@@ -0,0 +1,63 @@
+user <%= node['chef_server']['user']['username'] %> <%= node['chef_server']['user']['username']%>;
+worker_processes <%= @worker_processes %>;
+error_log /var/log/chef-server/nginx/error.log<%= node['chef_server']['lb']['debug'] ? " debug" : "" %>;
+
+daemon off;
+
+events {
+ worker_connections <%= @worker_connections %>;
+}
+
+http {
+ log_format opscode '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status "$request_time" $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
+
+ sendfile <%= @sendfile %>;
+ tcp_nopush <%= @tcp_nopush %>;
+ tcp_nodelay <%= @tcp_nodelay %>;
+
+ keepalive_timeout <%= @keepalive_timeout %>;
+
+ gzip <%= @gzip %>;
+ gzip_http_version <%= @gzip_http_version %>;
+ gzip_comp_level <%= @gzip_comp_level %>;
+ gzip_proxied <%= @gzip_proxied %>;
+ gzip_types <%= @gzip_types.join(' ') %>;
+
+ include /opt/chef-server/embedded/conf/mime.types;
+
+ <%- node['chef_server']['lb']['upstream'].each do |uname, servers| -%>
+ upstream <%= uname.gsub(/-/, '_') %> {
+ <%- servers.each do |server| -%>
+ server <%= server %>:<%= node['chef_server'][uname]['port'] %>;
+ <%- end -%>
+ }
+ <%- end -%>
+
+ # external lb config for Chef API
+ <%- if node['chef_server']['lb']['enable'] -%>
+ proxy_cache_path <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
+ proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
+
+ # We support three options: serve nothing on non_ssl_port (80),
+ # redirect to https, or actually serve the API.
+ <%- if @non_ssl_port -%>
+ <%- if @enable_non_ssl -%>
+
+ # Chef HTTP API
+ include <%= @chef_http_config %>;
+ <%- else -%>
+
+ server {
+ listen <%= @non_ssl_port %>;
+ access_log /var/log/chef-server/nginx/rewrite-port-<%= @non_ssl_port %>.log;
+ return 301 https://$host:<%= @ssl_port %>$request_uri;
+ }
+ <%- end -%>
+ <%- end -%>
+
+ # Chef HTTPS API
+ include <%= @chef_https_config %>;
+ <%- end -%>
+}
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb
new file mode 100644
index 0000000..c286d2c
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb
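Review bot: The `error_log` directive at the top hard-codes `/var/log/chef-server/nginx/error.log`, and the redirect `server` block does the same for its `access_log`, while the recipe creates `log_directory` and passes it in the template variables alongside `dir`; since `@dir` is already read from that hash here, the paths should be built from it too, e.g. `error_log <%= File.join(@log_directory, "error.log") %><%= ... %>;`. The same hard-coded `access_log` path appears in nginx_chef_api_lb.conf.erb. The HTTP-to-HTTPS redirect `return 301 https://$host:<%= @ssl_port %>$request_uri;` takes `$host` from the client's Host header, so the redirect target is client-controlled; the configured `<%= @server_name %>` that nginx_chef_api_lb.conf.erb already uses is the safer choice. The template also keeps the upstream `node['chef_server']` attribute namespace and `/opt/chef-server` paths.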
@@ -0,0 +1,85 @@
+server {
+ listen <%= @server_port %>;
+ server_name <%= @server_name %>;
+ access_log /var/log/chef-server/nginx/access.log opscode;
+
+ <% if @server_proto == "https" -%>
+ ssl on;
+ ssl_certificate <%= @ssl_certificate %>;
+ ssl_certificate_key <%= @ssl_certificate_key %>;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols <%= @ssl_protocols %>;
+ ssl_ciphers <%= @ssl_ciphers %>;
+ ssl_prefer_server_ciphers on;
+
+ <% end -%>
+ root <%= File.join(@dir, "html") %>;
+
+ client_max_body_size <%= @client_max_body_size %>;
+
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto <%= @server_proto %>;
+ proxy_pass_request_headers on;
+ proxy_connect_timeout 1;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+
+ error_page 404 =404 /404.html;
+ error_page 503 =503 /503.json;
+
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ location /version {
+ types { }
+ default_type text/plain;
+ alias /opt/chef-server/version-manifest.txt;
+ }
+
+ location /docs {
+ index index.html ;
+ alias /opt/chef-server/docs;
+ }
+
+ # bookshelf
+ location ~ "/<%= node['chef_server']['erchef']['s3_bucket'] %>/{0,1}.*$" {
+ proxy_pass http://bookshelf;
+ }
+
+ location ~ "^/(?:stylesheets|javascripts|images|facebox|css|favicon|robots|humans)/{0,1}.*$" {
+ if ($http_x_chef_version ~* "^(\d+\.\d+?)\..+$") {
+ error_page 400 =400 /400-chef_client_manage.json;
+ return 400;
+ }
+ proxy_pass http://chef_server_webui;
+ proxy_pass_request_headers off;
+ proxy_cache webui-cache;
+ proxy_cache_valid 200 302 300m;
+ proxy_cache_valid 404 1m;
+ }
+
+ location = /_status {
+ proxy_pass http://erchef/_status;
+ }
+
+ location = /_status/ {
+ proxy_pass http://erchef/_status;
+ }
+
+ location / {
+ set $my_upstream erchef;
+ if ($http_x_ops_userid = "") {
+ set $my_upstream chef_server_webui;
+ }
+ proxy_redirect http://$my_upstream /;
+ proxy_pass http://$my_upstream;
+ }
+}
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
new file mode 100644
index 0000000..c8ab3e3
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
new file mode 100644
index 0000000..f6c958d
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
@@ -0,0 +1,4 @@
+#!/bin/sh
+exec 2>&1
+exec chpst -P /opt/chef-server/embedded/sbin/nginx -c <%= File.join(node['chef_server']['nginx']['dir'], "etc", "nginx.conf") %>
+
-- 
libgit2 0.21.2
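Review bot: `location /docs { ... alias /opt/chef-server/docs; }` is the well-known nginx alias-traversal misconfiguration: a prefix location with no trailing slash combined with an `alias` to a directory also matches request paths that merely begin with `/docs`, and the remainder is appended to the alias path, so files outside the docs directory can be served. Give both sides a trailing slash, `location /docs/ {` with `alias /opt/chef-server/docs/;`. The bookshelf location regex `"/<%= node['chef_server']['erchef']['s3_bucket'] %>/{0,1}.*$"` is not anchored with `^`, so a bucket name appearing anywhere in a URI routes the request to bookshelf instead of erchef, and the attribute is interpolated into the regex unescaped; anchoring with `^/` and wrapping the value in `Regexp.escape` addresses both. `ssl_protocols` and `ssl_ciphers` come from attributes not visible in this patch, so their strength cannot be judged here and should be checked in the attribute defaults.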