Skip to content
Snippets Groups Projects
Commit 7c17d200 authored by Stefano Alberto Russo's avatar Stefano Alberto Russo
Browse files

Added the Postgres and Proxy services. Minor fixes in the docker-compose.

parent 1016fca1
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 5912 additions and 2 deletions
.gitignore
+ 1
0
View file @ 7c17d200
...@@ -16,3 +16,4 @@ data* ...@@ -16,3 +16,4 @@ data*
# DB conf # DB conf
services/webapp/db_conf.sh services/webapp/db_conf.sh
services/proxy/certificates
docker-compose.yml
+ 25
1
View file @ 7c17d200
...@@ -37,6 +37,15 @@ services: ...@@ -37,6 +37,15 @@ services:
ports: ports:
- "5000:5000" - "5000:5000"
postgres:
image: "rosetta/postgres"
container_name: postgres
hostname: postgres
environment:
- SAFEMODE=False
volumes:
- ./data_rosetta/postgres/data:/data
webapp: webapp:
image: "rosetta/webapp" image: "rosetta/webapp"
container_name: webapp container_name: webapp
...@@ -50,6 +59,9 @@ services: ...@@ -50,6 +59,9 @@ services:
#- ROSETTA_WEBAPP_PORT=8080 #- ROSETTA_WEBAPP_PORT=8080
#- LOCAL_DOCKER_REGISTRY_HOST= #- LOCAL_DOCKER_REGISTRY_HOST=
#- LOCAL_DOCKER_REGISTRY_PORT=5000 #- LOCAL_DOCKER_REGISTRY_PORT=5000
#- DJANGO_EMAIL_APIKEY=""
#- DJANGO_EMAIL_FROM="Rosetta Platform <notifications@rosetta.platform>"
#- DJANGO_PUBLIC_HTTP_HOST=http://localhost:8080
ports: ports:
- "8080:8080" - "8080:8080"
- "8000:8590" - "8000:8590"
...@@ -59,7 +71,19 @@ services: ...@@ -59,7 +71,19 @@ services:
- ./data_rosetta/webapp/data:/data - ./data_rosetta/webapp/data:/data
- ./data_rosetta/webapp/log:/var/log/webapp - ./data_rosetta/webapp/log:/var/log/webapp
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
#- ./services/webapp/code:/opt/webapp_code - ./services/webapp/code:/opt/webapp_code
proxy:
image: "rosetta/proxy"
container_name: proxy
hostname: proxy
environment:
- SAFEMODE=False
ports:
- "80:80"
- "443:443"
volumes:
- ./data_rosetta/proxy/data:/data
......
rosetta/build
+ 2
1
View file @ 7c17d200
...@@ -36,7 +36,8 @@ if [[ "x$SERVICE" == "x" ]] ; then ...@@ -36,7 +36,8 @@ if [[ "x$SERVICE" == "x" ]] ; then
$BUILD_COMMAND services/slurmclusterworker -t rosetta/slurmclusterworker $BUILD_COMMAND services/slurmclusterworker -t rosetta/slurmclusterworker
$BUILD_COMMAND services/dregistry -t rosetta/dregistry $BUILD_COMMAND services/dregistry -t rosetta/dregistry
$BUILD_COMMAND services/webapp -t rosetta/webapp $BUILD_COMMAND services/webapp -t rosetta/webapp
$BUILD_COMMAND services/postgres -t rosetta/postgres
$BUILD_COMMAND services/proxy -t rosetta/proxy
else else
......
rosetta/setup
+ 9
0
View file @ 7c17d200
...@@ -7,3 +7,12 @@ if [ ! -f services/webapp/db_conf.sh ]; then ...@@ -7,3 +7,12 @@ if [ ! -f services/webapp/db_conf.sh ]; then
else else
echo "Not using dev webapp database settings as settings are already present." echo "Not using dev webapp database settings as settings are already present."
fi fi
# Use dev (local) database for backend
if [ ! -d services/proxy/certificates ]; then
echo "Using dev certificates."
cp -a services/proxy/certificates-dev services/proxy/certificates
else
echo "Not using dev certificates as certificates are already present."
fi
services/postgres/Dockerfile 0 → 100644
+ 48
0
View file @ 7c17d200
FROM rosetta/base
MAINTAINER Stefano Alberto Russo <stefano.russo@gmail.com>
# Always start with an apt-get update when extending Reyns images,
# otherwise apt repositories might get outdated (404 not found)
# and building without cache does not re-build Reyns services.
RUN apt-get update
#------------------------
# Install Postgres 11
#------------------------
# Add repo
RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main" >> /etc/apt/sources.list.d/pgdg.list
RUN wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
RUN apt-get update
RUN apt-get install -y postgresql-11
# Copy conf
RUN mv /etc/postgresql/11/main/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf.or
COPY pg_hba.conf /etc/postgresql/11/main/pg_hba.conf
COPY postgresql.conf /etc/postgresql/11/main/postgresql.conf
# Chown conf
RUN chown -R postgres:postgres /etc/postgresql
# Create user/db script
COPY create_rosetta_DB_and_user.sql /
RUN chown postgres:postgres /create_rosetta_DB_and_user.sql
# Prestartup
COPY prestartup_postgres.sh /prestartup/
#------------------------
# Postgres on Supervisor
#------------------------
COPY run_postgres.sh /etc/supervisor/conf.d/
RUN chmod 755 /etc/supervisor/conf.d/run_postgres.sh
COPY supervisord_postgres.conf /etc/supervisor/conf.d/
#------------------------
# Security
#------------------------
# Disable SSH
RUN rm /etc/supervisor/conf.d/supervisord_sshd.conf
services/postgres/create_rosetta_DB_and_user.sql 0 → 100644
+ 6
0
View file @ 7c17d200
CREATE DATABASE rosetta;
CREATE USER rosetta_master WITH PASSWORD '949fa84a';
ALTER USER rosetta_master CREATEDB;
GRANT ALL PRIVILEGES ON DATABASE rosetta to rosetta_master;
\c rosetta
GRANT CREATE ON SCHEMA PUBLIC TO rosetta_master;
services/postgres/pg_hba.conf 0 → 100644
+ 107
0
View file @ 7c17d200
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
# Accept from all
host all all 0.0.0.0/0 trust
# Accept from Docker subnet
#host all all 172.17.0.0/16 trust
services/postgres/postgresql.conf 0 → 100644
+ 697
0
View file @ 7c17d200
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
data_directory = '/var/lib/postgresql/11/main' # use data in another directory
# (change requires restart)
hba_file = '/etc/postgresql/11/main/pg_hba.conf' # host-based authentication file
# (change requires restart)
ident_file = '/etc/postgresql/11/main/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP Keepalives -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
ssl = on
#ssl_ca_file = ''
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
#ssl_crl_file = ''
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# use none to disable dynamic shared memory
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
max_wal_size = 1GB
min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = off # allow JIT compilation
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
log_line_prefix = '%m [%p] %q%u@%d ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'Etc/UTC'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
cluster_name = '11/main' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
timezone = 'Etc/UTC'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 0 # min -15, max 3
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'C.UTF-8' # locale for system error message
# strings
lc_monetary = 'C.UTF-8' # locale for monetary formatting
lc_numeric = 'C.UTF-8' # locale for number formatting
lc_time = 'C.UTF-8' # locale for time formatting
# default configuration for text search
default_text_search_config = 'pg_catalog.english'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#default_with_oids = off
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
include_dir = 'conf.d' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here
listen_addresses = '*'
# Add settings for extensions here
#shared_preload_libraries = 'timescaledb'
services/postgres/prestartup_postgres.sh 0 → 100644
+ 108
0
View file @ 7c17d200
#!/bin/bash
set -e
echo 'Executing Postgres Prestartup'
#------------------------------
# Postgres-specific (data dir)
#------------------------------
if [ ! -d "/data/postgres/11" ]; then
echo "Data dir does not exist"
# Setup /data/postgres
mkdir -p /data/postgres
chown postgres:postgres /data/postgres
chmod 700 /data/postgres
# Setup /data/postgres/11
mkdir -p /data/postgres/11
chown postgres:postgres /data/postgres/11
chmod 700 /data/postgres/11
# Copy files
mv /var/lib/postgresql/11/main /data/postgres/11/
# Create link
ln -s /data/postgres/11/main /var/lib/postgresql/11/main
# Move conf
mv /etc/postgresql/11/main/pg_hba.conf /data/postgres
ln -s /data/postgres/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf
chown postgres:postgres /data/postgres/pg_hba.conf
# Move conf
mv /etc/postgresql/11/main/postgresql.conf /data/postgres
ln -s /data/postgres/postgresql.conf /etc/postgresql/11/main/postgresql.conf
chown postgres:postgres /data/postgres/postgresql.conf
else
echo "Data dir does exist"
mv /var/lib/postgresql/11/main /var/lib/postgresql/11/main_or
ln -s /data/postgres/11/main /var/lib/postgresql/11/main
mv /etc/postgresql/11/main/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf_or
ln -s /data/postgres/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf
chown postgres:postgres /data/postgres/pg_hba.conf
mv /etc/postgresql/11/main/postgresql.conf /etc/postgresql/11/main/postgresql.conf_or
ln -s /data/postgres/postgresql.conf /etc/postgresql/11/main/postgresql.conf
chown postgres:postgres /data/postgres/postgresql.conf
fi
# Check correct permissions. Incorrect permissions might occur when changing base images,
# as the user "postgres" might get mapped to a differend uid / guid.
PERMISSIONS=$(ls -alh /data/postgres | grep main | awk '{print $3 ":" $4}')
if [[ "x$PERMISSIONS" == "xpostgres:postgres" ]] ; then
# Everything ok
:
else
# Fix permissions
chown -R postgres:postgres /data/postgres/
#chown -R postgres:postgres /data/postgres/11
#chown -R postgres:postgres /data/postgres/pg_hba.conf
#chown -R postgres:postgres /data/postgres/postgresql.conf
chown -R postgres:postgres /var/run/postgresql
fi
# Configure Postgres (create user etc.)
if [ ! -f /data/postgres/configured_flag ]; then
echo 'Configuring as /data/postgres/configured_flag is not found...'
echo "Running postgres server in standalone mode for configuring users..."
# Run Postgres. Use > /dev/null or a file, otherwise Reyns prestarup scripts end detection will fail
/etc/supervisor/conf.d/run_postgres.sh &> /dev/null &
# Save PID
PID=$!
echo "PID=$PID"
# Wait for postgres to become ready (should be improved)
sleep 5
echo 'Creating user/db...'
# Execute sql commands for rosetta user/db
su postgres -c "psql -f /create_rosetta_DB_and_user.sql"
# Set configured flag
touch /data/postgres/configured_flag
echo "Stopping Postgres"
# Stop Postgres
kill $PID
echo "Ok, configured"
else
echo ' Not configuring as /data/postgres/configured_flag is found.'
fi
services/postgres/run_postgres.sh 0 → 100644
+ 12
0
View file @ 7c17d200
#!/bin/bash
# This script is run by Supervisor to start PostgreSQL 11 in foreground mode
# https://github.com/Karumi/docker-sentry/blob/master/conf/run_postgres.sh
if [ -d /var/run/postgresql ]; then
chmod 2775 /var/run/postgresql
else
install -d -m 2775 -o postgres -g postgres /var/run/postgresql
fi
exec su postgres -c "/usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql/11/main -c config_file=/etc/postgresql/11/main/postgresql.conf"
\ No newline at end of file
services/postgres/supervisord_postgres.conf 0 → 100644
+ 17
0
View file @ 7c17d200
[program:postgres]
; Process definition
process_name = postgres
command = /etc/supervisor/conf.d/run_postgres.sh
autostart = true
autorestart = true
startsecs = 5
stopwaitsecs = 10
; Log files
stdout_logfile = /var/log/supervisor/%(program_name)s_out.log
stdout_logfile_maxbytes = 10MB
stdout_logfile_backups = 5
stderr_logfile = /var/log/supervisor/%(program_name)s_err.log
stderr_logfile_maxbytes = 10MB
stderr_logfile_backups = 5
services/proxy/000-default.conf 0 → 100644
+ 51
0
View file @ 7c17d200
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@backfrontend
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
#----------------------------------
# Force https except on localhost
#----------------------------------
# This is somehow a bad idea, as
# 1) dev env is different than staging/production, and
# 2) other roules in 001-proxy.conf are never reached
#RewriteEngine On
#RewriteCond %{HTTPS} off
#RewriteCond %{HTTP_HOST} !=localhost
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file
services/proxy/001-proxy.conf 0 → 100644
+ 94
0
View file @ 7c17d200
#---------------------------
# Rosetta platform
#---------------------------
# Non-SSL
<VirtualHost *:80>
ServerName rosetta.platform
Redirect 301 / https://rosetta.platform/
</VirtualHost>
# SSL
<VirtualHost *:443>
ServerName rosetta.platform
SSLEngine on
SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
</VirtualHost>
#---------------------------
# Localhost
#---------------------------
# Non-SSL
<VirtualHost *:80>
ServerName localhost
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
</VirtualHost>
# SSL
<VirtualHost *:443>
ServerName localhost
SSLEngine on
SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
</VirtualHost>
#---------------------------
# Anything
#---------------------------
# Non-SSL
<VirtualHost *:80>
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
</VirtualHost>
# SSL
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
services/proxy/Dockerfile 0 → 100644
+ 54
0
View file @ 7c17d200
FROM rosetta/base
MAINTAINER Stefano Alberto Russo <stefano.russo@gmail.com>
# Always start with an apt-get update when extending Reyns images,
# otherwise apt repositories might get outdated (404 not found)
# and building without cache does not re-build Reyns services.
RUN apt-get update
# Install Apache
RUN apt-get install -y apache2
RUN apt-get install apache2-utils
# Copy conf
COPY supervisord_apache.conf /etc/supervisor/conf.d/
COPY run_Apache.sh /etc/supervisor/conf.d/
RUN chmod 755 /etc/supervisor/conf.d/run_Apache.sh
# Enable mod_proxy and SSL
RUN a2enmod proxy
RUN a2enmod proxy_http
RUN sudo a2enmod ssl
RUN a2enmod rewrite
RUN a2enmod headers
RUN a2enmod proxy_wstunnel
# Copy and enable conf for proxy
COPY 001-proxy.conf /etc/apache2/sites-available/
RUN ln -s /etc/apache2/sites-available/001-proxy.conf /etc/apache2/sites-enabled/001-proxy.conf
# We overwrite default Apache conf as we force https
COPY 000-default.conf /etc/apache2/sites-available/
# Copy and enable conf for ssl. Not enabling ssl default site causes the first ssl
# site in sites-avaialbe to be used as default. "Check with apachectl -t -D DUMP_VHOSTS".
# A custom conf is not really necessary as defaults are ok (it is the original file)
# Note: not naming this file with "000" causes to load other sites-available before, same problem.
COPY default-ssl.conf /etc/apache2/sites-available/
RUN ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
# Copy certificates (snakeoil or real)
RUN mkdir /certificates
COPY certificates/rosetta_platform.crt /root/certificates/rosetta_platform/rosetta_platform.crt
COPY certificates/rosetta_platform.key /root/certificates/rosetta_platform/rosetta_platform.key
COPY certificates/rosetta_platform.ca-bundle /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
# Copy index and norobots.txt
COPY index.html /var/www/html/
COPY norobots.txt /var/www/html/
# Prestartup
COPY prestartup_proxy.sh /prestartup/
# reyns: expose 80/tcp
# reyns: expose 443/tcp
services/proxy/certificates-dev/rosetta_platform.ca-bundle 0 → 100644
+ 4496
0
View file @ 7c17d200
Source diff could not be displayed: it is too large. Options to address this: view the blob.
services/proxy/certificates-dev/rosetta_platform.crt 0 → 100644
+ 17
0
View file @ 7c17d200
-----BEGIN CERTIFICATE-----
MIICvjCCAaagAwIBAgIJAM9K5eCAXmjJMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
BAMTDDAyNWQ5YzY3ZThlZDAeFw0xNzEwMjMxODM2NTdaFw0yNzEwMjExODM2NTda
MBcxFTATBgNVBAMTDDAyNWQ5YzY3ZThlZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMe3pfnmJEpE8GZKRZ/XO034gRlTgmylpmWRQ59wYArujUmNRAB3
43GsdQvxavponG2x97HKHtDfrPdLycwWxyDFKIQw0e6GY0H4gMBJq5UjA9O7sznF
Sy1fjUIfhz2tIbBdo1BgW9EUzgq6sKBN8H6RnzSat+DTcP3xzUhkTFS6EPi8MFXw
gvBlEUWGjjesaaylLfD5/eDPhEeciKN8mlVi4I84QkPgu/O4NHXcqT1LaZUUPojs
Ca2bq87yyuSQljQby2c/4GqPue2PF3EU3gp051lWbOvTPkPuA0HC5VsDFZKxJHfL
b5gyN+I1tKjkKe8BpTNmQ8DP5SDi/ut4ltcCAwEAAaMNMAswCQYDVR0TBAIwADAN
BgkqhkiG9w0BAQsFAAOCAQEACf5KUw0rM9jgyJWa1g2mhGpmqY4aiaMwJrwYYZza
DtYS2MQoiCyIpO3PHlPfLVHtvrU+5OX+YMPfA1wWRtSWu86Vh+JVU/56ZdEul0y5
aH1s8aYDaiDJa2ee5MBnqMMNbkcoMLuKens4+uOTTKolJduZNfZI/yk2JQQvMdTi
qYB7dg/V5fe/lba8OoUjN+m3J4KS/bqEOZ32/PLTHFwv1/z4osXXUEkzD2hQzBR2
ru2XD/7+oeR729r7YcskHRdJd8LVERQOi0JK1qyr4gEB67JvaCiOFFc6qzwqntdx
UwVRxLa5KbetgD1Fw/ic+9TNHmB9Y/9mBtpGx8KufWpoYg==
-----END CERTIFICATE-----
services/proxy/certificates-dev/rosetta_platform.key 0 → 100644
+ 28
0
View file @ 7c17d200
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDHt6X55iRKRPBm
SkWf1ztN+IEZU4JspaZlkUOfcGAK7o1JjUQAd+NxrHUL8Wr6aJxtsfexyh7Q36z3
S8nMFscgxSiEMNHuhmNB+IDASauVIwPTu7M5xUstX41CH4c9rSGwXaNQYFvRFM4K
urCgTfB+kZ80mrfg03D98c1IZExUuhD4vDBV8ILwZRFFho43rGmspS3w+f3gz4RH
nIijfJpVYuCPOEJD4LvzuDR13Kk9S2mVFD6I7Amtm6vO8srkkJY0G8tnP+Bqj7nt
jxdxFN4KdOdZVmzr0z5D7gNBwuVbAxWSsSR3y2+YMjfiNbSo5CnvAaUzZkPAz+Ug
4v7reJbXAgMBAAECggEACG6hjFaCK7yTZc42+FOvBlC6qqYS+KFZ0Cn87+tfsrZ1
sqhLObXWHYOJgZKU0LO//wWnjpMZD/qRo/NINtyzVZfdaQ9ina6A3FUwom2519cd
nz/qhkLlNKo3HZaVMC5yIK8jaQ5YchBtzpgpQutnfwCI90CdCNoEiERARZEug9kw
Km30UM3sh1fAvAQuynkaKKHzxF5j1pnNVDGWZSb3qBN7kTSaR1P6wBKYAJxPj1vP
rL0PXLGfzkuryAXfgVq8hsYIyg6VwCmaontPItopmH5U9sYo0gB5RLDyv9++n3I6
lkeSyCqQpGCA6ugiqsO8s4bL0thTi9YLL3ztg+sF8QKBgQDoc8W0ALSY+9YWV8r7
K+BW0kVzatJmwUdLLEGw2l23ScjS6yQuNlxJCav2+n6bkM73VbM+lSjX1RaFsQty
52EPefTf+7FADQnk7eanPXvlb1nDKb+vitl6MV5okJBz2jZRNPa7bcpFBUCejdGJ
VZX32gdsxk+9VPjJQb2Y6tkoOQKBgQDb8vTvufcMiGC2q8Y7XrQ84ZSFHGQUHf4Z
R909fPGprfWuGQG2/DFEX1R9lCIth+gioWGLrboU5Q7+u2cn81s0zPlZI6Kg2e2Q
htVYaMSw731yWsilH7j6RftBbYUb/3jZadVT4FbDmxJqeiJVzQXlLJ3C9dExMj0n
weZM2f4XjwKBgQC/CQZd3IaPg8h6LEShD3obYEu7gvrPf+B7oy+JjKygSX9F+AGQ
CRTm4Y/2Nf9/Eg9FraTVtfgPCQytasch844NDgl1WoBdR1nuTqXUo+8Cq/R1NAZY
2h/JEHGqNcTBsYAaVRDBEIW/G4XzyFGAMFpDi2e2uXQnAYJExEZxOfCl4QKBgDIH
inU47JvaLX1/hwCcIw0yFnFMqur0g4bGlOlWkTWSTy7Bm2U+6gnuUS6bUkbfAgtW
f/SgmJIGJCoHAIjSzu0sro77DxPdXi8grEiG1C6W2wb25WrB03aCEouoWL2sl5WE
gDSq87FchYzYqRSxJOUjB+N/vIyfK8/uR+81Kpm7AoGBAJjZ0HGFuOn7FQfg1/gJ
5jQz3/JvjemQO83xDuh/mczRWNvmeC3H0Few8MfcJuwORQRbZ1e5uTRG9DOOZKOk
1/fEpJZvXdQxLtITwx6yq/BG857pA0C8rNCW+OzjfhSwbI4rt4COwjnZF8e9Lbi6
0DANJf8JhgYxKPeUT2au+147
-----END PRIVATE KEY-----
services/proxy/default-ssl.conf 0 → 100644
+ 138
0
View file @ 7c17d200
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ProxyPass / http://cloud:8080/
ProxyPassReverse / http://cloud:8080/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file
services/proxy/index.html 0 → 100644
+ 0
0
View file @ 7c17d200
services/proxy/norobots.txt 0 → 100644
+ 2
0
View file @ 7c17d200
User-agent: *
Disallow: /
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment