From 3b48d6481a5bec5b2e00c4fabb18eaafb9173238 Mon Sep 17 00:00:00 2001
From: Joerg Lehmann
Date: Wed, 7 Apr 2021 11:45:57 +0200
Subject: [PATCH] tune nginx, varia

---
 README.md | 48 ++++++++++++++++++++-
 ansible/production | 3 +-
 ansible/roles/common/tasks/main.yml | 2 +
 ansible/roles/nginx/tasks/main.yml | 4 +-
 ansible/roles/nginx/templates/nginx.conf.j2 | 18 +++++++-
 5 files changed, 68 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 0030626..72510ea 100644
--- a/README.md
+++ b/README.md
@@ -17,43 +17,87 @@ https://github.com/hetznercloud/cli Temporaer einen API Key erstellen (nachher wieder loeschen) +` $ hcloud context create wo-bisch-server $ hcloud image list # zeigt moegliche Images $ hcloud server-type list # zeigt moegliche Typen +` +` $ hcloud server create --name wobisch1 --image centos-8 --type cx11 --ssh-key joerg@cinnamon.nbit.ch $ hcloud server set-rdns wobisch1 --hostname wobisch1.nbit.ch $ IPV6="$(hcloud server ip wobisch1 -6)" $ hcloud server set-rdns wobisch1 --ip $IPV6 --hostname wobisch1.nbit.ch +` DNS Eintraege erstellen: +` $ hcloud server ip wobisch1 $ hcloud server ip wobisch1 -6 +` Root-Passwort setzen (das machen wir von Hand) +` +# yum update +` + ## Ansible Playbook laufen lassen +` $ cd ansible -$ ansible-playbook -i production wo-bisch-server.yml +$ ansible-playbook -i production wo-bisch-server.yml --limit wobisch1.wo-bisch.ch # or wobisch2.wo-bisch.ch +` Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)! ### Let's Encrypt Zertifikat einrichten +` # curl https://get.acme.sh | sh -s email=info@nbit.ch -# acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web +# systemctl stop nginx +# acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web --standalone + [Sa Feb 27 17:27:34 CET 2021] Your cert is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.cer [Sa Feb 27 17:27:34 CET 2021] Your cert key is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key [Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in /root/.acme.sh/wo-bisch.ch/ca.cer [Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there: /root/.acme.sh/wo-bisch.ch/fullchain.cer +` ### Influxdb Users + +wobisch1: + admin: admin7355 Org: wobischorg Bucket: wobischbucket RW-Token: PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg== RO-Token: TQvQxxLLAj1kTKWuEqcx7BA-KfE6WtJUeDlPa_Dnvms6Zqf6uh6lMbpXtzcsCjKO_x3PrpxxGDR5E6YnDB5PFg== + +wobisch2: + +admin: admin7355 +Org: 
wobischorg +Bucket: wobischbucket +RW-Token: Dl1ogBm4U9IgDgMqsHgFX04g4Rn9VyPqc94teQ9QzLztFUSttMTAwkch3TrdUk4c4vtr3eysZbsTaFrTQa-JqA== +RO-Token: hVK-DQk3kQhrTndYCvv8T1c99nSdpUe2wPAzEMH77rpuDKLbEdsI-Ten6S09EPlgKBCPVypYohMNO9AYbt0MlQ== + +## Redis Dump + +Backup/Restore Tool fuer Redis von https://github.com/yannh/redis-dump-go + +` +# cd /var/tmp && wget https://github.com/yannh/redis-dump-go/releases/download/v0.4.1/redis-dump-go-linux-amd64.tar.gz +# tar xzvf redis-dump-go-linux-amd64.tar.gz +# cp redis-dump-go /usr/local/bin + +Zum Backup: +$ redis-dump-go -output commands >redis-backup-$(date +%Y%m%W).out + +Zum Restore: +$ redis-cli --pipe < redis-backup.out +` + diff --git a/ansible/production b/ansible/production index 865bc33..0953954 100644 --- a/ansible/production +++ b/ansible/production @@ -7,4 +7,5 @@ mail_forward_address=joerg.lehmann@nbit.ch document_root=/home/appuser/wo-bisch-web [wo_bisch_servers] -wobisch1.wo-bisch.ch +wobisch1.wo-bisch.ch letsEncryptDomain=dev.wo-bisch.ch +wobisch2.wo-bisch.ch letsEncryptDomain=wo-bisch.ch diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml index efdfb1a..77349fa 100644 --- a/ansible/roles/common/tasks/main.yml +++ b/ansible/roles/common/tasks/main.yml @@ -16,6 +16,8 @@ - socat - unzip - wget + - git + - bzip2 - name: Enable SELinux selinux: diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml index 484b2bf..d11ea36 100644 --- a/ansible/roles/nginx/tasks/main.yml +++ b/ansible/roles/nginx/tasks/main.yml @@ -28,9 +28,9 @@ - wo-bisch-web.css - wo-bisch-web-custom.css -- name: Allow apache to read files in /root/.acme.sh/wo-bisch.ch +- name: Allow apache to read files in /root/.acme.sh/{{ letsEncryptDomain }} sefcontext: - target: '/root/.acme.sh/mail2.nbit.ch(/.*)?' + target: '/root/.acme.sh/{{ letsEncryptDomain }}(/.*)?' setype: httpd_sys_content_t state: present notify: 
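Review bot: The InfluxDB admin password `admin7355` and the read-write/read-only tokens for both wobisch1 and wobisch2 are added to the README in plaintext, so anyone with read access to the repository or its history can write to the buckets, and the same admin password is reused on both hosts. These credentials should be treated as compromised and rotated, then kept out of git — e.g. in an ansible-vault file — with the README reduced to a pointer such as `Influx credentials: see the vaulted group_vars file (ansible-vault view ...)`. The backup filename `redis-backup-$(date +%Y%m%W).out` uses `%W`, which is the week-of-year number, so successive dumps within one week overwrite each other; `%Y%m%d` is presumably what was intended. `curl https://get.acme.sh | sh` executes an unverified remote script as root; installing a pinned release tarball or a tagged git checkout would be more defensible.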
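Review bot: `letsEncryptDomain=dev.wo-bisch.ch` for wobisch1 makes the nginx template look for `/root/.acme.sh/dev.wo-bisch.ch/fullchain.cer` and the matching key on that host, but the only issuance documented in the README is `acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch`, so nginx on wobisch1 will fail to start unless a dev.wo-bisch.ch certificate has been issued by hand. The issuance step should be documented per host in terms of the same variable, e.g. `acme.sh --issue -d <letsEncryptDomain> -w <document_root> --standalone`, or better driven from the playbook so inventory and certificate cannot drift. The value is also interpolated into an SELinux `sefcontext` regex and into nginx file paths, so it must stay a bare hostname; an inventory comment such as `# letsEncryptDomain: bare hostname only; used in cert paths and an SELinux fcontext regex` would make that constraint visible.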
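Review bot: Switching the `sefcontext` target to `/root/.acme.sh/{{ letsEncryptDomain }}(/.*)?` with `state: present` adds a new file-context rule but leaves the previous `/root/.acme.sh/mail2.nbit.ch(/.*)?` rule in the local policy on any host that was provisioned before, and the task name still says `apache`. A companion task with `state: absent` for the old target (or a one-off `semanage fcontext -d`) keeps the policy tidy, and the name should read `Allow nginx (httpd_t) to read the Let's Encrypt files for {{ letsEncryptDomain }}`. Labelling a private key under `/root` as `httpd_sys_content_t`, the label meant for public web content, is coarse; installing the key and chain with `acme.sh --install-cert` into a dedicated directory such as `/etc/pki/nginx/` (which the default policy presumably labels `cert_t`) would avoid relabelling anything under `/root`. The `notify:` handler is outside the hunk, so I cannot tell whether a `restorecon` runs after the context is added.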
diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2 index 17fb9ea..25cf925 100644 --- a/ansible/roles/nginx/templates/nginx.conf.j2 +++ b/ansible/roles/nginx/templates/nginx.conf.j2 @@ -26,6 +26,14 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; + # GZip Settings + gzip on; + gzip_vary on; + gzip_min_length 10240; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/javascript; + gzip_disable "MSIE [1-6]\."; + server { listen 80 default_server; listen [::]:80 default_server; @@ -46,6 +54,12 @@ http { proxy_pass http://127.0.0.1:8080; } + location /static { + autoindex off; + root {{ document_root }}/; + expires 30d; + } + location / { try_files $uri @wo-bisch; } location @wo-bisch { proxy_pass http://127.0.0.1:4000; @@ -53,8 +67,8 @@ http { listen [::]:443 ssl ipv6only=on; listen 443 ssl; - ssl_certificate /root/.acme.sh/wo-bisch.ch/fullchain.cer; - ssl_certificate_key /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key; + ssl_certificate /root/.acme.sh/{{ letsEncryptDomain }}/fullchain.cer; + ssl_certificate_key /root/.acme.sh/{{ letsEncryptDomain }}/{{ letsEncryptDomain }}.key; } }
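Review bot: The `ssl_certificate`/`ssl_certificate_key` lines in the last hunk point nginx at acme.sh's internal working directory `/root/.acme.sh/{{ letsEncryptDomain }}/`, which the acme.sh documentation says not to use directly (its layout may change), and nothing here reloads nginx after a renewal — the README's `--standalone` issuance even stops nginx first. Installing the material with `acme.sh --install-cert -d <domain> --fullchain-file /etc/pki/nginx/<domain>/fullchain.cer --key-file /etc/pki/nginx/<domain>/<domain>.key --reloadcmd "systemctl reload nginx"` and pointing the template at those two paths keeps the key out of `/root` and makes renewal automatic. In the first hunk, `gzip on` at `http` level also compresses the dynamic responses proxied from ports 4000 and 8080 over TLS; if any of those pages reflect request input alongside a session or CSRF token this enables BREACH-style attacks, so consider restricting gzip to `location /static` or turning it off in the proxied locations. No `ssl_protocols`/`ssl_ciphers` directive is visible in these hunks; if the template does not set them elsewhere, `ssl_protocols TLSv1.2 TLSv1.3;` should be added next to the certificate lines.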