tune nginx, varia
		
							parent
							
								
									4570e285eb
								
							
						
					
					
						commit
						3b48d6481a
					
				
							
								
								
									
										48
									
								
								README.md
								
								
								
								
							
							
						
						
									
										48
									
								
								README.md
								
								
								
								
							|  | @ -17,43 +17,87 @@ https://github.com/hetznercloud/cli | ||||||
| 
 | 
 | ||||||
| Temporaer einen API Key erstellen (nachher wieder loeschen) | Temporaer einen API Key erstellen (nachher wieder loeschen) | ||||||
| 
 | 
 | ||||||
|  | ` | ||||||
| $ hcloud context create wo-bisch-server | $ hcloud context create wo-bisch-server | ||||||
| $ hcloud image list                          # zeigt moegliche Images | $ hcloud image list                          # zeigt moegliche Images | ||||||
| $ hcloud server-type list                    # zeigt moegliche Typen | $ hcloud server-type list                    # zeigt moegliche Typen | ||||||
|  | ` | ||||||
| 
 | 
 | ||||||
|  | ` | ||||||
| $ hcloud server create --name wobisch1 --image centos-8 --type cx11 --ssh-key joerg@cinnamon.nbit.ch | $ hcloud server create --name wobisch1 --image centos-8 --type cx11 --ssh-key joerg@cinnamon.nbit.ch | ||||||
| $ hcloud server set-rdns wobisch1 --hostname wobisch1.nbit.ch | $ hcloud server set-rdns wobisch1 --hostname wobisch1.nbit.ch | ||||||
| $ IPV6="$(hcloud server ip wobisch1 -6)" | $ IPV6="$(hcloud server ip wobisch1 -6)" | ||||||
| $ hcloud server set-rdns wobisch1 --ip $IPV6 --hostname wobisch1.nbit.ch | $ hcloud server set-rdns wobisch1 --ip $IPV6 --hostname wobisch1.nbit.ch | ||||||
|  | ` | ||||||
| 
 | 
 | ||||||
| DNS Eintraege erstellen: | DNS Eintraege erstellen: | ||||||
|  | ` | ||||||
| $ hcloud server ip wobisch1  | $ hcloud server ip wobisch1  | ||||||
| $ hcloud server ip wobisch1 -6                      | $ hcloud server ip wobisch1 -6                      | ||||||
|  | ` | ||||||
| 
 | 
 | ||||||
| Root-Passwort setzen (das machen wir von Hand) | Root-Passwort setzen (das machen wir von Hand) | ||||||
| 
 | 
 | ||||||
|  | ` | ||||||
|  | # yum update | ||||||
|  | ` | ||||||
|  | 
 | ||||||
| ## Ansible Playbook laufen lassen | ## Ansible Playbook laufen lassen | ||||||
| 
 | 
 | ||||||
|  | ` | ||||||
| $ cd ansible | $ cd ansible | ||||||
| $ ansible-playbook -i production wo-bisch-server.yml | $ ansible-playbook -i production wo-bisch-server.yml --limit wobisch1.wo-bisch.ch  # or wobisch2.wo-bisch.ch | ||||||
|  | ` | ||||||
| 
 | 
 | ||||||
| Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)! | Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)! | ||||||
| 
 | 
 | ||||||
| ### Let's Encrypt Zertifikat einrichten | ### Let's Encrypt Zertifikat einrichten | ||||||
| 
 | 
 | ||||||
|  | ` | ||||||
| # curl https://get.acme.sh | sh -s email=info@nbit.ch | # curl https://get.acme.sh | sh -s email=info@nbit.ch | ||||||
| # acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web | # systemctl stop nginx | ||||||
|  | # acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web --standalone | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| [Sa Feb 27 17:27:34 CET 2021] Your cert is in  /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.cer  | [Sa Feb 27 17:27:34 CET 2021] Your cert is in  /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.cer  | ||||||
| [Sa Feb 27 17:27:34 CET 2021] Your cert key is in  /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key  | [Sa Feb 27 17:27:34 CET 2021] Your cert key is in  /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key  | ||||||
| [Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in  /root/.acme.sh/wo-bisch.ch/ca.cer  | [Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in  /root/.acme.sh/wo-bisch.ch/ca.cer  | ||||||
| [Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there:  /root/.acme.sh/wo-bisch.ch/fullchain.cer  | [Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there:  /root/.acme.sh/wo-bisch.ch/fullchain.cer  | ||||||
|  | ` | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| ### Influxdb Users | ### Influxdb Users | ||||||
|  | 
 | ||||||
|  | wobisch1: | ||||||
|  | 
 | ||||||
| admin: admin7355 | admin: admin7355 | ||||||
| Org: wobischorg | Org: wobischorg | ||||||
| Bucket: wobischbucket | Bucket: wobischbucket | ||||||
| RW-Token: PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg== | RW-Token: PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg== | ||||||
| RO-Token: TQvQxxLLAj1kTKWuEqcx7BA-KfE6WtJUeDlPa_Dnvms6Zqf6uh6lMbpXtzcsCjKO_x3PrpxxGDR5E6YnDB5PFg== | RO-Token: TQvQxxLLAj1kTKWuEqcx7BA-KfE6WtJUeDlPa_Dnvms6Zqf6uh6lMbpXtzcsCjKO_x3PrpxxGDR5E6YnDB5PFg== | ||||||
|  | 
 | ||||||
|  | wobisch2: | ||||||
|  | 
 | ||||||
|  | admin: admin7355 | ||||||
|  | Org: wobischorg | ||||||
|  | Bucket: wobischbucket | ||||||
|  | RW-Token: Dl1ogBm4U9IgDgMqsHgFX04g4Rn9VyPqc94teQ9QzLztFUSttMTAwkch3TrdUk4c4vtr3eysZbsTaFrTQa-JqA== | ||||||
|  | RO-Token: hVK-DQk3kQhrTndYCvv8T1c99nSdpUe2wPAzEMH77rpuDKLbEdsI-Ten6S09EPlgKBCPVypYohMNO9AYbt0MlQ== | ||||||
|  | 
 | ||||||
|  | ## Redis Dump | ||||||
|  | 
 | ||||||
|  | Backup/Restore Tool fuer Redis von https://github.com/yannh/redis-dump-go | ||||||
|  | 
 | ||||||
|  | ` | ||||||
|  | # cd /var/tmp && wget https://github.com/yannh/redis-dump-go/releases/download/v0.4.1/redis-dump-go-linux-amd64.tar.gz | ||||||
|  | # tar xzvf redis-dump-go-linux-amd64.tar.gz | ||||||
|  | # cp redis-dump-go /usr/local/bin | ||||||
|  | 
 | ||||||
|  | Zum Backup: | ||||||
|  | $ redis-dump-go -output commands >redis-backup-$(date +%Y%m%W).out | ||||||
|  | 
 | ||||||
|  | Zum Restore: | ||||||
|  | $ redis-cli --pipe < redis-backup.out | ||||||
|  | ` | ||||||
|  |    | ||||||
|  |  | ||||||
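Review bot: The new `wobisch2:` block commits the InfluxDB admin password `admin7355` together with live RW and RO API tokens in plaintext, and the pre-existing set is now labelled `wobisch1:`, so anyone with read access to this repository or its history holds write access to `wobischbucket` on both hosts. Those tokens and the admin password should be rotated now (rewriting history is not enough once cloned) and moved to Ansible Vault or another secrets store, with the README keeping only the org/bucket names and a pointer such as `RW-Token: see ansible vault (influx_rw_token)`. The Redis dump section fetches a release tarball with `wget` and copies the binary into `/usr/local/bin` as root without verifying a checksum or signature; comparing against the release's published SHA256 before `tar xzvf` would close that supply-chain gap. The `--standalone` issuance also needs port 80 free, so presumably the scheduled renewal will fail while nginx is running unless a pre/post hook stops and restarts it — worth stating next to the `systemctl stop nginx` line.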
|  | @ -7,4 +7,5 @@ mail_forward_address=joerg.lehmann@nbit.ch | ||||||
| document_root=/home/appuser/wo-bisch-web | document_root=/home/appuser/wo-bisch-web | ||||||
| 
 | 
 | ||||||
| [wo_bisch_servers] | [wo_bisch_servers] | ||||||
| wobisch1.wo-bisch.ch | wobisch1.wo-bisch.ch letsEncryptDomain=dev.wo-bisch.ch | ||||||
|  | wobisch2.wo-bisch.ch letsEncryptDomain=wo-bisch.ch | ||||||
|  |  | ||||||
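Review bot: wobisch1 is given `letsEncryptDomain=dev.wo-bisch.ch`, but the README's issuance example runs `acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch`, which (per the README's own output) writes to `/root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key`; on wobisch1 the nginx template and the SELinux fcontext will instead look under `/root/.acme.sh/dev.wo-bisch.ch/`, and nginx will not start until a cert for that name exists. Document the coupling beside the hosts, e.g. `# letsEncryptDomain must equal the first -d given to acme.sh --issue (it names the dir and key file under /root/.acme.sh)`. This assumes acme.sh's default directory naming, which is what the README output shows for wo-bisch.ch.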
|  | @ -16,6 +16,8 @@ | ||||||
|     - socat |     - socat | ||||||
|     - unzip |     - unzip | ||||||
|     - wget |     - wget | ||||||
|  |     - git | ||||||
|  |     - bzip2 | ||||||
| 
 | 
 | ||||||
| - name: Enable SELinux | - name: Enable SELinux | ||||||
|   selinux: |   selinux: | ||||||
|  |  | ||||||
|  | @ -28,9 +28,9 @@ | ||||||
|     - wo-bisch-web.css |     - wo-bisch-web.css | ||||||
|     - wo-bisch-web-custom.css |     - wo-bisch-web-custom.css | ||||||
| 
 | 
 | ||||||
| - name: Allow apache to read files in /root/.acme.sh/wo-bisch.ch | - name: Allow apache to read files in /root/.acme.sh/{{ letsEncryptDomain }} | ||||||
|   sefcontext: |   sefcontext: | ||||||
|     target: '/root/.acme.sh/mail2.nbit.ch(/.*)?' |     target: '/root/.acme.sh/{{ letsEncryptDomain }}(/.*)?' | ||||||
|     setype: httpd_sys_content_t |     setype: httpd_sys_content_t | ||||||
|     state: present |     state: present | ||||||
|   notify: |   notify: | ||||||
|  |  | ||||||
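Review bot: `letsEncryptDomain` is interpolated into the fcontext regex unescaped, so the dots in `wo-bisch.ch` match any character; the target should read `'/root/.acme.sh/{{ letsEncryptDomain | regex_escape }}(/.*)?'`. More importantly, the rule labels the whole per-domain tree, private key included, as `httpd_sys_content_t`, i.e. ordinary web content, which widens what a compromised httpd_t process may read; installing cert and key into a dedicated path with `acme.sh --install-cert --key-file ... --fullchain-file ...` (key mode 0600, nginx reads it as root at startup) avoids labelling anything under `/root` at all. A new fcontext only takes effect after `restorecon` on the path; the `notify:` handler is outside the hunk, so I cannot tell whether that happens. The task name still says "Allow apache" although the service being configured here is nginx.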
|  | @ -26,6 +26,14 @@ http { | ||||||
|     include             /etc/nginx/mime.types; |     include             /etc/nginx/mime.types; | ||||||
|     default_type        application/octet-stream; |     default_type        application/octet-stream; | ||||||
| 
 | 
 | ||||||
|  |     # GZip Settings | ||||||
|  |     gzip on; | ||||||
|  |     gzip_vary on; | ||||||
|  |     gzip_min_length 10240; | ||||||
|  |     gzip_proxied expired no-cache no-store private auth; | ||||||
|  |     gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/javascript; | ||||||
|  |     gzip_disable "MSIE [1-6]\."; | ||||||
|  | 
 | ||||||
|     server { |     server { | ||||||
|         listen       80 default_server; |         listen       80 default_server; | ||||||
|         listen       [::]:80 default_server; |         listen       [::]:80 default_server; | ||||||
|  | @ -46,6 +54,12 @@ http { | ||||||
|             proxy_pass http://127.0.0.1:8080; |             proxy_pass http://127.0.0.1:8080; | ||||||
|         } |         } | ||||||
| 
 | 
 | ||||||
|  |         location /static { | ||||||
|  |             autoindex off; | ||||||
|  |             root {{ document_root }}/; | ||||||
|  |             expires 30d; | ||||||
|  |         } | ||||||
|  | 
 | ||||||
|         location / { try_files $uri @wo-bisch; } |         location / { try_files $uri @wo-bisch; } | ||||||
|         location @wo-bisch { |         location @wo-bisch { | ||||||
|             proxy_pass http://127.0.0.1:4000; |             proxy_pass http://127.0.0.1:4000; | ||||||
|  | @ -53,8 +67,8 @@ http { | ||||||
| 
 | 
 | ||||||
|         listen [::]:443 ssl ipv6only=on;  |         listen [::]:443 ssl ipv6only=on;  | ||||||
|         listen 443 ssl;  |         listen 443 ssl;  | ||||||
|         ssl_certificate /root/.acme.sh/wo-bisch.ch/fullchain.cer; |         ssl_certificate /root/.acme.sh/{{ letsEncryptDomain }}/fullchain.cer; | ||||||
|         ssl_certificate_key /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key; |         ssl_certificate_key /root/.acme.sh/{{ letsEncryptDomain }}/{{ letsEncryptDomain }}.key; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
| } | } | ||||||
|  |  | ||||||
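Review bot: `gzip on` at `http {}` level applies to the `listen 443 ssl` server further down this file too, including dynamic responses proxied from 127.0.0.1:4000, and `gzip_proxied expired no-cache no-store private auth` explicitly opts in private/authenticated responses; if any such page echoes user-controlled input next to a secret (session id, CSRF token), compressing it over TLS exposes that secret to BREACH-style compression-oracle attacks. Unless the upstream app is known to have no such pages, scope compression to static assets: move the `gzip*` directives into the new `location /static` block (or at least drop `private auth` from `gzip_proxied`) and leave dynamic HTML uncompressed. `gzip_disable "MSIE [1-6]\."` targets browsers that no longer exist and costs a User-Agent regex match per response; it can be removed. The enclosing `server {}` blocks start and end outside the hunks shown.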