tune nginx, varia
parent
4570e285eb
commit
3b48d6481a
48
README.md
48
README.md
|
|
@ -17,43 +17,87 @@ https://github.com/hetznercloud/cli
|
|||
|
||||
Temporaer einen API Key erstellen (nachher wieder loeschen)
|
||||
|
||||
`
|
||||
$ hcloud context create wo-bisch-server
|
||||
$ hcloud image list # zeigt moegliche Images
|
||||
$ hcloud server-type list # zeigt moegliche Typen
|
||||
`
|
||||
|
||||
`
|
||||
$ hcloud server create --name wobisch1 --image centos-8 --type cx11 --ssh-key joerg@cinnamon.nbit.ch
|
||||
$ hcloud server set-rdns wobisch1 --hostname wobisch1.nbit.ch
|
||||
$ IPV6="$(hcloud server ip wobisch1 -6)"
|
||||
$ hcloud server set-rdns wobisch1 --ip $IPV6 --hostname wobisch1.nbit.ch
|
||||
`
|
||||
|
||||
DNS Eintraege erstellen:
|
||||
`
|
||||
$ hcloud server ip wobisch1
|
||||
$ hcloud server ip wobisch1 -6
|
||||
`
|
||||
|
||||
Root-Passwort setzen (das machen wir von Hand)
|
||||
|
||||
`
|
||||
# yum update
|
||||
`
|
||||
|
||||
## Ansible Playbook laufen lassen
|
||||
|
||||
`
|
||||
$ cd ansible
|
||||
$ ansible-playbook -i production wo-bisch-server.yml
|
||||
$ ansible-playbook -i production wo-bisch-server.yml --limit wobisch1.wo-bisch.ch # or wobisch2.wo-bisch.ch
|
||||
`
|
||||
|
||||
Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)!
|
||||
|
||||
### Let's Encrypt Zertifikat einrichten
|
||||
|
||||
`
|
||||
# curl https://get.acme.sh | sh -s email=info@nbit.ch
|
||||
# acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web
|
||||
# systemctl stop nginx
|
||||
# acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web --standalone
|
||||
|
||||
|
||||
[Sa Feb 27 17:27:34 CET 2021] Your cert is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.cer
|
||||
[Sa Feb 27 17:27:34 CET 2021] Your cert key is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key
|
||||
[Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in /root/.acme.sh/wo-bisch.ch/ca.cer
|
||||
[Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there: /root/.acme.sh/wo-bisch.ch/fullchain.cer
|
||||
`
|
||||
|
||||
|
||||
|
||||
### Influxdb Users
|
||||
|
||||
wobisch1:
|
||||
|
||||
admin: admin7355
|
||||
Org: wobischorg
|
||||
Bucket: wobischbucket
|
||||
RW-Token: PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg==
|
||||
RO-Token: TQvQxxLLAj1kTKWuEqcx7BA-KfE6WtJUeDlPa_Dnvms6Zqf6uh6lMbpXtzcsCjKO_x3PrpxxGDR5E6YnDB5PFg==
|
||||
|
||||
wobisch2:
|
||||
|
||||
admin: admin7355
|
||||
Org: wobischorg
|
||||
Bucket: wobischbucket
|
||||
RW-Token: Dl1ogBm4U9IgDgMqsHgFX04g4Rn9VyPqc94teQ9QzLztFUSttMTAwkch3TrdUk4c4vtr3eysZbsTaFrTQa-JqA==
|
||||
RO-Token: hVK-DQk3kQhrTndYCvv8T1c99nSdpUe2wPAzEMH77rpuDKLbEdsI-Ten6S09EPlgKBCPVypYohMNO9AYbt0MlQ==
|
||||
|
||||
## Redis Dump
|
||||
|
||||
Backup/Restore Tool fuer Redis von https://github.com/yannh/redis-dump-go
|
||||
|
||||
`
|
||||
# cd /var/tmp && wget https://github.com/yannh/redis-dump-go/releases/download/v0.4.1/redis-dump-go-linux-amd64.tar.gz
|
||||
# tar xzvf redis-dump-go-linux-amd64.tar.gz
|
||||
# cp redis-dump-go /usr/local/bin
|
||||
|
||||
Zum Backup:
|
||||
$ redis-dump-go -output commands >redis-backup-$(date +%Y%m%W).out
|
||||
|
||||
Zum Restore:
|
||||
$ redis-cli --pipe < redis-backup.out
|
||||
`
|
||||
|
||||
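Review bot: The `### Influxdb Users` section puts the InfluxDB admin password and the RW/RO tokens for wobisch1 and wobisch2 into README.md in clear text, so they remain in git history for everyone with read access even if a later commit removes them. Treat them as exposed: rotate the admin password and all four tokens, keep the replacements in Ansible Vault or a password manager, and leave only a pointer here such as `Tokens: see vault file <VAULT_FILE_PLACEHOLDER>`. Separately, `curl https://get.acme.sh | sh` and the redis-dump-go `wget` run or install downloaded code as root without any checksum or signature check; pin a release and verify its digest before `cp redis-dump-go /usr/local/bin`. Which of these README lines are new in this commit cannot be told from the rendered page.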
|
|
|
|||
|
|
@ -7,4 +7,5 @@ mail_forward_address=joerg.lehmann@nbit.ch
|
|||
document_root=/home/appuser/wo-bisch-web
|
||||
|
||||
[wo_bisch_servers]
|
||||
wobisch1.wo-bisch.ch
|
||||
wobisch1.wo-bisch.ch letsEncryptDomain=dev.wo-bisch.ch
|
||||
wobisch2.wo-bisch.ch letsEncryptDomain=wo-bisch.ch
|
||||
|
|
|
|||
|
|
@ -16,6 +16,8 @@
|
|||
- socat
|
||||
- unzip
|
||||
- wget
|
||||
- git
|
||||
- bzip2
|
||||
|
||||
- name: Enable SELinux
|
||||
selinux:
|
||||
|
|
|
|||
|
|
@ -28,9 +28,9 @@
|
|||
- wo-bisch-web.css
|
||||
- wo-bisch-web-custom.css
|
||||
|
||||
- name: Allow apache to read files in /root/.acme.sh/wo-bisch.ch
|
||||
- name: Allow apache to read files in /root/.acme.sh/{{ letsEncryptDomain }}
|
||||
sefcontext:
|
||||
target: '/root/.acme.sh/mail2.nbit.ch(/.*)?'
|
||||
target: '/root/.acme.sh/{{ letsEncryptDomain }}(/.*)?'
|
||||
setype: httpd_sys_content_t
|
||||
state: present
|
||||
notify:
|
||||
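Review bot: Labelling `/root/.acme.sh/{{ letsEncryptDomain }}(/.*)?` as `httpd_sys_content_t` marks the directory that holds the TLS private key as ordinary web content, so anything confined to the httpd domain may read the key, not only nginx at start-up. Consider letting acme.sh copy the certificate and key to a dedicated directory with `acme.sh --install-cert -d {{ letsEncryptDomain }} --key-file <KEY_PATH> --fullchain-file <CHAIN_PATH> --reloadcmd "systemctl reload nginx"`, labelling that directory `cert_t`, and leaving `/root/.acme.sh` at its default context. The task name still says "apache" although the server configured in this commit is nginx. `letsEncryptDomain` appears to have no default, so a host missing it in the inventory would fail here; an `assert` on the variable would make that explicit. The task continues past the end of the hunk (`notify:`).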
|
|
|
|||
|
|
@ -26,6 +26,14 @@ http {
|
|||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# GZip Settings
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_min_length 10240;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/javascript;
|
||||
gzip_disable "MSIE [1-6]\.";
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
|
@ -46,6 +54,12 @@ http {
|
|||
proxy_pass http://127.0.0.1:8080;
|
||||
}
|
||||
|
||||
location /static {
|
||||
autoindex off;
|
||||
root {{ document_root }}/;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location / { try_files $uri @wo-bisch; }
|
||||
location @wo-bisch {
|
||||
proxy_pass http://127.0.0.1:4000;
|
||||
|
|
@ -53,8 +67,8 @@ http {
|
|||
|
||||
listen [::]:443 ssl ipv6only=on;
|
||||
listen 443 ssl;
|
||||
ssl_certificate /root/.acme.sh/wo-bisch.ch/fullchain.cer;
|
||||
ssl_certificate_key /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key;
|
||||
ssl_certificate /root/.acme.sh/{{ letsEncryptDomain }}/fullchain.cer;
|
||||
ssl_certificate_key /root/.acme.sh/{{ letsEncryptDomain }}/{{ letsEncryptDomain }}.key;
|
||||
}
|
||||
|
||||
}
|
||||
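Review bot: `gzip on;` is set at `http` level, so it also covers the 443 server and the HTML coming back from the `proxy_pass` upstreams (nginx always compresses `text/html`, whatever `gzip_types` lists). If those pages reflect request input next to session-bound secrets such as CSRF tokens, compressing them over TLS is the BREACH precondition. Whether the application does that is not visible here, so either confirm it does not, or limit compression to static assets by moving the `gzip` directives into `location /static` and setting `gzip off;` in the proxy locations. In the second hunk, `location /static {` is a bare prefix and also matches paths such as `/static-x`; `location /static/ {` keeps it to the directory. The `http` and `server` blocks begin and end outside these hunks.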
|
|
|
|||