From a6d6804668de9cdc9202ebebc9511a24911f496a Mon Sep 17 00:00:00 2001 From: Jonathan A Rees Date: Fri, 1 May 2015 19:11:04 -0400 Subject: [PATCH] commit-message.tmp --- deploy/README.md | 2 +- deploy/as-admin.sh | 47 ++++++++---- deploy/restart-apache.sh | 32 ++++++++ deploy/setup/opentree-shared.conf | 123 ++++++++++++++++++++++++++++++ deploy/setup/opentree-ssl.conf | 38 +++++++++ deploy/setup/opentree.conf | 39 ++++++++++ deploy/setup/ssl-certs/README.md | 2 +- 7 files changed, 268 insertions(+), 15 deletions(-) create mode 100644 deploy/setup/opentree-shared.conf create mode 100644 deploy/setup/opentree-ssl.conf create mode 100644 deploy/setup/opentree.conf diff --git a/deploy/README.md b/deploy/README.md index d1bd04588..dfa1a51b9 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -162,7 +162,7 @@ should redirect all traffic to the editable github-pages sites. (Be sure to edit the text of this page to reflect the current situation and expected downtime.) -This should be done with a **302 Temporary** redirect. Currently, the easiest way to do this is by [un-commenting this line](https://github.com/OpenTreeOfLife/opentree/blob/d35768d9a2233908a1982846870cf57326450525/deploy/setup/apache-config-shared#L15-L16) in our shared apache configuration file. This should be on the server as `/etc/apache2/opentree-config-shared`. +This should be done with a **302 Temporary** redirect. Currently, the easiest way to do this is by [un-commenting this line](https://github.com/OpenTreeOfLife/opentree/blob/d35768d9a2233908a1982846870cf57326450525/deploy/setup/apache-config-shared#L15-L16) in our shared apache configuration file. This should be on the server as `/etc/apache2/opentree-shared.conf`. To avoid lost work in the [study curation app](http://tree.opentreeoflife.org/curator), we should also disable the creation and editing of studies in the hours before any diff --git a/deploy/as-admin.sh b/deploy/as-admin.sh index 91b2d50ec..4fc675b3b 100755 
--- a/deploy/as-admin.sh +++ b/deploy/as-admin.sh 
@@ -197,22 +197,43 @@ fi # the default 'vhost'. The opentree config file gets put into # place later on in the setup sequence. -if [ -r /etc/apache2/sites-enabled/000-default ]; then - sudo rm -f /etc/apache2/sites-enabled/000-default -fi -if [ ! -r /etc/apache2/sites-enabled/000-opentree ]; then - (cd /etc/apache2/sites-enabled; \ - sudo ln -sf ../sites-available/opentree ./000-opentree) -fi - -# Enable the HTTPS site only if our SSL certs are found; else disable it -if [ -r /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem ]; then - if [ ! -r /etc/apache2/sites-enabled/001-opentree-ssl ]; then +if apt-cache policy apache2 | egrep -q "Installed: 2.2"; then + # Keep old script transiently; flush this after full transition to 2.4+ + if [ -r /etc/apache2/sites-enabled/000-default ]; then + sudo rm -f /etc/apache2/sites-enabled/000-default + fi + if [ ! -r /etc/apache2/sites-enabled/000-opentree ]; then (cd /etc/apache2/sites-enabled; \ - sudo ln -sf ../sites-available/opentree-ssl ./001-opentree-ssl) + sudo ln -sf ../sites-available/opentree ./000-opentree) + fi + + # Enable the HTTPS site only if our SSL certs are found; else disable it + if [ -r /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem ]; then + if [ ! -r /etc/apache2/sites-enabled/001-opentree-ssl ]; then + (cd /etc/apache2/sites-enabled; \ + sudo ln -sf ../sites-available/opentree-ssl ./001-opentree-ssl) + fi + else + sudo rm -f /etc/apache2/sites-enabled/001-opentree-ssl fi else - sudo rm -f /etc/apache2/sites-enabled/001-opentree-ssl + sudo rm -f /etc/apache2/sites-enabled/000-default* + sudo rm -f /etc/apache2/sites-enabled/000-opentree + sudo rm -f /etc/apache2/sites-enabled/001-opentree-ssl + if [ ! 
-e /etc/apache2/sites-enabled/000-opentree.conf ]; then + (cd /etc/apache2/sites-enabled; \ + sudo ln -sf ../sites-available/opentree.conf ./000-opentree.conf) + fi + + # Enable the HTTPS site only if our SSL certs are found; else disable it + if [ -r /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem ]; then + if [ ! -r /etc/apache2/sites-enabled/001-opentree-ssl.conf ]; then + (cd /etc/apache2/sites-enabled; \ + sudo ln -sf ../sites-available/opentree-ssl.conf ./001-opentree-ssl.conf) + fi + else + sudo rm -f /etc/apache2/sites-enabled/001-opentree-ssl.conf + fi fi # ---------- UNPRIVILEGED USER ---------- diff --git a/deploy/restart-apache.sh b/deploy/restart-apache.sh index 44144e5dd..f400c8e57 100755 --- a/deploy/restart-apache.sh +++ b/deploy/restart-apache.sh @@ -3,6 +3,10 @@ OPENTREE_USER=$1 OPENTREE_HOME=$(bash <<< "echo ~$OPENTREE_USER") +if apt-cache policy apache2 | egrep -q "Installed: 2.2"; then + +# Obscolescent code, apache 2.2 + if [ ! -r /etc/apache2/sites-available/opentree ] || \ ! cmp "$OPENTREE_HOME/setup/apache-config-vhost" /etc/apache2/sites-available/opentree; then echo "Installing opentree vhost config" 
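Review bot: The 2.4+ branch links `001-opentree-ssl.conf` into sites-enabled as soon as `/etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem` is readable, but the vhost it enables also needs `/etc/ssl/private/opentreeoflife.org.key` (named in opentree-ssl.conf in this same patch); with the certificate present and the key missing, apache refuses to start and the HTTP vhost goes down with it. Extending the guard to `if [ -r /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem ] && sudo test -r /etc/ssl/private/opentreeoflife.org.key; then` (the key is normally root-only, hence `sudo test`) keeps a half-installed certificate from taking the whole server offline. The version probe `apt-cache policy apache2 | egrep -q "Installed: 2.2"` treats "Installed: (none)" as 2.4+, so on a host where apache2 is not yet installed the script silently takes the new branch; a comment such as `# apache2 not installed yet => assume the 2.4+ layout` would make that assumption explicit. The if/else being reviewed opens at the top of this hunk and closes at the `fi` just above `# ---------- UNPRIVILEGED USER`.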
@@ -24,5 +28,33 @@ if [ ! -r /etc/apache2/opentree-config-shared ] || \
 fi
 rm $TMP
 
+# -------------------------------------------------------
+
+else
+
+# Modern code, apache 2.4+
+
+if [ ! -r /etc/apache2/sites-available/opentree.conf ] || \
+ ! cmp "$OPENTREE_HOME/setup/opentree.conf" /etc/apache2/sites-available/opentree; then
+ echo "Installing opentree vhost config"
+ sudo cp -p "$OPENTREE_HOME/setup/opentree.conf" /etc/apache2/sites-available/ || "Sudo failed"
+fi
+
+if [ ! -r /etc/apache2/sites-available/opentree-ssl ] || \
+ ! cmp "$OPENTREE_HOME/setup/opentree-ssl.conf" /etc/apache2/sites-available/opentree-ssl.conf; then
+ echo "Installing opentree ssl vhost config"
+ sudo cp -p "$OPENTREE_HOME/setup/opentree-ssl.conf" /etc/apache2/sites-available/ || "Sudo failed"
+fi
+
+TMP=/tmp/$$.tmp
+sed -e s+/home/opentree+$OPENTREE_HOME+ <"$OPENTREE_HOME/setup/opentree-shared.conf" >$TMP
+if [ ! -r /etc/apache2/opentree-shared.conf ] || \
+ ! cmp $TMP /etc/apache2/opentree-shared.conf; then
+ echo "Installing opentree vhosts shared config"
+ sudo cp -p $TMP /etc/apache2/opentree-shared.conf || "Sudo failed"
+fi
+rm $TMP
+fi
+
 echo "Restarting apache httpd..."
 sudo apache2ctl graceful || "Sudo failed"
diff --git a/deploy/setup/opentree-shared.conf b/deploy/setup/opentree-shared.conf
new file mode 100644
index 000000000..5ce24220d
--- /dev/null
+++ b/deploy/setup/opentree-shared.conf
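Review bot: Both new install checks compare against the wrong path, so they never short-circuit: the first `cmp` reads `/etc/apache2/sites-available/opentree` instead of `opentree.conf`, and the second block tests `-r /etc/apache2/sites-available/opentree-ssl` instead of `opentree-ssl.conf`, so both vhost files are re-copied with sudo on every run and the "Installing ..." messages are always printed. The corrected lines are `! cmp "$OPENTREE_HOME/setup/opentree.conf" /etc/apache2/sites-available/opentree.conf; then` and `if [ ! -r /etc/apache2/sites-available/opentree-ssl.conf ] || \`. The rendered shared config also passes through `TMP=/tmp/$$.tmp`, a predictable name in a world-writable directory that is then copied into /etc/apache2 as root; `TMP=$(mktemp) || exit 1` with a `trap 'rm -f "$TMP"' EXIT` removes that window (the 2.2 branch above has the same pattern, which this hunk carries forward). `|| "Sudo failed"` after each `cp` tries to execute a command literally named "Sudo failed" instead of reporting the failure, and the script still proceeds to `apache2ctl graceful`; `|| { echo "Sudo failed" >&2; exit 1; }` is what was presumably intended. The `else` added here closes the `if apt-cache policy ...` opened in the preceding hunk of this file.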
@@ -0,0 +1,123 @@ +# This file derives from the file /etc/apache2/sites-available/default +# in apache2 as installed in ubuntu 12.04. +# +# Now that we're supporting both HTTP and HTTPS, this file contains all the +# shared configuration for VirtualHosts in 'opentree.conf' and 'opentree-ssl.conf'. See +# http://serverfault.com/questions/83669/apache2-with-ssl-do-i-have-to-copy-virtualhost-blocks +# +# This file should be periodically reviewed as apache versions advance and +# 'best practice' for virtual host configurations changes. + + ServerAdmin webmaster@localhost + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # TEMPORARY REDIRECT to maintenance page + #RedirectMatch 302 ^(.*)$ http://opentreeoflife.github.io/maintenance.html + + # See http://stackoverflow.com/questions/13216837/install-web2py-in-virtual-hosting + # NOTE that we can only specify WSGIDaemonProcess once, so this has been + # retained in the main HTTP configuration 'opentree.conf'! + #WSGIDaemonProcess web2py user=opentree group=opentree display-name=%{GROUP} + WSGIProcessGroup web2py + WSGIScriptAlias / /home/opentree/web2py/wsgihandler.py + + # We don't want the scriptalias to override mappings for + # treemachine and taxomachine... seems not to. 
+ + + AllowOverride None + Require all denied + + Require all granted + + + + AliasMatch ^/([^/]+)/static/(.*) /home/opentree/web2py/applications/$1/static/$2 + + Require all granted + + + # See https://github.com/OpenTreeOfLife/opentree/wiki/Open-Tree-of-Life-APIs + + # 7474 = treemachine neo4j + + + Require all granted + ProxyPass http://localhost:7474/db/data/ext/tree_of_life/graphdb + ProxyPassReverse http://localhost:7474/db/data/ext/tree_of_life/graphdb + + + + Require all granted + ProxyPass http://localhost:7474/db/data/ext/graph/graphdb + ProxyPassReverse http://localhost:7474/db/data/ext/graph/graphdb + + + # 7476 = taxomachine neo4j + + + Require all granted + ProxyPass http://localhost:7476/db/data/ext/tnrs_v2/graphdb + ProxyPassReverse http://localhost:7476/db/data/ext/tnrs_v2/graphdb + + + + Require all granted + ProxyPass http://localhost:7476/db/data/ext/taxonomy/graphdb + ProxyPassReverse http://localhost:7476/db/data/ext/taxonomy/graphdb + + + # 7478 = oti neo4j + + + Require all granted + ProxyPass http://localhost:7478/db/data/ext/studies/graphdb + ProxyPassReverse http://localhost:7478/db/data/ext/studies/graphdb + + + # phylesystem-api is provided via web2py + RewriteEngine on + RewriteRule ^/v2/study/(.*) /phylesystem/v1/study/$1 [PT] + + # ------------------------------------------------------------ + # Explicit routing for /cached/* URLs (in phylesystem-api) + + RewriteEngine on + RewriteRule ^/cached/(.*) /phylesystem/default/cached/$1 [PT] + + # ------------------------------------------------------------ + # v1 API retained for transition period (ending Nov 2014 ?) 
+ + + Require all granted + ProxyPass http://localhost:7474/db/data/ext/GoLS/graphdb + ProxyPassReverse http://localhost:7474/db/data/ext/GoLS/graphdb + + + + Require all granted + ProxyPass http://localhost:7474/db/data/ext + + + + Require all granted + ProxyPass http://localhost:7476/db/data/ext/TNRS/graphdb + ProxyPassReverse http://localhost:7476/db/data/ext/TNRS/graphdb + + + + Require all granted + ProxyPass http://localhost:7476/db/data/ext + + + + Require all granted + ProxyPass http://localhost:7478/db/data/ext/QueryServices/graphdb + ProxyPassReverse http://localhost:7478/db/data/ext/QueryServices/graphdb + + + + Require all granted + ProxyPass http://localhost:7478/db/data/ext + diff --git a/deploy/setup/opentree-ssl.conf b/deploy/setup/opentree-ssl.conf new file mode 100644 index 000000000..03532aa34 --- /dev/null +++ b/deploy/setup/opentree-ssl.conf 
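Review bot: The three v1 fallbacks `ProxyPass http://localhost:7474/db/data/ext`, `ProxyPass http://localhost:7476/db/data/ext` and `ProxyPass http://localhost:7478/db/data/ext` carry no extension path, so under `Require all granted` they forward to everything mounted beneath each Neo4j instance's /db/data/ext root rather than only the tree_of_life/graph, tnrs_v2/taxonomy and studies endpoints the v2 section names (the Location containers are not visible on this page, so the public prefixes they guard are inferred). The comment introducing this section gives the transition period as ending Nov 2014, already six months before this commit, so these catch-alls should be dropped or narrowed to the named extensions and the comment replaced with a firm deadline, e.g. `# v1 API retained for transition period -- REMOVE by <date>; the bare /db/data/ext proxies forward every plugin on the backend`. Separately, `ServerAdmin webmaster@localhost` is the distribution placeholder and is shown in server-generated error pages; set it to a monitored address.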
@@ -0,0 +1,38 @@ +# Adapting SSL settings (second VirtualHost) from /etc/apache2/sites-available/default-ssl +# in apache2 as installed in ubuntu 12.04. +# +# We support both HTTP and HTTPS, with two separate files in sites-available. +# This file holds only the settings unique to the HTTPS VirtualHost, with all +# shared configuration included from 'apache-confog-shared'. See +# http://serverfault.com/questions/83669/apache2-with-ssl-do-i-have-to-copy-virtualhost-blocks +# +# This file should be periodically reviewed as apache versions advance and +# 'best practice' for virtual host configurations changes. + + + + + ErrorLog ${APACHE_LOG_DIR}/ssl_error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + SSLEngine on + SSLCertificateFile /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem + SSLCertificateChainFile /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem + SSLCertificateKeyFile /etc/ssl/private/opentreeoflife.org.key + + # SSL Engine Options: + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # OPENTREE SHARED CONFIGURATION + Include /etc/apache2/opentree-shared.conf + + + diff --git a/deploy/setup/opentree.conf b/deploy/setup/opentree.conf new file mode 100644 index 000000000..114d1cd02 --- /dev/null +++ b/deploy/setup/opentree.conf 
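Review bot: This HTTPS vhost sets no `SSLProtocol` or `SSLCipherSuite`, so it inherits whatever the distribution's mods-available/ssl.conf allows; on the Ubuntu 12.04 baseline the header says this file derives from, that includes SSLv3 and weak cipher suites, and whether the 2.4+ host's packaged defaults already exclude them cannot be determined from this diff. Adding `SSLProtocol all -SSLv2 -SSLv3`, `SSLHonorCipherOrder on` and an explicit `SSLCipherSuite` next to `SSLEngine on` pins that policy in the repository rather than in the package. `SSLCertificateChainFile` points at the same file as `SSLCertificateFile`; the ssl-certs README in this patch says `STAR_opentreeoflife_org.pem` already carries the full chain, so the chain directive is redundant and can be removed along with a short comment, `# the .pem already includes the intermediate chain; no SSLCertificateChainFile needed`. Finally the header comment still refers to `'apache-confog-shared'`; it should name `'opentree-shared.conf'`, the file actually included at the bottom.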
@@ -0,0 +1,39 @@ +# This file derives from the file /etc/apache2/sites-available/default +# in apache2 as installed in ubuntu 12.04. +# +# We support both HTTP and HTTPS, with two separate files in sites-available. +# This file holds only the settings unique to the HTTP VirtualHost, with all +# shared configuration included from 'apache-confog-shared'. See +# http://serverfault.com/questions/83669/apache2-with-ssl-do-i-have-to-copy-virtualhost-blocks +# +# This file should be periodically reviewed as apache versions advance and +# 'best practice' for virtual host configurations changes. + + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + # Restrict web2py admin pages to admin users on localhost (SSH tunnel) + # TODO: Should this apply to the HTTPS VirtualHost as well? + + Require ip 127.0.0.1 + + + Require ip 127.0.0.1 + + + # See http://stackoverflow.com/questions/13216837/install-web2py-in-virtual-hosting + # + # NOTE that we can only specify WSGIDaemonProcess once, so this directive has been + # retained in this file. All other WSGI directives are shared + # across both vhosts + WSGIDaemonProcess web2py user=opentree group=opentree display-name=%{GROUP} + + # OPENTREE SHARED CONFIGURATION + Include /etc/apache2/opentree-shared.conf + + diff --git a/deploy/setup/ssl-certs/README.md b/deploy/setup/ssl-certs/README.md index 6ada829d5..83f14967b 100644 --- a/deploy/setup/ssl-certs/README.md +++ b/deploy/setup/ssl-certs/README.md 
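Review bot: The `Require ip 127.0.0.1` restriction on the web2py admin locations exists only in this HTTP vhost, and the TODO above it asks whether it should apply to HTTPS: it must, because opentree-ssl.conf in this same patch includes only opentree-shared.conf, so as written the same admin paths are reachable over HTTPS from any address with no IP restriction at all (the Location container lines are not visible on this page, so the exact paths are inferred from the comment). Move both Location blocks into opentree-shared.conf so each vhost picks them up, and replace the TODO with `# Applies to both vhosts via opentree-shared.conf -- keep the restriction there, not here`. While moving them, use `Require ip 127.0.0.1 ::1` so an SSH tunnel whose local end connects over the IPv6 loopback is not denied. The header comment also still says `'apache-confog-shared'` where it now means `'opentree-shared.conf'`.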
@@ -18,7 +18,7 @@ Note that this script requires `wget` or `curl`, as well as `openssl` to run. The result is a new file `STAR_opentreeoflife_org.pem`. This includes the full chain of public certificates, and it's the file we actually specify in our apache configuration file `001-opentree-ssl`. (See -[template](https://github.com/OpenTreeOfLife/opentree/blob/master/deploy/setup/apache-config-vhost-ssl) +[template](https://github.com/OpenTreeOfLife/opentree/blob/master/deploy/setup/opentree-ssl.conf) and [installation script](https://github.com/OpenTreeOfLife/opentree/blob/master/deploy/restart-apache.sh) for details.)