VM Node 01
IPv4: 5.196.206.61
Virtual MAC: 02:00:00:b3:ce:47
OS: Ubuntu 14.04 (standard security support ended in April 2019 — without Extended Security Maintenance this host receives no security updates; plan a migration)
Installed from VM-template
Managed via PVE interface:
- Global configuration:
- Input policy: Drop
- Output policy: Accept
- Proxmox server specific configuration
- Input Accept SSH macro (the only remote-management port opened by the firewall; restrict this rule's source to known admin addresses rather than leaving it open to any source)
- Input Accept HTTP macro
- Input Accept HTTPS macro
Configure network interface
$ vi /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
# The public address is configured as a /32, so the gateway (37.59.46.254) is
# not on-link: a host route to it must exist before the default route can be
# installed, and both are torn down again on ifdown.
auto eth0
iface eth0 inet static
address 5.196.206.61
netmask 255.255.255.255
broadcast 5.196.206.61
post-up route add 37.59.46.254 dev eth0
post-up route add default gw 37.59.46.254
pre-down route del 37.59.46.254 dev eth0
pre-down route del default gw 37.59.46.254
# Resolvers: Google public DNS over plain (unauthenticated) UDP/53.
dns-nameservers 8.8.8.8 8.8.4.4
Change hostname
$ echo "node01" | sudo tee /etc/hostname
$ sudo vi /etc/hosts
127.0.0.1 localhost
127.0.1.1 node01.donut.me node01
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Install and configure stunnel to secure the MongoDB connection (a TLS client tunnel from this node to the MongoDB host 5.196.206.60)
$ sudo apt-get install stunnel4
$ sudo vi /etc/stunnel/stunnel.conf
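; stunnel client: plaintext on local port 27017 -> TLS -> MongoDB on 5.196.206.60:27018
client = yes
; Authenticate the server. Without 'verify' the tunnel is encrypted but NOT
; authenticated: any host answering on :27018 (or a MITM on the path) is
; accepted. Level 2 requires a server certificate that chains to CAfile.
; Point CAfile at the CA (or the self-signed certificate) that issued the
; MongoDB server certificate -- the path below is a placeholder to adjust.
verify = 2
CAfile = /etc/stunnel/mongodb-ca.pem

[mongodb]
; Bind on loopback only. A bare 'accept = 27017' listens on every interface,
; which turns this node into an unauthenticated entry point to MongoDB for
; anything that can reach it on :27017.
accept = 127.0.0.1:27017
connect = 5.196.206.60:27018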
$ sudo vi /etc/default/stunnel4
ENABLED=1
$ sudo service stunnel4 start
Install and configure Exim4
$ sudo apt-get install exim4
$ sudo dpkg-reconfigure exim4-config
- System mail name: node01.donut.me
- IP-addresses to listen on for incoming SMTP connections: 127.0.0.1 ; ::1
- Other destinations for which mail is accepted:
- Domains to relay mail for:
- Machines to relay mail for:
- Keep number of DNS-queries minimal (Dial-on-Demand)? No
- Delivery method for local mail: mbox format in /var/mail/
- Split configuration into small files? No
Add a forward rule 80 => 3000 (http://www.lauradhamilton.com/how-to-set-up-a-nodejs-web-server-on-amazon-ec2) :
$ sudo apt-get install iptables-persistent
$ sudo vim /etc/sysctl.conf
uncomment net.ipv4.ip_forward=1
$ sudo sysctl -p /etc/sysctl.conf
$ cat /proc/sys/net/ipv4/ip_forward
should now print 1
Note: a nat PREROUTING REDIRECT to a local port is delivered to the local stack and should not need net.ipv4.ip_forward at all; that sysctl makes the host forward packets between interfaces (i.e. act as a router), which a single-interface public VM has no reason to do. Leave it at 0 unless something genuinely routes through this host.
$ sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
$ sudo iptables-save | sudo tee /etc/iptables/rules.v4
After the nginx addition, the redirection is no longer required. Removed with:
$ sudo iptables -L -t nat --line-numbers
$ sudo iptables -t nat -D PREROUTING 1
$ sudo iptables -L -t nat --line-numbers
$ sudo iptables-save | sudo tee /etc/iptables/rules.v4
Install nginx (as root):
apt-get install nginx
vi /etc/nginx/nginx.conf
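user www-data;
worker_processes 6;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header and on error
    # pages; it only helps an attacker pick version-specific exploits.
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Request optimisation
    ##
    open_file_cache max=50000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # Free the resources of clients that vanished without closing the connection.
    reset_timedout_connection on;
    client_body_buffer_size 16K;
    client_header_buffer_size 4k;
    # Bodies above 2m are rejected with 413 before they reach the application.
    client_max_body_size 2m;
    large_client_header_buffers 4 64k;
    # Short timeouts bound how long a slow client (Slowloris-style) can pin a worker.
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 10;
    send_timeout 10;

    ##
    # DDOS Protection
    ##
    # Maximum simultaneous connections per client IP.
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 20;
    # Maximum request rate per client IP; a burst of 200 is served without delay.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=50r/s;
    limit_req zone=allips burst=200 nodelay;
    # NOTE(review): both zones key on the direct peer address, so clients behind
    # a shared NAT or forward proxy share one bucket.

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # (gzip is configured per site, see donut-gzip.conf included by the server block)

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}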
vi /etc/nginx/donut-error.conf
# Custom error pages, included at server level by the site config.
# Each named location serves exactly one static file from the app's server
# directory (try_files only looks at the named file, so nothing else under
# that root becomes reachable); the '=NNN' fallback keeps the original status
# code when the file is missing.
error_page 403 @donut403;
error_page 404 @donut404;
error_page 500 @donut500;
error_page 501 @donut501;
error_page 502 @donut502;
error_page 503 @donut503;
error_page 504 @donut504;
location @donut403 {
    root /home/donut/app/server;
    try_files /403.html =403;
}
location @donut404 {
    root /home/donut/app/server;
    try_files /404.html =404;
}
# The 5xx locations all serve 50x.html; they are kept separate only so that
# the fallback status matches the original error when the file is absent.
location @donut500 {
    root /home/donut/app/server;
    try_files /50x.html =500;
}
location @donut501 {
    root /home/donut/app/server;
    try_files /50x.html =501;
}
location @donut502 {
    root /home/donut/app/server;
    try_files /50x.html =502;
}
location @donut503 {
    root /home/donut/app/server;
    try_files /50x.html =503;
}
location @donut504 {
    root /home/donut/app/server;
    try_files /50x.html =504;
}
vi /etc/nginx/donut-gzip.conf
# Per-site gzip settings, included by the donut.me server block.
gzip on;
gzip_min_length 1100;
gzip_buffers 16 32k;
# text/html is always compressed by nginx regardless of this list.
gzip_types text/plain application/x-javascript text/xml text/css;
gzip_comp_level 6;
# Compress proxied responses too (everything here is proxied to Node).
gzip_proxied any;
gzip_vary on;
# NOTE(review): compressing dynamic responses that echo user input over TLS is
# the precondition for BREACH; confirm the app does not reflect secrets (CSRF
# tokens, session ids) in compressed HTML, or exclude those responses.
vi /etc/nginx/donut-ssl.conf
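# TLS settings for donut.me, included at server level by the site config.
# 'ssl on;' is kept because the site's listen directive carries no 'ssl' flag.
ssl on;
# OCSP stapling, validated against the Gandi intermediate.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/GandiStandardSSLCA2.pem;
ssl_certificate /etc/nginx/ssl/donut-sha256.pem;
ssl_certificate_key /etc/nginx/ssl/donut.key;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 only. Re-add the old
# versions only if a measured share of real clients actually needs them.
ssl_protocols TLSv1.2;
# Forward-secret suites first. Compared with the previous list, the catch-all
# 'AES' and 'CAMELLIA' aliases and 3DES (Sweet32) are dropped; '!3DES' makes
# the individual DES-CBC3 exclusions unnecessary.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH';
ssl_prefer_server_ciphers on;
# Session resumption window and shared cache (10m ~ 40k sessions).
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;
# HSTS (6 months): the site already redirects HTTP to HTTPS, so pinning clients
# to TLS is consistent. Add includeSubDomains / a longer max-age only after
# confirming every subdomain is served over TLS. ('always' is not used because
# the nginx shipped with 14.04 predates it.)
add_header Strict-Transport-Security "max-age=15768000";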
vi /etc/nginx/ws.test.donut-ssl.conf
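# TLS settings for ws.test.donut, included at server level by its site config.
# Identical to donut-ssl.conf apart from the certificate; consider moving the
# shared directives into one included file so the two cannot drift apart.
# 'ssl on;' is kept because the site's listen directive carries no 'ssl' flag.
ssl on;
# OCSP stapling, validated against the Gandi intermediate.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/GandiStandardSSLCA2.pem;
ssl_certificate /etc/nginx/ssl/ws.test.donut-sha256.pem;
# NOTE(review): the same private key as donut.me is used here -- presumably
# both certificates were issued for one key pair; confirm that is intended.
ssl_certificate_key /etc/nginx/ssl/donut.key;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 only. Re-add the old
# versions only if a measured share of real clients actually needs them.
ssl_protocols TLSv1.2;
# Forward-secret suites first. Compared with the previous list, the catch-all
# 'AES' and 'CAMELLIA' aliases and 3DES (Sweet32) are dropped; '!3DES' makes
# the individual DES-CBC3 exclusions unnecessary.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH';
ssl_prefer_server_ciphers on;
# Session resumption window and shared cache (10m ~ 40k sessions).
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;
# HSTS (6 months). Add includeSubDomains / a longer max-age only after
# confirming every subdomain is served over TLS. ('always' is not used because
# the nginx shipped with 14.04 predates it.)
add_header Strict-Transport-Security "max-age=15768000";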
vi /etc/nginx/sites-available/donut.conf
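# donut
# Backend pool for socket.io traffic. ip_hash pins a client to one node so its
# socket.io session survives reconnects.
upstream io_nodes {
    ip_hash;
    # NOTE(review): the backends are addressed by the public hostname, so the
    # node processes must listen on the public address; only the PVE input
    # policy (Drop) keeps 3050/3051 off the Internet. Binding them to
    # 127.0.0.1 and proxying to localhost would not depend on the firewall.
    server donut.me:3050;
    server donut.me:3051;
}

# www.donut.me -> canonical host, sent straight to HTTPS instead of bouncing
# through a second plaintext redirect on http://donut.me.
server {
    listen 80;
    server_name www.donut.me;
    return 301 https://donut.me$request_uri;
}

# Plain HTTP -> HTTPS.
server {
    listen 80;
    server_name donut.me;
    return 301 https://donut.me$request_uri;
}

server {
    # 'ssl' on the listen line states the TLS intent explicitly; the included
    # donut-ssl.conf still carries the legacy 'ssl on;' which remains valid.
    listen 443 ssl;
    server_name donut.me;
    # NOTE(review): there is no 443 server for www.donut.me, so HTTPS requests
    # for that name land on this (default) server and are answered with the
    # donut.me certificate -- confirm the certificate covers www or that this
    # is intended.

    # WebSocket / long-polling path to the socket.io pool.
    location /socket.io {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For is appended to, not replaced: the app must only trust
        # the last entry (this nginx) when it derives the client address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://io_nodes;
        proxy_intercept_errors on;
    }

    # Everything else goes to the web application.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://donut.me:3000;
        proxy_intercept_errors on;
    }

    include donut-gzip.conf;
    include donut-ssl.conf;
    include donut-error.conf;
}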
Source: https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-an-ubuntu-14-04-server Install node.js from ppa:chris-lea/node.js (a third-party PPA: its packages are built and signed by the PPA maintainer, not by Ubuntu; a later section below installs Node from the nodesource repository instead):
$ sudo apt-get install software-properties-common # for having add-apt-repository
$ sudo add-apt-repository ppa:chris-lea/node.js
$ sudo apt-get update
$ sudo apt-get install nodejs
Install GIT (required) and "donut" user to run process
$ sudo apt-get install git
$ sudo useradd -s /bin/bash -m -d /home/donut -c "safe user for node process" donut
$ sudo usermod -aG sudo donut
Note: this gives the "safe" service account full sudo, which the steps below only use for global npm/apt installs. Once provisioning is done, remove it again with `sudo deluser donut sudo` (or replace it with a narrowly scoped sudoers rule) so a compromised node process cannot escalate to root.
As "donut" user install PM2 and node-gyp
$ sudo su - donut
$ sudo npm install pm2 -g
Install node-gyp (needs a C/C++ toolchain for native addons):
$ sudo apt-get install gcc make build-essential
$ sudo npm install node-gyp -g
Update system startup script for automatically launch PM2 as user "donut" at boot
$ sudo pm2 startup ubuntu -u donut
Add additional project global packages:
$ sudo apt-get install g++
$ sudo npm install -g bower
$ sudo npm install -g grunt-cli
$ sudo npm install -g pomelo
$ sudo npm install -g pomelo-cli
Fix npm permission bug after a "npm install -g":
$ sudo chown -R donut:donut /home/donut/.pm2
$ sudo chown -R donut:donut /home/donut/.npm
See project README.md.
$ sudo apt update
$ sudo apt upgrade
$ curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -
(This pipes a remote script straight into a root shell. Prefer fetching it to a file, reading it, and only then running it: `curl -sL https://deb.nodesource.com/setup_4.x -o setup_4.x.sh`, inspect the file, then `sudo -E bash setup_4.x.sh`.)
$ sudo apt-get install nodejs
$ sudo bash configure-nginx.sh -a donut -u USERNAME
Note: outgoing TCP port 514 must be reachable (514/tcp is the syslog port, presumably used for remote log shipping; the PVE Output policy above is Accept, so nothing on this host blocks it).
$ sudo apt install nodejs
$ sudo npm install -g npm
$ sudo npm install -g pm2
$ su donut
$ pm2 updatePM2
$ pm2 install pm2-redis
$ pm2 install pm2-mongodb
$ node -v
v4.2.3 (Node.js 4.x has been end-of-life since April 2018 and receives no security fixes)
$ npm -v
3.5.2
$ pm2 -v
0.15.10