Added frontend proxy stuff with NGinx

apache-default-upstream-proxy.txt

@@ -0,0 +1,25 @@
+########## Backend Apache
+# This apache only listens on localhost to port 8200.
+# It also has php and mod_rpaf installed. It does not gzip/deflate or access.log. It *Does* error log.
+# Basically, your backend apache is fairly normal. You should disable keepalive too by setting
+# Keepalive Off
+# in your main config.
+# mod_rpaf allows your backend apache to see the real IP address of the request, instead of the address of 
+# your frontend proxy.
+Listen 8200
+
+NameVirtualHost 127.0.0.1:8200
+
+<VirtualHost 127.0.0.1:8200>
+        ServerName www.DOMAIN_NAME
+        RewriteEngine on
+        DocumentRoot /var/www/DOMAIN_NAME
+        ServerAdmin webmaster@DOMAIN_NAME
+
+    #block POSTS without referrers. 
+        RewriteCond %{REQUEST_METHOD} POST
+        RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
+        RewriteCond %{HTTP_REFERER} !.*blog.example.org.* [OR]
+        RewriteCond %{HTTP_USER_AGENT} ^$
+        RewriteRule (.*) - [R=403,L]
+</VirtualHost>

fabfile.py

@@ -19,12 +19,14 @@ def deploy_all():
                       'git://github.com/btompkins/CodeBetter.Com-MySql.git')
     install_mail()
     install_ftp()
-    setup_website('codebetter.com')
+    setup_website_as_upstream_server('codebetter.com')
     copy_git_website('codebetter.com',
                      'git://github.com/btompkins/CodeBetter.Com-Wordpress.git',
                      'wp_codebetter',
                      'dbuser',
                      'dbpass')
+    install_nginx()
+    configure_nginx()
 
 def new_user(admin_username, admin_password):   
     env.user = 'root'
@@ -149,6 +151,27 @@ def setup_website(domain_name):
         '</IfModule>'], '/etc/apache2/apache2.conf', use_sudo=True)
     runcmd('/etc/init.d/apache2 restart')
 
+def setup_website_as_upstream_server(domain_name):
+    runcmd('mkdir /var/www/{domain}'.format(domain=domain_name))
+    runcmd('rm /etc/apache2/sites-enabled/000-default')
+    upload_template('.\\apache-default-upstream-proxy.txt'.format(
+        domain=domain_name), '/etc/apache2/sites-enabled/{domain}'.format(
+        domain=domain_name), use_sudo=True)
+    sed('/etc/apache2/sites-enabled/{domain}'.format(
+        domain=domain_name), 'DOMAIN_NAME', domain_name, use_sudo=True,)
+    runcmd('rm /etc/apache2/sites-enabled/*.bak')
+
+  # Note that the following will only work once!
+    append(['<IfModule mod_rewrite.c>',
+        '   RewriteLog "/var/log/apache2/rewrite.log"',
+        '   RewriteLogLevel 1',
+        '   RewriteMap rewritemap txt:/var/www/{domain}/permalinkmap.txt'
+            .format(domain=domain_name),
+        '   LimitInternalRecursion 5',
+        '</IfModule>'], '/etc/apache2/apache2.conf', use_sudo=True)
+
+    runcmd('/etc/init.d/apache2 restart')
+
 def copy_git_website(domain_name, repository_uri, database_name, database_user, database_password):
     with cd('/var/www/{domain}'.format(domain=domain_name)):
         runcmd('git clone {repo} .'.format(repo=repository_uri))
@@ -165,14 +188,17 @@ def copy_git_website(domain_name, repository_uri, database_name, database_user,
         runcmd('/etc/init.d/apache2 restart')
 
 def install_nginx():
-        runcmd('echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu '
-               '$(lsb_release -cs) main" > '
-               '/etc/apt/sources.list.d/nginx-stable-$(lsb_release -cs).list')
-        runcmd('apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C')
-        runcmd('apt-get update')
-        runcmd('apt-get -y install nginx')
-
-
+    runcmd('echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu '
+        '$(lsb_release -cs) main" > '
+        '/etc/apt/sources.list.d/nginx-stable-$(lsb_release -cs).list')
+    runcmd('apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C')
+    runcmd('apt-get update')
+    runcmd('apt-get -y install nginx')
+
+def configure_nginx():
+    upload_template('.\\nginx-default.txt', '/etc/nginx/sites-available/default', use_sudo=True)
+    runcmd('/etc/init.d/nginx restart')
+
 # Helpers    
 def runcmd(arg):
     if env.user != "root":

nginx-default.txt

@@ -0,0 +1,85 @@
+# And then in the file /etc/nginx/sites-enabled/default
+# This file shows you a few ways you can tweak your caching policies by inspecting URLs.
+# The most important rule is to leave admin-looking URLs uncached, otherwise you won't be able to log in.
+# From there, please feel free to set longer or shorter cache times based on your particular traffic.
+
+# set some parameters: two levels deep for the filesystem
+# set the name of the cache to "staticfilecache", giving it a maximum cache time of 3 hours and 500meg in size.
+proxy_cache_path  /var/lib/nginx/cache  levels=1:2   keys_zone=staticfilecache:180m  max_size=500m;
+proxy_temp_path /var/lib/nginx/proxy;
+proxy_connect_timeout 30;
+proxy_read_timeout 120;
+proxy_send_timeout 120;
+
+#IMPORTANT - this sets the basic cache key that's used in the static file cache.
+proxy_cache_key "$scheme://$host$request_uri";
+
+upstream wordpressapache {
+        #The upstream apache server. You can have many of these and weight them accordingly,
+        #allowing nginx to function as a caching load balancer (oh my. Awesomeness abounds.)
+        server 127.0.0.1:8200 weight=1 fail_timeout=120s;
+}
+
+server {
+        #Only cache 200 responses, and for a default of 20 minutes.
+        proxy_cache_valid 200 20m;
+
+        #Probably not needed, as the proxy will pass back the host in "proxy_set_header"
+        server_name codebetter.tld;
+
+        # "combined" matches apache's concept of "combined". Neat.
+        access_log  /var/log/apache2/nginx-access.log combined;
+
+        # Set the real IP.
+        proxy_set_header X-Real-IP  $remote_addr;
+
+        # Set the hostname
+        proxy_set_header Host $host;
+
+        #Set the forwarded-for header.
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        location / {
+                        # If logged in, don't cache.
+                        if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
+                                set $do_not_cache 1;
+                        }
+                        proxy_cache_key "$scheme://$host$request_uri $do_not_cache";
+                        proxy_cache staticfilecache;
+                        proxy_pass http://wordpressapache;
+        }
+
+        location ~* wp\-.*\.php|wp\-admin {
+                        # Don't static file cache admin-looking things.
+                        proxy_pass http://wordpressapache;
+        }
+
+        location ~* \.(jpg|png|gif|jpeg|css|js|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
+                        # Cache static-looking files for 120 minutes, setting a 10 day expiry time in the HTTP header,
+                        # whether logged in or not (may be too heavy-handed).
+                        proxy_cache_valid 200 120m;
+                        expires 864000;
+                        proxy_pass http://wordpressapache;
+                        proxy_cache staticfilecache;
+        }
+
+        location ~* \/[^\/]+\/(feed|\.xml)\/? {
+                        # Cache RSS looking feeds for 45 minutes unless logged in.
+                        if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
+                                set $do_not_cache 1;
+                        }
+                        proxy_cache_key "$scheme://$host$request_uri $do_not_cache";
+                        proxy_cache_valid 200 45m;
+                        proxy_cache staticfilecache;
+                        proxy_pass http://wordpressapache;
+        }
+
+        location = /50x.html {
+                root   /var/www/nginx-default;
+        }
+
+        # No access to .htaccess files.
+        location ~ /\.ht {
+                deny  all;
+        }
+}