Partial CMS configuration

* Needs more work, but seems to have many of the basics.

Partial CMS configuration
* Needs more work, but seems to have many of the basics.
d0eec731 · Joe Blaylock · b4484d5e · d0eec731 · d0eec731 · d0eec731
Commit d0eec731 authored May 02, 2013 by Joe Blaylock
7 changed files
--- a/playbooks/roles/cms/tasks/main.yml
+++ b/playbooks/roles/cms/tasks/main.yml
+# requires:
+#  - group_vars/all
+#  - common/tasks/main.yml
+#  - nginx/tasks/main.yml
+---
+- name: create cms application config
+  template: src=env.json.j2 dest=$app_base_dir/cms.env.json
+  sudo: True
+  tags:
+  - cms
+
+- name: create cms auth file
+  template: src=auth.json.j2 dest=$app_base_dir/cms.auth.json
+  sudo: True
+  tags:
+  - cms
+
+- include: ../../nginx/tasks/nginx_site.yml state=link site_name=cms
+- include: ../../nginx/tasks/nginx_site.yml state=link site_name=cms-backend
--- a/playbooks/roles/cms/templates/auth.json.j2
+++ b/playbooks/roles/cms/templates/auth.json.j2
+{{ auth_config | to_nice_json }}
--- a/playbooks/roles/cms/templates/env.json.j2
+++ b/playbooks/roles/cms/templates/env.json.j2
+{{ env_config | to_nice_json }}
--- a/playbooks/roles/cms/vars/main.yml
+++ b/playbooks/roles/cms/vars/main.yml
+# variables common to the cms role, automatically loaded
+# when the role is included
+---
+auth_config:
+  'CONTENTSTORE':
+    'ENGINE':  'xmodule.contentstore.mongo.MongoContentStore'
+  'MODULESTORE':
+    'default':
+      'ENGINE':  'xmodule.modulestore.mongo.MongoModuleStore'
+ 
+env_config:
+  'CACHES':
+    'default':
+      'BACKEND':  'django.core.cache.backends.memcached.MemcachedCache'
+      'KEY_FUNCTION':  'util.memcache.safe_key'
+    'mongo_metadata_inheritance':
+      'BACKEND':  'django.core.cache.backends.memcached.MemcachedCache'
+      'KEY_FUNCTION':  'util.memcache.safe_key'
+      'TIMEOUT': 300
+    'staticfiles':
+      'BACKEND':  'django.core.cache.backends.memcached.MemcachedCache'
+      'KEY_FUNCTION':  'util.memcache.safe_key'
+  'LOG_DIR': '/mnt/logs/edx'
+  'LOGGING_ENV': 'lms-dev'
+  'SITE_NAME': 'studio.lms-dev.m.edx.org'
+  'SYSLOG_SERVER': 'syslog.a.m.i4x.org'
+  'LMS_BASE': 'lms-dev.m.edx.org'
+  'SESSION_COOKIE_DOMAIN': '.lms-dev.m.edx.org'
+
--- a/playbooks/roles/lms/vars/main.yml
+++ b/playbooks/roles/lms/vars/main.yml
@@ -97,11 +97,11 @@ lms_debian_pkgs:
  - perl
  - pkg-config
  - postfix
-  - puppet
-  - puppet-common
-  - puppet-lint
-  - puppetmaster
-  - puppetmaster-common
+  #- puppet
+  #- puppet-common
+  #- puppet-lint
+  #- puppetmaster
+  #- puppetmaster-common
  - pylint
  - python-boto
  - python-coverage-test-runner

--- a/playbooks/roles/nginx/templates/cms-backend.j2
+++ b/playbooks/roles/nginx/templates/cms-backend.j2
+upstream cms-backend {
+    # For a TCP configuration:
+    server 127.0.0.1:8010 fail_timeout=0;
+}
--- a/playbooks/roles/nginx/templates/cms.j2
+++ b/playbooks/roles/nginx/templates/cms.j2
+server {
+  # CMS configuration file for nginx, templated by ansible
+      
+  listen 80;
+
+  server_name trace-cms.*
+              studio.lms-dev.m.edx.org;
+
+  #
+  # Send error response when request host isn't under our control
+  # We will no longer respond to proxy attempts like this with 
+  # anything.
+  # curl -i -A '' -x http://www.edx.org:80 --proxy-negotiate -U u:p -u u:p http://chat.sdtz.com
+  #
+
+  set $reject 'no';
+
+  if ($host !~* (edx.org|edxonline.org)$ ) {
+    set $reject 'yes';
+  }
+
+  if ($request_uri ~ ^(/heartbeat)$) {
+    set $reject 'no';
+  }
+
+  if ( $reject = 'yes' ) {
+    return 444;
+  }
+
+  
+  # CS184 requires uploads of up to 4MB for submitting screenshots. 
+  # CMS requires larger value for course assest, values provided 
+  # via hiera.
+  client_max_body_size 100M;
+  
+  rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;
+
+  location @proxy_to_cms_app {
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
+    proxy_set_header X-Forwarded-For $http_x_forwarded_for;
+    proxy_set_header Host $http_host;
+
+    proxy_redirect off;
+    proxy_pass http://cms-backend;
+  }
+
+  location / {
+    try_files $uri @proxy_to_cms_app;
+  }
+
+  # No basic auth security on the github_service_hook url, so that github can use it for cms
+  location /github_service_hook {
+    try_files $uri @proxy_to_cms_app;
+  }
+
+  # No basic auth security on the heartbeat url, so that ELB can use it
+  location /heartbeat {
+    try_files $uri @proxy_to_cms_app;
+  }
+
+  # Check security on this
+  location ~ /static/(?P<file>.*) {
+    auth_basic            "Restricted";
+    auth_basic_user_file  /etc/nginx/nginx.htpasswd;
+    root {{app_base_dir}};
+    try_files /staticfiles/$file /course_static/$file =404;
+
+    # return a 403 for static files that shouldn't be
+    # in the staticfiles directory
+    location ~ ^/static/(?:.*)(?:\.xml|\.json|README.TXT) {
+        return 403;
+    }
+    # Set django-pipelined files to maximum cache time
+    location ~ "/static/(?P<collected>.*\.[0-9a-f]{12}\..*)" {
+        expires max;
+
+        # Without this try_files, files that have been run through
+        # django-pipeline return 404s
+        try_files /staticfiles/$collected /course_static/$collected =404;
+    }
+
+    # Expire other static files immediately (there should be very few / none of these)
+    expires epoch;
+  }
+
+  # Forward to HTTPS if we're an HTTP request...
+  if ($http_x_forwarded_proto = "http") {
+    set $do_redirect "true";
+  }
+
+  # Run our actual redirect...
+  if ($do_redirect = "true") {
+    rewrite ^ https://$host$request_uri? permanent;
+  }
+
+}