Commit 764c536d by John Jarvis

creates basic nginx configuration, default and lms, adds nginx handler

parent eb0f151d
......@@ -7,4 +7,3 @@
roles:
- common
- nginx
- lms
# Variables for all playbooks
#
# These variables should apply to all roles and environments.
# All definitions can be overrided in the
# the group files that are in this directory
#
# If a new variable is added please document it!
---
nginx_cfg:
# - link - turn on
# - absent - turn off
sites_enabled:
basic_auth: link
edx_release: link
# path to version files for the basic
# nginx configuration
version_html: /opt/wwc/versions.html
version_json: /opt/wwc/versions.json
# default htpasswd contents set to edx/edx
# this value can be overiden in vars/secure/<group>.yml
htpasswd: |
edx:$apr1$2gWcIvlc$Nu7b/KTwd5HoIDEkSPNUk/
pkgs:
nginx:
state: installed
# requires:
# - common/tasks/main.yml
# - nginx/tasks/main.yml
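Review bot: The `htpasswd` default on L31-32 commits a working credential (edx/edx per the comment on L29) to a variables file that applies to every environment, and the nginx role copies that value verbatim into `/etc/nginx/nginx.htpasswd`, so any group whose `vars/secure/<group>.yml` override is missing runs basic auth with a published password. Shipping an empty default and adding a `fail:` task in the nginx role that fires when `nginx_cfg.htpasswd` is empty turns the comment on L30 into an enforced requirement instead of a reminder. The `|` block scalar keeps a trailing newline on the value, which is harmless for an htpasswd file but worth stating in the comment so nobody "tidies" it to `|-` and later relies on the exact bytes.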
---
- name: create lms application config
template: src=env.json.j2 dest=/opt/wwc/lms-env.json
......@@ -5,3 +8,5 @@
- name: create lms auth file
template: src=auth.json.j2 dest=/opt/wwc/lms-auth.json
sudo: True
- include: ../../nginx/tasks/nginx_site.yml state=link site_name=lms
---
- name: restart nginx
service: name=nginx state=restarted
sudo: True
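Review bot: The handler on L48-49 restarts nginx rather than reloading it, so every notified change drops in-flight connections, and if a rendered site template is syntactically broken nginx stays down after the restart. `service: name=nginx state=reloaded` lets the master process validate the new configuration and keep the old workers serving if it fails, and a `nginx -t` validation step in the task that renders the config would catch a bad template before the handler fires at all.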
# requires:
# - common/tasks/main.yml
---
- name: Install nginx
sudo: True
apt: pkg=nginx state={{ pkgs.nginx.state }}
- include: nginx_site.yml state=link site_name=edx-release
notify: restart nginx
# removing default link
- name: Removing default nginx config
sudo: True
file: path=/etc/nginx/sites-available/default state=absent
notify: restart nginx
# Standard configuration that is common across all roles
# Default values for these variables are set in group_vars/all
- include: nginx_site.yml state="{{ nginx_cfg.sites_enabled.edx_release }}" site_name=edx-release
- include: nginx_site.yml state="{{ nginx_cfg.sites_enabled.basic_auth }}" site_name=basic-auth
# Default htpassword file, required for basic auth
- copy: content={{ nginx_cfg.htpasswd }} dest=/etc/nginx/nginx.htpasswd
sudo: True
- name: Ensuring that nginx is running
sudo: True
service: name=nginx state=started
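Review bot: The `copy` task on L69-70 writes the basic-auth password file without `owner`, `group` or `mode`, so `/etc/nginx/nginx.htpasswd` is created under the default umask (typically world-readable) and the password hash is exposed to every local account; add `mode=0640 owner=root` with the group that nginx's workers run as, since the workers must read the file. The same task has no `name:`, and passing a multi-line block scalar containing `$` and `/` through the key=value form `content={{ nginx_cfg.htpasswd }}` is fragile — the block form `copy:` with `content: "{{ nginx_cfg.htpasswd }}"` avoids the argument-string parsing entirely. On L60-62 the comment says "removing default link" but the path removed is `/etc/nginx/sites-available/default`; the Debian package normally also installs the symlink `/etc/nginx/sites-enabled/default`, which is left dangling and which nginx's include of sites-enabled will then likely fail to open, so remove `/etc/nginx/sites-enabled/default` as well (or instead). This section has no hunk header in the rendering, so which of L57-58 and L66-67 is the old side is inferred, not certain.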
......@@ -3,7 +3,9 @@
- name: Copying nginx config
sudo: True
template: src={{ site_name }}.j2 dest=/etc/nginx/sites-available/{{ site_name }}
notify: restart nginx
- name: Creating nginx config link
sudo: True
file: src=/etc/nginx/sites-available/{{ site_name }} dest=/etc/nginx/sites-enabled/{{ site_name }} state={{ state }} owner=root group=root
notify: restart nginx
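Review bot: `state` and `site_name` are include parameters whose allowed values are not documented anywhere in this file, and L81 passes `state` straight through to the `file` module, so a caller supplying anything other than `link` or `absent` (for example `touch` or `directory`) would create a regular file or directory in sites-enabled instead of a symlink. A header comment such as `# params: site_name - template basename under templates/; state - link (enable) or absent (disable)` would make the contract visible, and a `fail:` guard on unexpected values would enforce it. The template task on L75-78 still renders the sites-available file when `state=absent`, which is harmless but worth stating in the same comment. The hunk starts at line 3, so the file's opening lines are outside this view.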
server {
listen 80;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/nginx.htpasswd;
root /opt/wwc/main_static;
index index.html
proxy_set_header X-Forwarded-Proto https;
}
}
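Review bot: L89 `index index.html` has no terminating semicolon, so nginx reads the next line's `proxy_set_header X-Forwarded-Proto https` as additional index file names rather than a directive (the `index` directive accepts multiple arguments, so `nginx -t` will not flag it); it should read `index index.html;`. The `proxy_set_header` line does nothing in this location anyway because there is no `proxy_pass`, so it can be dropped. This server listens on port 80 and challenges with basic auth, so the credentials travel in cleartext unless a TLS-terminating proxy sits in front of it, which the X-Forwarded-Proto header suggests but the commit does not state; a comment recording that assumption would help the next reader.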
......@@ -11,4 +11,3 @@ server {
alias {{ nginx_cfg.version_json }};
}
}
server {
listen 80;
server_name *.edx.org
#
# Send error response when request host isn't under our control
# We will no longer respond to proxy attempts like this with
# anything.
# curl -i -A '' -x http://www.edx.org:80 --proxy-negotiate -U u:p -u u:p http://chat.sdtz.com
#
set $reject 'no';
if ($host !~* (edx.org|edxonline.org)$ ) {
set $reject 'yes';
}
if ($request_uri ~ ^(/heartbeat)$) {
set $reject 'no';
}
if ( $reject = 'yes' ) {
return 444;
}
# CS184 requires uploads of up to 4MB for submitting screenshots.
# CMS requires larger value for course assest, values provided
# via hiera.
client_max_body_size 4M;
rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;
# CS188 rewrite rule for Arjun 9/19/12
rewrite ^/ai$ http://$host/courses/BerkeleyX/CS188.1x/2012_Fall/about last;
# redirect /ai to the about page for CS188.1x
rewrite ^/ai$ https://$host/courses/BerkeleyX/CS188.1x/2012_Fall/about last;
location @proxy_to_lms_app {
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://lms-backend;
}
location / {
try_files $uri @proxy_to_lms_app;
}
# No basic auth security on the github_service_hook url, so that github can use it for cms
location /github_service_hook {
try_files $uri @proxy_to_lms_app;
}
# No basic auth security on the heartbeat url, so that ELB can use it
location /heartbeat {
try_files $uri @proxy_to_lms_app;
}
# Check security on this
location ~ /static/(?P<file>.*) {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/lms.htpasswd;
root /opt/wwc;
try_files /staticfiles/$file /course_static/$file =404;
# return a 403 for static files that shouldn't be
# in the staticfiles directory
location ~ ^/static/(?:.*)(?:\.xml|\.json|README.TXT) {
return 403;
}
# Set django-pipelined files to maximum cache time
location ~ "/static/(?P<collected>.*\.[0-9a-f]{12}\..*)" {
expires max;
# Without this try_files, files that have been run through
# django-pipeline return 404s
try_files /staticfiles/$collected /course_static/$collected =404;
}
# Expire other static files immediately (there should be very few / none of these)
expires epoch;
}
# Forward to HTTPS if we're an HTTP request...
if ($http_x_forwarded_proto = "http") {
set $do_redirect "true";
}
# Run our actual redirect...
if ($do_redirect = "true") {
rewrite ^ https://$host$request_uri? permanent;
}
# Monitoring support for datadog.
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1/32;
deny all;
}
}
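Review bot: The `/static/` location on L147 points `auth_basic_user_file` at `/etc/nginx/lms.htpasswd`, but the only password file this commit installs is `/etc/nginx/nginx.htpasswd` (the copy task in the nginx role and the basic-auth template both use that name), so authenticated requests to /static will fail with a server error until the two agree; either change L147 to `auth_basic_user_file /etc/nginx/nginx.htpasswd;` or add a task that installs lms.htpasswd. L99 `server_name *.edx.org` is missing its terminating semicolon, so nginx will likely treat the following `set $reject 'no'` tokens as further server names or reject the file at `nginx -t`; it should read `server_name *.edx.org;`. The two `rewrite ^/ai$` rules on L122 and L124 differ only in scheme, and because the first uses `last` the https one is never reached, so the http version should be removed — it is also the one that sends the user to a cleartext URL. `$do_redirect` is compared on L170 without ever being initialised, which only produces an "uninitialized variable" warning in the error log, but a `set $do_redirect "false";` next to the `$reject` initialisation on L106 keeps the logs clean.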