From 0e4c9be723c716ee8a99d2504c26b02bfea3b4c2 Mon Sep 17 00:00:00 2001 From: Dominik Sander Date: Sat, 20 Jun 2015 21:21:21 +0200 Subject: [PATCH] First version of the manual deployment guide --- .gitignore | 1 + Gemfile | 2 +- Gemfile.lock | 6 +- Procfile | 20 +- config/unicorn.rb.example | 35 ++++ doc/README.md | 11 ++ doc/install/README.md | 5 + doc/install/installation.md | 341 +++++++++++++++++++++++++++++++++++ doc/install/requirements.md | 68 +++++++ lib/support/logrotate/huginn | 20 ++ lib/support/nginx/huginn | 70 +++++++ lib/support/nginx/huginn-ssl | 119 ++++++++++++ 12 files changed, 691 insertions(+), 7 deletions(-) create mode 100644 config/unicorn.rb.example create mode 100644 doc/README.md create mode 100644 doc/install/README.md create mode 100644 doc/install/installation.md create mode 100644 doc/install/requirements.md create mode 100644 lib/support/logrotate/huginn create mode 100644 lib/support/nginx/huginn create mode 100644 lib/support/nginx/huginn-ssl diff --git a/.gitignore b/.gitignore index e85f3386e1..1a9b4ce84f 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ deployment/cookbooks .ruby-gemset .ruby-version manifest.yml +config/unicorn.rb \ No newline at end of file diff --git a/Gemfile b/Gemfile index d6e9b34354..74cee4884f 100644 --- a/Gemfile +++ b/Gemfile @@ -120,6 +120,7 @@ end group :production do gem 'rack', '> 1.5.0' + gem 'unicorn', '~> 4.9.0' end # Platform requirements. @@ -145,6 +146,5 @@ end on_heroku do gem 'pg' - gem 'unicorn' gem 'rails_12factor', group: :production end diff --git a/Gemfile.lock b/Gemfile.lock index 683628047b..9ecfe29e29 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -230,7 +230,7 @@ GEM kaminari (0.16.1) actionpack (>= 3.0.0) activesupport (>= 3.0.0) - kgio (2.9.2) + kgio (2.9.3) kramdown (1.3.3) launchy (2.4.2) addressable (~> 2.3) @@ -472,7 +472,7 @@ GEM unf (0.1.4) unf_ext unf_ext (0.0.7.1) - unicorn (4.8.3) + unicorn (4.9.0) kgio (~> 2.6) rack raindrops (~> 0.7) 
@@ -576,7 +576,7 @@ DEPENDENCIES tzinfo (>= 1.2.0) tzinfo-data uglifier (>= 1.3.0) - unicorn + unicorn (~> 4.9.0) vcr webmock (~> 1.17.4) weibo_2! diff --git a/Procfile b/Procfile index feafae9749..af004e855b 100644 --- a/Procfile +++ b/Procfile @@ -1,13 +1,27 @@ +################# +# DEVELOPMENT # +################# + # Procfile for development using the new threaded worker (scheduler, twitter stream and delayed job) web: bundle exec rails server -b0.0.0.0 jobs: bundle exec rails runner bin/threaded.rb -# Possible Profile configuration for production: -# web: bundle exec unicorn -c config/unicorn/production.rb +# Old version with separate processes (use this if you have issues with the threaded version) +# web: bundle exec rails server +# schedule: bundle exec rails runner bin/schedule.rb +# twitter: bundle exec rails runner bin/twitter_stream.rb +# dj: bundle exec script/delayed_job run + +################# +# PRODUCTION # +################# + +# Using the threaded worker (consumes less RAM but can run slower) +# web: bundle exec unicorn -c config/unicorn.rb # jobs: bundle exec rails runner bin/threaded.rb # Old version with separate processes (use this if you have issues with the threaded version) -# web: bundle exec rails server -b0.0.0.0 +# web: bundle exec unicorn -c config/unicorn.rb # schedule: bundle exec rails runner bin/schedule.rb # twitter: bundle exec rails runner bin/twitter_stream.rb # dj: bundle exec script/delayed_job run diff --git a/config/unicorn.rb.example b/config/unicorn.rb.example new file mode 100644 index 0000000000..465c7a8cbc --- /dev/null +++ b/config/unicorn.rb.example 
@@ -0,0 +1,35 @@
+wd = "/home/huginn/huginn"
+
+app_path = wd
+
+worker_processes 2
+preload_app true
+timeout 180
+listen "#{wd}/tmp/sockets/unicorn.socket"
+
+working_directory app_path
+
+rails_env = ENV['RAILS_ENV'] || 'production'
+
+# Log everything to one file
+stderr_path "log/unicorn.log"
+stdout_path "log/unicorn.log"
+
+# Set master PID location
+pid "#{wd}/tmp/pids/unicorn.pid"
+
+before_fork do |server, worker|
+ ActiveRecord::Base.connection.disconnect!
+ old_pid = "#{server.config[:pid]}.oldbin"
+ if File.exist?(old_pid) && server.pid != old_pid
+ begin
+ Process.kill("QUIT", File.read(old_pid).to_i)
+ rescue Errno::ENOENT, Errno::ESRCH
+ # someone else did our job for us
+ end
+ end
+end
+
+after_fork do |server, worker|
+ ActiveRecord::Base.establish_connection
+end
diff --git a/doc/README.md b/doc/README.md
new file mode 100644
index 0000000000..dcaf53256b
--- /dev/null
+++ b/doc/README.md
@@ -0,0 +1,11 @@
+# Documentation
+
+## User documentation
+
+- [Check out Huginn with Docker](./tobewritten.md) Run a local Huginn installation using Docker
+
+
+## Administrator documentation
+
+- [Install](install/README.md) Requirements, directory structures and installation from source.
+- [Update](update/README.md) Update guides to upgrade your installation.
diff --git a/doc/install/README.md b/doc/install/README.md
new file mode 100644
index 0000000000..0e83c9487a
--- /dev/null
+++ b/doc/install/README.md
@@ -0,0 +1,5 @@
+# Installation
+
+- [Requirements](requirements.md) Software and hardware requirements to run the Huginn installation
+- [Install](installation.md) Installation guide for Ubundu/Debian
+- [Update](update.md) Update an existing Huginn installation
\ No newline at end of file
diff --git a/doc/install/installation.md b/doc/install/installation.md
new file mode 100644
index 0000000000..b1af6601c0
--- /dev/null
+++ b/doc/install/installation.md
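Review bot: `rails_env = ENV['RAILS_ENV'] || 'production'` is assigned and never read anywhere in the file, so it has no effect on the Unicorn configuration and should be removed or actually used. In `before_fork`, `File.read(old_pid).to_i` yields 0 for an empty or malformed `.oldbin` file and `Process.kill("QUIT", 0)` then signals the whole process group rather than a stale master; guard it with `stale = File.read(old_pid).to_i` followed by `Process.kill("QUIT", stale) if stale > 0`. The Unix socket is created with the process umask, so any local account can send requests straight to the application without passing through nginx; if the nginx worker user shares a group with `huginn`, `listen "#{wd}/tmp/sockets/unicorn.socket", umask: 0007` limits the socket to owner and group. `stderr_path` and `stdout_path` are the only relative paths here and resolve against `working_directory app_path` only because that directive precedes them, which is worth a comment such as `# relative to working_directory above`.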
@@ -0,0 +1,341 @@ +# Installation from source + + +## Important Notes + +This guide is long because it covers many cases and includes all commands you need. + +This installation guide was created for and tested on **Debian/Ubuntu** operating systems. Please read [doc/install/requirements.md](./requirements.md) for hardware and operating system requirements. + +This is the official installation guide to set up a production server. To set up a **development installation** or for many other installation options please see [the getting started section of the readme](https://github.com/cantino/huginn#getting-started). + +The following steps have been known to work. Please **use caution when you deviate** from this guide. Make sure you don't violate any assumptions Huginn makes about its environment. For example many people run into permission problems because they change the location of directories or run services as the wrong user. + +If you find a bug/error in this guide please **submit a merge request**. + +## Overview + +The Huginn installation consists of setting up the following components: + +1. Packages / Dependencies +1. Ruby +1. System Users +1. Database +1. Huginn +1. Nginx + +## 1. Packages / Dependencies + +`sudo` is not installed on Debian by default. Make sure your system is +up-to-date and install it. + + # run as root! + apt-get update -y + apt-get upgrade -y + apt-get install sudo -y + +**Note:** During this installation some files will need to be edited manually. If you are familiar with vim set it as default editor with the commands below. If you are not familiar with vim please skip this and keep using the default editor. 
+ + # Install vim and set as default editor + sudo apt-get install -y vim + sudo update-alternatives --set editor /usr/bin/vim.basic + +Import node.js repository (can be skipped on Ubuntu and Debian Jessie): + + curl -sL https://deb.nodesource.com/setup_0.12 | sudo bash - + +Install the required packages (needed to compile Ruby and native extensions to Ruby gems): + + sudo apt-get install -y build-essential git zlib1g-dev libyaml-dev libssl-dev libgdbm-dev libreadline-dev libncurses5-dev libffi-dev curl openssh-server checkinstall libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev logrotate python-docutils pkg-config cmake nodejs graphviz + + +## 2. Ruby + + +The use of Ruby version managers such as [RVM](http://rvm.io/), [rbenv](https://github.com/sstephenson/rbenv) or [chruby](https://github.com/postmodern/chruby) with Huginn in production frequently leads to hard-to-diagnose problems. Version managers are not supported and we strongly advise everyone to follow the instructions below to use a system Ruby. + +Remove the old Ruby versions if present: + + sudo apt-get remove -y ruby1.8 ruby1.9 + +Download Ruby and compile it: + + mkdir /tmp/ruby && cd /tmp/ruby + curl -L --progress http://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.2.tar.bz2 | tar xj + cd ruby-2.2.2 + ./configure --disable-install-rdoc + make -j`nproc` + sudo make install + +Install the bundler and foreman gems: + + sudo gem install bundler foreman --no-ri --no-rdoc + +## 3. System Users + +Create a user for Huginn: + + sudo adduser --disabled-login --gecos 'Huginn' huginn + +## 4. 
Database + +Install the database packages + + sudo apt-get install -y mysql-server mysql-client libmysqlclient-dev + + # Pick a MySQL root password (can be anything), type it and press enter, + # retype the MySQL root password and press enter + +Check the installed MySQL version (remeber if its >= 5.5.3 for the `.env` configuration done later): + + mysql --version + +Secure your installation + + sudo mysql_secure_installation + +Login to MySQL + + mysql -u root -p + + # Type the MySQL root password + +Create a user for Huginn do not type the `mysql>`, this is part of the prompt. Change `$password` in the command below to a real password you pick + + mysql> CREATE USER 'huginn'@'localhost' IDENTIFIED BY '$password'; + +Ensure you can use the InnoDB engine which is necessary to support long indexes + + mysql> SET storage_engine=INNODB; + + # If this fails, check your MySQL config files (e.g. `/etc/mysql/*.cnf`, `/etc/mysql/conf.d/*`) + # for the setting "innodb = off" + +Grant the Huginn user necessary permissions on the database + + mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES ON `huginn_production`.* TO 'huginn'@'localhost'; + +Quit the database session + + mysql> \q + +Try connecting to the new database with the new user + + sudo -u huginn -H mysql -u huginn -p -D huginn_production + + # Type the password you replaced $password with earlier + +You should now see `ERROR 1049 (42000): Unknown database 'huginn_production'` which is fine because we will create the database later. + +You are done installing the database and can go back to the rest of the installation. + + +## 6. 
Huginn + +### Clone the Source + + # We'll install Huginn into home directory of the user "huginn" + cd /home/huginn + + # Clone Huginn repository + #sudo -u huginn -H git clone https://github.com/cantino/huginn.git -b master huginn + # **FIXME** + sudo -u huginn -H git clone https://github.com/dsander/huginn.git -b deployment-guide huginn + + # Go to Huginn installation folder + cd /home/huginn/huginn + + # Copy the example Huginn config + sudo -u huginn -H cp .env.example .env + + # Create the log/, tmp/pids/ and tmp/sockets/ directories + sudo -u huginn mkdir -p log tmp/pids tmp/sockets + + # Make sure Huginn can write to the log/ and tmp/ directories + sudo chown -R huginn log/ tmp/ + sudo chmod -R u+rwX,go-w log/ tmp/ + + # Make sure permissions are set correctly + sudo chmod -R u+rwX,go-w log/ + sudo chmod -R u+rwX tmp/ + sudo -u huginn -H chmod o-rwx .env + + # Copy the example Unicorn config + sudo -u huginn -H cp config/unicorn.rb.example config/unicorn.rb + +### Install Gems + +**Note:** As of bundler 1.5.2, you can invoke `bundle install -jN` (where `N` the number of your processor cores) and enjoy parallel gem installation with measurable difference in completion time (~60% faster). Check the number of your cores with `nproc`. For more information check this [post](http://robots.thoughtbot.com/parallel-gem-installing-using-bundler). First make sure you have bundler >= 1.5.2 (run `bundle -v`) as it addresses some [issues](https://devcenter.heroku.com/changelog-items/411) that were [fixed](https://github.com/bundler/bundler/pull/2817) in 1.5.2. 
+ + sudo -u huginn -H bundle install --deployment --without development test + + +### Configure it + + # Update Huginn config file and follow the instructions + sudo -u huginn -H editor .env + +If you are using a local MySQL server the database configuration should look like this (use the password of the huginn MySQL user you created earlier): + + DATABASE_ADAPTER=mysql2 + DATABASE_ENCODING=utf8 + DATABASE_RECONNECT=true + DATABASE_NAME=huginn_production + DATABASE_POOL=20 + DATABASE_USERNAME=huginn + DATABASE_PASSWORD="" + #DATABASE_HOST=your-domain-here.com + #DATABASE_PORT=3306 + #DATABASE_SOCKET=/tmp/mysql.sock + +**Important**: Uncomment the RAILS_ENV setting to run Huginn in the production rails environment + + RAILS_ENV=production + +Change the Unicorn config if needed, the [requirements.md](./requirements.md#unicorn-workers) has a section explaining the suggested amount of unicorn workers: + + # Increase the amount of workers if you expect to have a high load instance. + # 2 are enough for most use cases, if the server has less then 2GB of RAM + # decrease the worker amount to 1 + sudo -u huginn -H editor config/unicorn.rb + + +**Important Note:** Make sure to edit both `.env` and `unicorn.rb` to match your setup. + +**Note:** If you want to use HTTPS, see [Using HTTPS](#using-https) for the additional steps. + + +### Initialize Database + + # Create the database + sudo -u huginn -H bundle exec rake db:create RAILS_ENV=production + + # Migrate to the latest version + sudo -u huginn -H bundle exec rake db:migrate RAILS_ENV=production + + # Create admin user and example agents + sudo -u huginn -H bundle exec rake db:seed RAILS_ENV=production + +When done you see `See the Huginn Wiki for more Agent examples! https://github.com/cantino/huginn/wiki` + +**Note:** This will create an initial user, you can set the username and password by supplying it in environmental variables `SEED_USERNAME` and`SEED_PASSWORD` as seen below. 
If you don't set the password (and it is set to the default one) please wait with exposing Huginn to the public internet until the installation is done and you've logged into the server and changed your password. + + sudo -u huginn -H bundle exec rake db:seed RAILS_ENV=production SEED_USERNAME=admin SEED_PASSWORD=yourpassword + +### Install Init Script + +Huginn uses foreman to generate the init scripts based on a `Procfile` + +Edit the `Procfile` and choose one of the suggested versions for production + + sudo -u huginn -H editor Procfile + +**Debian only** Install upstart and reboot the system (skip this step on Ubuntu): + + sudo apt-get install -y --force-yes upstart + sudo reboot + # After you you logged back in go to Huginn installation folder + cd /home/huginn/huginn + +Export the init scripts using foreman: + + sudo foreman export upstart -a huginn /etc/init + +**Note:** You have to re-export the init script every time you change the configuration in `.env`! + +### Setup Logrotate + + sudo cp lib/support/logrotate/huginn /etc/logrotate.d/huginn + +### Compile Assets + + sudo -u huginn -H bundle exec rake assets:precompile RAILS_ENV=production + +### Start Your Huginn Instance + + sudo start huginn + +## 7. Nginx + +**Note:** Nginx is the officially supported web server for Huginn. If you cannot or do not want to use Nginx as your web server, the wiki has a page on how to configure [apache](https://github.com/cantino/huginn/wiki/Apache-Huginn-configuration). 
+ +### Installation + + sudo apt-get install -y nginx + +### Site Configuration + +Copy the example site config: + + sudo cp lib/support/nginx/huginn /etc/nginx/sites-available/huginn + sudo ln -s /etc/nginx/sites-available/huginn /etc/nginx/sites-enabled/huginn + +Make sure to edit the config file to match your setup, if you are running multiple nginx sites remove the `default_server` argument from the `listen` directives: + + # Change YOUR_SERVER_FQDN to the fully-qualified + # domain name of your host serving Huginn. + sudo editor /etc/nginx/sites-available/huginn + +Remove the default nginx site, **if huginn is the only enabled nginx site**: + + sudo rm /etc/nginx/sites-enabled/default + +**Note:** If you want to use HTTPS, replace the `huginn` Nginx config with `huginn-ssl`. See [Using HTTPS](#using-https) for HTTPS configuration details. + +### Test Configuration + +Validate your `huginn` or `huginn-ssl` Nginx config file with the following command: + + sudo nginx -t + +You should receive `syntax is okay` and `test is successful` messages. If you receive errors check your `huginn` or `huginn-ssl` Nginx config file for typos, etc. as indicated in the error message given. + +### Restart + + sudo service nginx restart + +# Done! + +### Initial Login + +Visit YOUR_SERVER in your web browser for your first Huginn login. The setup has created a default admin account for you. You can use it to log in: + + admin + password + + +**Enjoy!** + +You can use `sudo start huginn` and `sudo stop huginn` to start and stop Huginn. + +## Advanced Setup Tips + +### Using HTTPS + +To use Huginn with HTTPS: + +1. In `.env`: + 1. Set the `FORCE_SSL` option to `true`. +1. Use the `huginn-ssl` Nginx example config instead of the `huginn` config: + 1. `sudo cp lib/support/nginx/huginn-ssl /etc/nginx/sites-available/huginn` + 1. Update `YOUR_SERVER_FQDN`. + 1. Update `ssl_certificate` and `ssl_certificate_key`. + 1. 
Review the configuration file and consider applying other security and performance enhancing features. + +Restart Nginx, export the init script and restart Huginn: + +``` +cd /home/huginn/huginn +sudo service nginx restart +sudo foreman export upstart -a huginn /etc/init +sudo restart huginn +``` + +Using a self-signed certificate is discouraged, but if you must use it follow the normal directions. Then generate the certificate: + +``` +sudo mkdir -p /etc/nginx/ssl/ +cd /etc/nginx/ssl/ +sudo openssl req -newkey rsa:2048 -x509 -nodes -days 3560 -out huginn.crt -keyout huginn.key +sudo chmod o-r huginn.key +``` diff --git a/doc/install/requirements.md b/doc/install/requirements.md new file mode 100644 index 0000000000..c4084938e9 --- /dev/null +++ b/doc/install/requirements.md 
@@ -0,0 +1,68 @@ +# Requirements + +## Operating Systems + +### Supported Unix distributions + +- Ubuntu (12.04 and 14.04) +- Debian (Jessie and Wheezy) + +### Unsupported Unix distributions + +- CentOS +- Red Hat Enterprise Linux +- OS X +- Arch Linux +- Fedora +- Gentoo +- FreeBSD + +On the above unsupported distributions is still possible to install Huginn. Follow the [installation guide](./installation.md) and substitute the `apt` commands with the corresponding package manager commands of your distribution. + +### Non-Unix operating systems such as Windows + +Huginn is developed for Unix operating systems. +Huginn does **not** run on Windows and we have no plans of supporting it in the near future. +Please consider using a virtual machine to run Huginn. + +## Ruby versions + +Huginn requires Ruby (MRI) 2.0, 2.1 or 2.2 +You will have to use the standard MRI implementation of Ruby. +We love [JRuby](http://jruby.org/) and [Rubinius](http://rubini.us/) but Huginn needs several Gems that have native extensions. + +## Hardware requirements + +### CPU + +- _single core_ setups will work but depending on the amount of Huginn Agents and users it will run a bit slower since the application server and background jobs can not run simultaneously +- _dual core_ setups are the **recommended** system/vps and will work well for a decent amount of Agents +- 3+ cores can be needed when running multiple DelayedJob workers + +### Memory + +You need at least 0.5GB of physical and 0.5GB of addressable memory (swap) to install and use Huginn with the default configuration! +With less memory you need to manually adjust the `Gemfile` and Huginn can respond with internal server errors when accessing the web interface. + +- 256MB RAM + 0.5GB of swap is the absolute minimum but we strongly **advise against** this amount of memory. 
See the Wiki page about running Huginn on [systems with low memory](https://github.com/cantino/huginn/wiki/Running-Huginn-on-minimal-systems-with-low-RAM-&-CPU-e.g.-Raspberry-Pi) +- 0.5GB RAM + 0.5GB swap will work relatively well with SSD drives, but can feel a bit slow due to swapping +- 1GB RAM + 1GB swap will work with two unicorn workers and the threaded background worker +- **2GB RAM** is the **recommended** memory size, it will support 2 unicorn workers and both the threaded and the old separate workers +- for each 300MB of additional RAM you can run one extra DelayedJob worker + +## Unicorn Workers + +It's possible to increase the amount of unicorn workers and this will usually help for to reduce the response time of the applications and increase the ability to handle parallel requests. + +For most instances we recommend using: CPU cores = unicorn workers. + +If you have a 512MB machine we recommend to configure only one Unicorn worker and use the threaded background worker to prevent excessive swapping. + + +## DelayedJob Workers + +A DelayedJob worker is a separate process which runs your Huginn Agents. It fetches Websites, polls external services for updates, etc. Depending on the amount of Agents and the check frequency of those you might need to run more than one worker (like it is done in the threaded setup). + +Estimating the amount of workers needed is easy. One worker can perform just one check at a time. +If you have 60 Agents checking websites every minute which take about 1 second to respond, one worker is fine. +If you need more Agents or are dealing with slow/unreliable websites/services, you should consider running additional workers. \ No newline at end of file diff --git a/lib/support/logrotate/huginn b/lib/support/logrotate/huginn new file mode 100644 index 0000000000..3ccb42dea9 --- /dev/null +++ b/lib/support/logrotate/huginn 
@@ -0,0 +1,20 @@
+/home/huginn/huginn/log/*.log {
+ daily
+ missingok
+ rotate 180
+ # must use with delaycompress below
+ compress
+ dateext
+
+ # this is important if using "compress" since we need to call
+ # the "lastaction" script below before compressing:
+ delaycompress
+
+ # note the lack of the evil "copytruncate" option in this
+ # config. Unicorn supports the USR1 signal and we send it
+ # as our "lastaction" action:
+ lastaction
+ pid=/home/huginn/huginn/tmp/pids/unicorn.pid
+ test -s $pid && kill -USR1 "$(cat $pid)"
+ endscript
+}
\ No newline at end of file
diff --git a/lib/support/nginx/huginn b/lib/support/nginx/huginn
new file mode 100644
index 0000000000..8e6b841306
--- /dev/null
+++ b/lib/support/nginx/huginn
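Review bot: The `lastaction` script runs under logrotate (root) and signals whatever pid is stored in `tmp/pids/unicorn.pid`, a file owned by the `huginn` user, so a compromised application account could point root's `kill -USR1` at an unrelated process. Adding `su huginn huginn` to the stanza makes the rotation itself run as the application user; whether the script is also executed under that user depends on the logrotate version, so verify on the target system before relying on it. `$pid` is unquoted in both `test -s $pid` and `$(cat $pid)`; the conventional form is `test -s "$pid" && kill -USR1 "$(cat "$pid")"`. The file is also committed without a trailing newline.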
@@ -0,0 +1,70 @@
+## Huginn
+##
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+###################################
+## configuration ##
+###################################
+##
+## See installation.md#using-https for additional HTTPS configuration details.
+
+upstream huginn {
+ server unix:/home/huginn/huginn/tmp/sockets/unicorn.socket fail_timeout=0;
+}
+
+## Normal HTTP host
+server {
+ listen 0.0.0.0:80 default_server;
+ listen [::]:80 ipv6only=on default_server;
+ server_name YOUR_SERVER_FQDN; ## Replace this with something like huginn.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ root /home/huginn/huginn/public;
+
+ ## Increase this if you want to upload large attachments
+ client_max_body_size 20m;
+
+ ## Individual nginx logs for this Huginn vhost
+ access_log /var/log/nginx/huginn_access.log;
+ error_log /var/log/nginx/huginn_error.log;
+
+ location / {
+ ## Serve static files from defined root folder.
+ ## @huginn is a named location for the upstream fallback, see below.
+ try_files $uri $uri/index.html $uri.html @huginn;
+ }
+
+ ## If a file, which is not found in the root folder is requested,
+ ## then the proxy passes the request to the upsteam (huginn unicorn).
+ location @huginn {
+ ## If you use HTTPS make sure you disable gzip compression
+ ## to be safe against BREACH attack.
+ # gzip off;
+
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://huginn;
+ }
+
+ ## Enable gzip compression as per rails guide:
+ ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+ ## WARNING: If you are using relative urls remove the block below
+ ## See config/application.rb under "Relative url support" for the list of
+ ## other files that need to be changed for relative url support
+ location ~ ^/(assets)/ {
+ root /home/huginn/huginn/public;
+ gzip_static on; # to serve pre-gzipped version
+ expires max;
+ add_header Cache-Control public;
+ }
+
+ error_page 502 /502.html;
+}
diff --git a/lib/support/nginx/huginn-ssl b/lib/support/nginx/huginn-ssl
new file mode 100644
index 0000000000..932fcf3c05
--- /dev/null
+++ b/lib/support/nginx/huginn-ssl
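Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in the `@huginn` location sets a header on the request forwarded to Unicorn, not on the response sent to the browser, so it provides no clickjacking protection; the directive intended here is `add_header X-Frame-Options SAMEORIGIN;`, and the same line appears in `lib/support/nginx/huginn-ssl`. If Huginn keeps the Rails default response headers the application already emits this header itself, in which case the line can simply be dropped rather than corrected. The BREACH note above `# gzip off;` describes the HTTPS case only, which is fine for this plain-HTTP file but worth stating so readers do not uncomment it needlessly.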
@@ -0,0 +1,119 @@
+## Huginn
+##
+## Modified from nginx http version
+## Modified from http://blog.phusion.nl/2012/04/21/tutorial-setting-up-gitlab-on-debian-6/
+## Modified from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+## Modified from https://github.com/gitlabhq/gitlabhq/blob/master/lib/support/nginx/gitlab-ssl
+##
+## Lines starting with two hashes (##) are comments with information.
+## Lines starting with one hash (#) are configuration parameters that can be uncommented.
+##
+###################################
+## configuration ##
+###################################
+##
+## See installation.md#using-https for additional HTTPS configuration details.
+
+upstream huginn {
+ server unix:/home/huginn/huginn/tmp/sockets/unicorn.socket fail_timeout=0;
+}
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+ listen 0.0.0.0:80;
+ listen [::]:80 ipv6only=on default_server;
+ server_name YOUR_SERVER_FQDN; ## Replace this with something like huginn.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ return 301 https://$server_name$request_uri;
+ access_log /var/log/nginx/huginn_access.log;
+ error_log /var/log/nginx/huginn_error.log;
+}
+
+
+## HTTPS host
+server {
+ listen 0.0.0.0:443 ssl;
+ listen [::]:443 ipv6only=on ssl default_server;
+ server_name YOUR_SERVER_FQDN; ## Replace this with something like huginn.example.com
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ root /home/git/huginn/public;
+
+ ## Increase this if you want to upload large attachments
+ ## Or if you want to accept large git objects over http
+ client_max_body_size 20m;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+ ssl on;
+ ssl_certificate /etc/nginx/ssl/huginn.crt;
+ ssl_certificate_key /etc/nginx/ssl/huginn.key;
+
+ ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 5m;
+
+ ## See app/controllers/application_controller.rb for headers set
+
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 5s;
+
+ ## [Optional] Generate a stronger DHE parameter:
+ ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+ ##
+ # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ ## Individual nginx logs for this huginn vhost
+ access_log /var/log/nginx/huginn_access.log;
+ error_log /var/log/nginx/huginn_error.log;
+
+ location / {
+ ## Serve static files from defined root folder.
+ ## @huginn is a named location for the upstream fallback, see below.
+ try_files $uri $uri/index.html $uri.html @huginn;
+ }
+
+ ## If a file, which is not found in the root folder is requested,
+ ## then the proxy passes the request to the upsteam (huginn unicorn).
+ location @huginn {
+ ## If you use HTTPS make sure you disable gzip compression
+ ## to be safe against BREACH attack.
+ gzip off;
+
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://huginn;
+ }
+
+ ## Enable gzip compression as per rails guide:
+ ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
+ ## WARNING: If you are using relative urls remove the block below
+ ## See config/application.rb under "Relative url support" for the list of
+ ## other files that need to be changed for relative url support
+ location ~ ^/(assets)/ {
+ root /home/huginn/huginn/public;
+ gzip_static on; # to serve pre-gzipped version
+ expires max;
+ add_header Cache-Control public;
+ }
+
+ error_page 502 /502.html;
+}
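Review bot: `root /home/git/huginn/public;` in the HTTPS server block is a leftover from the GitLab template it was adapted from and does not match the `/home/huginn/huginn/public` used by the assets location, the HTTP config and the installation guide; with that root `try_files` never finds a static file and every request, including `/502.html`, falls through to Unicorn, so it should read `root /home/huginn/huginn/public;`. `ssl on;` duplicates the `ssl` parameter already given on both `listen` lines and is deprecated in current nginx releases, so the `listen` form alone is enough. The redirect server carries `default_server` only on its `[::]:80` listener while the HTTP config sets it on both, which looks unintentional. By today's standards the cipher list still admits the 3DES suites (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) and `TLSv1 TLSv1.1` are enabled; a comment pointing readers to trim these once legacy clients are no longer needed would help.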