[ARVADOS] updated: 434be0f7e6420fee1b99e78466ee4a4d734734c1

git at public.curoverse.com git at public.curoverse.com
Mon Aug 3 14:05:25 EDT 2015


Summary of changes:
 doc/install/install-api-server.html.textile.liquid | 32 ++++++---
 doc/install/install-sso.html.textile.liquid        | 79 +++++++++++++++++-----
 .../install-workbench-app.html.textile.liquid      | 23 +++----
 3 files changed, 94 insertions(+), 40 deletions(-)

       via  434be0f7e6420fee1b99e78466ee4a4d734734c1 (commit)
       via  b6f800ae7e474f1ceeb827fc9712296a96514592 (commit)
       via  b5b88cdaefb4f35b877c3279d6556fae7d62afcf (commit)
       via  a812a13a6e9854f37ecebccedeb163b8cbe7130e (commit)
       via  93655055b823716a4e45abc4f35f6ba06920e11b (commit)
       via  d44692dedcf0af87f53653afc27154c38a7b72a5 (commit)
      from  4d6e05c25c6a5d72afee37f8165b006267b4183d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 434be0f7e6420fee1b99e78466ee4a4d734734c1
Merge: 4d6e05c b6f800a
Author: Brett Smith <brett at curoverse.com>
Date:   Mon Aug 3 14:04:21 2015 -0400

    Merge branch '6591-6674-6676-nginx-docs-wip'
    
    Closes #6591, #6674, #6676, #6739 (woo!).


commit b6f800ae7e474f1ceeb827fc9712296a96514592
Author: Brett Smith <brett at curoverse.com>
Date:   Mon Aug 3 14:03:27 2015 -0400

    6591: Add ssl_certificate lines to sample install nginx configs.

diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index 8625e7f..3c188e3 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -277,6 +277,8 @@ server {
   server_name  <span class="userinput">uuid_prefix.your.domain</span>;
 
   ssl on;
+  ssl_certificate     <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
+  ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
 
   index  index.html index.htm index.php;
 
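Review bot: The ssl_certificate_key placeholder added under `ssl on;` hands readers a private key path with no guidance on protecting the file. Add a sentence next to the sample saying that cert.key should be readable only by the account that starts nginx, and that cert.pem should hold the server certificate followed by any intermediate certificates, since nginx reads the chain from that one file.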
@@ -299,6 +301,8 @@ server {
   server_name  ws.<span class="userinput">uuid_prefix.your.domain</span>;
 
   ssl on;
+  ssl_certificate     <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
+  ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
 
   index  index.html index.htm index.php;
 
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 7a89fc1..af999e9 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -243,6 +243,8 @@ server {
   server_name  auth.<span class="userinput">your.domain</span>;
 
   ssl on;
+  ssl_certificate     <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
+  ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
 
   index  index.html index.htm index.php;
 
diff --git a/doc/install/install-workbench-app.html.textile.liquid b/doc/install/install-workbench-app.html.textile.liquid
index e4cc8a5..5fc4111 100644
--- a/doc/install/install-workbench-app.html.textile.liquid
+++ b/doc/install/install-workbench-app.html.textile.liquid
@@ -139,6 +139,8 @@ server {
   server_name  workbench.<span class="userinput">uuid-prefix.your.domain</span>;
 
   ssl on;
+  ssl_certificate     <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
+  ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
 
   index  index.html index.htm index.php;
 

commit b5b88cdaefb4f35b877c3279d6556fae7d62afcf
Author: Brett Smith <brett at curoverse.com>
Date:   Sat Aug 1 15:07:04 2015 -0400

    6676: Install docs recommend running SSO server behind Nginx.
    
    This provides a straightforward way to get the server running as a
    daemon, and matches our suggestions for other Web servers for
    simplicity.

diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 4fe1fb1..7a89fc1 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -210,29 +210,74 @@ In order to use Google+ authentication, you must use the <a href="https://consol
   google_oauth2_client_id: <span class="userinput">"---YOUR---CLIENT---ID---HERE--"-</span>
   google_oauth2_client_secret: <span class="userinput">"---YOUR---CLIENT---SECRET---HERE--"-</span></code></pre></notextile>
 
-h2(#start). Start the SSO server
+h2(#start). Set up a Web server
 
-h3. Run a standalone passenger server
+For best performance, we recommend you use Nginx as your Web server front-end, with a Passenger backend to serve the SSO server.  To do that:
 
 <notextile>
-<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production passenger start</span>
-=============== Phusion Passenger Standalone web server started ===============
-...
+<ol>
+<li><a href="https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html">Install Nginx and Phusion Passenger</a>.</li>
+
+<li><p>Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for it.  You might add a block like the following, adding SSL and logging parameters to taste:</p>
+
+<pre><code>server {
+  listen 127.0.0.1:8900;
+  server_name localhost-sso;
+
+  root   <span class="userinput">/YOUR/PATH/TO/sso-devise-omniauth-provider/public</span>;
+  index  index.html index.htm index.php;
+
+  passenger_enabled on;
+  # If you're using RVM, uncomment the line below.
+  #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
+
+upstream sso {
+  server     127.0.0.1:8900  fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+server {
+  listen       <span class="userinput">[your public IP address]</span>:443 ssl;
+  server_name  auth.<span class="userinput">your.domain</span>;
+
+  ssl on;
+
+  index  index.html index.htm index.php;
+
+  location / {
+    proxy_pass            http://sso;
+    proxy_redirect        off;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout    300s;
+
+    proxy_set_header      X-Forwarded-Proto https;
+    proxy_set_header      Host $http_host;
+    proxy_set_header      X-Real-IP $remote_addr;
+    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
+}
 </code></pre>
+</li>
+
+<li>Restart Nginx.</li>
+
+</ol>
 </notextile>
 
-You can now test your installation by going to the page reported by passenger as "Accessible via: ..."
+{% include 'notebox_begin' %}
 
-Note: if you get the following warning "you may safely ignore it:":https://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning
+If you see the following warning "you may safely ignore it":https://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning:
 
 <pre>
-Connecting to database specified by database.yml
-App 4574 stderr:         SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
-App 4574 stderr:         This poses a security threat. It is strongly recommended that you
-App 4574 stderr:         provide a secret to prevent exploits that may be possible from crafted
-App 4574 stderr:         cookies. This will not be supported in future versions of Rack, and
-App 4574 stderr:         future versions will even invalidate your existing user cookies.
-App 4574 stderr:
-App 4574 stderr:         Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'.
-App 4592 stdout:
+SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+This poses a security threat. It is strongly recommended that you
+provide a secret to prevent exploits that may be possible from crafted
+cookies. This will not be supported in future versions of Rack, and
+future versions will even invalidate your existing user cookies.
+
+Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'.
 </pre>
+
+{% include 'notebox_end' %}
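Review bot: The notebox at the end of this hunk tells readers they may safely ignore a message that is labelled SECURITY WARNING and concerns session cookie secrets, on an authentication server, with only a Stack Overflow link as justification. State in the notebox itself why the warning does not apply to this deployment, so a reader can tell this case apart from a secret that is really missing. Separately, the new public server block has `ssl on;` but no ssl_certificate or ssl_certificate_key lines, so nginx will reject it until the reader adds them; name those two directives in the step text or the sample. `ssl on;` is also redundant next to `listen ... :443 ssl;`.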

commit a812a13a6e9854f37ecebccedeb163b8cbe7130e
Author: Brett Smith <brett at curoverse.com>
Date:   Sat Aug 1 15:05:23 2015 -0400

    6591: Suggest proxy timeouts in install doc Nginx configs.
    
    These settings match what we use in production.  The defaults are more
    aggressive and can cause 503 responses for larger requests.

diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index 2fbea09..8625e7f 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -283,6 +283,8 @@ server {
   location / {
     proxy_pass            http://api;
     proxy_redirect        off;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout    300s;
 
     proxy_set_header      X-Forwarded-Proto https;
     proxy_set_header      Host $http_host;
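Review bot: `proxy_connect_timeout 90s;`, added under proxy_redirect, is above the 75 seconds that the nginx documentation says a connect timeout usually cannot exceed, so the extra 15 seconds are unlikely to take effect. The commit message ties the change to larger requests, which is what `proxy_read_timeout 300s;` covers; consider a connect timeout of 75s or lower, and say in the doc text which of the two values a reader should raise when requests time out.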
@@ -303,6 +305,8 @@ server {
   location / {
     proxy_pass            http://websockets;
     proxy_redirect        off;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout    300s;
 
     proxy_set_header      Upgrade $http_upgrade;
     proxy_set_header      Connection "upgrade";
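Review bot: In the websockets location, `proxy_read_timeout 300s;` also acts as an idle limit: nginx closes a proxied connection when the upstream sends nothing for that long, so a quiet WebSocket connection is dropped after five minutes. A comment above the two added lines stating this, and whether clients are expected to reconnect or the server to send periodic traffic, would make the behaviour clear to whoever copies this block.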
diff --git a/doc/install/install-workbench-app.html.textile.liquid b/doc/install/install-workbench-app.html.textile.liquid
index 6e91178..e4cc8a5 100644
--- a/doc/install/install-workbench-app.html.textile.liquid
+++ b/doc/install/install-workbench-app.html.textile.liquid
@@ -145,6 +145,8 @@ server {
   location / {
     proxy_pass            http://workbench;
     proxy_redirect        off;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout    300s;
 
     proxy_set_header      X-Forwarded-Proto https;
     proxy_set_header      Host $http_host;

commit 93655055b823716a4e45abc4f35f6ba06920e11b
Author: Brett Smith <brett at curoverse.com>
Date:   Sat Aug 1 15:03:15 2015 -0400

    6591: Improve install docs around $external_client variable.
    
    Our Nginx configuration uses this variable to automatically set
    X-External-Client: 1 in API request headers when clients don't have
    direct access to Keep stores.
    
    * Document the variable definition, and how to customize it, in the
      suggested API server configuration.
    * Remove the variable from the Workbench configuration.  Workbench
      does not currently read this header, so it isn't necessary.

diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index 090f7ff..2fbea09 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -262,6 +262,16 @@ upstream websockets {
 
 proxy_http_version 1.1;
 
+# When Keep clients request a list of Keep services from the API server, the
+# server will automatically return the list of available proxies if
+# the request headers include X-External-Client: 1.  Following the example
+# here, at the end of this section, add a line for each netmask that has
+# direct access to Keep storage daemons to set this header value to 0.
+geo $external_client {
+  default        1;
+  <span class="userinput">10.20.30.0/24</span>  0;
+}
+
 server {
   listen       <span class="userinput">[your public IP address]</span>:443 ssl;
   server_name  <span class="userinput">uuid_prefix.your.domain</span>;
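Review bot: The added comment's instruction "Following the example here, at the end of this section, add a line for each netmask" does not say that the lines belong inside the geo block, and "section" can be read as the whole page section. Suggest wording such as "add a line inside the geo block below, like the example, for each netmask that has direct access to Keep storage daemons". The comment also speaks of setting a header value while the block only defines the variable $external_client, so it should point at the proxy_set_header line that uses it. It is worth stating as well that geo matches on the address of the connecting client, so a network listed with 0 is trusted on source address alone and should only be one that can really reach the Keep storage daemons.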
diff --git a/doc/install/install-workbench-app.html.textile.liquid b/doc/install/install-workbench-app.html.textile.liquid
index 0b6a1d9..6e91178 100644
--- a/doc/install/install-workbench-app.html.textile.liquid
+++ b/doc/install/install-workbench-app.html.textile.liquid
@@ -148,7 +148,6 @@ server {
 
     proxy_set_header      X-Forwarded-Proto https;
     proxy_set_header      Host $http_host;
-    proxy_set_header      X-External-Client $external_client;
     proxy_set_header      X-Real-IP $remote_addr;
     proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
   }

commit d44692dedcf0af87f53653afc27154c38a7b72a5
Author: Brett Smith <brett at curoverse.com>
Date:   Sat Aug 1 14:59:42 2015 -0400

    6674: Install docs use Phusion's install instructions exclusively.
    
    Don't suggest installing nginx packages from a distribution or
    backports collection, because that conflicts with the instructions
    provided by Phusion.

diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index ad31d96..090f7ff 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -16,21 +16,19 @@ h3(#install_postgres). Install PostgreSQL
 
 {% include 'install_postgres' %}
 
-h3(#build_tools_apiserver). Build tools
-
-On older distributions, you may need to use a backports repository to satisfy these requirements.  For example, on older Red Hat-based systems, consider using the "postgresql92":https://www.softwarecollections.org/en/scls/rhscl/postgresql92/ and "nginx16":https://www.softwarecollections.org/en/scls/rhscl/nginx16/ Software Collections.
+h2(#install_apiserver). Install API server and dependencies
 
 On a Debian-based system, install the following packages:
 
 <notextile>
-<pre><code>~$ <span class="userinput">sudo apt-get install bison build-essential libcurl4-openssl-dev git nginx arvados-api-server</span>
+<pre><code>~$ <span class="userinput">sudo apt-get install bison build-essential libcurl4-openssl-dev git arvados-api-server</span>
 </code></pre>
 </notextile>
 
 On a Red Hat-based system, install the following packages:
 
 <notextile>
-<pre><code>~$ <span class="userinput">sudo yum install bison make automake gcc gcc-c++ libcurl-devel nginx git arvados-api-server</span>
+<pre><code>~$ <span class="userinput">sudo yum install bison make automake gcc gcc-c++ libcurl-devel git arvados-api-server</span>
 </code></pre>
 </notextile>
 
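Review bot: The heading change replaces the anchor #build_tools_apiserver with #install_apiserver and promotes the heading from h3 to h2, while the "Install PostgreSQL" heading in the context above stays h3. Any existing link to #build_tools_apiserver will break, so check the rest of the docs for references to it, and confirm that h2 is the intended level given that the prerequisite headings before it are h3.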
@@ -214,11 +212,9 @@ For best performance, we recommend you use Nginx as your Web server front-end, w
 
 <notextile>
 <ol>
-<li>Install Nginx via your distribution or a backports repository.</li>
-
-<li><a href="https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html">Install Phusion Passenger for Nginx</a>.</li>
+<li><a href="https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html">Install Nginx and Phusion Passenger</a>.</li>
 
-<li><p>Puma is already included with the API server's gems.  We recommend you use a tool like <a href="http://smarden.org/runit/">runit</a> or something similar.  Here's a sample run script for that:</p>
+<li><p>Puma is already included with the API server's gems.  We recommend you run it as a service under <a href="http://smarden.org/runit/">runit</a> or a similar tool.  Here's a sample runit script for that:</p>
 
 <pre><code>#!/bin/bash
 
diff --git a/doc/install/install-workbench-app.html.textile.liquid b/doc/install/install-workbench-app.html.textile.liquid
index 662a5e5..0b6a1d9 100644
--- a/doc/install/install-workbench-app.html.textile.liquid
+++ b/doc/install/install-workbench-app.html.textile.liquid
@@ -12,32 +12,24 @@ h3(#install_ruby_and_bundler). Install Ruby and Bundler
 
 {% include 'install_ruby_and_bundler' %}
 
-h3(#build_tools_workbench). Build tools
+h2(#install_workbench). Install Workbench and dependencies
 
 Workbench doesn't need its own database, so it does not need to have PostgreSQL installed.
 
-On older distributions, you may need to use a backports repository to satisfy these requirements.  For example, on older Red Hat-based systems, consider using the "nginx16":https://www.softwarecollections.org/en/scls/rhscl/nginx16/ Software Collection.
-
 On a Debian-based system, install the following packages:
 
 <notextile>
-<pre><code>~$ <span class="userinput">sudo apt-get install bison build-essential graphviz git nginx python-arvados-python-client arvados-workbench</span>
+<pre><code>~$ <span class="userinput">sudo apt-get install bison build-essential graphviz git python-arvados-python-client arvados-workbench</span>
 </code></pre>
 </notextile>
 
 On a Red Hat-based system, install the following packages:
 
 <notextile>
-<pre><code>~$ <span class="userinput">sudo yum install bison make automake gcc gcc-c++ graphviz git nginx python27-python-arvados-python-client arvados-workbench</span>
+<pre><code>~$ <span class="userinput">sudo yum install bison make automake gcc gcc-c++ graphviz git python27-python-arvados-python-client arvados-workbench</span>
 </code></pre>
 </notextile>
 
-{% include 'notebox_begin' %}
-
-If you intend to use specific versions of these packages from Software Collections, you may have to adapt some of the package names to match; e.g., @nginx16 at .
-
-{% include 'notebox_end' %}
-
 {% include 'note_python27_sc' %}
 
 h2. Set up configuration files
@@ -120,9 +112,7 @@ For best performance, we recommend you use Nginx as your Web server front-end, w
 
 <notextile>
 <ol>
-<li>Install Nginx via your distribution or a backports repository.</li>
-
-<li><a href="https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html">Install Phusion Passenger for Nginx</a>.</li>
+<li><a href="https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html">Install Nginx and Phusion Passenger</a>.</li>
 
 <li><p>Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for it.  You might add a block like the following, adding SSL and logging parameters to taste:</p>
 

-----------------------------------------------------------------------


hooks/post-receive
-- 



