deploy_mate 0.1 → 0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +19 -0
- data/Gemfile.lock +9 -7
- data/README.md +57 -29
- data/deploy-mate.gemspec +5 -8
- data/lib/capistrano/configs/application.pill.erb +59 -0
- data/lib/capistrano/configs/fail2ban-nginx-request-limit-filter.conf.erb +13 -0
- data/lib/capistrano/configs/fail2ban-nginx-request-limit-jail.conf.erb +494 -0
- data/lib/capistrano/configs/logrotate.erb +2 -2
- data/lib/capistrano/configs/nginx_app.conf.erb +9 -4
- data/lib/capistrano/configs/nginx_base.conf.erb +1 -1
- data/lib/capistrano/configs/puma.rb.erb +64 -0
- data/lib/capistrano/configs/upstart.conf.erb +1 -1
- data/lib/capistrano/deploy_mate_capfile.rb +2 -2
- data/lib/capistrano/deploy_mate_defaults.rb +5 -4
- data/lib/capistrano/helpers.rb +4 -2
- data/lib/capistrano/modules/shell.rb +7 -0
- data/lib/capistrano/modules/user_management.rb +11 -0
- data/lib/capistrano/scripts/create_ubuntu_user.sh +9 -0
- data/lib/capistrano/scripts/set_defaults.sh +2 -1
- data/lib/capistrano/tasks/bluepill.rake +29 -5
- data/lib/capistrano/tasks/elasticsearch.rake +18 -0
- data/lib/capistrano/tasks/fail2ban.rake +22 -0
- data/lib/capistrano/tasks/logrotate.rake +1 -0
- data/lib/capistrano/tasks/machine.rake +99 -17
- data/lib/capistrano/tasks/nginx.rake +7 -4
- data/lib/capistrano/tasks/puma.rake +18 -0
- data/lib/capistrano/tasks/unicorn.rake +1 -17
- data/lib/capistrano/tasks/upstart.rake +2 -0
- data/lib/deploy_mate/tasks.rake +52 -45
- data/lib/deploy_mate/templates/Capfile.erb +9 -2
- data/lib/deploy_mate/templates/deploy/stage.rb.erb +4 -4
- data/lib/deploy_mate/templates/deploy.rb.erb +22 -4
- data/lib/deploy_mate/templates/deploy_mate.yml.erb +79 -0
- data/lib/deploy_mate.rb +9 -0
- metadata +19 -5
- data/lib/capistrano/configs/unicorn.pill.erb +0 -28
@@ -0,0 +1,494 @@
|
|
1
|
+
# Fail2Ban configuration file.
|
2
|
+
#
|
3
|
+
# This file was composed for Debian systems from the original one
|
4
|
+
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
|
5
|
+
# for additional examples.
|
6
|
+
#
|
7
|
+
# Comments: use '#' for comment lines and ';' for inline comments
|
8
|
+
#
|
9
|
+
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
|
10
|
+
# and rather provide your changes in /etc/fail2ban/jail.local
|
11
|
+
#
|
12
|
+
|
13
|
+
# The DEFAULT allows a global definition of the options. They can be overridden
|
14
|
+
# in each jail afterwards.
|
15
|
+
|
16
|
+
[DEFAULT]
|
17
|
+
|
18
|
+
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
|
19
|
+
# ban a host which matches an address in this list. Several addresses can be
|
20
|
+
# defined using space separator.
|
21
|
+
ignoreip = 127.0.0.1/8 217.111.74.210
|
22
|
+
|
23
|
+
# "bantime" is the number of seconds that a host is banned.
|
24
|
+
bantime = 600
|
25
|
+
|
26
|
+
# A host is banned if it has generated "maxretry" during the last "findtime"
|
27
|
+
# seconds.
|
28
|
+
findtime = 600
|
29
|
+
maxretry = 3
|
30
|
+
|
31
|
+
# "backend" specifies the backend used to get files modification.
|
32
|
+
# Available options are "pyinotify", "gamin", "polling" and "auto".
|
33
|
+
# This option can be overridden in each jail as well.
|
34
|
+
#
|
35
|
+
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
|
36
|
+
# If pyinotify is not installed, Fail2ban will use auto.
|
37
|
+
# gamin: requires Gamin (a file alteration monitor) to be installed.
|
38
|
+
# If Gamin is not installed, Fail2ban will use auto.
|
39
|
+
# polling: uses a polling algorithm which does not require external libraries.
|
40
|
+
# auto: will try to use the following backends, in order:
|
41
|
+
# pyinotify, gamin, polling.
|
42
|
+
backend = auto
|
43
|
+
|
44
|
+
# "usedns" specifies if jails should trust hostnames in logs,
|
45
|
+
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
|
46
|
+
#
|
47
|
+
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
|
48
|
+
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
|
49
|
+
# but it will be logged as a warning.
|
50
|
+
# no: if a hostname is encountered, will not be used for banning,
|
51
|
+
# but it will be logged as info.
|
52
|
+
usedns = warn
|
53
|
+
|
54
|
+
#
|
55
|
+
# Destination email address used solely for the interpolations in
|
56
|
+
# jail.{conf,local} configuration files.
|
57
|
+
destemail = root@localhost
|
58
|
+
|
59
|
+
#
|
60
|
+
# Name of the sender for mta actions
|
61
|
+
sendername = Fail2Ban
|
62
|
+
|
63
|
+
#
|
64
|
+
# ACTIONS
|
65
|
+
#
|
66
|
+
|
67
|
+
# Default banning action (e.g. iptables, iptables-new,
|
68
|
+
# iptables-multiport, shorewall, etc) It is used to define
|
69
|
+
# action_* variables. Can be overridden globally or per
|
70
|
+
# section within jail.local file
|
71
|
+
banaction = iptables-multiport
|
72
|
+
|
73
|
+
# email action. Since 0.8.1 upstream fail2ban uses sendmail
|
74
|
+
# MTA for the mailing. Change mta configuration parameter to mail
|
75
|
+
# if you want to revert to conventional 'mail'.
|
76
|
+
mta = sendmail
|
77
|
+
|
78
|
+
# Default protocol
|
79
|
+
protocol = tcp
|
80
|
+
|
81
|
+
# Specify chain where jumps would need to be added in iptables-* actions
|
82
|
+
chain = INPUT
|
83
|
+
|
84
|
+
#
|
85
|
+
# Action shortcuts. To be used to define action parameter
|
86
|
+
|
87
|
+
# The simplest action to take: ban only
|
88
|
+
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
89
|
+
|
90
|
+
# ban & send an e-mail with whois report to the destemail.
|
91
|
+
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
92
|
+
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
|
93
|
+
|
94
|
+
# ban & send an e-mail with whois report and relevant log lines
|
95
|
+
# to the destemail.
|
96
|
+
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
97
|
+
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
|
98
|
+
|
99
|
+
# Choose default action. To change, just override value of 'action' with the
|
100
|
+
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
|
101
|
+
# globally (section [DEFAULT]) or per specific section
|
102
|
+
action = %(action_)s
|
103
|
+
|
104
|
+
#
|
105
|
+
# JAILS
|
106
|
+
#
|
107
|
+
|
108
|
+
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
|
109
|
+
# was shipped in Debian. Enable any defined here jail by including
|
110
|
+
#
|
111
|
+
# [SECTION_NAME]
|
112
|
+
# enabled = true
|
113
|
+
|
114
|
+
#
|
115
|
+
# in /etc/fail2ban/jail.local.
|
116
|
+
#
|
117
|
+
# Optionally you may override any other parameter (e.g. banaction,
|
118
|
+
# action, port, logpath, etc) in that section within jail.local
|
119
|
+
|
120
|
+
[ssh]
|
121
|
+
|
122
|
+
enabled = true
|
123
|
+
port = ssh
|
124
|
+
filter = sshd
|
125
|
+
logpath = /var/log/auth.log
|
126
|
+
maxretry = 6
|
127
|
+
|
128
|
+
[dropbear]
|
129
|
+
|
130
|
+
enabled = false
|
131
|
+
port = ssh
|
132
|
+
filter = dropbear
|
133
|
+
logpath = /var/log/auth.log
|
134
|
+
maxretry = 6
|
135
|
+
|
136
|
+
# Generic filter for pam. Has to be used with action which bans all ports
|
137
|
+
# such as iptables-allports, shorewall
|
138
|
+
[pam-generic]
|
139
|
+
|
140
|
+
enabled = false
|
141
|
+
# pam-generic filter can be customized to monitor specific subset of 'tty's
|
142
|
+
filter = pam-generic
|
143
|
+
# port actually must be irrelevant but lets leave it all for some possible uses
|
144
|
+
port = all
|
145
|
+
banaction = iptables-allports
|
146
|
+
port = anyport
|
147
|
+
logpath = /var/log/auth.log
|
148
|
+
maxretry = 6
|
149
|
+
|
150
|
+
[xinetd-fail]
|
151
|
+
|
152
|
+
enabled = false
|
153
|
+
filter = xinetd-fail
|
154
|
+
port = all
|
155
|
+
banaction = iptables-multiport-log
|
156
|
+
logpath = /var/log/daemon.log
|
157
|
+
maxretry = 2
|
158
|
+
|
159
|
+
|
160
|
+
[ssh-ddos]
|
161
|
+
|
162
|
+
enabled = false
|
163
|
+
port = ssh
|
164
|
+
filter = sshd-ddos
|
165
|
+
logpath = /var/log/auth.log
|
166
|
+
maxretry = 6
|
167
|
+
|
168
|
+
|
169
|
+
# Here we use blackhole routes for not requiring any additional kernel support
|
170
|
+
# to store large volumes of banned IPs
|
171
|
+
|
172
|
+
[ssh-route]
|
173
|
+
|
174
|
+
enabled = false
|
175
|
+
filter = sshd
|
176
|
+
action = route
|
177
|
+
logpath = /var/log/sshd.log
|
178
|
+
maxretry = 6
|
179
|
+
|
180
|
+
# Here we use a combination of Netfilter/Iptables and IPsets
|
181
|
+
# for storing large volumes of banned IPs
|
182
|
+
#
|
183
|
+
# IPset comes in two versions. See ipset -V for which one to use
|
184
|
+
# requires the ipset package and kernel support.
|
185
|
+
[ssh-iptables-ipset4]
|
186
|
+
|
187
|
+
enabled = false
|
188
|
+
port = ssh
|
189
|
+
filter = sshd
|
190
|
+
banaction = iptables-ipset-proto4
|
191
|
+
logpath = /var/log/sshd.log
|
192
|
+
maxretry = 6
|
193
|
+
|
194
|
+
[ssh-iptables-ipset6]
|
195
|
+
|
196
|
+
enabled = false
|
197
|
+
port = ssh
|
198
|
+
filter = sshd
|
199
|
+
banaction = iptables-ipset-proto6
|
200
|
+
logpath = /var/log/sshd.log
|
201
|
+
maxretry = 6
|
202
|
+
|
203
|
+
|
204
|
+
#
|
205
|
+
# HTTP servers
|
206
|
+
#
|
207
|
+
|
208
|
+
[apache]
|
209
|
+
|
210
|
+
enabled = false
|
211
|
+
port = http,https
|
212
|
+
filter = apache-auth
|
213
|
+
logpath = /var/log/apache*/*error.log
|
214
|
+
maxretry = 6
|
215
|
+
|
216
|
+
# default action is now multiport, so apache-multiport jail was left
|
217
|
+
# for compatibility with previous (<0.7.6-2) releases
|
218
|
+
[apache-multiport]
|
219
|
+
|
220
|
+
enabled = false
|
221
|
+
port = http,https
|
222
|
+
filter = apache-auth
|
223
|
+
logpath = /var/log/apache*/*error.log
|
224
|
+
maxretry = 6
|
225
|
+
|
226
|
+
[apache-noscript]
|
227
|
+
|
228
|
+
enabled = false
|
229
|
+
port = http,https
|
230
|
+
filter = apache-noscript
|
231
|
+
logpath = /var/log/apache*/*error.log
|
232
|
+
maxretry = 6
|
233
|
+
|
234
|
+
[apache-overflows]
|
235
|
+
|
236
|
+
enabled = false
|
237
|
+
port = http,https
|
238
|
+
filter = apache-overflows
|
239
|
+
logpath = /var/log/apache*/*error.log
|
240
|
+
maxretry = 2
|
241
|
+
|
242
|
+
# Ban attackers that try to use PHP's URL-fopen() functionality
|
243
|
+
# through GET/POST variables. - Experimental, with more than a year
|
244
|
+
# of usage in production environments.
|
245
|
+
|
246
|
+
[php-url-fopen]
|
247
|
+
|
248
|
+
enabled = false
|
249
|
+
port = http,https
|
250
|
+
filter = php-url-fopen
|
251
|
+
logpath = /var/www/*/logs/access_log
|
252
|
+
|
253
|
+
# A simple PHP-fastcgi jail which works with lighttpd.
|
254
|
+
# If you run a lighttpd server, then you probably will
|
255
|
+
# find these kinds of messages in your error_log:
|
256
|
+
# ALERT – tried to register forbidden variable ‘GLOBALS’
|
257
|
+
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
|
258
|
+
|
259
|
+
[lighttpd-fastcgi]
|
260
|
+
|
261
|
+
enabled = false
|
262
|
+
port = http,https
|
263
|
+
filter = lighttpd-fastcgi
|
264
|
+
logpath = /var/log/lighttpd/error.log
|
265
|
+
|
266
|
+
# Same as above for mod_auth
|
267
|
+
# It catches wrong authentifications
|
268
|
+
|
269
|
+
[lighttpd-auth]
|
270
|
+
|
271
|
+
enabled = false
|
272
|
+
port = http,https
|
273
|
+
filter = suhosin
|
274
|
+
logpath = /var/log/lighttpd/error.log
|
275
|
+
|
276
|
+
[nginx-http-auth]
|
277
|
+
|
278
|
+
enabled = false
|
279
|
+
filter = nginx-http-auth
|
280
|
+
port = http,https
|
281
|
+
logpath = /var/log/nginx/error.log
|
282
|
+
|
283
|
+
# Monitor roundcube server
|
284
|
+
|
285
|
+
[roundcube-auth]
|
286
|
+
|
287
|
+
enabled = false
|
288
|
+
filter = roundcube-auth
|
289
|
+
port = http,https
|
290
|
+
logpath = /var/log/roundcube/userlogins
|
291
|
+
|
292
|
+
|
293
|
+
[sogo-auth]
|
294
|
+
|
295
|
+
enabled = false
|
296
|
+
filter = sogo-auth
|
297
|
+
port = http, https
|
298
|
+
# without proxy this would be:
|
299
|
+
# port = 20000
|
300
|
+
logpath = /var/log/sogo/sogo.log
|
301
|
+
|
302
|
+
|
303
|
+
#
|
304
|
+
# FTP servers
|
305
|
+
#
|
306
|
+
|
307
|
+
[vsftpd]
|
308
|
+
|
309
|
+
enabled = false
|
310
|
+
port = ftp,ftp-data,ftps,ftps-data
|
311
|
+
filter = vsftpd
|
312
|
+
logpath = /var/log/vsftpd.log
|
313
|
+
# or overwrite it in jails.local to be
|
314
|
+
# logpath = /var/log/auth.log
|
315
|
+
# if you want to rely on PAM failed login attempts
|
316
|
+
# vsftpd's failregex should match both of those formats
|
317
|
+
maxretry = 6
|
318
|
+
|
319
|
+
|
320
|
+
[proftpd]
|
321
|
+
|
322
|
+
enabled = false
|
323
|
+
port = ftp,ftp-data,ftps,ftps-data
|
324
|
+
filter = proftpd
|
325
|
+
logpath = /var/log/proftpd/proftpd.log
|
326
|
+
maxretry = 6
|
327
|
+
|
328
|
+
|
329
|
+
[pure-ftpd]
|
330
|
+
|
331
|
+
enabled = false
|
332
|
+
port = ftp,ftp-data,ftps,ftps-data
|
333
|
+
filter = pure-ftpd
|
334
|
+
logpath = /var/log/syslog
|
335
|
+
maxretry = 6
|
336
|
+
|
337
|
+
|
338
|
+
[wuftpd]
|
339
|
+
|
340
|
+
enabled = false
|
341
|
+
port = ftp,ftp-data,ftps,ftps-data
|
342
|
+
filter = wuftpd
|
343
|
+
logpath = /var/log/syslog
|
344
|
+
maxretry = 6
|
345
|
+
|
346
|
+
|
347
|
+
#
|
348
|
+
# Mail servers
|
349
|
+
#
|
350
|
+
|
351
|
+
[postfix]
|
352
|
+
|
353
|
+
enabled = false
|
354
|
+
port = smtp,ssmtp,submission
|
355
|
+
filter = postfix
|
356
|
+
logpath = /var/log/mail.log
|
357
|
+
|
358
|
+
|
359
|
+
[couriersmtp]
|
360
|
+
|
361
|
+
enabled = false
|
362
|
+
port = smtp,ssmtp,submission
|
363
|
+
filter = couriersmtp
|
364
|
+
logpath = /var/log/mail.log
|
365
|
+
|
366
|
+
|
367
|
+
#
|
368
|
+
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
|
369
|
+
# all relevant ports get banned
|
370
|
+
#
|
371
|
+
|
372
|
+
[courierauth]
|
373
|
+
|
374
|
+
enabled = false
|
375
|
+
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
|
376
|
+
filter = courierlogin
|
377
|
+
logpath = /var/log/mail.log
|
378
|
+
|
379
|
+
|
380
|
+
[sasl]
|
381
|
+
|
382
|
+
enabled = false
|
383
|
+
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
|
384
|
+
filter = postfix-sasl
|
385
|
+
# You might consider monitoring /var/log/mail.warn instead if you are
|
386
|
+
# running postfix since it would provide the same log lines at the
|
387
|
+
# "warn" level but overall at the smaller filesize.
|
388
|
+
logpath = /var/log/mail.log
|
389
|
+
|
390
|
+
[dovecot]
|
391
|
+
|
392
|
+
enabled = false
|
393
|
+
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
|
394
|
+
filter = dovecot
|
395
|
+
logpath = /var/log/mail.log
|
396
|
+
|
397
|
+
# To log wrong MySQL access attempts add to /etc/my.cnf:
|
398
|
+
# log-error=/var/log/mysqld.log
|
399
|
+
# log-warning = 2
|
400
|
+
[mysqld-auth]
|
401
|
+
|
402
|
+
enabled = false
|
403
|
+
filter = mysqld-auth
|
404
|
+
port = 3306
|
405
|
+
logpath = /var/log/mysqld.log
|
406
|
+
|
407
|
+
|
408
|
+
# DNS Servers
|
409
|
+
|
410
|
+
|
411
|
+
# These jails block attacks against named (bind9). By default, logging is off
|
412
|
+
# with bind9 installation. You will need something like this:
|
413
|
+
#
|
414
|
+
# logging {
|
415
|
+
# channel security_file {
|
416
|
+
# file "/var/log/named/security.log" versions 3 size 30m;
|
417
|
+
# severity dynamic;
|
418
|
+
# print-time yes;
|
419
|
+
# };
|
420
|
+
# category security {
|
421
|
+
# security_file;
|
422
|
+
# };
|
423
|
+
# };
|
424
|
+
#
|
425
|
+
# in your named.conf to provide proper logging
|
426
|
+
|
427
|
+
# !!! WARNING !!!
|
428
|
+
# Since UDP is connection-less protocol, spoofing of IP and imitation
|
429
|
+
# of illegal actions is way too simple. Thus enabling of this filter
|
430
|
+
# might provide an easy way for implementing a DoS against a chosen
|
431
|
+
# victim. See
|
432
|
+
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
|
433
|
+
# Please DO NOT USE this jail unless you know what you are doing.
|
434
|
+
#[named-refused-udp]
|
435
|
+
#
|
436
|
+
#enabled = false
|
437
|
+
#port = domain,953
|
438
|
+
#protocol = udp
|
439
|
+
#filter = named-refused
|
440
|
+
#logpath = /var/log/named/security.log
|
441
|
+
|
442
|
+
[named-refused-tcp]
|
443
|
+
|
444
|
+
enabled = false
|
445
|
+
port = domain,953
|
446
|
+
protocol = tcp
|
447
|
+
filter = named-refused
|
448
|
+
logpath = /var/log/named/security.log
|
449
|
+
|
450
|
+
# Multiple jails, 1 per protocol, are necessary ATM:
|
451
|
+
# see https://github.com/fail2ban/fail2ban/issues/37
|
452
|
+
[asterisk-tcp]
|
453
|
+
|
454
|
+
enabled = false
|
455
|
+
filter = asterisk
|
456
|
+
port = 5060,5061
|
457
|
+
protocol = tcp
|
458
|
+
logpath = /var/log/asterisk/messages
|
459
|
+
|
460
|
+
[asterisk-udp]
|
461
|
+
|
462
|
+
enabled = false
|
463
|
+
filter = asterisk
|
464
|
+
port = 5060,5061
|
465
|
+
protocol = udp
|
466
|
+
logpath = /var/log/asterisk/messages
|
467
|
+
|
468
|
+
|
469
|
+
# Jail for more extended banning of persistent abusers
|
470
|
+
# !!! WARNING !!!
|
471
|
+
# Make sure that your loglevel specified in fail2ban.conf/.local
|
472
|
+
# is not at DEBUG level -- which might then cause fail2ban to fall into
|
473
|
+
# an infinite loop constantly feeding itself with non-informative lines
|
474
|
+
[recidive]
|
475
|
+
|
476
|
+
enabled = false
|
477
|
+
filter = recidive
|
478
|
+
logpath = /var/log/fail2ban.log
|
479
|
+
action = iptables-allports[name=recidive]
|
480
|
+
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
|
481
|
+
bantime = 604800 ; 1 week
|
482
|
+
findtime = 86400 ; 1 day
|
483
|
+
maxretry = 5
|
484
|
+
|
485
|
+
|
486
|
+
[nginx-req-limit]
|
487
|
+
|
488
|
+
enabled = true
|
489
|
+
filter = nginx-req-limit
|
490
|
+
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
|
491
|
+
logpath = <%= shared_path %>/log/nginx_error.log
|
492
|
+
findtime = 600
|
493
|
+
bantime = 7200
|
494
|
+
maxretry = 50
|
@@ -17,6 +17,6 @@
|
|
17
17
|
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
|
18
18
|
endscript
|
19
19
|
lastaction
|
20
|
-
[ ! -f <%= shared_path %>/system/pids
|
20
|
+
[ ! -f <%= shared_path %>/system/pids/<%= fetch(:app_server) %>.pid ] || kill -USR1 `cat <%= shared_path %>/system/pids/<%= fetch(:app_server) %>.pid`
|
21
21
|
endscript
|
22
|
-
}
|
22
|
+
}
|
@@ -1,7 +1,9 @@
|
|
1
|
-
upstream
|
2
|
-
server unix:<%= shared_path %>/system/sockets
|
1
|
+
upstream appserver_upstream {
|
2
|
+
server unix:<%= shared_path %>/system/sockets/<%= fetch(:app_server) %>.sock;
|
3
3
|
}
|
4
4
|
|
5
|
+
limit_req_zone $binary_remote_addr zone=rate_limit:10m rate=10r/s;
|
6
|
+
|
5
7
|
server {
|
6
8
|
listen 80;
|
7
9
|
server_name <%= fetch(:nginx_server_name) %>;
|
@@ -16,12 +18,15 @@ server {
|
|
16
18
|
root <%= current_path %>/public;
|
17
19
|
|
18
20
|
location @<%= fetch(:application) %> {
|
21
|
+
limit_req zone=rate_limit burst=20;
|
22
|
+
limit_req_status 444;
|
23
|
+
|
19
24
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
20
|
-
proxy_set_header X-Forwarded-Proto
|
25
|
+
proxy_set_header X-Forwarded-Proto $scheme;
|
21
26
|
proxy_set_header Host $http_host;
|
22
27
|
proxy_redirect off;
|
23
28
|
|
24
|
-
proxy_pass http://
|
29
|
+
proxy_pass http://appserver_upstream;
|
25
30
|
break;
|
26
31
|
}
|
27
32
|
|
@@ -25,7 +25,7 @@ http {
|
|
25
25
|
gzip_comp_level 6;
|
26
26
|
gzip_proxied any;
|
27
27
|
gzip_types text/plain text/css text/xml text/javascript text/comma-separated-values
|
28
|
-
application/json application/x-javascript application/xml application/xml+rss;
|
28
|
+
application/json application/x-javascript application/xml application/xml+rss image/svg+xml;
|
29
29
|
|
30
30
|
# see http://blog.leetsoft.com/2007/7/25/nginx-gzip-ssl
|
31
31
|
gzip_buffers 16 8k;
|
@@ -0,0 +1,64 @@
|
|
1
|
+
# puma configuration
|
2
|
+
|
3
|
+
shared_path = "<%= shared_path %>"
|
4
|
+
environment_name = "<%= fetch(:environment) %>"
|
5
|
+
|
6
|
+
begin
|
7
|
+
require 'dotenv'
|
8
|
+
dotenv_path = '<%= fetch(:dotenv_path, shared_path.join(".env.#{fetch(:environment)}")) %>'
|
9
|
+
Dotenv.load(dotenv_path)
|
10
|
+
rescue LoadError
|
11
|
+
puts "Dotenv not found, skipping load of env vars..."
|
12
|
+
end
|
13
|
+
|
14
|
+
# Puma can serve each request in a thread from an internal thread pool.
|
15
|
+
# The `threads` method setting takes two numbers a minimum and maximum.
|
16
|
+
# Any libraries that use thread pools should be configured to match
|
17
|
+
# the maximum value specified for Puma. Default is set to 5 threads for minimum
|
18
|
+
# and maximum, this matches the default thread size of Active Record.
|
19
|
+
#
|
20
|
+
threads_count = ENV.fetch("PUMA_THREADS", <%= fetch(:puma_threads) %>)
|
21
|
+
threads threads_count, threads_count
|
22
|
+
|
23
|
+
# Specifies the `environment` that Puma will run in.
|
24
|
+
#
|
25
|
+
environment environment_name
|
26
|
+
|
27
|
+
# Specifies the number of `workers` to boot in clustered mode.
|
28
|
+
# Workers are forked webserver processes. If using threads and workers together
|
29
|
+
# the concurrency of the application would be max `threads` * `workers`.
|
30
|
+
# Workers do not work on JRuby or Windows (both of which do not support
|
31
|
+
# processes).
|
32
|
+
#
|
33
|
+
workers ENV.fetch("PUMA_WORKERS", <%= fetch(:puma_workers) %>)
|
34
|
+
|
35
|
+
# Use the `preload_app!` method when specifying a `workers` number.
|
36
|
+
# This directive tells Puma to first boot the application and load code
|
37
|
+
# before forking the application. This takes advantage of Copy On Write
|
38
|
+
# process behavior so workers use less memory. If you use this option
|
39
|
+
# you need to make sure to reconnect any threads in the `on_worker_boot`
|
40
|
+
# block.
|
41
|
+
#
|
42
|
+
preload_app!
|
43
|
+
|
44
|
+
# The code in the `on_worker_boot` will be called if you are using
|
45
|
+
# clustered mode by specifying a number of `workers`. After each worker
|
46
|
+
# process is booted this block will be run, if you are using `preload_app!`
|
47
|
+
# option you will want to use this block to reconnect to any threads
|
48
|
+
# or connections that may have been created at application boot, Ruby
|
49
|
+
# cannot share connections between processes.
|
50
|
+
#
|
51
|
+
on_worker_boot do
|
52
|
+
ActiveRecord::Base.establish_connection if defined?(ActiveRecord)
|
53
|
+
end
|
54
|
+
|
55
|
+
# Set up socket location
|
56
|
+
bind "unix://#{shared_path}/system/sockets/puma.sock"
|
57
|
+
|
58
|
+
# Logging
|
59
|
+
stdout_redirect "#{shared_path}/log/puma.stdout.log", "#{shared_path}/log/puma.stderr.log", true
|
60
|
+
|
61
|
+
# Set master PID and state locations
|
62
|
+
pidfile "#{shared_path}/system/pids/puma.pid"
|
63
|
+
state_path "#{shared_path}/system/pids/puma.state"
|
64
|
+
activate_control_app
|
@@ -4,6 +4,6 @@ start on runlevel [2]
|
|
4
4
|
stop on runlevel [016]
|
5
5
|
|
6
6
|
expect daemon
|
7
|
-
exec /home/ubuntu/.rvm/wrappers/default/bluepill load <%= shared_path %>/config
|
7
|
+
exec /home/ubuntu/.rvm/wrappers/default/bluepill load <%= shared_path %>/config/<%= fetch(:application)%>.pill
|
8
8
|
|
9
9
|
respawn
|
@@ -23,11 +23,11 @@ require 'capistrano/bundler'
|
|
23
23
|
require "capistrano/helpers.rb"
|
24
24
|
|
25
25
|
# Load custom modules with helper functions
|
26
|
-
%w(aptitude bluepill upstart).each do |m|
|
26
|
+
%w(aptitude bluepill upstart user_management shell).each do |m|
|
27
27
|
load File.expand_path("../modules/#{m}.rb", __FILE__)
|
28
28
|
end
|
29
29
|
|
30
30
|
# Loads custom tasks from `lib/capistrano/tasks' if you have any defined.
|
31
|
-
%w(bluepill logrotate machine nginx rvm unicorn upstart).each do |t|
|
31
|
+
%w(bluepill fail2ban logrotate machine elasticsearch nginx rvm unicorn puma upstart).each do |t|
|
32
32
|
import File.expand_path("../tasks/#{t}.rake", __FILE__)
|
33
33
|
end
|
@@ -9,7 +9,7 @@ set :rvm_ruby_version, "ruby-2.2.0"
|
|
9
9
|
set :rvm_map_bins, %w{gem rake ruby rvmsudo bundle}
|
10
10
|
|
11
11
|
set :deploy_to, "/srv/#{fetch(:application)}"
|
12
|
-
set :linked_dirs,
|
12
|
+
set :linked_dirs, fetch(:linked_dirs, []).push(*%w{log vendor/bundle system/pids system/sockets public/assets})
|
13
13
|
|
14
14
|
set :keep_releases, 3
|
15
15
|
set :ssh_options, { forward_agent: true }
|
@@ -19,12 +19,13 @@ set :bundle_flags, "--deployment"
|
|
19
19
|
set :bundle_without, %w{development test}.join(' ')
|
20
20
|
set :bundle_exec, "bundle exec"
|
21
21
|
|
22
|
+
# app server
|
23
|
+
set :app_server, "unicorn" # default to unicorn if nothing set
|
24
|
+
|
22
25
|
namespace :deploy do
|
23
26
|
desc 'Restart application'
|
24
27
|
task :restart do
|
25
|
-
|
26
|
-
invoke "unicorn:phased_restart"
|
27
|
-
end
|
28
|
+
invoke "bluepill:restart"
|
28
29
|
end
|
29
30
|
|
30
31
|
desc 'Ensure that the app folder is present'
|
data/lib/capistrano/helpers.rb
CHANGED
@@ -2,7 +2,9 @@
|
|
2
2
|
# This file is loaded before the tasks
|
3
3
|
|
4
4
|
def template(from, to)
|
5
|
-
|
5
|
+
path = File.expand_path("lib/capistrano/configs/#{from}", ENV['PWD'])
|
6
|
+
path = File.expand_path("../configs/#{from}", __FILE__) unless File.exists?(path)
|
7
|
+
erb = File.read(path)
|
6
8
|
compiled = ERB.new(erb).result(binding)
|
7
9
|
io = StringIO.new(compiled)
|
8
10
|
upload! io, to
|
@@ -17,4 +19,4 @@ def execute_script(name, params = "")
|
|
17
19
|
execute "chmod 755 #{name}"
|
18
20
|
execute "./#{name} #{params}"
|
19
21
|
execute "rm #{name}"
|
20
|
-
end
|
22
|
+
end
|