gigpark-ec2onrails 0.9.10.3
- data/CHANGELOG +190 -0
- data/COPYING +339 -0
- data/Manifest +160 -0
- data/README.textile +233 -0
- data/Rakefile +31 -0
- data/TODO +104 -0
- data/ec2onrails.gemspec +46 -0
- data/echoe_config.rb +27 -0
- data/examples/Capfile +3 -0
- data/examples/deploy.rb +103 -0
- data/examples/s3.yml +9 -0
- data/lib/ec2onrails.rb +20 -0
- data/lib/ec2onrails/capistrano_utils.rb +47 -0
- data/lib/ec2onrails/recipes.rb +146 -0
- data/lib/ec2onrails/recipes/db.rb +366 -0
- data/lib/ec2onrails/recipes/deploy.rb +26 -0
- data/lib/ec2onrails/recipes/server.rb +517 -0
- data/lib/ec2onrails/version.rb +29 -0
- data/server/build +74 -0
- data/server/files/etc/README +7 -0
- data/server/files/etc/aliases +5 -0
- data/server/files/etc/cron.d/ec2onrails +16 -0
- data/server/files/etc/cron.daily/app +31 -0
- data/server/files/etc/cron.daily/logrotate_post +25 -0
- data/server/files/etc/cron.hourly/app +31 -0
- data/server/files/etc/cron.monthly/app +31 -0
- data/server/files/etc/cron.weekly/app +31 -0
- data/server/files/etc/default/varnish +33 -0
- data/server/files/etc/default/varnishncsa +11 -0
- data/server/files/etc/denyhosts.conf +628 -0
- data/server/files/etc/dpkg/dpkg.cfg +13 -0
- data/server/files/etc/ec2onrails/rails_env +1 -0
- data/server/files/etc/ec2onrails/roles.yml +5 -0
- data/server/files/etc/environment +2 -0
- data/server/files/etc/event.d/god +8 -0
- data/server/files/etc/god/db_primary.god +16 -0
- data/server/files/etc/god/dkim_filter.god +17 -0
- data/server/files/etc/god/master.conf +40 -0
- data/server/files/etc/god/memcache.god +15 -0
- data/server/files/etc/god/notifications.god +11 -0
- data/server/files/etc/god/proxy.god +40 -0
- data/server/files/etc/god/system.god +37 -0
- data/server/files/etc/god/web.god +23 -0
- data/server/files/etc/init.d/ec2-every-startup +29 -0
- data/server/files/etc/init.d/ec2-first-startup +37 -0
- data/server/files/etc/init.d/nginx +78 -0
- data/server/files/etc/logrotate.d/nginx +10 -0
- data/server/files/etc/logrotate.d/rails +8 -0
- data/server/files/etc/logrotate.d/varnish +14 -0
- data/server/files/etc/memcached.conf +47 -0
- data/server/files/etc/motd.tail +13 -0
- data/server/files/etc/mysql/my.cnf +152 -0
- data/server/files/etc/nginx/conf.d/custom.conf +1 -0
- data/server/files/etc/nginx/nginx.conf.erb +152 -0
- data/server/files/etc/postfix/main.cf +4 -0
- data/server/files/etc/ssh/sshd_config +96 -0
- data/server/files/etc/sudoers +31 -0
- data/server/files/etc/syslog.conf +63 -0
- data/server/files/etc/varnish/default.vcl.erb +140 -0
- data/server/files/usr/local/ec2onrails/COPYING +339 -0
- data/server/files/usr/local/ec2onrails/bin/archive_file +44 -0
- data/server/files/usr/local/ec2onrails/bin/backup_app_db +160 -0
- data/server/files/usr/local/ec2onrails/bin/backup_dir +89 -0
- data/server/files/usr/local/ec2onrails/bin/ec2_meta_data +80 -0
- data/server/files/usr/local/ec2onrails/bin/exec_runner +76 -0
- data/server/files/usr/local/ec2onrails/bin/in_role +33 -0
- data/server/files/usr/local/ec2onrails/bin/init_services +43 -0
- data/server/files/usr/local/ec2onrails/bin/install_system_files +56 -0
- data/server/files/usr/local/ec2onrails/bin/optimize_mysql +346 -0
- data/server/files/usr/local/ec2onrails/bin/public-hostname +24 -0
- data/server/files/usr/local/ec2onrails/bin/rails_env +33 -0
- data/server/files/usr/local/ec2onrails/bin/rebundle +62 -0
- data/server/files/usr/local/ec2onrails/bin/restore_app_db +58 -0
- data/server/files/usr/local/ec2onrails/bin/set_rails_env +36 -0
- data/server/files/usr/local/ec2onrails/bin/set_roles +36 -0
- data/server/files/usr/local/ec2onrails/bin/uninstall_system_files +34 -0
- data/server/files/usr/local/ec2onrails/config +30 -0
- data/server/files/usr/local/ec2onrails/lib/aws_helper.rb +75 -0
- data/server/files/usr/local/ec2onrails/lib/god_helper.rb +84 -0
- data/server/files/usr/local/ec2onrails/lib/mysql_helper.rb +100 -0
- data/server/files/usr/local/ec2onrails/lib/roles_helper.rb +156 -0
- data/server/files/usr/local/ec2onrails/lib/s3_helper.rb +116 -0
- data/server/files/usr/local/ec2onrails/lib/system_files_helper.rb +110 -0
- data/server/files/usr/local/ec2onrails/lib/system_files_manifest.rb +107 -0
- data/server/files/usr/local/ec2onrails/lib/utils.rb +26 -0
- data/server/files/usr/local/ec2onrails/lib/vendor/ini.rb +268 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/every-startup/README +5 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/every-startup/create-mysqld-pid-dir +26 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/README +5 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/create-dirs +45 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/generate-default-web-cert-and-key +49 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/get-hostname +27 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/misc +27 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/prepare-mysql-data-dir +24 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/setup-credentials +32 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/setup-file-permissions +30 -0
- data/server/rakefile-wrapper +26 -0
- data/server/rakefile.rb +267 -0
- data/test/autobench.conf +60 -0
- data/test/spec/lib/s3_helper_spec.rb +154 -0
- data/test/spec/lib/s3_old.yml +3 -0
- data/test/spec/lib/system_files_manifest_spec.rb +122 -0
- data/test/spec/test_files/system_files1/_manifest +13 -0
- data/test/spec/test_files/system_files1/test1 +0 -0
- data/test/spec/test_files/system_files1/test2 +0 -0
- data/test/spec/test_files/system_files1/testfolder/test3 +0 -0
- data/test/spec/test_files/system_files2/_manifest +2 -0
- data/test/spec/test_files/system_files2/test1 +0 -0
- data/test/spec/test_files/system_files2/test2 +0 -0
- data/test/spec/test_files/system_files2/testfolder/test3 +0 -0
- data/test/spec/test_files/test2 +0 -0
- data/test/test_app/Capfile +3 -0
- data/test/test_app/README +243 -0
- data/test/test_app/Rakefile +10 -0
- data/test/test_app/app/controllers/application_controller.rb +10 -0
- data/test/test_app/app/controllers/db_fast_controller.rb +6 -0
- data/test/test_app/app/controllers/fast_controller.rb +5 -0
- data/test/test_app/app/controllers/slow_controller.rb +6 -0
- data/test/test_app/app/controllers/very_slow_controller.rb +6 -0
- data/test/test_app/app/helpers/application_helper.rb +3 -0
- data/test/test_app/config/boot.rb +110 -0
- data/test/test_app/config/database.yml +24 -0
- data/test/test_app/config/deploy.rb +22 -0
- data/test/test_app/config/ec2onrails/config.rb +5 -0
- data/test/test_app/config/environment.rb +41 -0
- data/test/test_app/config/environments/development.rb +17 -0
- data/test/test_app/config/environments/production.rb +28 -0
- data/test/test_app/config/environments/test.rb +28 -0
- data/test/test_app/config/initializers/backtrace_silencers.rb +7 -0
- data/test/test_app/config/initializers/inflections.rb +10 -0
- data/test/test_app/config/initializers/mime_types.rb +5 -0
- data/test/test_app/config/initializers/new_rails_defaults.rb +19 -0
- data/test/test_app/config/initializers/session_store.rb +15 -0
- data/test/test_app/config/locales/en.yml +5 -0
- data/test/test_app/config/routes.rb +43 -0
- data/test/test_app/doc/README_FOR_APP +2 -0
- data/test/test_app/public/404.html +30 -0
- data/test/test_app/public/422.html +30 -0
- data/test/test_app/public/500.html +30 -0
- data/test/test_app/public/favicon.ico +0 -0
- data/test/test_app/public/images/rails.png +0 -0
- data/test/test_app/public/index.html +275 -0
- data/test/test_app/public/javascripts/application.js +2 -0
- data/test/test_app/public/javascripts/controls.js +963 -0
- data/test/test_app/public/javascripts/dragdrop.js +973 -0
- data/test/test_app/public/javascripts/effects.js +1128 -0
- data/test/test_app/public/javascripts/prototype.js +4320 -0
- data/test/test_app/public/robots.txt +5 -0
- data/test/test_app/script/about +4 -0
- data/test/test_app/script/console +3 -0
- data/test/test_app/script/dbconsole +3 -0
- data/test/test_app/script/destroy +3 -0
- data/test/test_app/script/generate +3 -0
- data/test/test_app/script/performance/benchmarker +3 -0
- data/test/test_app/script/performance/profiler +3 -0
- data/test/test_app/script/plugin +3 -0
- data/test/test_app/script/runner +3 -0
- data/test/test_app/script/server +3 -0
- data/test/test_app/test/performance/browsing_test.rb +9 -0
- data/test/test_app/test/test_helper.rb +38 -0
- metadata +266 -0
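--- a/data/server/files/etc/motd.tail
+++ b/data/server/files/etc/motd.tail
@@ -0,0 +1,13 @@
+
+EC2 on Rails
+!!VERSION!!
+http://rubyforge.org/projects/ec2onrails/
+
+Copyright 2008 Paul Dowman, http://pauldowman.com/
+
+Base AMI built using Eric Hammond's EC2 Ubuntu script:
+http://alestic.com/
+
+This is free software, and you are welcome to redistribute it under
+certain conditions. This software comes with ABSOLUTELY NO WARRANTY.
+See /usr/local/ec2onrails/COPYING for details.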
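--- a/data/server/files/etc/mysql/my.cnf
+++ b/data/server/files/etc/mysql/my.cnf
@@ -0,0 +1,152 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port = 3306
+socket = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user = mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = /mnt/mysql_data
+tmpdir = /mnt/mysql_data/tmp
+language = /usr/share/mysql/english
+skip-external-locking
+default-storage-engine = InnoDB
+character-set-server = utf8
+collation-server = utf8_general_ci
+
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+#bind-address = 127.0.0.1
+#
+# * Fine Tuning
+#
+key_buffer_size = 16M
+max_allowed_packet = 16M
+thread_stack = 128K
+thread_cache_size = 8
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 64M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+#log = /var/log/mysql/mysql.log
+#
+# Error logging goes to syslog. This is a Debian improvement :)
+#
+# Here you can see queries with especially long duration
+log_slow_queries = /mnt/log/mysql/mysql-slow.log
+long_query_time = 1
+log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+#server-id = 1
+log_bin = /mnt/log/mysql/mysql-bin.log
+# WARNING: Using expire_logs_days without bin_log crashes the server! See README.Debian!
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+#
+# * BerkeleyDB
+#
+# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
+skip-bdb
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
+#skip-innodb
+innodb_data_file_path=ibdata1:100M:autoextend
+innodb_buffer_pool_size=200M
+innodb_additional_mem_pool_size=20M
+innodb_log_file_size=128M
+innodb_log_buffer_size=8M
+innodb_flush_log_at_trx_commit=1
+innodb_lock_wait_timeout=20
+# innodb_flush_method=O_DIRECT
+innodb_file_per_table
+
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+[mysql]
+default-character-set = utf8
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = 16M
+
+#
+# * NDB Cluster
+#
+# See /usr/share/doc/mysql-server-*/README.Debian for more information.
+#
+# The following configuration is read by the NDB Data Nodes (ndbd processes)
+# not from the NDB Management Nodes (ndb_mgmd processes).
+#
+# [MYSQL_CLUSTER]
+# ndb-connectstring=127.0.0.1
+
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+#
+!includedir /etc/mysql/conf.d/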
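Review bot: `#bind-address = 127.0.0.1` at line 51 is commented out, so mysqld binds to every interface even though the comment on lines 49–50 says the default is to listen on localhost only; on EC2 that leaves the listener reachable from any host the instance's security group admits. If remote database clients are intended (the db roles in the file list suggest so), say so next to the directive, e.g. `# bind-address is deliberately unset: the db role must be reachable from the web/app roles; access is restricted by the EC2 security group`, otherwise restore the directive. The `ssl-*` entries at lines 119–121 are also commented out, so any such remote traffic is unencrypted, which is worth stating in the same comment.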
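--- a/data/server/files/etc/nginx/conf.d/custom.conf
+++ b/data/server/files/etc/nginx/conf.d/custom.conf
@@ -0,0 +1 @@
+# Overwrite this file with any custom configuration, it gets included inside the server directive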
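--- a/data/server/files/etc/nginx/nginx.conf.erb
+++ b/data/server/files/etc/nginx/nginx.conf.erb
@@ -0,0 +1,152 @@
+user nginx nginx;
+worker_processes 6;
+pid /var/run/nginx.pid;
+
+events {
+worker_connections 1024;
+use epoll; # linux only!
+}
+
+http {
+# global passenger settings
+passenger_root <%= `/usr/bin/passenger-config --root`.strip %>;
+passenger_default_user app;
+passenger_pool_idle_time 0;
+rails_framework_spawner_idle_time 0;
+rails_app_spawner_idle_time 0;
+
+# We leave passenger_max_pool_size at the default for now. (It might
+# eventually be an ERB variable that can be set automatically based on the
+# instance type and what roles it's in.)
+# passenger_max_pool_size 6;
+
+# We leave the rails_spawn_method at the default, but we might want a config setting
+# to allow it to be changed.
+# rails_spawn_method smart-lv2;
+
+include /etc/nginx/mime.types;
+
+# set a default type for the rare situation that
+# nothing matches from the mime-type include
+default_type application/octet-stream;
+
+# configure log format
+log_format main '$remote_addr [$time_local] '
+'"$scheme $host $request" $status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for" '
+'($request_time)';
+
+access_log /mnt/log/nginx/access.log main;
+
+# main error log - Do not comment out. If you do not want the log file set this to /dev/null
+# use debug instead of notice if you want additional information
+error_log /mnt/log/nginx/error.log notice;
+
+sendfile on;
+
+tcp_nopush on;
+tcp_nodelay on;
+gzip on;
+gzip_http_version 1.1;
+gzip_vary on;
+gzip_comp_level 6;
+gzip_proxied any;
+gzip_types application/json application/x-javascript application/xhtml+xml application/xml application/xml+rss text/css text/javascript text/plain text/xml ;
+# make sure gzip does not lose large gzipped js or css files
+# see http://blog.leetsoft.com/2007/7/25/nginx-gzip-ssl
+gzip_buffers 16 8k;
+
+# Disable gzip for certain browsers. IE6 prior to SP2 doesn't handle gzip properly.
+gzip_disable “MSIE [1-6].(?!.*SV1)”;
+
+server {
+listen <%= roles[:proxy] && roles[:proxy].include?("127.0.0.1") ? 81 : 80 %>;
+server_name _;
+
+# server-specific passenger settings
+passenger_enabled on;
+passenger_use_global_queue on;
+rails_env <%= rails_env %>;
+
+# Set the max size for file uploads to 50Mb
+client_max_body_size 50M;
+
+# uncomment to force a redirect to www
+# if ($host ~* "^[ec2onrails].com$"){
+# rewrite ^(.*)$ http://www.[ec2onrails].com$1 permanent;
+# break;
+# }
+
+# uncomment if you want to allow or force some or all pages to go to http:// instead of https://
+# if redirecting all to https, you won't need any of the other directives below their rewrite/break
+# set $sub 'www';
+# if ($host ~* "^(.+?)\.[ec2onrails].com$"){
+# set $sub $1;
+# }
+#
+# if ( $uri ~* "^/.+$") {
+# rewrite ^(.*)$ https://$sub.[ec2onrails].com$1 permanent;
+# break;
+# }
+
+root /mnt/app/current/public;
+
+error_page 400 /400.html;
+error_page 500 502 504 /500.html;
+location = /500.html {
+root /mnt/app/current/public;
+}
+
+#hide hidden files and folders
+location ~ /\..+ {
+deny all;
+}
+
+#do not show the nginx version number in the server header
+server_tokens off;
+
+# this allows people to use images and css in their maintenance.html file
+if ($request_filename ~* \.(css|jpg|gif|png)$) {
+break;
+}
+
+# this rewrites all the requests to the maintenance.html
+# page if it exists in the doc root. This is for capistrano's
+# disable web task
+if (-f $document_root/system/maintenance.html) {
+return 503;
+}
+error_page 503 @503;
+location @503 {
+rewrite ^(.*)$ /system/maintenance.html break;
+}
+
+
+# see http://wiki.codemongers.com/NginxHttpStubStatusModule
+# for more information
+location /nginx_status {
+# copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
+stub_status on;
+access_log off;
+#only allow from localhost
+allow 127.0.0.1;
+deny all;
+}
+
+include /etc/nginx/conf.d/*.conf;
+}
+
+# This server is setup for ssl. Uncomment if
+# you are using ssl as well as port 80.
+# server {
+# # port to listen on. Can also be set to an IP:PORT
+# listen 443;
+#
+# ssl on;
+# ssl_certificate /etc/nginx/your_cert.crt;
+# ssl_certificate_key /etc/nginx/your_cert.key;
+#
+# TODO SSL support
+#
+# }
+}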
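Review bot: `gzip_disable “MSIE [1-6].(?!.*SV1)”;` at line 60 is written with typographic quotes (U+201C/U+201D) rather than ASCII `"`, so nginx treats them as literal characters of the regex and the IE6 exclusion never matches; it should read `gzip_disable "MSIE [1-6].(?!.*SV1)";`. Separately, `allow 127.0.0.1; deny all;` in `location /nginx_status` (lines 131–133) is evaluated against the TCP peer address, and when the proxy role includes 127.0.0.1 this server listens on 81 behind a local proxy (line 63), so every proxied request presumably arrives from 127.0.0.1 and the status page would be reachable through the proxy — confirm the VCL blocks that path, or guard it on the proxy side instead. `$http_x_forwarded_for` in the log format (line 36) is client-supplied unless the proxy rewrites it, which is worth a comment for anyone reading access logs during an investigation.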
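--- a/data/server/files/etc/ssh/sshd_config
+++ b/data/server/files/etc/ssh/sshd_config
@@ -0,0 +1,96 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# HARDEN OpenSSH TODO's
+# * specify AllowUsers
+# * PermitRootLogin no # turn off root login access
+# to do that, we will probably need to create a non-root user to escalate
+# privileges to from capistrano, like 'admin'
+# * change default port to something other than 22
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Enable to harden the ssh host
+# AllowUsers admin app
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+UseDNS no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+ClientAliveInterval 30
+ClientAliveCountMax 6
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+
+# PermitUserEnvironment yes
+# AcceptEnv PATH
+# AcceptEnv RUBYLIB
+
+GatewayPorts clientspecified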
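Review bot: `GatewayPorts clientspecified` on line 96 lets any authenticated user have sshd bind remote port forwards on non-loopback addresses, exposing whatever they forward to every host the security group admits; given that lines 4–9 describe a hardening pass, it should be `GatewayPorts no` unless a specific task needs it, with a comment naming that task. `X11Forwarding yes` (line 73) is likewise unnecessary on a headless server image and should be `X11Forwarding no`. `PermitRootLogin without-password` (line 36) does limit root to key authentication but still contradicts the TODO on line 6, so a one-line comment explaining why root stays enabled for Capistrano until the admin user exists would help the next reader.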
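--- a/data/server/files/etc/sudoers
+++ b/data/server/files/etc/sudoers
@@ -0,0 +1,31 @@
+# /etc/sudoers
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the man page for details on how to write a sudoers file.
+# Host alias specification
+
+Defaults !lecture,tty_tickets,!fqdn
+
+root ALL=(ALL) ALL
+
+# The 'app' user can only run /usr/bin/god using sudo, and will not be
+# prompted for a password
+app ALL = NOPASSWD: /usr/bin/god
+
+# Users in the rootequiv group can run any command using sudo, without being
+# prompted for a password.
+# By default there are nousers in this group, but some EC2 on Rails Capistrano
+# tasks (which log in as the 'app' user) require the ability to use sudo so
+# they temporarily place the app user into this group for the duration of the
+# task.
+%rootequiv ALL=(ALL) NOPASSWD: ALL
+
+# Users in the admin group can run any command via sudo, but will be
+# prompted for their password.
+# By default there are no users in this group, but if you add named
+# administrator accounts, add them to this group. (You might do this if you
+# have multiple sysadmins and you want to use separate user accounts rather
+# than have multiple people sharing a root account.)
+%admin ALL=(ALL) ALL
+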
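Review bot: the comment on lines 12–13 says the 'app' user "can only run /usr/bin/god", but `app ALL = NOPASSWD: /usr/bin/god` on line 14 places no restriction on god's arguments, and god's configuration is Ruby code chosen on its command line, so in practice this grant is as broad as the rootequiv rule on line 22. Either state that in the comment (`# NOTE: an unrestricted god rule is effectively unrestricted root; see the rootequiv rule below`) or pin the rule to the shipped config, e.g. `app ALL = NOPASSWD: /usr/bin/god -c /etc/god/master.conf` — hedged, because the exact invocation the Capistrano tasks use is not visible here. The temporary rootequiv membership described on lines 18–21 also deserves a sentence noting that a task that fails midway can leave the app user in the group.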