Hardware

AMD Phenom(tm) II X4 965 Processor

16 GB DDR3

2x 1TB SATA HDD, RAID 1 (~850 GB usable)

Usage

The yuca server is sponsored by manitu for yunity development and foodsharing purposes.

  • project.yunity.org: project description web page (currently on OctoberCMS, with migration plans)
  • yuca.yunity.org: WordPress test setup for the project page
  • piwik.yunity.org: analytics server
  • various smaller PHP/MySQL projects from an older server
  • (todo) development preview of yunity software
  • (todo) build server of yunity software
  • (todo) beta launch of yunity software
  • (todo) foodsharing.de 2.0 launch server; at that time, all other purposes are moved to banana

Software setup

Operating system

Debian Jessie is used.

Must-have packages

  • tmux for persistent terminals (type "tmux attach" after the SSH connection to attach; ctrl+b then n or p for the next/previous pane, ctrl+b then c for a new pane)
  • imagemagick, as it is used by some web projects for graphics manipulation

Network configuration

  • 100 MBps connection (...)
  • 89.238.64.138/24
  • 2a00:1828:2000:873664::2/64

Webserver

Nginx, php5-fpm 5.6

Firewall

We use the ufw firewall software. Type "ufw status" to see which ports are allowed.

Default: deny (incoming), allow (outgoing)

SSL

All web traffic is by default redirected to the same URL on HTTPS. Define a server block for the domain if that should not happen.

SSL certificates from letsencrypt.org are used. For that, the simp_le client is used: the .well-known/ path is served from the common webroot /var/www/html on a wildcard server block (_). That enables a very simple default configuration. Just add all domains (including subdomains) to the script /opt/letsencrypt/update_keys.sh and rerun it. The webserver is automatically reloaded if certificates change.

HTTP Strict Transport Security is enabled in nginx.conf. The domain yunity.org was submitted for Chrome HSTS preloading (http://hstspreload.appspot.com/).

Monitoring

https://yuca-admin.yunity.org/ provides links to

  • munin (please activate reasonable plugins when you add services or sites, especially PHP status)
  • PHP OPcache statistics (please increase the SHM size when necessary)

Please add yourself to the mailing list serveradmin@yunity.org (in the manitu interface) to receive munin/postmaster/root/etc. emails from yuca.

Adding a new site/project

Each project should run its scripts under a separate user. To create a basic setup for SSL, PHP and serving static files, there is a script.

Websites

    /var/www/create.sh <projectname>

Execute it with a reasonable project name and it creates a directory structure, a user, a template nginx configuration and a template PHP configuration.

After that, edit the file

    /var/www/<projectname>/cert/dns

to include all your domains, one per line.

Be sure that the DNS entries point to this system before executing /opt/letsencrypt/update_keys.sh to generate the SSL certificates.

Edit

    /etc/nginx/sites-available/<projectname>

to set the right server_name and any additional webserver configuration.

Edit

    /etc/php5/fpm/pool.d/<projectname>

to reflect the special PHP settings you need.

Link your site to enable it:

    ln -s /etc/nginx/sites-available/<projectname> /etc/nginx/sites-enabled

Adding a new virtual host name

Create a new user

We are using one user per hosting environment.

    adduser --home /var/www/<name> <name>

PHP-FPM

Create an FPM pool file in

    /etc/php5/fpm/pool.d/

Starting the pool creates a unix socket file, which nginx uses as upstream.

Nginx

Add the FPM socket file in

    /etc/nginx/conf.d/php-upstream.conf

Create an nginx config file in

    /etc/nginx/sites-available/

and link it in

    /etc/nginx/sites-enabled/

Encryption

Create the file

    /var/www/<name>/cert/dns

and enter the domains of the virtual host.

Run

    /opt/letsencrypt/update_keys.sh

Log directory

Create the directory

    /var/www/<name>/log

to allow startup and logging of PHP-FPM.

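Before running /opt/letsencrypt/update_keys.sh in either of the two procedures above, checking that the domains in cert/dns really resolve to this host avoids a failed Let's Encrypt validation. The following POSIX shell script is an added example and not part of the yuca documentation; the function names, the "#" comment convention inside the dns file and the SERVER_ADDRS override are assumptions, while the default addresses are the ones listed under Network configuration.

```shell
#!/bin/sh
# Added preflight check for /opt/letsencrypt/update_keys.sh (not from the yuca
# docs): every domain in /var/www/<name>/cert/dns must already resolve to this
# server, because the Let's Encrypt challenge is answered from /.well-known/
# here. Defaults are yuca's documented addresses; override via SERVER_ADDRS.
SERVER_ADDRS="${SERVER_ADDRS:-89.238.64.138 2a00:1828:2000:873664::2}"

# Print the domains of a dns file, one per line and lowercased. Blank lines
# and "#" comments (an assumed convention) are skipped; a name with characters
# outside [a-z0-9.-] or with misplaced dots makes the function fail.
domains_from_dns_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    names=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' \
            | tr '[:upper:]' '[:lower:]')
    for name in $names; do
        case "$name" in
            *[!a-z0-9.-]*|.*|*.|*..*) echo "invalid domain: $name" >&2; return 1 ;;
        esac
        printf '%s\n' "$name"
    done
}

# Resolve a name to all of its A/AAAA records (one per line).
resolve_addrs() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Succeed only if $1 resolves and every one of its addresses belongs to this
# server; a single stale record is enough to make the challenge unreachable.
domain_points_here() {
    addrs=$(resolve_addrs "$1")
    [ -n "$addrs" ] || { echo "$1: does not resolve" >&2; return 1; }
    for a in $addrs; do
        case " $SERVER_ADDRS " in
            *" $a "*) ;;
            *) echo "$1: resolves to $a, not to this server" >&2; return 1 ;;
        esac
    done
}

# Check all domains of project $1 (or of the dns file given as $2); status 1 if any fail.
check_project() {
    dns_file="${2:-/var/www/$1/cert/dns}"
    domains=$(domains_from_dns_file "$dns_file") || return 1
    rc=0
    for d in $domains; do
        domain_points_here "$d" || rc=1
    done
    return $rc
}
```

Run "check_project <name>" as a wrapper before update_keys.sh; it reports every domain that still resolves elsewhere instead of stopping at the first one.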

Foodsaving Tool deployment

CircleCI deploys the frontend and the backend to yuca. The deploy user is "deploy"; change to it with "sudo -i -u deploy" (a login shell that starts in the user's home directory).

The frontend is just static files in "foodsaving-frontend/<branch>", served by nginx via "/etc/nginx/sites-enabled/foodsaving-world".

The same nginx config also calls the backend on /api/ via uWSGI. The upstream config is in "/etc/nginx/conf.d/uwsgi-upstream.conf", the socket definitions are in "/etc/uwsgi/sites-enabled/". These link back to the deploy directory in "foodsaving-backend/". Pay attention to the "config" directory, especially local_setting.py and secrets.py.

After changing the uWSGI config, call "systemctl restart uwsgi".

After changing the nginx config, call "nginx -t" to test the config and "systemctl reload nginx" to make it active.

After changing domains in "/var/www/*/cert/dns", call "/opt/letsencrypt/update_keys.sh" to update the certificates.