diff --git a/roles/bootnode/tasks/main.yml b/roles/bootnode/tasks/main.yml
index 5596e12..6136b45 100644
--- a/roles/bootnode/tasks/main.yml
+++ b/roles/bootnode/tasks/main.yml
@@ -49,7 +49,6 @@
 - git: repo=https://github.com/oraclesorg/oracles-dapps-voting.git dest={{ home }}/parity/dapps/Voting
 - git: repo=https://github.com/oraclesorg/oracles-dapps-validators.git dest={{ home }}/parity/dapps/ValidatorsList
-
 - name: Download parity-nouncles
   get_url: url="{{ parity_nouncles }}" dest={{ home }}/parity-nouncles mode=0755
@@ -62,16 +61,32 @@
 - name: Install oracles-pm2 service
   template: src=oracles-pm2.j2 dest=/etc/systemd/system/oracles-pm2.service owner=root group=root mode=0755
-- name: Ensure oracles-pm2 is running and enabled to start at boot
-  service: name=oracles-pm2 state=started enabled=yes
-
 - name: Install npm pm2
   npm: name="pm2" global="yes"
+- name: Ensure oracles-pm2 is running and enabled to start at boot
+  service: name=oracles-pm2 state=started enabled=yes
+
 - git: repo=https://github.com/oraclesorg/eth-net-intelligence-api dest={{ home }}/eth-net-intelligence-api
 - name: Install netstats config
-  template: src=app.json.j2 dest={{ home }}/eth-net-intelligence-api/app.json owner=root group=root mode=0644
+  template: src=app.json.j2 dest={{ home }}/eth-net-intelligence-api/app.json owner=bootnode group=bootnode mode=0644
+
+- git: repo=https://github.com/oraclesorg/oracles-initial-keys dest={{ home }}/oracles-initial-keys
+
+- file: path={{ home }} owner={{ username }} group={{ username }} recurse=yes
+
+- name: install npm netstats
+  shell: "cd /home/bootnode/eth-net-intelligence-api; /usr/bin/npm install"
+  become: true
+  become_user: "{{ username }}"
+  tags: test
+
+- name: install npm oracles-initial-keys
+  shell: "cd /home/bootnode/oracles-initial-keys; /usr/bin/npm install"
+  become: true
+  become_user: "{{ username }}"
+  tags: test
 - name: Install oracles-netstats service
   template: src=oracles-netstats.j2 dest=/etc/systemd/system/oracles-netstats.service owner=root group=root mode=0755
@@ -85,4 +100,3 @@
 - name: Install oracles-logrotate cron
   template: src=oracles-logrotate.j2 dest=/etc/cron.hourly/oracles-logrotate owner=root group=root mode=0755
-- git: repo=https://github.com/oraclesorg/oracles-initial-keys dest={{ home }}/oracles-initial-keys
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index d4b777b..31e1e5f 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
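Review bot: The two new `install npm …` tasks run `npm install` on checkouts whose revision is not pinned — neither `git:` task in this hunk sets `version:` — so every play fetches the current default-branch head of those repositories and then executes its install scripts and dependency tree as `{{ username }}`; pin `version:` to a tag or commit so the code that gets executed is reviewable. The same tasks hard-code `/home/bootnode` while every other path in the hunk uses `{{ home }}`, and the `shell: "cd …; npm install"` form is neither idempotent nor change-tracked; the `npm` module already used for pm2 covers this in one line, `npm: path={{ home }}/eth-net-intelligence-api` (keep `become`/`become_user`). The `tags: test` on both tasks looks like a leftover, since no other task visible in this file is tagged, and `owner=bootnode group=bootnode` on the app.json template should presumably be `{{ username }}` like the `file:` task a few lines below.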
@@ -1,17 +1,16 @@
 ---
-- name: Install nginx repo
-  template: src=nginx.repo.j2 dest=/etc/yum.repos.d/nginx.repo owner=root group=root mode=0644
-
 - name: Install nginx
-  yum: name=nginx state=latest
+  apt: name=nginx state=latest
+  tags: nginx
-- name: Install nginx.conf
-  template: src={{ item }}.j2 dest=/etc/nginx/{{ item }} owner=root group=root mode=0644
-  with_items:
- - nginx.conf
- - dhparam.pem
+- file: path=/etc/nginx/ssl state=directory mode=0755
+  tags: nginx
+
+- name: Generate self-signed SSL certificate
+  shell: openssl req -new -x509 -nodes -subj "/CN={{ ansible_host }}" -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt
   notify:
   - reload nginx
+  tags: nginx
 - name: Install nginx conf.d files
   template: src={{ item }}.j2 dest=/etc/nginx/conf.d/{{ item }} owner=root group=root mode=0644
@@ -19,10 +18,8 @@
   - default.conf
   notify:
   - reload nginx
+  tags: nginx
 - name: Ensure nginx is running and enabled to start at boot
   service: name=nginx state=started enabled=yes
-
-- include: vars.yml
-  tags:
- - nginx_vars
+  tags: nginx
diff --git a/roles/nginx/templates/default.conf.j2 b/roles/nginx/templates/default.conf.j2
index 9cab747..043b1ec 100644
--- a/roles/nginx/templates/default.conf.j2
+++ b/roles/nginx/templates/default.conf.j2
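Review bot: The `Generate self-signed SSL certificate` task has no `creates:`, so every run of the play overwrites `/etc/nginx/ssl/server.key` and `server.crt` with a fresh pair and fires the `reload nginx` handler; append `creates=/etc/nginx/ssl/server.crt` to the `shell:` line (matching the file's key=value style) so the key pair is generated once. `openssl req -x509` without `-days` issues a certificate valid for OpenSSL's default of 30 days, so the endpoint will start failing TLS validation a month after provisioning; add an explicit `-days` value. The private key is written with whatever umask the shell has, and the `mode=0755` on the `ssl` directory only covers the directory itself, so follow the task with `file: path=/etc/nginx/ssl/server.key owner=root group=root mode=0600`.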
@@ -1,231 +1,30 @@ -# {{ ansible_managed }} -proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=configs_cache:1m max_size=1g; - -log_format filter '$remote_addr - $remote_user [$time_local] ' - '"$temp" $status $request_length $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - -upstream app_admin { - {% for ip in nginx_pool %} - server {{ ip }}:5029; - {% endfor %} - keepalive 2000; - } - -upstream app_moderator { - {% for ip in nginx_pool %} - server {{ ip }}:5028; - {% endfor %} - keepalive 2000; - } - -upstream app_estimations { - {% for ip in nginx_pool %} - server {{ ip }}:5027; - {% endfor %} - keepalive 2000; - } - -upstream app_manager { - {% for ip in nginx_pool %} - server {{ ip }}:5026; - {% endfor %} - keepalive 2000; - } - -upstream app_support { - {% for ip in nginx_pool %} - server {{ ip }}:5025; - {% endfor %} - keepalive 2000; - } - -upstream app_call { - {% for ip in nginx_pool %} - server {{ ip }}:8000; - {% endfor %} - keepalive 2000; - } - -upstream app_prediction { - {% for ip in nginx_pool %} - server {{ ip }}:8010; - {% endfor %} - keepalive 2000; - } - server { - listen 80; - server_name www.owhealth.com api.owhealth.com owhealth.com; - root /home/website; + listen 443 ssl default_server; + listen [::]:443 ssl default_server; - location ~ /.well-known { - allow all; - root /home/www; + ssl_certificate /etc/nginx/ssl/server.crt; + ssl_certificate_key /etc/nginx/ssl/server.key; + + server_name _; + + location / { + proxy_set_header Host localhost:8545; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Content-Type application/json; + add_header Access-Control-Allow-Origin "*"; + add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"; + + if ($request_method = 'OPTIONS') { + add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; + add_header Access-Control-Allow-Origin "*"; + 
add_header Access-Control-Max-Age 600; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; } - - location /nginx-stats { - stub_status on; - access_log off; - allow 127.0.0.1; - allow 10.19.195.68; - deny all; - } - - location / { - return 301 https://$host$request_uri; - } -} - - -# Master backend server -server { - listen 443 ssl; - server_name api.owhealth.com owhealth.com *.owhealth.com; - - # Use certificate and key provided by Let's Encrypt: - ssl_certificate /etc/letsencrypt/live/api.owhealth.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/api.owhealth.com/privkey.pem; - ssl_session_timeout 20m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - #ssl_ciphers "EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4"; - ssl_dhparam /etc/nginx/dhparam.pem; - - set $temp $request; - - # Replace password in request with **** - if ($temp ~ (.*)password=[^&]*(.*)) { - set $temp $1password=****$2; - } - access_log off; - - # Manage static files - location ~ /\.git { - deny all; - } - - location = / { - return 301 https://flo.health/; - } - - location = /flo_about.html { - return 301 https://flo.health/about-us/; - } - - location / { - root /home/website/data/site; - try_files $uri $uri/ $uri/index.html =404; - } - - location 
/content { - root /home/api; - try_files $uri $uri/ $uri/index.html =404; - access_log /home/logging/content.access.log filter; - } - - location /call/v1/clientconfigs { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_call/v1/clientconfigs; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - - proxy_cache configs_cache; - proxy_cache_valid 10m; - } - - location /call { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_call/; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - proxy_buffer_size 32k; - proxy_buffers 32 32k; - client_body_buffer_size 1m; - } - - location /call/v1/estimations { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_prediction/v1/estimations; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - } - - location /call/v2/estimations { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_prediction/v2/estimations; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - } - - location /support { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_support/; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - allow 64.58.116.236; - deny all; - } - - location /manager { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - 
proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_manager/; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - allow 64.58.116.236; - deny all; - } - - location /estimations { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_estimations/; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - } - - location /moderator { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_moderator/; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - } - - location /admin { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://app_admin/; - proxy_ssl_session_reuse off; - proxy_set_header Host $http_host; - proxy_redirect off; - allow 64.58.116.236; - deny all; - } + proxy_pass http://localhost:8545; + } }
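Review bot: The new `location /` forwards every request on the public 443 `default_server` straight to `http://localhost:8545` with `Access-Control-Allow-Origin "*"` and no authentication, rate limit or body-size limit, so whatever that backend exposes (port 8545 suggests a JSON-RPC API, but its enabled method set is not visible in this diff) becomes callable from any origin by any browser. If only a known set of dapp origins is meant to use it, restrict `Access-Control-Allow-Origin` to those origins (a `map` on `$http_origin` is the usual form) and add `limit_req` and `client_max_body_size` on this location; at minimum add a comment above `location /` stating which backend methods are expected to be reachable here. Separately, this server block sets only `ssl_certificate`/`ssl_certificate_key` while the tasks file no longer templates `nginx.conf`/`dhparam.pem`, so protocol and cipher selection now falls back to the distro package defaults; if those are not acceptable for this deployment, add `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` alongside the certificate directives.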