mori — Mon, 10 Aug 2015 15:37:52 GMT

Hi Chris,

Can you please start with the first two items in the list

'Chris to create a new entry for the new prod site on CRIN2'

I've checked out the new codebase under /var/www/newprod/docroot. Please use it as the docroot of the new prod. The site should be accessible via newprod.crin.org

Chris to create a new database for the new prod site on CRIN1

Please create a new database newprod, along with a new user and its password. Can you create a file in CRIN4:/home/mori/ and store the username and password in there?

Thanks,

Mori

hours changed; totalhours set

chris — Tue, 11 Aug 2015 10:01:13 GMT

hours changed from 0 to 0.65
totalhours set to 0.65

Sounds like a very sensible set of steps.

Creating the database on Crin1:

mysql> CREATE DATABASE newprod;
mysql> GRANT ALL ON newprod.* to 'newprod'@'crin2' identified by 'XXX' REQUIRE SSL;
mysql> FLUSH PRIVILEGES;

Test the MySQL database and user from Crin2:

mysql -unewprod -p -hcrin1 newprod

That works fine. DB details saved to /home/mori/newprod.txt on Crin4.

Creating the directory on Crin2:

mkdir -p /var/www/newprod/docroot/

Copy live Nginx config:

cd /etc/nginx/sites-available
cp crin.org newprod.crin.org

Change these lines for the port 80 config:

        listen 80;
        #listen 80 default_server;
        #server_name www.crin.org;
        server_name newprod.crin.org;
        root /var/www/newprod/docroot;
        access_log /var/log/nginx/newprod.crin.org.access.log;
        error_log  /var/log/nginx/newprod.crin.org.error.log info;
        # login redirect
        location ~ /user {
                #rewrite ^/(.*)$ https://www.crin.org/$1? permanent;
                rewrite ^/(.*)$ https://newprod.crin.org/$1? permanent;
                #rewrite ^/(.*)$ https://$server_name/$1? permanent;
                #rewrite ^/(.*)$ https://crin.web1.crin.webarch.net/$1? permanent;
        }
#server {
#       listen 80;
#        server_name crin.org;
#
#        access_log /var/log/nginx/crin.org.access.log;
#        error_log  /var/log/nginx/crin.org.error.log info;
#
#        location / {
#               return      301 http://www.crin.org$request_uri;
#       }
#
#}

And these for port 443:

        #listen 443 ssl spdy default_server;
        listen 443 ssl spdy;
        server_name newprod.crin.org;
        #server_name www.crin.org;
        root /var/www/newprod/docroot;
        access_log /var/log/nginx/newprod.crin.org.ssl_access.log;
        error_log  /var/log/nginx/newprod.crin.org.ssl_error.log info;
#server {
#       listen 443 ssl spdy;
#        server_name crin.org;
#       return      301 https://www.crin.org$request_uri;
#        ssl  on;
#        ssl_certificate     /etc/ssl/gandi/crin.org.chained.pem;
#        ssl_certificate_key /etc/ssl/gandi/crin.org.key.pem;
#        #ssl_certificate  /etc/ssl/cacert/web1.crin.webarch.net.chained.pem;
#        #ssl_certificate_key  /etc/ssl/cacert/web1.crin.webarch.net.key.pem;
#       ssl_dhparam /etc/ssl/gandi/dhparam.pem;
#        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
#        ssl_prefer_server_ciphers on;
#       #add_header Strict-Transport-Security max-age=15768000;
#       # 24 hours
#       #add_header Strict-Transport-Security max-age=86400;
#       ## Use a SSL/TLS cache for SSL session resume.
#       ssl_session_cache shared:SSL:60m;
#       ssl_session_timeout 30m;
#       # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
#
#        # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
#        add_header X-Frame-Options SAMEORIGIN;
#
#       # OCSP Stapling -- this needs a newer version of Nginx
#       # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
#       # https://packages.debian.org/wheezy-backports/nginx-extras
#       # fetch OCSP records from URL in ssl_certificate and cache them
#       #ssl_stapling on;
#       #ssl_stapling_verify on;
#       ## verify chain of trust of OCSP response using Root CA and Intermediate certs
#       #ssl_trusted_certificate /etc/ssl/gandi/gandi.pem;
#}

Enable new config:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/newprod.crin.org 01-newprod.crin.org

Test:

service nginx configtest
Testing nginx configuration:.

Add the new DNS entry.

newprod 900 IN A 93.95.228.180

This will take some time to propagate.

Restart services on Crin2:

service nginx restart
service php5-fpm restart

I think that is everything I need to do for the first two steps?

mori — Tue, 11 Aug 2015 15:24:25 GMT

Thanks Chris.

Can you please add a new env var 'newprod' as well, if you haven't already?

chris — Tue, 11 Aug 2015 18:45:05 GMT

On Tue 11-Aug-2015 at 03:24:26PM -0000, CRIN Trac wrote:
>
>  Can you please add a new env var 'newprod' as well, if you haven't
>  already?
Have done now, sorry to have missed that earlier.

status changed; resolution set

chris — Thu, 07 Jan 2016 12:13:48 GMT

status changed from new to closed
resolution set to fixed

CRIN Trac: Ticket #31: Preparation for deployment to new prod

hours changed; totalhours set

status changed; resolution set