wiki:Crin4

Version 16 (modified by russell, 19 months ago) (diff)

--

Table of Contents

  1. SSH Fingerprints
  2. dev.crin.org and stage.crin.org
    1. HTTPS Certificates
    2. MySQL
    3. Nginx
      1. Env vars
      2. robots.txt
      3. /sites/default/files
  3. Access from live servers
  4. ssh access
  5. Munin
  6. Current crin4 tickets
  7. Closed crin4 tickets

crin4.crin.org

The crin4.crin.org development / staging server, at 93.95.228.222 is a 1GB RAM, 4 CPU core, virtual server running 64 bit Debian 8.0, Jessie, which was configured in July 2015 on ticket:23.

SSH Fingerprints

These were produced using the SshFingerprints script: 

1024 ea:4e:63:e7:cf:57:bc:15:1b:96:68:e7:d3:85:cb:d6 /etc/ssh/ssh_host_dsa_key.pub (DSA)
256 15:1a:8f:4a:a5:22:55:0a:99:12:28:77:91:e2:f1:2e /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
256 33:71:79:f5:1c:3e:b6:89:52:9a:a7:a5:56:f2:6c:2d /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
2048 e2:33:7b:fd:f3:ee:cd:4a:38:b3:68:dc:fb:c0:af:07 /etc/ssh/ssh_host_rsa_key.pub (RSA)

dev.crin.org and stage.crin.org

The two main sites on the server are:

HTTPS Certificates

These sites use a CAcert certificate.

MySQL

MySQL is running on Crin1 and that server also has phpMyAdmin available, users need a ~/.my.cnf file as follows for drush: 

[client]
host=crin1
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/ssl/cacert/cacert.pem
ssl-cert=/etc/ssl/cacert/crin1_cert.pem
ssl-key=/etc/ssl/cacert/crin1_yassl_privatekey.pem

If databases need to be copied best do this on Crin1 as the root user has root access to MySQL, there isn't (intentionally) root MySQL access to Crin1 the live MySQL server from Crin4, the dev server.

Nginx

The key Nginx config differences from the live site follow.

Env vars

These env vars are set: 

fastcgi_param SITE_ENV crin_dev;

fastcgi_param SITE_ENV crin_stage;

See ticket:23#comment:22 and ticket:23#comment:50

robots.txt

That a different robots.txt file is served to prevent the sites form being indexed: 

         location = /robots.txt {
                root /var/www/html;
        }

/sites/default/files

And if files are not found locally in /sites/default/files then they are reverse proxied off the live server as there isn't room for a full copy of these files: 

        location /sites/default/files {
                try_files   $uri @proxy_to_live;
        }
        location @proxy_to_live {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_redirect off;
                proxy_pass   http://www.crin.org$uri;
        }

Access from live servers

The live servers, Crin2 which runs nginx and php5-fpm and Crin1 which runs MySQL are both set up with root access to Crin4 so you can simply copy files between the servers, for example: 

rsync -av /var/example/ crin4:/var/example/

There isn't ssh access from the Crin4, the dev server to the live servers, Crin1 and Crin2 -- it is intentionally set up so there is only access from live to dev.

ssh access

The server is set up to only allow access via ssh keys, to add a new user: 

export NEWUSER="username"
adduser --disabled-password $NEWUSER
adduser $NEWUSER sudo
mkdir /home/$NEWUSER/.ssh
chmod 700 /home/$NEWUSER/.ssh
touch /home/$NEWUSER/.ssh/authorized_keys
chmod 600 /home/$NEWUSER/.ssh/authorized_keys
chown -R $NEWUSER:$NEWUSER  /home/$NEWUSER/.ssh
vi /home/$NEWUSER/.ssh/authorized_keys

Munin

Current crin4 tickets

Ticket Summary Owner Reporter
#122 DB sync failed chris russell
#103 Upgrade CRIN4 to 2GB of RAM chris chris
#102 Security certificate issue chris russell
#92 dev.crin.org needs /en appending the the URL for CSS to load chris chris
#49 Frozen emails on crin4 chris chris

Closed crin4 tickets

Ticket Summary Owner Reporter
#48 crin4 /tmp filling up chris chris
#23 Development and staging environment chris chris