ArielGlenn has submitted this change and it was merged.
Change subject: dumps: switch from lighttpd to nginx
......................................................................
dumps: switch from lighttpd to nginx
nginx is better supported internally these days and we've settled on it.
Switch to using it for dumps, which, thanks to better puppetization,
simplifies the manifests.
Change-Id: I2729610f82e061057d2b6fac222cb7cb7a71ee3e
---
D modules/dumps/files/lighttpd.conf
A modules/dumps/files/nginx.download.conf
A modules/dumps/files/nginx.dumps.conf
M modules/dumps/manifests/init.pp
4 files changed, 33 insertions(+), 239 deletions(-)
Approvals:
ArielGlenn: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/dumps/files/lighttpd.conf
b/modules/dumps/files/lighttpd.conf
deleted file mode 100644
index be80335..0000000
--- a/modules/dumps/files/lighttpd.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-# Debian lighttpd configuration file
-#
-
-############ Options you really have to take care of ####################
-
-## modules to load
-# mod_access, mod_accesslog and mod_alias are loaded by default
-# all other module should only be loaded if neccesary
-# - saves some time
-# - saves memory
-
-server.modules = (
- "mod_access",
- "mod_alias",
- "mod_accesslog",
-# "mod_compress",
-# "mod_rewrite",
- "mod_redirect",
-# "mod_evhost",
-# "mod_usertrack",
-# "mod_rrdtool",
-# "mod_webdav",
-# "mod_expire",
-# "mod_flv_streaming",
- "mod_evasive"
-)
-
-## a static document-root, for virtual-hosting take look at the
-## server.virtual-* options
-server.document-root = "/data/xmldatadumps/public"
-
-## where to upload files to, purged daily.
-server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
-
-## where to send error-messages to
-server.errorlog = "/var/log/lighttpd/error.log"
-
-## files to check for if .../ is requested
-index-file.names = ( "index.php", "index.html",
- "index.htm", "default.htm",
- "index.lighttpd.html" )
-
-
-## Use the "Content-Type" extended attribute to obtain mime type if possible
-# mimetype.use-xattr = "enable"
-
-#### accesslog module
-accesslog.filename = "/var/log/lighttpd/access.log"
-
-## deny access the file-extensions
-#
-# ~ is for backupfiles from vi, emacs, joe, ...
-# .inc is often used for code includes which should in general not be part
-# of the document-root
-url.access-deny = ( "~", ".inc" )
-
-##
-# which extensions should not be handle via static-file transfer
-#
-# .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
-static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
-
-
-######### Options that are good to be but not neccesary to be changed #######
-
-## Use ipv6 only if available.
-#include_shell "/usr/share/lighttpd/use-ipv6.pl"
-
-## bind to port (default: 80)
-server.port = 80
-
-## bind to localhost only (default: all interfaces)
-## server.bind = "localhost"
-
-## error-handler for status 404
-#server.error-handler-404 = "/error-handler.html"
-#server.error-handler-404 = "/error-handler.php"
-
-## to help the rc.scripts
-server.pid-file = "/var/run/lighttpd.pid"
-
-##
-## Format: <errorfile-prefix><status>.html
-## -> ..../status-404.html for 'File not found'
-#server.errorfile-prefix = "/var/www/"
-
-## virtual directory listings
-dir-listing.encoding = "utf-8"
-server.dir-listing = "enable"
-
-## send unhandled HTTP-header headers to error-log
-#debug.dump-unknown-headers = "enable"
-
-### only root can use these options
-#
-# chroot() to directory (default: no chroot() )
-#server.chroot = "/"
-
-## change uid to <uid> (default: don't care)
-server.username = "www-data"
-
-## change uid to <uid> (default: don't care)
-server.groupname = "www-data"
-
-server.max-fds = 8192
-
-#### compress module
-#compress.cache-dir = "/var/cache/lighttpd/compress/"
-#compress.filetype = ("text/plain", "text/html",
"application/x-javascript", "text/css")
-
-
-#### url handling modules (rewrite, redirect, access)
-# url.rewrite = ( "^/$" => "/server-status" )
-# url.redirect = ( "^/wishlist/(.+)" => "http://www.123.org/$1"
)
-
-#
-# define a pattern for the host url finding
-# %% => % sign
-# %0 => domain name + tld
-# %1 => tld
-# %2 => domain name without tld
-# %3 => subdomain 1 name
-# %4 => subdomain 2 name
-#
-# evhost.path-pattern = "/home/storage/dev/www/%3/htdocs/"
-
-#### expire module
-# expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" =>
"access plus 1 seconds 2 minutes")
-
-#### rrdtool
-# rrdtool.binary = "/usr/bin/rrdtool"
-# rrdtool.db-name = "/var/www/lighttpd.rrd"
-
-#### variable usage:
-## variable name without "." is auto prefixed by "var." and becomes "var.bar"
-#bar = 1
-#var.mystring = "foo"
-
-## integer add
-#bar += 1
-## string concat, with integer cast as string, result: "www.foo1.com"
-#server.name = "www." + mystring + var.bar + ".com"
-## array merge
-#index-file.names = (foo + ".php") + index-file.names
-#index-file.names += (foo + ".php")
-
-
-#### external configuration files
-## mimetype mapping
-include_shell "/usr/share/lighttpd/create-mime.assign.pl"
-
-## load enabled configuration files,
-## read /etc/lighttpd/conf-available/README first
-include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
-
-#### handle Debian Policy Manual, Section 11.5. urls
-## by default allow them only from localhost
-## (This must come last due to #445459)
-## Note: =~ "127.0.0.1" works with ipv6 enabled, whereas == "127.0.0.1" doesn't
-$HTTP["remoteip"] =~ "127.0.0.1" {
- alias.url += (
- "/doc/" => "/usr/share/doc/",
- "/images/" => "/usr/share/images/"
- )
- $HTTP["url"] =~ "^/doc/|^/images/" {
- dir-listing.activate = "enable"
- }
-}
-
-# webazilla.com, blocked for bulk retrieval of garbage urls and bandwidth
hogging,
-# 23 Aug 2011 -- atg
-$HTTP["remoteip"] == "78.140.0.0/16" {
- url.access-deny = ("")
-}
-
-$HTTP["remoteip"] == "199.101.0.0/16" {
- url.access-deny = ("")
-}
-# choopa.net 23 aug 2011, atg
-$HTTP["remoteip"] == "108.61.0.0/16" {
- url.access-deny = ("")
-}
-
-# we.love.servers.ioflood.com, 23 aug 2011, atg
-$HTTP["remoteip"] == "199.167.134.0/24" {
- url.access-deny = ("")
-}
-
-# rate limit anyone that's not us to 10 mbps per connection
-$HTTP["remoteip"] !~
"^(10\.0\.|208\.80\.152\.|208\.80\.154\.|91\.198\.174\.|10\.64\.|10\.65\.)" {
- connection.kbytes-per-second = 10000,
- evasive.max-conns-per-ip = 2
-}
-
-mimetype.assign += (
- ".gz" => "application/x-gzip",
- ".bz2" => "application/x-bzip"
-)
-
-$HTTP["scheme"] == "http" {
- # mobile and mediawiki tarballs are served at releases.wikimedia.org now
- url.redirect = ( "^/other/(iOS|PlayBook|win8|android)(|/.*)$" =>
"http://releases.wikimedia.org/mobile/$1$2",
- "^/(other/)?mediawiki(|/.*)$" =>
"http://releases.wikimedia.org/mediawiki/$2" )
-
- $HTTP["host"] =~ "^download\.wiki[pm]edia\.org" {
- url.redirect = ( "^/(.*)" => "http://dumps.wikimedia.org/$1" )
- }
-}
-
-$HTTP["scheme"] == "https" {
- # mobile and mediawiki tarballs are served at releases.wikimedia.org now
- url.redirect = ( "^/other/(iOS|PlayBook|win8|android)(|/.*)$" =>
"https://releases.wikimedia.org/mobile/$1$2",
- "^/(other/)?mediawiki(|/.*)$" =>
"https://releases.wikimedia.org/mediawiki/$2" )
-
- $HTTP["host"] =~ "^download\.wiki[pm]edia\.org" {
- url.redirect = ( "^/(.*)" => "https://dumps.wikimedia.org/$1" )
- }
-}
-
-$SERVER["socket"] == ":443" {
- ssl.engine = "enable"
- ssl.ca-file = "/etc/ssl/certs/RapidSSL_CA.pem"
- ssl.pemfile = "/etc/ssl/private/dumps.wikimedia.org.pem"
-}
diff --git a/modules/dumps/files/nginx.download.conf
b/modules/dumps/files/nginx.download.conf
new file mode 100644
index 0000000..c9b784e
--- /dev/null
+++ b/modules/dumps/files/nginx.download.conf
@@ -0,0 +1,5 @@
+server {
+ listen 80;
+ server_name download.wikimedia.org download.wikipedia.org;
+ rewrite ^ $scheme://dumps.wikimedia.org$request_uri permanent;
+}
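Review bot: This server block listens only on port 80, so `$scheme` here is always `http` and HTTPS requests for the download.* names are no longer redirected. The removed lighttpd config redirected those hosts under both schemes. With this layout such a request would presumably be answered by the `default` 443 server in nginx.dumps.conf and served content instead of a redirect. If HTTPS redirects are still wanted, add a TLS listener here (it needs a certificate covering these names, which is not visible in this change). Otherwise `return 301 http://dumps.wikimedia.org$request_uri;` states the intent more plainly than a catch-all `rewrite`.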
diff --git a/modules/dumps/files/nginx.dumps.conf
b/modules/dumps/files/nginx.dumps.conf
new file mode 100644
index 0000000..ab9580c
--- /dev/null
+++ b/modules/dumps/files/nginx.dumps.conf
@@ -0,0 +1,21 @@
+server {
+ listen 80 default;
+ listen 443 default ssl;
+ servername dumps.wikimedia.org;
+
+ ssl_certificate /etc/ssl/localcerts/dumps.wikimedia.org.chained.crt;
+ ssl_certificate_key /etc/ssl/private/dumps.wikimedia.org.key;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+
+ root /data/xmldatadumps/public;
+
+ location / {
+ index index.html index.htm;
+ autoindex on;
+ charset utf-8;
+ }
+
+ rewrite ^/other/(iOS|PlayBook|win8|android)(|/.*)$
$scheme://releases.wikimedia.org/mobile/$1$2
+ rewrite ^/(other/)?mediawiki(|/.*)$
$scheme://releases.wikimedia.org/mediawiki/$2
+}
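Review bot: `servername` on the fourth line of this block is not an nginx directive, and the two `rewrite` directives at the end have no terminating `;`, so nginx would be expected to reject this file at config test. The fix is `server_name dumps.wikimedia.org;` and a trailing `;` after each rewrite replacement, e.g. `$scheme://releases.wikimedia.org/mediawiki/$2;`. Separately, the deleted lighttpd config carried a per-connection bandwidth cap, `evasive.max-conns-per-ip = 2` for non-internal clients, four remote-IP deny blocks and `url.access-deny = ( "~", ".inc" )`, none of which has a counterpart here. If those controls are still wanted on a public `autoindex on` download host, nginx's `limit_conn`, `limit_rate` and `deny` cover them; if dropping them is intentional, the commit message should say so. No `ssl_protocols` or `ssl_ciphers` is set in this block, so TLS policy depends on whatever the shared nginx module configures, which is not visible in this change.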
diff --git a/modules/dumps/manifests/init.pp b/modules/dumps/manifests/init.pp
index bc9dd3d..ad8e99a 100644
--- a/modules/dumps/manifests/init.pp
+++ b/modules/dumps/manifests/init.pp
@@ -1,21 +1,13 @@
class dumps {
- package { 'lighttpd':
- ensure => latest,
- }
-
install_certificate{ 'dumps.wikimedia.org': ca => 'RapidSSL_CA.pem' }
- file { '/etc/lighttpd/lighttpd.conf':
- mode => '0444',
- owner => 'root',
- group => 'root',
- path => '/etc/lighttpd/lighttpd.conf',
- source => 'puppet:///modules/dumps/lighttpd.conf',
+ include ::nginx
+ nginx::site { 'dumps':
+ source => 'puppet:///modules/dumps/nginx.dumps.conf',
+ notify => Service['nginx'],
}
-
- service { 'lighttpd':
- ensure => running,
+ nginx::site { 'download':
+ source => 'puppet:///modules/dumps/nginx.download.conf',
+ notify => Service['nginx'],
}
-
- include vm::higher_min_free_kbytes
}
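Review bot: Dropping the `package`, `file` and `service` resources for lighttpd only makes Puppet stop managing it; nothing here stops or removes it on hosts that are already provisioned. A lighttpd that is still running would keep ports 80 and 443 bound, and nginx would likely fail to start on them. For the transition, consider `package { 'lighttpd': ensure => absent }`, or stopping the service explicitly before nginx is notified. Also, nginx.dumps.conf points at `/etc/ssl/localcerts/dumps.wikimedia.org.chained.crt` and `/etc/ssl/private/dumps.wikimedia.org.key`, so confirm that `install_certificate` actually creates those files, since that is not visible here. The removal of `include vm::higher_min_free_kbytes` is unrelated to the web server swap and is not mentioned in the commit message.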
--
To view, visit https://gerrit.wikimedia.org/r/185151
Gerrit-MessageType: merged
Gerrit-Change-Id: I2729610f82e061057d2b6fac222cb7cb7a71ee3e
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: ArielGlenn <[email protected]>
Gerrit-Reviewer: jenkins-bot <>