
Nephwork (Browse Miscellaneous / nephwork.renalreg.org - Bitbucket (ukrdc.org)) is deployed on the renalreg server at the URL https://nephwork.renalreg.org. (It is also configured for https://nephwork.renal.org.)

The service runs as the nephwork user, with the Software Collections Apache 2.4 server (/opt/rh/httpd24) in front of it as a proxy (config files in /opt/rh/httpd24/root/etc/httpd/conf.d). Currently the site uses an SQLite database, but it will probably need to switch to PostgreSQL in due course because of SQLite's limits in a multi-user environment.


nephwork.conf
# nephwork.renal.org
# nephwork.renalreg.org

# Plain-HTTP listener for nephwork.renal.org. It serves no content of its
# own: every request is answered with a permanent redirect to the HTTPS site.
<VirtualHost *:80>
    ServerName nephwork.renal.org

    Redirect permanent / https://nephwork.renal.org/
    # Requires mod_headers. "always" makes the header apply to the redirect
    # response as well as to successful responses.
    Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>


# Plain-HTTP listener for nephwork.renalreg.org. It serves no content of its
# own: every request is answered with a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName nephwork.renalreg.org

    # NOTE(review): the target is the renal.org host, not
    # https://nephwork.renalreg.org/, so plain-HTTP visitors to this name end
    # up on the other domain although this name has its own :443 virtual
    # host. Confirm that the cross-domain redirect is intended.
    Redirect permanent / https://nephwork.renal.org/
    # Requires mod_headers. "always" makes the header apply to the redirect
    # response as well as to successful responses.
    Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>

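# TLS virtual host for nephwork.renal.org: terminates HTTPS, serves /static
# straight from disk and reverse-proxies everything else to the application
# listening on 127.0.0.1:9887.
<VirtualHost *:443>
    ServerName nephwork.renal.org

    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/renal.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/renal.org.key
    # NOTE(review): SSLCertificateChainFile is deprecated from httpd 2.4.8;
    # there the intermediates can be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /etc/pki/tls/certs/IntermediateCA.crt
    # TLS 1.1 is switched off explicitly. Every suite in SSLCipherSuite below
    # is a TLS 1.2 suite, so a TLS 1.1 client could not complete a handshake
    # anyway; listing it here makes the protocol floor visible in the config.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # AEAD suites (AES-GCM, ChaCha20-Poly1305) come first; the last four are
    # CBC-mode suites kept as a fallback. NOTE(review): drop the CBC entries
    # once no supported client depends on them.
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder     on

    # Response headers (mod_headers is required).
    Header always set X-Frame-Options "SAMEORIGIN"
    # NOTE(review): X-Xss-Protection is ignored by current browsers; a
    # Content-Security-Policy is the maintained replacement.
    Header always set X-Xss-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    # HSTS (31536000 seconds = 1 year), including subdomains of this host.
    # Keep a single Strict-Transport-Security directive: a later
    # "Header always set" with the same name replaces an earlier one, so a
    # second value would silently win over the documented one.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # NOTE(review): SSLProxyEngine only matters for https:// backends; the
    # ProxyPass target below is plain http on loopback.
    SSLProxyEngine          On
    # Reverse proxy only: forward (open) proxying stays disabled.
    ProxyRequests           Off
    # Pass the client's Host header through to the application.
    ProxyPreserveHost       On

    ProxyVia Off

    # Static files are served by httpd itself and excluded from proxying.
    Alias "/static" "/home/nephwork/nephworksite/static"
    <Directory "/home/nephwork/nephworksite/static">
        Require all granted
    </Directory>
    <Location "/static">
        ProxyPass !
    </Location>

    # Access control for proxied requests. With ProxyRequests Off this grants
    # access to the reverse-proxy mapping below, not to a forward proxy.
    <Proxy *>
        Require all granted
    </Proxy>

    ProxyPass / http://127.0.0.1:9887/
    ProxyPassReverse / http://127.0.0.1:9887/

</VirtualHost>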


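# TLS virtual host for nephwork.renalreg.org: terminates HTTPS, serves
# /static straight from disk and reverse-proxies everything else to the
# application listening on 127.0.0.1:9887.
<VirtualHost *:443>
    ServerName nephwork.renalreg.org

    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/star_renalreg_org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/star_renalreg_org.key
    # NOTE(review): SSLCertificateChainFile is deprecated from httpd 2.4.8;
    # there the intermediates can be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt
    # TLS 1.1 is switched off explicitly. Every suite in SSLCipherSuite below
    # is a TLS 1.2 suite, so a TLS 1.1 client could not complete a handshake
    # anyway; listing it here makes the protocol floor visible in the config.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # AEAD suites (AES-GCM, ChaCha20-Poly1305) come first; the last four are
    # CBC-mode suites kept as a fallback. NOTE(review): drop the CBC entries
    # once no supported client depends on them.
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder     on

    # Response headers (mod_headers is required).
    Header always set X-Frame-Options "SAMEORIGIN"
    # NOTE(review): X-Xss-Protection is ignored by current browsers; a
    # Content-Security-Policy is the maintained replacement.
    Header always set X-Xss-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    # HSTS (31536000 seconds = 1 year), including subdomains of this host.
    # Keep a single Strict-Transport-Security directive: a later
    # "Header always set" with the same name replaces an earlier one, so a
    # second value would silently win over the documented one.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # NOTE(review): SSLProxyEngine only matters for https:// backends; the
    # ProxyPass target below is plain http on loopback.
    SSLProxyEngine          On
    # Reverse proxy only: forward (open) proxying stays disabled.
    ProxyRequests           Off
    # Pass the client's Host header through to the application.
    ProxyPreserveHost       On

    ProxyVia Off

    # Static files are served by httpd itself and excluded from proxying.
    Alias "/static" "/home/nephwork/nephworksite/static"
    <Directory "/home/nephwork/nephworksite/static">
        Require all granted
    </Directory>
    <Location "/static">
        ProxyPass !
    </Location>

    # Access control for proxied requests. With ProxyRequests Off this grants
    # access to the reverse-proxy mapping below, not to a forward proxy.
    <Proxy *>
        Require all granted
    </Proxy>

    ProxyPass / http://127.0.0.1:9887/
    ProxyPassReverse / http://127.0.0.1:9887/

</VirtualHost>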


The site code is located in /home/nephwork/nephwork.renalreg.org  and is run on port 9887.

The site is managed using the script /home/nephwork/bin/nephwork, which takes the commands start, stop and force-reload/restart.

nephwork
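#! /bin/bash
### BEGIN INIT INFO
# Provides:          nephwork
# Required-Start:    nginx/apache
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: The main django process
# Description:       The gunicorn process that receives HTTP requests
#                    from nginx/apache
#
### END INIT INFO
#
# Author:       Tim Whitlock <tim.whitlock@renalregistry.nhs.uk>
#
# Usage:  nephwork {start|stop|restart|force-reload}
# Exit:   0 when the requested action succeeded, otherwise the status of the
#         failed gunicorn/killproc call (1 for an unknown action).
#
# NOTE(review): if this script is started as root, the venv "activate" file
# and the gunicorn executable under $PROJDIR are run with root privileges
# (gunicorn documents --user as applying to its worker processes). $PROJDIR
# lives in the service account's home directory, so either run this script as
# that account or keep the venv not writable by it.

# Replace this with absolute path to project directory if used as init.d script
#PROJDIR="$(dirname `dirname "${BASH_SOURCE[0]}"`)";
PROJDIR="/home/nephwork/nephwork.renalreg.org"

APPNAME=nephwork
USER=nephwork
# Fixed PATH so the tools used below do not depend on the caller's environment.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
ACTIVATE="$PROJDIR/venv/bin/activate"
APPMODULE=nephwork.wsgi
DAEMON=gunicorn
# Loopback only: the application is reachable solely through the Apache proxy.
BIND=127.0.0.1:9887
# Put under /var/run and /var/log to make more consistent with other init.d scripts
# Subdirectories in /var/run and /var/log need to be owned by this user for logging and pid to be saved.
#PIDFILE=$PROJDIR/$DAEMON-nephwork.pid
PIDFILE="/var/run/nephwork/$DAEMON-nephwork.pid"
#LOGFILE=$PROJDIR/logs/$DAEMON-nephwork.log
LOGFILE="/var/log/nephwork/$DAEMON-nephwork.log"
WORKERS=2

# Status of the last start/stop attempt; becomes the script's exit status.
RETVAL=0

#if [ ! -d "$PROJDIR/logs" ]; then
#    mkdir -p "$PROJDIR/logs";
#fi

if [ ! -d "/var/log/nephwork" ]; then
    mkdir -p "/var/log/nephwork"
fi


# Provides log_success_msg, log_failure_msg and killproc.
. /lib/lsb/init-functions


# Optional site overrides. The file is executed as shell code with this
# script's privileges, so it must be writable by root only.
if [ -e "/etc/default/$APPNAME" ]
then
    . "/etc/default/$APPNAME"
fi


case "${1:-}" in
  start)
        # log_daemon_msg "Starting deferred execution scheduler" "$APPNAME"
        source "$ACTIVATE"
        "$DAEMON" --daemon --bind="$BIND" --pid="$PIDFILE" --workers="$WORKERS" --user="$USER" --log-file="$LOGFILE" "$APPMODULE"

        RETVAL=$?
        if [ "$RETVAL" -eq 0 ]; then
            log_success_msg "$APPNAME has started"
        else
            log_failure_msg "Failed to start $APPNAME"
        fi
    ;;
  stop)
        # log_daemon_msg "Stopping deferred execution scheduler" "$APPNAME"
        killproc -p "$PIDFILE" "$DAEMON"
        RETVAL=$?
        if [ "$RETVAL" -eq 0 ]; then
            log_success_msg "$APPNAME has stopped"
        else
            log_failure_msg "Failed to stop $APPNAME"
        fi
    ;;
  force-reload|restart)
    # A failed stop (for example, the service was not running) must not
    # prevent the start; the restart reports the status of the start.
    "$0" stop
    "$0" start
    RETVAL=$?
    ;;
  *)
    echo "Usage: ./bin/$APPNAME {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

# Propagate failure so callers and monitoring can tell that start/stop did
# not work, instead of always reporting success.
exit "$RETVAL"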




