Nephwork Server Config
Ensure python3.6 and git25 are selected in this environment.
The default Python is 2.7 and the default git is 1.7; neither is new enough for this project. Newer versions from the software collections have been installed and can be enabled with:

    scl enable rh-python36 bash
    scl enable sclo-git25 bash

Nephwork (repository: Miscellaneous / nephwork.renalreg.org on Bitbucket, ukrdc.org) is deployed on the renalreg server at https://nephwork.renalreg.org. It is also configured for https://nephwork.renal.org.
The service is run under the nephwork user, using the software collection Apache 2.4 server (/opt/rh/httpd24) as a proxy (config files in /opt/rh/httpd24/root/etc/httpd/conf.d). Currently the site makes use of the sqlite database, but it will probably need to switch to a postgresql one in due course due to the limits of the sqlite database when used in a multiuser environment.

    # nephwork.renal.org
    # nephwork.renalreg.org
    <VirtualHost *:80>
        ServerName nephwork.renal.org
        Redirect permanent / https://nephwork.renal.org/
        Header always set X-Frame-Options "SAMEORIGIN"
    </VirtualHost>

    <VirtualHost *:80>
        ServerName nephwork.renalreg.org
        Redirect permanent / https://nephwork.renal.org/
        Header always set X-Frame-Options "SAMEORIGIN"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName nephwork.renal.org
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/renal.org.crt
        SSLCertificateKeyFile /etc/pki/tls/private/renal.org.key
        SSLCertificateChainFile /etc/pki/tls/certs/IntermediateCA.crt
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
        Header always set Strict-Transport-Security "max-age=15768000"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        SSLProxyEngine On
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyVia Off
        Alias "/static" "/home/nephwork/nephworksite/static"
        <Directory "/home/nephwork/nephworksite/static">
            Require all granted
        </Directory>
        <Location "/static">
            ProxyPass !
        </Location>
        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass / http://127.0.0.1:9887/
        ProxyPassReverse / http://127.0.0.1:9887/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName nephwork.renalreg.org
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/star_renalreg_org.crt
        SSLCertificateKeyFile /etc/pki/tls/private/star_renalreg_org.key
        SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
        Header always set Strict-Transport-Security "max-age=15768000"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        SSLProxyEngine On
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyVia Off
        Alias "/static" "/home/nephwork/nephworksite/static"
        <Directory "/home/nephwork/nephworksite/static">
            Require all granted
        </Directory>
        <Location "/static">
            ProxyPass !
        </Location>
        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass / http://127.0.0.1:9887/
        ProxyPassReverse / http://127.0.0.1:9887/
    </VirtualHost>

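Both :443 virtual hosts above set Strict-Transport-Security twice. With `Header always set` the later line replaces the earlier one, so the policy actually served is the one-year value with includeSubDomains, not the six-month value named in the comment. The check below is an added example, not part of the Nephwork repository: it reports the effective value of every `Header always set` directive per virtual host and the values that get discarded. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the first :443 virtual host above.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName nephwork.renal.org
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
SERVER_NAME = re.compile(r"ServerName\s+(\S+)", re.I)
# Only the form used on this page: Header always set <name> "<value>"
HEADER_SET = re.compile(r'Header\s+always\s+set\s+(\S+)\s+"([^"]*)"', re.I)

def audit_headers(conf_text):
    """Map each virtual host to its effective headers and the values it discards."""
    report, block = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := VHOST_OPEN.match(line)):
            block = {"addr": m.group(1), "name": "?", "effective": {}, "overridden": []}
        elif block is None:
            continue  # directive outside any virtual host: not audited here
        elif line.lower().startswith("</virtualhost"):
            key = "%s [%s]" % (block.pop("name"), block.pop("addr"))
            report[key] = block
            block = None
        elif (m := SERVER_NAME.match(line)):
            block["name"] = m.group(1)
        elif (m := HEADER_SET.match(line)):
            name, value = m.group(1).lower(), m.group(2)
            if name in block["effective"]:  # a later "set" replaces the earlier one
                block["overridden"].append((name, block["effective"][name]))
            block["effective"][name] = value
    return report

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    found = re.search(r"max-age=(\d+)", value, re.I)
    return int(found.group(1)) if found else None

if __name__ == "__main__":
    for vhost, result in audit_headers(SAMPLE_CONF).items():
        print(vhost, result["effective"], "discarded:", result["overridden"])
```

Run against the real files in /opt/rh/httpd24/root/etc/httpd/conf.d, any non-empty "discarded" list marks a directive that has no effect and should be removed or reconciled with its comment.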
The site code is located in /home/nephwork/nephwork.renalreg.org and is run on port 9887.
The required Django settings are configured using the standard construct of a settings folder containing settings files for different environments. There is a base settings file and then individualised settings files for the different environments (local and production in this case). The correct settings file is selected using the DJANGO_SETTINGS_MODULE environment variable.
When running the site, ensure the environment variable is set appropriately:

    # Settings files
    ls -l nephwork/settings
    total 20
    -rw-r--r--. 1 nephwork nephwork 3975 Nov 25 16:32 base.py
    -rw-r--r--. 1 nephwork nephwork   29 Nov 25 16:32 __init__.py
    -rw-r--r--. 1 nephwork nephwork  429 Nov 25 16:32 local.py
    -rw-r--r--. 1 nephwork nephwork 1213 Nov 25 16:32 production.py

    # Configure production settings
    export DJANGO_SETTINGS_MODULE=nephwork.settings.production

Note: the environment variable needs setting before running the start script to ensure the correct settings file is picked up:

    export DJANGO_SETTINGS_MODULE=nephwork.settings.production;/home/nephwork/bin/nephwork start

To export the DJANGO_SETTINGS_MODULE value permanently in every nephwork user session, add the following line to ~/.bash_profile:

    export DJANGO_SETTINGS_MODULE=nephwork.settings.production

To load the new variable in the current session, run:

    source ~/.bash_profile

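A pre-start check for the procedure above, as an added example that is not part of the Nephwork repository. It refuses to proceed unless DJANGO_SETTINGS_MODULE names the production settings, and, because Apache runs with ProxyPreserveHost On and Django therefore sees the original Host header, it also checks that ALLOWED_HOSTS covers both public names. The contents of production.py are not shown on this page, so the DEBUG and ALLOWED_HOSTS expectations are assumptions, and `preflight`, `host_allowed` and `fake_loader` are hypothetical names.

```python
import importlib
import types

EXPECTED_MODULE = "nephwork.settings.production"  # value exported on this page
PUBLIC_HOSTS = ("nephwork.renalreg.org", "nephwork.renal.org")  # Apache ServerNames


def host_allowed(host, allowed_hosts):
    """Mirror Django's ALLOWED_HOSTS matching: exact, '*', or '.domain' suffix."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def preflight(environ, load=importlib.import_module):
    """Return a list of problems; an empty list means it is safe to start."""
    name = environ.get("DJANGO_SETTINGS_MODULE")
    if name != EXPECTED_MODULE:
        return ["DJANGO_SETTINGS_MODULE is %r, expected %r" % (name, EXPECTED_MODULE)]
    settings = load(name)
    problems = []
    if getattr(settings, "DEBUG", False):  # assumed requirement for production
        problems.append("DEBUG is on in %s" % name)
    allowed = getattr(settings, "ALLOWED_HOSTS", [])
    for host in PUBLIC_HOSTS:
        if not host_allowed(host, allowed):
            problems.append("ALLOWED_HOSTS does not cover %s" % host)
    return problems


def fake_loader(**values):
    """Constructed stand-in for the real settings module, so this runs offline."""
    module = types.ModuleType(EXPECTED_MODULE)
    vars(module).update(values)
    return lambda _name: module


if __name__ == "__main__":
    env = {"DJANGO_SETTINGS_MODULE": EXPECTED_MODULE}
    print(preflight({}))  # variable missing, e.g. a shell that skipped ~/.bash_profile
    print(preflight(env, fake_loader(DEBUG=False, ALLOWED_HOSTS=[".renalreg.org"])))
```

On the server, call `preflight(os.environ)` from the project directory with the virtualenv active so the default loader imports the real settings module.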
The site is managed using a script in /home/nephwork/bin/nephwork which takes the commands start, stop and force-reload/restart:

    #! /bin/bash
    ### BEGIN INIT INFO
    # Provides:          nephwork
    # Required-Start:    nginx/apache
    # Required-Stop:
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: The main django process
    # Description:       The gunicorn process that receives HTTP requests
    #                    from nginx/apache
    #
    ### END INIT INFO
    #
    # Author: Tim Whitlock <tim.whitlock@renalregistry.nhs.uk>
    #
    # Replace this with absolute path to project directory if used as init.d script
    #PROJDIR="$(dirname `dirname "${BASH_SOURCE[0]}"`)";
    PROJDIR="/home/nephwork/nephwork.renalreg.org";
    APPNAME=nephwork
    USER=nephwork
    PATH=/bin:/usr/bin:/sbin:/usr/sbin
    ACTIVATE=$PROJDIR/venv/bin/activate
    APPMODULE=nephwork.wsgi
    DAEMON=gunicorn
    BIND=127.0.0.1:9887
    # Put under /var/run and /var/log to make more consistent with other init.d scripts
    # Subdirectories in /var/run and /var/log need to be owned by this user for logging and pid to be saved.
    #PIDFILE=$PROJDIR/$DAEMON-nephwork.pid
    PIDFILE=/var/run/nephwork/$DAEMON-nephwork.pid
    #LOGFILE=$PROJDIR/logs/$DAEMON-nephwork.log
    LOGFILE=/var/log/nephwork/$DAEMON-nephwork.log
    WORKERS=2

    #if [ ! -d "$PROJDIR/logs" ]; then
    #    mkdir -p "$PROJDIR/logs";
    #fi
    if [ ! -d "/var/log/nephwork" ]; then
        mkdir -p "/var/log/nephwork";
    fi

    . /lib/lsb/init-functions

    if [ -e "/etc/default/$APPNAME" ]
    then
        . /etc/default/$APPNAME
    fi

    case "$1" in
      start)
        # log_daemon_msg "Starting deferred execution scheduler" "$APPNAME"
        source $ACTIVATE
        $DAEMON --daemon --bind=$BIND --pid=$PIDFILE --workers=$WORKERS --user=$USER --log-file=$LOGFILE $APPMODULE
        RETVAL=$?
        if [ $RETVAL = 0 ]; then
            log_success_msg "$APPNAME has started";
        else
            log_failure_msg "Failed to start $APPNAME";
        fi
        ;;
      stop)
        # log_daemon_msg "Stopping deferred execution scheduler" "$APPNAME"
        killproc -p $PIDFILE $DAEMON
        RETVAL=$?
        if [ $RETVAL = 0 ]; then
            log_success_msg "$APPNAME has stopped";
        else
            log_failure_msg "Failed to stop $APPNAME";
        fi
        ;;
      force-reload|restart)
        $0 stop
        $0 start
        ;;
      *)
        echo "Usage: ./bin/$APPNAME {start|stop|restart|force-reload}"
        exit 1
        ;;
    esac
    exit 0

The log files can be found in /var/log/httpd24 for proxy issues and /var/log/nephwork for Django site related issues.