Wednesday, January 19, 2011

Nginx / HAProxy / Varnish

I've spent a bit of time trying to come up with a clean stack of Nginx, HAProxy and Varnish based on this Server Fault question.

Here's what I've come up with... Comments?

Note: 'FOO' placeholders have been substituted to obfuscate real names.


#--------------------------------------------------------------------------------
# Nginx Config - SSL Termination
# TODO: Consider patched stunnel
# /etc/nginx/sites-enabled/default

# HTTPS server used to pass through to HAProxy
server {
    listen 443;

    ssl on;
    ssl_certificate /etc/ssl/FOO.crt;
    ssl_certificate_key /etc/ssl/FOO.key;
    ssl_session_timeout 5m;
    # Protocol and cipher list as written in 2011; SSLv2 and SSLv3 are broken
    # and should not be offered on a current deployment.
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    # HAProxy pass through (HAProxy binds port 80 on this host)
    location / {
        proxy_pass http://127.0.0.1/;
        proxy_redirect http://127.0.0.1/ http://$host:$server_port/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Health check gif
    location = /1x1.gif {
        empty_gif;
    }
}




#--------------------------------------------------------------------------------
# HAProxy Config - Load Balancing
# /etc/haproxy/haproxy.cfg

global
    daemon
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    spread-checks 50

defaults
    balance roundrobin
    log global
    mode http
    option httplog
    option forwardfor
    option http-server-close
    retries 3
    # Timeouts in milliseconds (contimeout/clitimeout/srvtimeout are the
    # deprecated spellings of these keywords; do not mix the two forms)
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    stats enable
    stats refresh 300s
    stats uri /STATSFOOURL
    stats auth USERNAMEFOO:PASSWORDFOO

frontend Incoming
    bind :80
    default_backend live_pool

    ########################################
    # Map to alternate backends

    # QA: match on server name
    acl qa hdr_dom(host) -i qa
    use_backend qa_pool if qa

    # Staging: match on server name
    acl staging hdr_dom(host) -i staging
    use_backend staging_pool if staging

    # Static content: match on URL path
    # (the name here must match the "backend" section below exactly)
    acl static path_beg /FOOversionFOO/
    use_backend varnish_cache if static


backend live_pool
    # The per-server "cookie" values only take effect once the backend also
    # carries a "cookie <name> insert" line (same for the pools below)
    server live-app-01:8080 live-app-01:8080 cookie a0 check inter 3000 rise 2 fall 3 maxconn 255
    server live-app-01:8081 live-app-01:8081 cookie a1 check inter 3000 rise 2 fall 3 maxconn 255
    # Healthcheck URL
    option httpchk GET /areyoureadyeddie
    # HAProxy status page
    stats admin if TRUE

backend qa_pool
    server qa-app:9090 qa-app:9090 cookie a0 check inter 3000 rise 2 fall 3 maxconn 255
    server qa-app:9091 qa-app:9091 cookie a1 check inter 3000 rise 2 fall 3 maxconn 255
    # Healthcheck URL
    option httpchk GET /areyoureadyeddie
    # HAProxy status page
    stats admin if TRUE

backend staging_pool
    server staging-app:9090 staging-app:9090 cookie a0 check inter 3000 rise 2 fall 3 maxconn 255
    server staging-app:9091 staging-app:9091 cookie a1 check inter 3000 rise 2 fall 3 maxconn 255
    # Healthcheck URL
    option httpchk GET /areyoureadyeddie
    # HAProxy status page
    stats admin if TRUE

# Local varnish cache (referenced by "use_backend varnish_cache" above)
backend varnish_cache
    server localhost localhost:6081 check inter 3s
    option httpchk GET /FOO/cached/test.png

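The one thing that quietly breaks a stack like this is a use_backend that names a backend section spelled differently from where it is defined: HAProxy refuses to load such a config, but the error can take a while to read. As an added example (not code from the original post), here is a small Python cross-reference check over the HAProxy names; the sample config is constructed to contain such a mismatch, the helper is hypothetical, and `haproxy -c -f /etc/haproxy/haproxy.cfg` remains the authoritative check.

```python
"""Cross-reference check for an HAProxy config (hypothetical helper, not
part of the original post): every default_backend/use_backend must name a
defined backend/listen section, and every use_backend condition must name
an acl declared in the same section. `haproxy -c -f FILE` is authoritative."""
import re
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b(?:\s+(\S+))?")
# Constructed sample: the static-content rule points at a backend spelled
# differently from the section that defines it; qa_pool and acl qa are absent.
SAMPLE_CFG = """\
frontend Incoming
    default_backend live_pool
    acl static path_beg /FOOversionFOO/
    use_backend varnish_cache if static
    use_backend qa_pool if qa

backend live_pool
    server live-app-01:8080 live-app-01:8080 check inter 3000

backend thoughts_varnish_cache
    server localhost localhost:6081 check inter 3s
"""

def check_references(cfg_text):
    """Return a list of problem strings; empty means every name resolves."""
    defined, acls, backend_refs, acl_refs, section = set(), {}, [], [], None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:  # section header: remember backend names, start a new acl scope
            kind, name = m.group(1), m.group(2)
            section = name or kind
            acls.setdefault(section, set())
            if kind in ("backend", "listen"):
                defined.add(name)
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) > 1:
            acls.setdefault(section, set()).add(parts[1])
        elif parts[0] in ("default_backend", "use_backend") and len(parts) > 1:
            backend_refs.append((section, parts[1]))
            # "use_backend X if a !b or c": bare tokens after if/unless are acl
            # names; anonymous "{ ... }" conditions are not resolved here
            if parts[0] == "use_backend" and len(parts) > 3 and "{" not in line:
                acl_refs += [(section, t.lstrip("!")) for t in parts[3:] if t not in ("or", "||")]
    problems = [f"{s}: references undefined backend '{n}'" for s, n in backend_refs if n not in defined]
    problems += [f"{s}: references undefined acl '{n}'" for s, n in acl_refs if n not in acls.get(s, set())]
    return problems
```

Running `check_references(SAMPLE_CFG)` reports the misspelled varnish backend plus the missing qa_pool backend and qa acl; renaming the section to varnish_cache clears the first of the three.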



#--------------------------------------------------------------------------------
# Varnish Config - Caching (set your expires headers correctly and use versioned URLs)
# /etc/varnish/default.vcl
# (Varnish 2.x VCL syntax: req.request and return(lookup))

# Backend server
# TODO: get a director pool working
backend default {
    .host = "live-app-01";
    .port = "8080";
}

# Unset any cookies and authorization data for static links and icons, and fetch from cache
sub vcl_recv {
    if (req.request == "GET" && req.url ~ "^/FOOversionFOO/") {
        unset req.http.cookie;
        unset req.http.Authorization;
        return(lookup);
    }
}

# Add some header hints to show varnish performance
sub vcl_deliver {
    set resp.http.X-Served-By = server.hostname;
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
        set resp.http.X-Cache-Hits = obj.hits;
    } else {
        set resp.http.X-Cache = "MISS";
    }
    return(deliver);
}

Wednesday, January 12, 2011

Fixing Apple Push Notification Service - Entrust Cert - Ubuntu Servers

If your iPhone app's push notifications are broken, you were probably hit by the expiry of the Entrust CA certificate file.

You shouldn't need to generate a new pem file; all you need to do is make sure your system has an updated crt file.

On most Ubuntu systems the file that needs to be updated is in the /usr/share/ca-certificates/mozilla directory.

/etc/ssl/certs is full of symlinks -- most of them pointing to that directory.

So archive your old 2048-bit certificate.


mv /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt.expired


And pull down the updated file.


wget -O /usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt https://www.entrust.net/downloads/binary/entrust_2048_ca.cer --no-check-certificate


That should get your notifications flowing again.