rephrase
Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
This commit is contained in:
parent
0fd0d02e03
commit
465a1a8be4
1 changed files with 18 additions and 14 deletions
|
@ -2,15 +2,12 @@
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
|
|
||||||
As the [[!ungleich]]
|
As [[!ungleich]] focusses on educated customers,
|
||||||
focusses on educated customers, we meet pretty cool
|
we meet pretty cool infrastructures from time to time.
|
||||||
infrastructures from time to time.
|
|
||||||
|
|
||||||
In some sense I count [[!localch]]
|
In some sense I count [[!localch]]
|
||||||
as a customer: they supported me with one day off
|
as a customer: they supported me with one day off
|
||||||
per week so I was able to found the ungleich GmbH
|
per week so I was able to found [[!ungleich]]
|
||||||
and acquire first customers.
|
and acquire first customers.
|
||||||
|
|
||||||
This article is dedicated to local.ch and describes
|
This article is dedicated to local.ch and describes
|
||||||
a very elegant solution for Ruby on Rails hosting.
|
a very elegant solution for Ruby on Rails hosting.
|
||||||
|
|
||||||
|
@ -28,7 +25,8 @@ together in an elegant way:
|
||||||
## Nginx
|
## Nginx
|
||||||
|
|
||||||
The great trick of the setup is that nginx is used to forward requests
|
The great trick of the setup is that nginx is used to forward requests
|
||||||
to a unix socket that depends on the **hostname**. The following
|
to a unix socket that depends on the **hostname**, which is
|
||||||
|
exposed as **$host** by nginx. The following
|
||||||
configuration snippet contains the important parts:
|
configuration snippet contains the important parts:
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
@ -43,6 +41,10 @@ configuration snippet contains the important parts:
|
||||||
root /var/nginx/$host/current/public;
|
root /var/nginx/$host/current/public;
|
||||||
[...]
|
[...]
|
||||||
|
|
||||||
|
location ~ ^/assets/ {
|
||||||
|
root /var/nginx/$host/current/public;
|
||||||
|
[...]
|
||||||
|
|
||||||
root /var/nginx/$host/current/public;
|
root /var/nginx/$host/current/public;
|
||||||
location @unicorn {
|
location @unicorn {
|
||||||
proxy_pass http://unix:/var/nginx/$host/unicorn.sock;
|
proxy_pass http://unix:/var/nginx/$host/unicorn.sock;
|
||||||
|
@ -66,11 +68,11 @@ as setup by nginx.
|
||||||
## Application Deployment
|
## Application Deployment
|
||||||
|
|
||||||
Applications are deployed under their project name below
|
Applications are deployed under their project name below
|
||||||
**/var/nginx** (like ws-locomotive.dev-deploy or ws-locomotive.master).
|
**/var/nginx**
|
||||||
|
(like **ws-locomotive.dev-deploy** or **ws-locomotive.master**).
|
||||||
As you can see from the naming, developers can deploy one application
|
As you can see from the naming, developers can deploy one application
|
||||||
from different branches easily (dev-deploy and master branches is this
|
from different branches easily (dev-deploy and master branches is this
|
||||||
case).
|
case).
|
||||||
|
|
||||||
Developers can use [[!capistrano]] to deploy their applications
|
Developers can use [[!capistrano]] to deploy their applications
|
||||||
and don't need to interact (reload/restart) with nginx, as it is
|
and don't need to interact (reload/restart) with nginx, as it is
|
||||||
already configured to accept any hostname.
|
already configured to accept any hostname.
|
||||||
|
@ -78,8 +80,9 @@ already configured to accept any hostname.
|
||||||
## Name Server Configuration
|
## Name Server Configuration
|
||||||
|
|
||||||
As you can imagine, it would be quite cumbersome for developers to
|
As you can imagine, it would be quite cumbersome for developers to
|
||||||
reach a host named **ws-locomotive.dev-deploy**, a wildcard domain
|
reach a host named **ws-locomotive.dev-deploy**.
|
||||||
is configured that points to the box running nginx:
|
That is why a wildcard domain is configured to point
|
||||||
|
to the host running nginx:
|
||||||
|
|
||||||
*.play.intra.local.ch. CNAME rails-dev-vm-snr01.intra.local.ch.
|
*.play.intra.local.ch. CNAME rails-dev-vm-snr01.intra.local.ch.
|
||||||
|
|
||||||
|
@ -104,12 +107,13 @@ with:
|
||||||
The setup is pretty elegant, because it allows developers to
|
The setup is pretty elegant, because it allows developers to
|
||||||
create new development environments without interacting with any
|
create new development environments without interacting with any
|
||||||
sysadmin to configure nginx, bind or whatsoever.
|
sysadmin to configure nginx, bind or whatsoever.
|
||||||
|
|
||||||
There is a security drawback though:
|
There is a security drawback though:
|
||||||
An attacker could try to use hostnames like
|
An attacker could try to use hostnames like
|
||||||
**../../../../etc/** and request the file **passwd**.
|
**../../../../etc/** and request the file **passwd**.
|
||||||
|
That is the reasion why this service is not exposed
|
||||||
And that is the reasion why service is not exposed to the outside world...
|
to the outside world directly, but all external requests
|
||||||
|
are filtered (whitelisting) by a load balancer in front
|
||||||
|
of the rails hosts.
|
||||||
|
|
||||||
|
|
||||||
[[!tag net unix foss ungleich localch]]
|
[[!tag net unix foss ungleich localch]]
|
||||||
|
|
Loading…
Reference in a new issue