-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinstallation.txt
137 lines (100 loc) · 3.58 KB
/
installation.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# installation using nginx and uwsgi
# install required packages (as root)
yum install nginx python36-virtualenv
# configure nginx
vim /etc/nginx/nginx.conf ### comment location / { }
cat <<EOF > /etc/nginx/default.d/climatedata-api.conf
listen 443 default_server ssl;
server_name data.climatedata.ca;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_certificate /etc/nginx/data.climatedata.ca.pem;
ssl_certificate_key /etc/nginx/data.climatedata.ca.pem;
location /robots.txt {
root /home/uwsgi/climatedata-api/static;
}
location / {
include uwsgi_params;
gzip on;
gzip_types text/html application/json;
uwsgi_pass unix:/home/uwsgi/run/uwsgi.sock;
add_header 'Access-Control-Allow-Origin' '*';
}
location /geoserver/ {
proxy_pass http://127.0.0.1:8080/geoserver/;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
EOF
cat /etc/letsencrypt/live/data.climatedata.ca/{cert,chain,privkey}.pem > /etc/nginx/data.climatedata.ca.pem
# check nginx config
nginx -t
# create uwsgi user
useradd uwsgi -m -G nginx
chmod 0755 /home/uwsgi
# as uwsgi user (sudo -u uwsgi -i)
# clone this project in ~/
cd ~
mkdir /home/uwsgi/run
git clone https://www.crim.ca/stash/scm/ccsc/climatedata-api.git
# create virtualenv
virtualenv-3.6 ~/venv-climatedata-api
source ~/venv-climatedata-api/bin/activate
pip install -r ~/climatedata-api/requirements.txt
pip install uwsgi
# configure local settings
cat <<EOF > ~/climatedata-api/local_settings.py
DEBUG = False
NETCDF_ROOT_FOLDER = "/mnt/8tbsata/netcdfs/"
SENTRY_DSN = "<fill this in>"
EOF
# test application
cd ~/climatedata-api
CLIMATEDATA_FLASK_SETTINGS=local_settings.py uwsgi --socket 0.0.0.0:5000 --protocol=http -w wsgi:app
curl "http://localhost:5000/get_location_values_allyears.php?lat=46.3333334&lon=-72.5166667"
### switch back to root ###
# selinux fixes
semanage fcontext -a -t httpd_sys_content_t '/home/uwsgi/climatedata-api(/.*)?'
semanage fcontext -a -t httpd_exec_t '/home/uwsgi/venv-climatedata-api/bin/uwsgi'
semanage fcontext -a -t httpd_var_run_t '/home/uwsgi/run(/.*)?'
semanage fcontext -a -t lib_t '/home/uwsgi/venv-climatedata-api(/.*)?'
restorecon /home/uwsgi -R
cd /tmp
cat <<EOF > httpd_proc_read.te
module httpd_proc_read 1.0;
require {
type httpd_t;
type sysctl_net_t;
class file { open read };
}
#============= httpd_t ==============
allow httpd_t sysctl_net_t:file { open read };
EOF
checkmodule -M -m -o httpd_proc_read.mod httpd_proc_read.te
semodule_package -o httpd_proc_read.pp -m httpd_proc_read.mod
semodule -i httpd_proc_read.pp
# as root, install the service
cat <<EOF > /etc/systemd/system/climatedata-api.service
[Unit]
Description=uWSGI instance to serve climatedata-api
After=network.target
[Service]
User=uwsgi
Group=nginx
WorkingDirectory=/home/uwsgi/climatedata-api
Environment="PATH=/home/uwsgi/venv-climatedata-api/bin"
ExecStart=/home/uwsgi/venv-climatedata-api/bin/uwsgi --ini uwsgi.ini
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable climatedata-api
systemctl start climatedata-api
# check logs and daemon status
systemctl status climatedata-api
# stop and disable apache
systemctl stop httpd; systemctl start nginx
systemctl disable httpd
systemctl enable nginx
systemctl stop php-fpm
systemctl disable php-fpm