cmthakur · August 29, 2015 14:09
diff --git a/deploy.rb b/deploy.rb
 # Capistrano configuration
 # 
 # require 'new_relic/recipes'         - Newrelic notification about deployment
 # require 'capistrano/ext/multistage' - We use 2 deployment environment: staging and production.
 # set :deploy_via, :remote_cache      - fetch only latest changes during deployment
 # set :normalize_asset_timestamps     - no need to touch (date modification) every assets
 # "deploy:web:disable"                - traditional maintenance page (during DB migrations deployment)
 # task :restart                       - Unicorn with preload_app should be reloaded by USR2+QUIT signals, not HUP


 require 'bundler/capistrano'
 require 'capistrano/ext/multistage'
 require 'new_relic/recipes'

 set :stages,                     %w(staging production)
 set :default_stage,              "staging"

 set :scm,                        :git
 set :repository,                 "..."
 set :deploy_via,                 :remote_cache
 default_run_options[:pty]        = true

 set :application,                "app"
 set :use_sudo,                   false
 set :user,                       "app"
 set :normalize_asset_timestamps, false


 before "deploy",                 "deploy:web:disable"
 before "deploy:stop",            "deploy:web:disable"

 after  "deploy:update_code",     "deploy:symlink_shared"

 after  "deploy:start",           "deploy:web:enable"
 after  "deploy",                 "deploy:web:enable", "deploy:cleanup"


 namespace :deploy do

  %w[start stop].each do |command|
    desc "#{command} unicorn server"
    task command, :roles => :app, :except => { :no_release => true } do
      run "#{current_path}/config/server/#{rails_env}/unicorn_init.sh #{command}"
    end
  end

  desc "restart unicorn server"
  task :restart, :roles => :app, :except => { :no_release => true } do
    run "#{current_path}/config/server/#{rails_env}/unicorn_init.sh upgrade"
  end


  desc "Link in the production database.yml and assets"
  task :symlink_shared do
    run "ln -nfs #{deploy_to}/shared/config/database.yml #{release_path}/config/database.yml"
  end


  namespace :web do
    desc "Maintenance start"
    task :disable, :roles => :web do
      on_rollback { run "rm #{shared_path}/system/maintenance.html" }
      page = File.read("public/503.html")
      put page, "#{shared_path}/system/maintenance.html", :mode => 0644
    end
    
    desc "Maintenance stop"
    task :enable, :roles => :web do
      run "rm #{shared_path}/system/maintenance.html"
    end
  end

 end


 namespace :log do
  desc "A pinch of tail"
  task :tailf, :roles => :app do
    run "tail -n 10000 -f #{shared_path}/log/#{rails_env}.log" do |channel, stream, data|
      puts "#{data}"
      break if stream == :err
    end
  end
 end
diff --git a/nginx.conf b/nginx.conf
 # Nginx main block configuration file.
 # The most important directives here are ssl_protocols and ssl_ciphers
 # Keep nginx configuration in repo, then just include it in /opt/nginx/conf/nginx.conf
 # And DDoS prevent attack with directive limit_req_zone (limit 10 request/sec from 1 IP address)
 # then it enables in the server block by "limit_req zone=one".

 user                          app;
 worker_processes              2;
 worker_priority               -5;

 error_log                     logs/nginx.error.log  crit;

 events {
    use                       epoll;
    worker_connections        2048;
 }


 http {
    client_max_body_size      25m;
    client_body_buffer_size   128k;
    client_body_temp_path     /tmp/client_body_temp;

    include                   mime.types;
    default_type              application/octet-stream;
    server_tokens             off;
    sendfile                  on;
    keepalive_timeout         70;

    gzip                      on;
    gzip_http_version         1.1;
    gzip_disable              "msie6";
    gzip_vary                 on;
    gzip_min_length           1100;
    gzip_buffers              64 8k;
    gzip_comp_level           3;
    gzip_proxied              any;
    gzip_types                text/plain text/css application/x-javascript text/xml application/xml;

    ssl_certificate           /opt/nginx/ssl_certs/server.crt;
    ssl_certificate_key       /opt/nginx/ssl_certs/server.key;
    ssl_session_timeout       15m;
    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;

    add_header                Strict-Transport-Security "max-age=16070400; includeSubdomains";
    add_header                X-Frame-Options DENY;

    limit_req_zone            $binary_remote_addr zone=one:10m rate=10r/s;

    include /home/app/public_html/app_production/current/config/server/nginx_host.conf;
 }
diff --git a/nginx_host.conf b/nginx_host.conf
 # Nginx server block configuration with proxy_pass to Unicorn upstream
 # We use full-SSL site with web-server redirection, no mess with Rails application redirection

 upstream unicorn {
  server              unix:/tmp/unicorn.production.sock fail_timeout=0;
 }


 server {
  listen              80;
  server_name         server.com;
  rewrite             ^(.*) https://$host$1 permanent;

  location ~ \.(php|html)$ {
    deny              all;
  }

  access_log          /dev/null;
  error_log           /dev/null;
 }


 server {
  ssl                 on;
  listen              443 ssl;
  server_name         server.com;

  root                /home/app/public_html/app_production/current;
  try_files           $uri /public/system/maintenance.html @unicorn;

  location @unicorn {
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_set_header  Host $http_host;
    proxy_redirect    off;
    proxy_pass        http://unicorn;

    limit_req         zone=one;

    access_log        /dev/null;
    error_log         logs/unicorn.error.log;
  }


  error_page   500 502 504  /500.html;
  error_page   503 @503;

  location = /50x.html {
      root   html;
  }

  location = /404.html {
      root   html;
  }
  
  location @503 {
    error_page 405 = /system/maintenance.html;
    if (-f $document_root/system/maintenance.html) {
      rewrite ^(.*)$ /system/maintenance.html break;
    }
    rewrite ^(.*)$ /503.html break;
  }

  if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){
    return 405;
  }

  if (-f $document_root/system/maintenance.html) {
    return 503;
  }


  location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ {
    root        /home/app/public_html/app_production/current/public;
    gzip_static on;
    expires     max;
    add_header  Cache-Control public;
    add_header  Last-Modified "";
    add_header  ETag "";
    break;
  }


  location ~ \.(php|html)$ {
    return 405;
  }


  access_log /dev/null;
  error_log /dev/null;
 }
diff --git a/nginx_setup.sh b/nginx_setup.sh
 # Nginx optimal congifuration guide.
 # We use latest stable nginx with fresh **openssl**, **zlib** and **pcre** dependencies.
 # Some extra handy modules to use: --with-http_stub_status_module --with-http_gzip_static_module

 $ cd /usr/src
 $ wget http://nginx.org/download/nginx-1.2.2.tar.gz
 $ tar xzvf ./nginx-1.2.2.tar.gz && rm -f ./nginx-1.2.2.tar.gz
 $ wget http://zlib.net/zlib127.zip
 $ unzip zlib127.zip && rm -f zlib127.zip
 $ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
 $ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
 $ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
 $ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz

 $ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_gzip_static_module

 $ make && make install
 $ mkdir /tmp/client_body_temp
diff --git a/unicorn.rb b/unicorn.rb
 # Unicorn configuration file to be running by unicorn_init.sh with capistrano task
 # read an example configuration before: http://unicorn.bogomips.org/examples/unicorn.conf.rb
 # 
 # working_directory, pid, paths - internal Unicorn variables must to setup
 # worker_process 4              - is good enough for serve small production application
 # timeout 30                    - time limit when unresponded workers to restart
 # preload_app true              - the most interesting option that confuse a lot of us,
 #                                 just setup is as true always, it means extra work on 
 #                                 deployment scripts to make it correctly
 # before_fork, after_fork       - reconnect to all dependent services: DB, Redis, Sphinx etc.
 #                                 deal with old_pid only if CPU or RAM are limited enough


 working_directory "/home/app/public_html/app_production/current"
 pid               "/home/app/public_html/app_production/current/tmp/pids/unicorn.pid"
 stderr_path       "/home/app/public_html/app_production/current/log/unicorn.log"
 stdout_path       "/home/app/public_html/app_production/current/log/unicorn.log"

 listen            "/tmp/unicorn.production.sock"
 worker_processes  4
 timeout           30
 preload_app       true


 before_fork do |server, worker|
  if defined?(ActiveRecord::Base)
    ActiveRecord::Base.connection.disconnect!
  end

  old_pid = "#{server.config[:pid]}.oldbin"
  if old_pid != server.pid
    begin
      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
      Process.kill(sig, File.read(old_pid).to_i)
    rescue Errno::ENOENT, Errno::ESRCH
    end
  end

  if defined?(Resque)
    Resque.redis.quit
  end

  sleep 1
 end


 after_fork do |server, worker|
  if defined?(ActiveRecord::Base)
    ActiveRecord::Base.establish_connection
  end
  
  if defined?(Resque)
    Resque.redis           = 'localhost:6379'
  end
 end
diff --git a/unicorn_init.sh b/unicorn_init.sh
 # Unicorn handle shell script
 # 
 # APP_ROOT, PID             - are the same as you setup above
 # CMD                       - use bundle binstubs (bundle install --binstubs) to 
 #                             forget about "bundle exec" stuff, run in demonize mode
 #                             bin/unicorn is for Rack application (config.ru in root dir), but 
 #                             bin/unicorn_rails is to use with Rails 2.3
 #
 # To handle "app_preload true" configuration we should use USR2+QUIT signals, not HUP!
 # So we rewrite capistrano deployment scripts to manage it.


 #!/bin/sh
 set -e
 # Example init script, this can be used with nginx, too,
 # since nginx and unicorn accept the same signals

 TIMEOUT=${TIMEOUT-60}
 APP_ROOT=/home/app/public_html/app_production/current
 PID=$APP_ROOT/tmp/pids/unicorn.pid
 CMD="$APP_ROOT/bin/unicorn -D -c $APP_ROOT/config/server/unicorn.rb -E production"
 action="$1"
 set -u

 old_pid="$PID.oldbin"

 cd $APP_ROOT || exit 1

 sig () {
        test -s "$PID" && kill -$1 `cat $PID`
 }

 oldsig () {
        test -s $old_pid && kill -$1 `cat $old_pid`
 }

 case $action in
 start)
        sig 0 && echo >&2 "Already running" && exit 0
        $CMD
        ;;
 stop)
        sig QUIT && exit 0
        echo >&2 "Not running"
        ;;
 force-stop)
        sig TERM && exit 0
        echo >&2 "Not running"
        ;;
 restart|reload)
        sig HUP && echo reloaded OK && exit 0
        echo >&2 "Couldn't reload, starting '$CMD' instead"
        $CMD
        ;;
 upgrade)
        if sig USR2 && sleep 2 && sig 0 && oldsig QUIT
        then
                n=$TIMEOUT
                while test -s $old_pid && test $n -ge 0
                do
                        printf '.' && sleep 1 && n=$(( $n - 1 ))
                done
                echo

                if test $n -lt 0 && test -s $old_pid
                then
                        echo >&2 "$old_pid still exists after $TIMEOUT seconds"
                        exit 1
                fi
                exit 0
        fi
        echo >&2 "Couldn't upgrade, starting '$CMD' instead"
        $CMD
        ;;
 reopen-logs)
        sig USR1
        ;;
 *)
        echo >&2 "Usage: $0 <start|stop|restart|upgrade|force-stop|reopen-logs>"
        exit 1
        ;;
 esac
	# Capistrano configuration
	#
	# require 'new_relic/recipes' - Newrelic notification about deployment
	# require 'capistrano/ext/multistage' - We use 2 deployment environment: staging and production.
	# set :deploy_via, :remote_cache - fetch only latest changes during deployment
	# set :normalize_asset_timestamps - no need to touch (date modification) every assets
	# "deploy:web:disable" - traditional maintenance page (during DB migrations deployment)
	# task :restart - Unicorn with preload_app should be reloaded by USR2+QUIT signals, not HUP


	require 'bundler/capistrano'
	require 'capistrano/ext/multistage'
	require 'new_relic/recipes'

	set :stages, %w(staging production)
	set :default_stage, "staging"

	set :scm, :git
	set :repository, "..."
	set :deploy_via, :remote_cache
	default_run_options[:pty] = true

	set :application, "app"
	set :use_sudo, false
	set :user, "app"
	set :normalize_asset_timestamps, false


	before "deploy", "deploy:web:disable"
	before "deploy:stop", "deploy:web:disable"

	after "deploy:update_code", "deploy:symlink_shared"

	after "deploy:start", "deploy:web:enable"
	after "deploy", "deploy:web:enable", "deploy:cleanup"


	namespace :deploy do

	%w[start stop].each do \|command\|
	desc "#{command} unicorn server"
	task command, :roles => :app, :except => { :no_release => true } do
	run "#{current_path}/config/server/#{rails_env}/unicorn_init.sh #{command}"
	end
	end

	desc "restart unicorn server"
	task :restart, :roles => :app, :except => { :no_release => true } do
	run "#{current_path}/config/server/#{rails_env}/unicorn_init.sh upgrade"
	end


	desc "Link in the production database.yml and assets"
	task :symlink_shared do
	run "ln -nfs #{deploy_to}/shared/config/database.yml #{release_path}/config/database.yml"
	end


	namespace :web do
	desc "Maintenance start"
	task :disable, :roles => :web do
	on_rollback { run "rm #{shared_path}/system/maintenance.html" }
	page = File.read("public/503.html")
	put page, "#{shared_path}/system/maintenance.html", :mode => 0644
	end

	desc "Maintenance stop"
	task :enable, :roles => :web do
	run "rm #{shared_path}/system/maintenance.html"
	end
	end

	end


	namespace :log do
	desc "A pinch of tail"
	task :tailf, :roles => :app do
	run "tail -n 10000 -f #{shared_path}/log/#{rails_env}.log" do \|channel, stream, data\|
	puts "#{data}"
	break if stream == :err
	end
	end
	end
	# Nginx main block configuration file.
	# The most important directives here are ssl_protocols and ssl_ciphers
	# Keep nginx configuration in repo, then just include it in /opt/nginx/conf/nginx.conf
	# And DDoS prevent attack with directive limit_req_zone (limit 10 request/sec from 1 IP address)
	# then it enables in the server block by "limit_req zone=one".

	user app;
	worker_processes 2;
	worker_priority -5;

	error_log logs/nginx.error.log crit;

	events {
	use epoll;
	worker_connections 2048;
	}


	http {
	client_max_body_size 25m;
	client_body_buffer_size 128k;
	client_body_temp_path /tmp/client_body_temp;

	include mime.types;
	default_type application/octet-stream;
	server_tokens off;
	sendfile on;
	keepalive_timeout 70;

	gzip on;
	gzip_http_version 1.1;
	gzip_disable "msie6";
	gzip_vary on;
	gzip_min_length 1100;
	gzip_buffers 64 8k;
	gzip_comp_level 3;
	gzip_proxied any;
	gzip_types text/plain text/css application/x-javascript text/xml application/xml;

	ssl_certificate /opt/nginx/ssl_certs/server.crt;
	ssl_certificate_key /opt/nginx/ssl_certs/server.key;
	ssl_session_timeout 15m;
	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers RC4:HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

	add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
	add_header X-Frame-Options DENY;

	limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

	include /home/app/public_html/app_production/current/config/server/nginx_host.conf;
	}
	# Nginx server block configuration with proxy_pass to Unicorn upstream
	# We use full-SSL site with web-server redirection, no mess with Rails application redirection

	upstream unicorn {
	server unix:/tmp/unicorn.production.sock fail_timeout=0;
	}


	server {
	listen 80;
	server_name server.com;
	rewrite ^(.*) https://$host$1 permanent;

	location ~ \.(php\|html)$ {
	deny all;
	}

	access_log /dev/null;
	error_log /dev/null;
	}


	server {
	ssl on;
	listen 443 ssl;
	server_name server.com;

	root /home/app/public_html/app_production/current;
	try_files $uri /public/system/maintenance.html @unicorn;

	location @unicorn {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header Host $http_host;
	proxy_redirect off;
	proxy_pass http://unicorn;

	limit_req zone=one;

	access_log /dev/null;
	error_log logs/unicorn.error.log;
	}


	error_page 500 502 504 /500.html;
	error_page 503 @503;

	location = /50x.html {
	root html;
	}

	location = /404.html {
	root html;
	}

	location @503 {
	error_page 405 = /system/maintenance.html;
	if (-f $document_root/system/maintenance.html) {
	rewrite ^(.*)$ /system/maintenance.html break;
	}
	rewrite ^(.*)$ /503.html break;
	}

	if ($request_method !~ ^(GET\|HEAD\|PUT\|POST\|DELETE\|OPTIONS)$ ){
	return 405;
	}

	if (-f $document_root/system/maintenance.html) {
	return 503;
	}


	location ~ ^/(assets\|images\|javascripts\|stylesheets\|swfs\|system)/ {
	root /home/app/public_html/app_production/current/public;
	gzip_static on;
	expires max;
	add_header Cache-Control public;
	add_header Last-Modified "";
	add_header ETag "";
	break;
	}


	location ~ \.(php\|html)$ {
	return 405;
	}


	access_log /dev/null;
	error_log /dev/null;
	}
	# Nginx optimal congifuration guide.
	# We use latest stable nginx with fresh openssl, zlib and pcre dependencies.
	# Some extra handy modules to use: --with-http_stub_status_module --with-http_gzip_static_module

	$ cd /usr/src
	$ wget http://nginx.org/download/nginx-1.2.2.tar.gz
	$ tar xzvf ./nginx-1.2.2.tar.gz && rm -f ./nginx-1.2.2.tar.gz
	$ wget http://zlib.net/zlib127.zip
	$ unzip zlib127.zip && rm -f zlib127.zip
	$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
	$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
	$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
	$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz

	$ cd nginx-1.2.2 && ./configure --prefix=/opt/nginx --with-pcre=/usr/src/pcre-8.30 --with-zlib=/usr/src/zlib-1.2.7 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --with-http_stub_status_module --with-http_gzip_static_module

	$ make && make install
	$ mkdir /tmp/client_body_temp
	# Unicorn configuration file to be running by unicorn_init.sh with capistrano task
	# read an example configuration before: http://unicorn.bogomips.org/examples/unicorn.conf.rb
	#
	# working_directory, pid, paths - internal Unicorn variables must to setup
	# worker_process 4 - is good enough for serve small production application
	# timeout 30 - time limit when unresponded workers to restart
	# preload_app true - the most interesting option that confuse a lot of us,
	# just setup is as true always, it means extra work on
	# deployment scripts to make it correctly
	# before_fork, after_fork - reconnect to all dependent services: DB, Redis, Sphinx etc.
	# deal with old_pid only if CPU or RAM are limited enough


	working_directory "/home/app/public_html/app_production/current"
	pid "/home/app/public_html/app_production/current/tmp/pids/unicorn.pid"
	stderr_path "/home/app/public_html/app_production/current/log/unicorn.log"
	stdout_path "/home/app/public_html/app_production/current/log/unicorn.log"

	listen "/tmp/unicorn.production.sock"
	worker_processes 4
	timeout 30
	preload_app true


	before_fork do \|server, worker\|
	if defined?(ActiveRecord::Base)
	ActiveRecord::Base.connection.disconnect!
	end

	old_pid = "#{server.config[:pid]}.oldbin"
	if old_pid != server.pid
	begin
	sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
	Process.kill(sig, File.read(old_pid).to_i)
	rescue Errno::ENOENT, Errno::ESRCH
	end
	end

	if defined?(Resque)
	Resque.redis.quit
	end

	sleep 1
	end


	after_fork do \|server, worker\|
	if defined?(ActiveRecord::Base)
	ActiveRecord::Base.establish_connection
	end

	if defined?(Resque)
	Resque.redis = 'localhost:6379'
	end
	end
	# Unicorn handle shell script
	#
	# APP_ROOT, PID - are the same as you setup above
	# CMD - use bundle binstubs (bundle install --binstubs) to
	# forget about "bundle exec" stuff, run in demonize mode
	# bin/unicorn is for Rack application (config.ru in root dir), but
	# bin/unicorn_rails is to use with Rails 2.3
	#
	# To handle "app_preload true" configuration we should use USR2+QUIT signals, not HUP!
	# So we rewrite capistrano deployment scripts to manage it.


	#!/bin/sh
	set -e
	# Example init script, this can be used with nginx, too,
	# since nginx and unicorn accept the same signals

	TIMEOUT=${TIMEOUT-60}
	APP_ROOT=/home/app/public_html/app_production/current
	PID=$APP_ROOT/tmp/pids/unicorn.pid
	CMD="$APP_ROOT/bin/unicorn -D -c $APP_ROOT/config/server/unicorn.rb -E production"
	action="$1"
	set -u

	old_pid="$PID.oldbin"

	cd $APP_ROOT \|\| exit 1

	sig () {
	test -s "$PID" && kill -$1 `cat $PID`
	}

	oldsig () {
	test -s $old_pid && kill -$1 `cat $old_pid`
	}

	case $action in
	start)
	sig 0 && echo >&2 "Already running" && exit 0
	$CMD
	;;
	stop)
	sig QUIT && exit 0
	echo >&2 "Not running"
	;;
	force-stop)
	sig TERM && exit 0
	echo >&2 "Not running"
	;;
	restart\|reload)
	sig HUP && echo reloaded OK && exit 0
	echo >&2 "Couldn't reload, starting '$CMD' instead"
	$CMD
	;;
	upgrade)
	if sig USR2 && sleep 2 && sig 0 && oldsig QUIT
	then
	n=$TIMEOUT
	while test -s $old_pid && test $n -ge 0
	do
	printf '.' && sleep 1 && n=$(( $n - 1 ))
	done
	echo

	if test $n -lt 0 && test -s $old_pid
	then
	echo >&2 "$old_pid still exists after $TIMEOUT seconds"
	exit 1
	fi
	exit 0
	fi
	echo >&2 "Couldn't upgrade, starting '$CMD' instead"
	$CMD
	;;
	reopen-logs)
	sig USR1
	;;
	*)
	echo >&2 "Usage: $0 <start\|stop\|restart\|upgrade\|force-stop\|reopen-logs>"
	exit 1
	;;
	esac