Rackspace provisioning
import multiprocessing
## Server Socket
# Gunicorn listens on a unix domain socket instead of a TCP port, so who can
# connect is decided by the socket file's mode and its directory's permissions.
bind = 'unix:/opt/user1/run/api.sock'
backlog = 2048
## Worker Processes
# Worker count is derived from the CPU count: (2 x cores) + 1.
workers = multiprocessing.cpu_count() * 2 + 1
worker_class = 'sync'
# NOTE(review): presumably only meaningful for async worker classes -- confirm for 'sync'.
worker_connections = 1000
max_requests = 0
timeout = 30
keepalive = 2
debug = False
spew = False
## Server Mechanics
# Everything in this group is commented out, so Gunicorn's own defaults apply.
# NOTE(review): if umask is ever enabled, the literal 0002 is Python 2 octal
# syntax; Python 3 requires 0o002.
#preload_app = True
#daemon = False
#pidfile = 'run/app.pid'
#user = 'username'
#group = 'username'
#umask = 0002
#tmp_upload_dir = None
## Logging
# The log path is relative, so it resolves against the process working directory.
logfile = 'log/app.log'
# NOTE(review): 'debug' is the most verbose level and can put request details
# into the log file; confirm this is intended outside development.
loglevel = 'debug'
logconfig = None
## Process Name
proc_name = 'helloworld'
#! /bin/sh
### BEGIN INIT INFO
# Provides: supervisord
# Required-Start: $local_fs $remote_fs $networking
# Required-Stop: $local_fs $remote_fs $networking
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts supervisord - see http://supervisord.org
# Description: Starts and stops supervisord as needed - see http://supervisord.org
### END INIT INFO
# Author: Leonard Norrgard <[email protected]>
# Version 1.0-alpha
# Based on the /etc/init.d/skeleton script in Debian.
# Please note: This script is not yet well tested. What little testing
# that actually was done was only on supervisor 2.2b1.
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
# Fixed search path for every command this script runs.
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
DESC="Run a set of applications as daemons."
NAME=supervisord
# NOTE(review): the trailing comment talks about /usr/bin and /usr/sbin, but the
# path actually configured here is /usr/local/bin.
DAEMON=/usr/local/bin/$NAME # Supervisord is installed in /usr/bin by default, but /usr/sbin would make more sense.
CONFIG_FILE=/etc/supervisord.conf
SUPERVISORCTL=/usr/local/bin/supervisorctl
PIDFILE=/var/run/$NAME.pid
# The pidfile and configuration passed on the command line; these are the values
# the stop and reload functions rely on when they look the daemon up.
DAEMON_ARGS="--pidfile ${PIDFILE} --configuration ${CONFIG_FILE}"
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
# The file is sourced, i.e. executed as shell code with this script's privileges,
# and it can override any variable set above; it should be writable by root only.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
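do_start()
{
	# Start supervisord unless a pidfile is already present.
	#
	# Return
	#   0 if daemon has been started
	#   1 if daemon was already running
	#   2 if daemon could not be started
	#
	# NOTE: "already running" is decided only by the existence of the
	# pidfile; the PID stored in it is not checked, so a stale pidfile left
	# behind by a crash makes this function return 1 without starting anything.
	[ -e "$PIDFILE" ] && return 1
	# $DAEMON_ARGS stays unquoted on purpose: it holds several
	# space-separated options that must be split into separate words.
	start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
		$DAEMON_ARGS \
		|| return 2
	# Add code here, if necessary, that waits for the process to be ready
	# to handle requests from services started subsequently which depend
	# on this one. As a last resort, sleep for some time.
}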
#
# Function that stops the daemon/service
#
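do_stop()
{
	# Stop the supervised programs, then supervisord itself.
	#
	# Return
	#   0 if daemon has been stopped
	#   1 if daemon was already stopped
	#   2 if daemon could not be stopped
	#   other if a failure occurred
	[ -e "$PIDFILE" ] || return 1
	# Stop all processes under supervisord control.
	# Left unquoted so that an override in /etc/default/$NAME may append options.
	$SUPERVISORCTL stop all
	# TERM first, wait up to 30s, then KILL and wait another 5s.
	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME"
	RETVAL="$?"
	[ "$RETVAL" = 2 ] && return 2
	# Wait for children to finish too if this is a daemon that forks
	# and if the daemon is only ever run from this initscript.
	# If the above conditions are not satisfied then add some other code
	# that waits for the process to drop all resources that could be
	# needed by services started subsequently. A last resort is to
	# sleep for some time.
	# NOTE(review): --exec matches on the process executable; if supervisord
	# runs through an interpreter this pass may match nothing, which --oknodo
	# reports as success. Confirm on the target system.
	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON"
	[ "$?" = 2 ] && return 2
	# Many daemons don't delete their pidfiles when they exit.
	rm -f "$PIDFILE"
	return "$RETVAL"
}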
#
# Function that sends a SIGHUP to the daemon/service
#
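do_reload() {
	# Send SIGHUP (signal 1) to the process recorded in the pidfile.
	#
	# If the daemon can reload its configuration without
	# restarting (for example, when it is sent a SIGHUP),
	# then implement that here.
	#
	# Always returns 0, whether or not the signal was delivered. The
	# "reload" action in the dispatcher is commented out, so nothing in
	# this script calls this function at present.
	start-stop-daemon --stop --signal 1 --quiet --pidfile "$PIDFILE" --name "$NAME"
	return 0
}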
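# Dispatch on the action given as the first argument.
case "$1" in
	start)
		[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
		do_start
		# "Already running" (1) is reported as success, like a fresh start (0).
		case "$?" in
			0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
			2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
		esac
		;;
	stop)
		[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
		do_stop
		# "Already stopped" (1) is reported as success, like a clean stop (0).
		case "$?" in
			0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
			2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
		esac
		;;
	#reload|force-reload)
		#
		# If do_reload() is not implemented then leave this commented out
		# and leave 'force-reload' as an alias for 'restart'.
		#
		#log_daemon_msg "Reloading $DESC" "$NAME"
		#do_reload
		#log_end_msg $?
		#;;
	restart|force-reload)
		#
		# If the "reload" option is implemented then remove the
		# 'force-reload' alias
		#
		log_daemon_msg "Restarting $DESC" "$NAME"
		do_stop
		case "$?" in
			0|1)
				do_start
				case "$?" in
					0) log_end_msg 0 ;;
					1) log_end_msg 1 ;; # Old process is still running
					*) log_end_msg 1 ;; # Failed to start
				esac
				;;
			*)
				# Failed to stop
				# (the listing repeated this "*)" pattern line, which is a
				# shell syntax error; a single pattern is kept here)
				log_end_msg 1
				;;
		esac
		;;
	*)
		#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
		echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
		exit 3
		;;
esac
# Finish with a zero exit status whatever the last test above returned.
: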
# Worker processes run as the unprivileged www-data account.
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
# Maximum open file descriptors per process;
# should be > worker_connections.
# NOTE(review): a proxied request holds a client and an upstream descriptor at
# the same time, so 8192 leaves little headroom over 8000 connections -- confirm sizing.
worker_rlimit_nofile 8192;
events {
worker_connections 8000;
# multi_accept on;
}
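http {
    ##
    # Basic Settings
    ##
    variables_hash_max_size 1024;
    variables_hash_bucket_size 128;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # Logging Settings
    ##
    # Update charset_types due to updated mime.types
    charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;
    # Format to use in log files
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Name the format explicitly: without it nginx writes its built-in "combined"
    # format and the X-Forwarded-For field defined above never reaches the log.
    # That field is client-supplied, so treat it as untrusted when reading logs.
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    # NOTE(review): with "gzip_proxied any" compression also applies to proxied
    # responses served over TLS. If a response reflects request data next to a
    # secret (for example a CSRF token), compression side channels are worth
    # considering -- confirm for the applications behind this proxy.
    gzip on;
    # Listed once; the original repeated this directive further down.
    gzip_disable "msie6";
    gzip_http_version 1.0;
    gzip_comp_level 7;
    gzip_min_length 512;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/plain
        text/x-component
        application/javascript
        application/json
        application/xml
        application/xhtml+xml
        application/x-font-ttf
        application/x-font-opentype
        application/vnd.ms-fontobject
        image/svg+xml
        image/x-icon;
    # This should be turned on if you are going to have pre-compressed copies (.gz) of
    # static files available. If not it should be left off as it will cause extra I/O
    # for the check. It would be better to enable this in a location {} block for
    # a specific directory:
    # gzip_static on;
    gzip_vary on;
    ##
    # Virtual Host Configs
    ##
    # Every file matched by these globs is loaded as configuration, so both
    # directories should be writable by root only.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}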
# Backends are reached over unix domain sockets, so nothing listens on TCP for them;
# access is governed by the permissions on the socket files and their directory.
upstream my_app {
server unix:///opt/user1/run/app.sock;
}
upstream api{
server unix:///opt/user1/run/api.sock;
}
# Canonicalise www.cherry.redcarpetup.com to the bare host, keeping the request scheme.
# No listen directive is given, so nginx's default listen address applies.
server {
server_name www.cherry.redcarpetup.com;
rewrite ^(.*) $scheme://cherry.redcarpetup.com$1 permanent;
}
# Plain-HTTP requests for the main host are redirected to HTTPS.
# $host can only be the server_name matched here, or any Host value if this
# block ever becomes the default server for port 80.
server {
listen 80;
server_name cherry.redcarpetup.com; # change to match your URL
rewrite ^ https://$host$request_uri permanent;
}
# Same canonicalisation for the short domain.
server {
server_name www.redc.pt;
rewrite ^(.*) $scheme://redc.pt$1 permanent;
}
# The leading dot matches redc.pt and all of its subdomains; everything is sent
# to the main site over HTTPS with a fixed target host.
server {
server_name .redc.pt; # change to match your URL
return 301 https://cherry.redcarpetup.com$request_uri ;
}
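server {
    # HTTPS front end: terminates TLS, sets the security response headers and
    # proxies requests to the two unix-socket upstreams.
    # NOTE(review): this block is the default server for port 443 and is named
    # redcarpetup.com, while the port-80 redirects send browsers to
    # cherry.redcarpetup.com -- confirm the certificate covers every name served here.
    listen 443 ssl default deferred;
    server_name redcarpetup.com;
    ssl_certificate /etc/nginx/ssl/redcarpetup_redc.pem;
    # The ".nopass" suffix suggests an unencrypted private key; keep the file
    # readable by root only.
    ssl_certificate_key /etc/nginx/ssl/namecheap-862404.redcarpetup.com.nopass;
    #ssl_certificate /etc/nginx/ssl/startssl.cherry.unified.crt;
    #ssl_certificate_key /etc/nginx/ssl/startssl.cherry.decrypted.key;
    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 10m;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    #ssl_session_timeout 5m;
    # enables server-side protection from BEAST attacks
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;
    # disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    # TLS 1.0 and 1.1 are dropped as well: both are formally deprecated (RFC 8996).
    # Add TLSv1.3 once the nginx and OpenSSL builds in use support it.
    ssl_protocols TLSv1.2;
    # ciphers chosen for forward secrecy and compatibility
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    # The RC4 and 3DES entries of the original list are removed: RC4 is
    # prohibited in TLS (RFC 7465) and 3DES is a 64-bit block cipher.
    # The RSA+ entries offer no forward secrecy and are kept only for compatibility.
    ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    #resolver 8.8.8.8;
    #ssl_stapling on;
    #ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;
    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    # Prevent mobile network providers from modifying your site
    add_header "Cache-Control" "no-transform";
    # Force the latest IE version
    # Use ChromeFrame if it's installed for a better experience for the poor IE folk
    add_header "X-UA-Compatible" "IE=Edge";
    #... the rest of your configuration
    # config to not allow the browser to render the page inside a frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;
    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;
    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";
    # with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy)),
    # you can tell the browser that it can only download content from the domains you explicitly allow
    # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    # https://www.owasp.org/index.php/Content_Security_Policy
    # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
    # directives for css and js (if you have inline css or js, you will need to keep it too).
    # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
    # While 'unsafe-inline' and 'unsafe-eval' remain in script-src, this policy
    # does little to stop injected scripts from running.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    location / {
        proxy_pass http://my_app; # match the name of upstream directive which is defined above
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends the peer address to whatever the
        # client sent, so the backend should trust only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # "^~" stops regex matching for this prefix, so the regex locations further
    # down (including the two "deny all" rules) are not applied to /api requests.
    location ^~ /api {
        rewrite ^/api/(.*) /$1 break;
        proxy_pass http://api; # match the name of upstream directive which is defined above
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Cross domain webfont access
    # add_header directives are inherited from the server level only when a
    # location defines none of its own; this location defines two, so the
    # HSTS, framing, nosniff and CSP headers above are not sent on its responses.
    location ~* \.(?:ttf|ttc|otf|eot|woff)$ {
        add_header "Access-Control-Allow-Origin" "*";
        # Also, set cache rules for webfonts.
        #
        # See http://wiki.nginx.org/HttpCoreModule#location
        # And https://github.com/h5bp/server-configs/issues/85
        # And https://github.com/h5bp/server-configs/issues/86
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }
    # Prevent clients from accessing hidden files (starting with a dot)
    # This is particularly important if you store .htpasswd files in the site hierarchy
    location ~* (?:^|/)\. {
        deny all;
    }
    # Prevent clients from accessing backup/config/source files
    location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
        deny all;
    }
    ## System Maintenance (Service Unavailable)
    #location / { try_files system_maintenance.html =503; }
    ## All other errors get the generic error page
    error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
               500 501 502 503 504 505 506 507 /error_page.html;
    location /error_page.html { internal; }
    # Media: images, icons, video, audio, HTC
    #location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    # expires 1M;
    # access_log off;
    # add_header Cache-Control "public";
    #}
    # CSS and Javascript
    #location ~* \.(?:css|js)$ {
    # expires 1y;
    # access_log off;
    # add_header Cache-Control "public";
    #}
    # location ~* ^/assets/ {
    # # Per RFC2616 - 1 year maximum expiry
    # expires 1y;
    # add_header Cache-Control public;
    # Some browsers still send conditional-GET requests if there's a
    # Last-Modified header or an ETag header even if they haven't
    # reached the expiry date sent in the Expires header.
    # add_header Last-Modified "";
    # add_header ETag "";
    # break;
    # }
}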
# Install dependencies
#
# * checkinstall: package the .deb
# * libpcre3, libpcre3-dev: required for HTTP rewrite module
# * zlib1g zlib1g-dbg zlib1g-dev: required for HTTP gzip module
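# Build an OpenResty (nginx) binary with OpenSSL, PageSpeed and cache-purge
# compiled in. Every step is chained with &&, so the first failure stops the run.
#
# NOTE(review): the OpenSSL and OpenResty tarballs are fetched over plain HTTP,
# no download is checked against a published checksum or signature, and the
# cache-purge module is cloned without pinning a commit. Verify each artefact
# against the value published by its upstream (e.g. <EXPECTED_SHA256>) before building.
# NOTE(review): the versions pinned below are old; the OpenSSL 1.0.1 branch is
# end-of-life. Check upstream advisories before reusing them.
aptitude install zip checkinstall libpcre3 libpcre3-dev zlib1g zlib1g-dbg zlib1g-dev libgeoip-dev build-essential libpcre3-dev libssl-dev libpq-dev &&
mkdir -p ~/sources/ &&
# Compile against OpenSSL to enable NPN
cd ~/sources &&
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz &&
tar -xzvf openssl-1.0.1g.tar.gz &&
# Download the Cache Purge module
cd ~/sources/ &&
git clone https://github.com/FRiCKLE/ngx_cache_purge.git &&
cd ~/sources &&
# Download PageSpeed
cd ~/sources &&
wget https://github.com/pagespeed/ngx_pagespeed/archive/v1.7.30.4-beta.zip &&
unzip v1.7.30.4-beta.zip &&
cd ngx_pagespeed-1.7.30.4-beta &&
wget https://dl.google.com/dl/page-speed/psol/1.7.30.4.tar.gz &&
tar -xzvf 1.7.30.4.tar.gz &&
# Get the Nginx source.
#
# Best to get the latest mainline release. Of course, your mileage may
# vary depending on future changes
cd ~/sources/ &&
#wget http://nginx.org/download/nginx-1.5.12.tar.gz
wget http://openresty.org/download/ngx_openresty-1.5.12.1.tar.gz &&
#tar zxf nginx-1.5.12.tar.gz
tar zxf ngx_openresty-1.5.12.1.tar.gz &&
#cd nginx-1.5.12
cd ngx_openresty-1.5.12.1 &&
# Configure nginx.
#
# This is based on the default package in Debian. Additional flags have
# been added:
#
# * --with-debug: adds helpful logs for debugging
# * --with-openssl=$HOME/sources/openssl-1.0.1g: compile against the OpenSSL
#   source unpacked above instead of the system library
# * --with-http_spdy_module: include the SPDY module
./configure \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-log-path=/var/log/nginx/access.log \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/var/run/nginx.pid \
    --with-luajit \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_geoip_module \
    --with-http_random_index_module \
    --with-http_mp4_module \
    --with-http_gzip_static_module \
    --with-http_gunzip_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_ssl_module \
    --with-http_sub_module \
    --with-http_spdy_module \
    --with-debug \
    --with-ipv6 \
    --with-file-aio \
    --with-sha1=/usr/include/openssl \
    --with-md5=/usr/include/openssl \
    --with-http_stub_status_module \
    --with-http_secure_link_module \
    --with-http_sub_module \
    --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' \
    --with-openssl=$HOME/sources/openssl-1.0.1g \
    --add-module=$HOME/sources/ngx_pagespeed-1.7.30.4-beta \
    --add-module=$HOME/sources/ngx_cache_purge \
    --with-http_postgres_module &&
# Make the package.
# This is the last live command: the packaging steps that follow are commented
# out, so the chain must end here rather than on a dangling "&&".
make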
# Create a .deb package.
#
# Instead of running `make install`, create a .deb and install from there. This
# allows you to easily uninstall the package if there are issues.
#checkinstall --install=no -y
# Install the package.
#dpkg -i nginx_1.5.12-1_amd64.deb
#### sudo -u postgres /usr/sbin/pgbouncer /etc/pgbouncer/pgbouncer.ini
#### set START=1 in /etc/default/pgbouncer
#### before "service pgbouncer start"
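[databases]
; foodb over unix socket
;foodb =
; redirect bardb to bazdb on localhost
;bardb = host=localhost dbname=bazdb
;redcarpetweb= host=localhost dbname=redcarpetweb port=5432 user=$USERNAME
; Wildcard entry: any database name a client asks for is forwarded to the local
; PostgreSQL server with the fixed user and password given here.
; NOTE(review): the password is stored in plain text and is trivially guessable.
; Use a strong secret, keep it out of shared snippets, and make this file
; readable only by the account that runs pgbouncer.
* = host=localhost port=5432 user=redcarpetweb password=12345

; Everything below configures pgbouncer itself and must sit in its own section;
; left under [databases], these keys would be read as database definitions.
[pgbouncer]
;;;
;;; Administrative settings
;;;
;logfile = pgbouncer.log
logfile = /var/log/postgresql/pgbouncer.log
;pidfile = pgbouncer.pid
pidfile = /var/run/postgresql/pgbouncer.pid
;;;
;;; Where to wait for clients
;;;
; ip address or * which means all ip-s
; Loopback only: the TCP listener is not reachable from other hosts.
listen_addr = 127.0.0.1
listen_port = 6432
; unix socket is also used for -R.
; On debian it should be /var/run/postgresql
;unix_socket_dir = /tmp
;unix_socket_mode = 0777
;unix_socket_group =
unix_socket_dir = /var/run/postgresql
;;;
;;; Authentication settings
;;;
; any, trust, plain, crypt, md5
; NOTE(review): "any" performs no client authentication and ignores the user
; name the client supplies. Together with the forced user= in [databases], every
; local process that can reach the port or the unix socket gets a session as
; redcarpetweb. Prefer md5 with entries in auth_file unless that is intended.
auth_type = any
;auth_file = /8.0/main/global/pg_auth
auth_file = /etc/pgbouncer/userlist.txt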
# http://www.rackspace.com/knowledge_center/article/prepare-your-cloud-block-storage-volume
#http://c1776742.cdn.cloudfiles.rackspacecloud.com/downloads/pdfs/CloudBlockStorage_Benchmark.pdf
aptitude install xfsprogs
aptitude install build-essential libreadline-dev libssl-dev zlib1g-dev libxml2-dev libxslt-dev git libpq-dev libmysqlclient-dev libpq-dev nodejs libcurl4-openssl-dev libffi-dev imagemagick libjpeg-progs pngcrush sudo
dpkg-reconfigure locales
dpkg-reconfigure tzdata
#check for disk using fdisk -l
#just run fdisk /dev/xvdc and then w to just write and create the partition table
mkfs -t xfs /dev/xvdb1  # or: mkfs.xfs -f /dev/xvdb1
#in /etc/fstab
/dev/sdb1 /srv/node/sdb1 xfs noatime,nodiratime,nobarrier,logbufs=8 0 0
/dev/xvdb1 /opt xfs noatime,nodiratime,nobarrier,logbufs=8 0 0
#for http://stackoverflow.com/questions/6329887/compiling-problems-cannot-find-crt1-o
aptitude install gcc-multilib
aptitude install libssl-dev
#install ruby from https://gist.github.com/sandys/5939306
#for postgres-9.3
deb http://apt.postgresql.org/pub/repos/apt/ wheezy-pgdg main
aptitude update
aptitude install postgresql-9.3 libpq-dev
aptitude install nginx
rm /etc/nginx/sites-enabled/default
aptitude install monit curl
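#varnish (the repository signing key below is fetched over plain HTTP; check its fingerprint against a trusted source before relying on it)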
curl http://repo.varnish-cache.org/debian/GPG-key.txt | apt-key add -
echo "deb http://repo.varnish-cache.org/debian/ squeeze varnish-3.0" >> /etc/apt/sources.list
apt-get update
#install rbenv-sudo
bundle install --path /home/user1/shared/bundle --deployment
rbenv sudo bundle exec foreman export --app app --user user1 supervisord /etc/supervisord.d/
sudo aptitude install python-pip python-virtualenv
sudo pip install --upgrade virtualenv
sudo pip install --upgrade pip pip-tools
sudo pip-review --auto
download Python 2.7.6
./configure --prefix=/opt/Python
install https://pypi.python.org/pypi/distribute/0.7.3 by python setup.py install
/opt/Python/bin/easy_install pip
/opt/Python/bin/easy_install virtualenv
/opt/Python/bin/pip install pip-tools
/opt/Python/bin/pip-review --auto
#/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
auto lo
# The loopback network interface
iface lo inet loopback
# eth0
# Private (10.x) network; the post-up route sends all 10.0.0.0/8 traffic via 10.64.30.1.
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 10.64.30.2
netmask 255.255.255.192
post-up route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.64.30.1
# eth1
# Public interface; it carries the default gateway.
auto eth1
allow-hotplug eth1
iface eth1 inet static
address 119.81.85.150
netmask 255.255.255.248
gateway 119.81.85.145
# Additional address configured as an alias.
# NOTE(review): the alias is attached to eth0 (the private interface) and repeats
# the eth1 gateway, which lies outside 108.168.254.134/29 -- confirm the intended
# interface and whether a second gateway line is wanted.
auto eth0:1
iface eth0:1 inet static
address 108.168.254.134
netmask 255.255.255.248
gateway 119.81.85.145
1. add two SAN disks - the root disk will definitely get destroyed on OS restart, but no guarantee about other ones.
2. buy a global IP (20$) and route it to your server
3. then go to /etc/network/interfaces and add your new ip address
iscsi
aptitude install iscsitarget iscsitarget-dkms
use /sbin/iscsi-iname to regenerate a name
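edit /etc/iscsi/iscsid.conf and add the lines below (get the values from softlayer -> storage -> iscsi panel; they are CHAP credentials stored in plain text, so keep the file readable by root only):
node.session.auth.username = S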
node.session.auth.password = Ddhg
discovery.sendtargets.auth.username = S
discovery.sendtargets.auth.password = Ddhg
MAKE SURE THERE ARE NO TRAILING SPACES IN USERNAME OR PASSWORD
run iscsiadm -m discovery -t sendtargets -p 10.2.37.21
you'll get output as
10.2.37.21:3260,1 iqn.2001-05.com.equallogic:0-8aea0b-1560975390c-sli343356-1
iscsiadm --mode node --targetname iqn.2001-05.com.equallogic:0-8aea0b-1560975390c-sli343356-1 --portal 10.2.37.21 --login
#for automatic startup
iscsiadm -m node -T iqn.2001-05.com.equallogic:0-8aea0b-1560975390c-sli343356-1 -p 10.2.37.21 --op update -n node.startup -v automatic
dmesg to see new /dev/sdb
then proceed to create xfs, etc
parted -s -- /dev/sdb mklabel gpt
parted -s -- /dev/sdb mkpart primary xfs 1 -1
mkfs.xfs -f /dev/sdb
at this point, the blkid is available
blkid /dev/sdb
/dev/sdb: UUID="26dce1d4-fcb5-476c-9109-b085192892f7" TYPE="xfs"
UUID="26dce1d4-fcb5-476c-9109-b085192892f7" /data xfs _netdev,noatime,nodiratime,nobarrier,logbufs=8 0 0 #note the _netdev
http://doduck.com/docker-install-on-debian-7/
sudo aptitude install python-pip
sudo pip install supervisor
# (the original line had the path /opt/Python/lib/python2.7/site-packages pasted into the middle of the package name)
sudo mkdir /etc/supervisord.d/
sudo vim /etc/supervisord.conf
#copy the file below
sudo vim /etc/init.d/supervisor
; Sample supervisor config file.
;
; For more information on the config file, please see:
; http://supervisord.org/configuration.html
;
; Note: shell expansion ("~" or "$HOME") is not supported. Environment
; variables can be expanded using this syntax: "%(ENV_HOME)s".
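[unix_http_server]
; Control socket used by supervisorctl. It lives under /var/run instead of the
; world-writable /tmp so that other local accounts cannot create or replace the
; path. No username/password is set, so the socket file mode is the only access
; control on this interface.
file=/var/run/supervisor.sock ; (the path to the socket file)
;chmod=0700 ; socket file mode (default 0700)
;chown=nobody:nogroup ; socket file uid:gid owner
;username=user ; (default is no username (open server))
;password=123 ; (default is no password (open server))
;[inet_http_server] ; inet (TCP) server disabled by default
;port=127.0.0.1:9001 ; (ip_address:port specifier, *:port for all iface)
;username=user ; (default is no username (open server))
;password=123 ; (default is no password (open server))
[supervisord]
; Log and pidfile are kept out of /tmp for the same reason as the socket: a
; daemon started by root should not write to predictable names in a directory
; that any user can write to.
logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log)
logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
logfile_backups=10 ; (num of main logfile rotation backups;default 10)
loglevel=info ; (log level;default info; others: debug,warn,trace)
pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
nodaemon=false ; (start in foreground if true;default false)
minfds=1024 ; (min. avail startup file descriptors;default 1024)
minprocs=200 ; (min. avail process descriptors;default 200)
;umask=022 ; (process file creation umask;default 022)
;user=chrism ; (default is current user, required if root)
;identifier=supervisor ; (supervisord identifier, default is 'supervisor')
;directory=/tmp ; (default is not to cd during start)
;nocleanup=true ; (don't clean up tempfiles at start;default false)
;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP)
;environment=KEY="value" ; (key value pairs to add to environment)
;strip_ansi=false ; (strip ansi escape codes in logs; def. false)
; the below section must remain in the config file for RPC
; (supervisorctl/web interface) to work, additional interfaces may be
; added by defining them in separate rpcinterface: sections
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
; Must name the same socket as "file" in [unix_http_server].
serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL for a unix socket
;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
;username=chris ; should be same as http_username if set
;password=123 ; should be same as http_password if set
;prompt=mysupervisor ; cmd line prompt (default "supervisor")
;history_file=~/.sc_history ; use readline history if available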
; The below sample program section shows all possible program subsection values,
; create one or more 'real' program: sections to be able to control them under
; supervisor.
;[program:theprogramname]
;command=/bin/cat ; the program (relative uses PATH, can take args)
;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
;numprocs=1 ; number of processes copies to start (def 1)
;directory=/tmp ; directory to cwd to before exec (def no cwd)
;umask=022 ; umask for process (default None)
;priority=999 ; the relative start priority (default 999)
;autostart=true ; start at supervisord start (default: true)
;autorestart=unexpected ; whether/when to restart (default: unexpected)
;startsecs=1 ; number of secs prog must stay running (def. 1)
;startretries=3 ; max # of serial start failures (default 3)
;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
;stopsignal=QUIT ; signal used to kill process (default TERM)
;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
;stopasgroup=false ; send stop signal to the UNIX process group (default false)
;killasgroup=false ; SIGKILL the UNIX process group (def false)
;user=chrism ; setuid to this UNIX account to run the program
;redirect_stderr=true ; redirect proc stderr to stdout (default false)
;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO
;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
;stdout_logfile_backups=10 ; # of stdout logfile backups (default 10)
;stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
;stdout_events_enabled=false ; emit events on stdout writes (default false)
;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO
;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
;stderr_logfile_backups=10 ; # of stderr logfile backups (default 10)
;stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
;stderr_events_enabled=false ; emit events on stderr writes (default false)
;environment=A="1",B="2" ; process environment additions (def no adds)
;serverurl=AUTO ; override serverurl computation (childutils)
; The below sample eventlistener section shows all possible
; eventlistener subsection values, create one or more 'real'
; eventlistener: sections to be able to handle event notifications
; sent by supervisor.
;[eventlistener:theeventlistenername]
;command=/bin/eventlistener ; the program (relative uses PATH, can take args)
;process_name=%(program_name)s ; process_name expr (default %(program_name)s)
;numprocs=1 ; number of processes copies to start (def 1)
;events=EVENT ; event notif. types to subscribe to (req'd)
;buffer_size=10 ; event buffer queue size (default 10)
;directory=/tmp ; directory to cwd to before exec (def no cwd)
;umask=022 ; umask for process (default None)
;priority=-1 ; the relative start priority (default -1)
;autostart=true ; start at supervisord start (default: true)
;autorestart=unexpected ; whether/when to restart (default: unexpected)
;startsecs=1 ; number of secs prog must stay running (def. 1)
;startretries=3 ; max # of serial start failures (default 3)
;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
;stopsignal=QUIT ; signal used to kill process (default TERM)
;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
;stopasgroup=false ; send stop signal to the UNIX process group (default false)
;killasgroup=false ; SIGKILL the UNIX process group (def false)
;user=chrism ; setuid to this UNIX account to run the program
;redirect_stderr=true ; redirect proc stderr to stdout (default false)
;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO
;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
;stdout_logfile_backups=10 ; # of stdout logfile backups (default 10)
;stdout_events_enabled=false ; emit events on stdout writes (default false)
;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO
;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB)
;stderr_logfile_backups ; # of stderr logfile backups (default 10)
;stderr_events_enabled=false ; emit events on stderr writes (default false)
;environment=A="1",B="2" ; process environment additions
;serverurl=AUTO ; override serverurl computation (childutils)
; The below sample group section shows all possible group values,
; create one or more 'real' group: sections to create "heterogeneous"
; process groups.
;[group:thegroupname]
;programs=progname1,progname2 ; each refers to 'x' in [program:x] definitions
;priority=999 ; the relative start priority (default 999)
; The [include] section can just contain the "files" setting. This
; setting can list multiple files (separated by whitespace or
; newlines). It can also contain wildcards. The filenames are
; interpreted as relative to this file. Included files *cannot*
; include files themselves.
[include]
; Every file matching this glob is loaded as program configuration, so the
; directory should be writable by root only.
files = supervisord.d/*.conf
; API service: Gunicorn started from a virtualenv-style bin directory and run as
; the unprivileged account user1.
[program:api-api-1]
; -c names Gunicorn's own config file; presumably the listening socket is set
; there rather than here -- confirm against that file.
command=/opt/user1/api/desktop-flask/flask-distro/bin/gunicorn -c /opt/user1/api/desktop-flask/g.conf sync_db:app
autostart=true
autorestart=true
stopsignal=QUIT
stdout_logfile=/var/log/app/api-1.log
stderr_logfile=/var/log/app/api-1.error.log
user=user1
directory=/opt/user1/api/desktop-flask/
; The service PATH puts directories under /home/user1 ahead of the PATH that
; supervisord itself was started with.
environment=PORT=5000,PATH=/home/user1/.gem/bin:/home/user1/.rbenv/shims:/home/user1/.rbenv/bin:%(ENV_PATH)s
[group:api]
programs=api-api-1
; Web application: Puma started through an interactive login zsh so that rbenv
; is initialised, run as the unprivileged account user1.
[program:app-app-1]
;command=/bin/zsh -i -l -c "eval \"$(rbenv init -)\" && bundle exec foreman start"
; NOTE(review): "-e development" selects the development environment, which in
; many frameworks enables verbose error pages -- confirm this is intended on a
; server reachable from the internet.
; NOTE(review): "-i -l" makes zsh read user1's login and interactive startup
; files before the service command runs, so those files are part of what the
; service executes.
; The worker count is given twice (--workers 3 and -w 3).
command=/bin/zsh -i -l -c "eval \"$(rbenv init -)\" && bundle exec puma -e development -p 8619 --workers 3 -b unix:///opt/user1/run/app.sock --pidfile /opt/user1/run/app.pid --control unix:///opt/user1/run/app_pumactl.sock -t 0:16 -w 3"
autostart=true
autorestart=true
stopsignal=QUIT
stdout_logfile=/var/log/app/app-1.log
stderr_logfile=/var/log/app/app-1.error.log
user=user1
directory=/opt/user1/public2
environment=PORT=5000,PATH=/home/user1/.gem/bin:/home/user1/.rbenv/shims:/home/user1/.rbenv/bin:%(ENV_PATH)s
[group:app]
programs=app-app-1
;Procfile
;app: puma -e development -p 8619 --workers 3 -b unix:///opt/user1/run/app.sock --pidfile /opt/user1/run/app.pid --control unix:///opt/user1/run/app_pumactl.sock -t 0:16 -w 3
;config.ru
;require ::File.expand_path('../config/environment', __FILE__)
;run NewTest2::Application