From 49f5357da18bd8061d8ecff68b2d1648d0515dd4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?=
Date: Sun, 13 Sep 2015 19:17:31 +0200
Subject: [PATCH] Passenger deployment.
---
doc/pocci-ssl.conf | 40 ++++++++++++++++++++++++++++++++++++++++
doc/pocci.conf | 16 ++++++++++++++++
doc/selinux.txt | 30 ++++++++++++++++++++++++++++++
passenger_wsgi.py | 1 +
4 files changed, 87 insertions(+)
create mode 100644 doc/pocci-ssl.conf
create mode 100644 doc/pocci.conf
create mode 100644 doc/selinux.txt
create mode 100644 passenger_wsgi.py
diff --git a/doc/pocci-ssl.conf b/doc/pocci-ssl.conf
new file mode 100644
index 0000000..62e870d
--- /dev/null
+++ b/doc/pocci-ssl.conf
@@ -0,0 +1,40 @@
+
+ # enable SSL
+ SSLEngine on
+
+ # for security reasons you may restrict the SSL protocol, but some clients may fail if SSLv2 is not supported
+ SSLProtocol all
+
+ # this should point to your server host certificate
+ SSLCertificateFile /etc/grid-security/hostcert.pem
+
+ # this should point to your server host key
+ SSLCertificateKeyFile /etc/grid-security/hostkey.pem
+
+ # directory containing the Root CA certificates and their hashes
+ SSLCACertificatePath /etc/grid-security/certificates
+
+ # set to optional, this tells Apache to attempt to verify SSL certificates i
+f provided
+ # for X.509 access with GridSite/VOMS, however, set to 'require'
+ SSLVerifyClient optional
+ #SSLVerifyClient require
+
+ # if you have multiple CAs in the file above, you may need to increase the verify depth
+ SSLVerifyDepth 10
+
+ ServerName localhost
+ DocumentRoot /var/www/html/pOCCI-flask
+
+ Options -MultiViews
+ #Allow from all
+ # Uncomment this if you're on Apache >= 2.4:
+ Require all granted
+
+
+ Alias /pocci /var/www/html/pOCCI-flask
+
+ PassengerBaseURI /pocci
+ PassengerAppRoot /var/www/html/pOCCI-flask
+
+
diff --git a/doc/pocci.conf b/doc/pocci.conf
new file mode 100644
index 0000000..892e4ae
--- /dev/null
+++ b/doc/pocci.conf
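Review bot: `SSLProtocol all` in doc/pocci-ssl.conf, together with the comment that clients may fail without SSLv2, steers deployers toward leaving obsolete protocol versions enabled; SSLv2 and SSLv3 are both broken and the sample should switch them off, e.g. `SSLProtocol all -SSLv2 -SSLv3`, with the comment reworded to match. Separately, the comment above `SSLVerifyClient optional` is wrapped mid-word, so the added line `f provided` is not a comment and Apache would presumably reject the file as an invalid command; join it back onto the preceding `#` line. The container directives around these settings are not visible in this view, so the scope of `Require all granted` cannot be checked from here.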
@@ -0,0 +1,16 @@
+
+ ServerName localhost
+ DocumentRoot /var/www/html/pOCCI-flask
+
+ Options -MultiViews
+ #Allow from all
+ # Uncomment this if you're on Apache >= 2.4:
+ Require all granted
+
+
+ Alias /pocci /var/www/html/pOCCI-flask
+
+ PassengerBaseURI /pocci
+ PassengerAppRoot /var/www/html/pOCCI-flask
+
+
diff --git a/doc/selinux.txt b/doc/selinux.txt
new file mode 100644
index 0000000..c6be078
--- /dev/null
+++ b/doc/selinux.txt
@@ -0,0 +1,30 @@
+# required
+setsebool -P httpd_run_stickshift 1
+setsebool -P httpd_can_network_connect 1
+
+# not critical (better to allow read for particular files)
+#setsebool -P httpd_read_user_content 1
+
+exit 0
+
+Read (pycurl):
+Source Context system_u:system_r:httpd_t:s0
+Target Context unconfined_u:object_r:home_cert_t:s0
+Target Objects pkcs11.txt [ file ]
+
+Read, write (pycurl):
+Source Context system_u:system_r:httpd_t:s0
+Target Context unconfined_u:object_r:home_cert_t:s0
+Target Objects cert9.db [ file ]
+
+Read (pOCCI):
+Source Context system_u:system_r:httpd_t:s0
+Target Context unconfined_u:object_r:user_home_t:s0
+Target Objects .pOCCI.cfg [ file ]
+
+Read (mod_passenger???):
+Source Context system_u:system_r:httpd_t:s0
+Target Context system_u:object_r:hwdata_t:s0
+Target Objects /usr/share/hwdata/pci.ids [ file ]
+Source lspci
+Source Path /usr/sbin/lspci
diff --git a/passenger_wsgi.py b/passenger_wsgi.py
new file mode 100644
index 0000000..e13c02e
--- /dev/null
+++ b/passenger_wsgi.py
@@ -0,0 +1 @@
+from app import app as application
--
1.8.2.3
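Review bot: The AVC notes in doc/selinux.txt show httpd_t reading `.pOCCI.cfg` (user_home_t) and reading and writing `cert9.db` (home_cert_t), so the web application is taking its configuration and NSS certificate store from a user's home directory. Rather than relaxing policy toward home directories (the commented-out `httpd_read_user_content`), the document could recommend keeping both in a dedicated directory outside any home, labelled for httpd access with `semanage fcontext` and `restorecon`, so a confined httpd never needs access to user content. `httpd_can_network_connect 1` permits outbound connections to any port for everything running as httpd_t and deserves a one-line reason next to it, e.g. `# needed so the app can reach the remote OCCI endpoints` if that is indeed why it is set. A line such as `# notes below: AVC denials seen during testing (not commands)` after `exit 0` would also make clear where the runnable part ends.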