This document describes how to deploy the CDCS using uWSGI and Nginx. Currently you can deploy the Material Data Configuration System (MDCS) and the Materials Registry and Repository (MRR). Both are deployed using uWSGI, a fast, self-healing and developer/sysadmin-friendly application container server written in pure C, and are served through Nginx acting as a reverse proxy. This document shows how to serve the application via Nginx.
Upload the project to the desired directory (one served over HTTP); in this example it is called mdcs. This directory must be inside the Server Root.
$ git clone https://github.com/usnistgov/mdcs mdcs --branch master
$ cd mdcs
Install required packages for the project. This includes Python modules or required software such as databases.
Run installation scripts for project provided with the project download.
Install Nginx to serve MDCS and MRR over the web.
It is recommended that you use a virtual environment built separately from the system binaries, so that the web server user (apache or www-data) can access all needed binaries. Again, the environment MUST be inside the Server Root path. In this example the environment is created in /var/www/html/env, with a Server Root of /var/www/html, using Anaconda; any environment creator will work.
$ wget https://repo.anaconda.com/archive/Anaconda2-5.1.0-Linux-x86_64.sh
$ bash Anaconda2-5.1.0-Linux-x86_64.sh
$ conda update -n base conda
$ conda create -y -p /var/www/html/env python=2.7
$ source activate /var/www/html/env
$ yum install mongodb-server
$ yum install mongodb
$ mongod --config /var/www/html/mdcs/mongo/conf/mongodb.conf --fork
$ mongo
> use admin
> db.createUser( <admin user document> )
$ mongo
> use mgi
> db.createUser( <mgi user document> )
> exit
$ git clone https://github.com/MongoEngine/django-mongoengine.git
$ cd django-mongoengine
$ python setup.py install
$ apt-get install libpcre3
$ apt-get install libpcre3-dev
$ apt-get install uwsgi-plugin-python
$ apt-get install libapache2-mod-wsgi
Celery, Redis and Git may already be installed on your system; if they are, use what is installed, otherwise install them:
$ yum install git
$ pip install Celery
$ celery worker -E --app=mdcs -l info -B --purge --logfile=/home/www/html/mdcs/logs/celery.log --workdir=/home/www/html/mdcs --detach
Note: mdcs is the project name.
$ yum install redis
$ redis-server --daemonize yes
The following is the config file for uWSGI distributed with CDCS (mdcs/mdcs.ini). Again, it is installed in /var/www/html/mdcs/, which MUST be inside the Server Root path.
In this example the Server Root is /var/www/html and uWSGI runs as user/group www-data/www-data.
mdcs.ini:
[uwsgi]
protocol=http
buffer-size=32768
master = true
processes = 5
; XXX.XXX.XXX.XXX is your IP address, 8000 is the port
socket=XXX.XXX.XXX.XXX:8000
chmod-socket = 664
vacuum = true
die-on-term = true
pidfile=/var/run/mdcs.pid
chdir=/var/www/html/mdcs
pythonpath=/var/www/html/env/lib/python2.7/site-packages
wsgi-file=/var/www/html/mdcs/mdcs/mdcs.wsgi
uid=www-data
gid=www-data
check-static=/var/www/html/mdcs
thunder-lock=true
enable-threads=true
virtualenv=/var/www/html/env
static-map=/static=/var/www/html/mdcs/static.prod
static-check=/var/www/html/mdcs/static.prod
static-check=/var/www/html/mdcs
daemonize=/var/www/html/mdcs/logs/uwsgi.log
$ pip install uwsgi
$ uwsgi --ini /var/www/html/mdcs/mdcs/mdcs.ini
Make the following edits to settings.py.
SECRET_KEY = <secret_key>
ALLOWED_HOSTS = ['HOSTNAME.SITE.COM']
os.environ['HTTPS'] = 'on'
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_AGE = None
SESSION_COOKIE_SECURE = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_AGE = 604800
X_FRAME_OPTIONS = 'SAMEORIGIN'
PostgreSQL (can be MySQL also):
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'USER': "mgiUser",
        'PASSWORD': "pass4mgiUser123",
        'NAME': 'mgi',
    }
}
Or use the default SQLite:
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
    }
}
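The settings above are the ones an attacker-facing deployment depends on, so a pre-flight check that refuses to start with the guide's placeholder values still in place is worth having. This is an added example, not code from the CDCS project; the two sample settings mappings are constructed, and the secret and database password in the hardened sample are illustrative only.

```python
# Added example, not part of the CDCS project: pre-flight check for the
# settings.py values this guide tells you to edit, run before starting uWSGI.
import re

# Placeholder/demo values copied from the guide; if any survives into a
# deployment the instance is misconfigured.
PLACEHOLDER_SECRET = re.compile(r"^(<secret_key>|changeme|)$", re.IGNORECASE)
PLACEHOLDER_HOSTS = {"hostname.site.com", "*"}
DEMO_DB_PASSWORDS = {"pass4mgiUser123"}

def check_settings(s):
    """Return a list of findings for a settings mapping; [] means it passed."""
    findings = []
    key = s.get("SECRET_KEY", "")
    if PLACEHOLDER_SECRET.match(key) or len(key) < 50:
        findings.append("SECRET_KEY is a placeholder or shorter than 50 characters")
    hosts = [h.lower() for h in s.get("ALLOWED_HOSTS", [])]
    if not hosts or PLACEHOLDER_HOSTS & set(hosts):
        findings.append("ALLOWED_HOSTS must name the real host and must not contain '*'")
    for flag in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE",
                 "SESSION_EXPIRE_AT_BROWSER_CLOSE"):
        if s.get(flag) is not True:
            findings.append(flag + " must be True when serving over HTTPS")
    if s.get("X_FRAME_OPTIONS") not in ("DENY", "SAMEORIGIN"):
        findings.append("X_FRAME_OPTIONS should be DENY or SAMEORIGIN")
    if s.get("DEBUG", False):
        findings.append("DEBUG must be False in production")
    db = s.get("DATABASES", {}).get("default", {})
    if db.get("PASSWORD") in DEMO_DB_PASSWORDS:
        findings.append("DATABASES default PASSWORD is the example value from the guide")
    return findings

# Constructed sample 1: the values exactly as the guide prints them.
GUIDE_SETTINGS = {
    "SECRET_KEY": "<secret_key>",
    "ALLOWED_HOSTS": ["HOSTNAME.SITE.COM"],
    "CSRF_COOKIE_SECURE": True, "SESSION_COOKIE_SECURE": True,
    "SESSION_EXPIRE_AT_BROWSER_CLOSE": True, "X_FRAME_OPTIONS": "SAMEORIGIN",
    "DATABASES": {"default": {"PASSWORD": "pass4mgiUser123"}},
}
# Constructed sample 2: the same settings after the placeholders are replaced.
HARDENED_SETTINGS = dict(GUIDE_SETTINGS,
    SECRET_KEY="c0nstructed-" * 6,          # 72 chars, illustrative only
    ALLOWED_HOSTS=["mdcs.nist.gov"],
    DATABASES={"default": {"PASSWORD": "constructed-unique-db-password"}})

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, check_settings(cfg) or "OK")
```

Run it with the real settings module imported in place of the constructed mapping; the guide's own values produce three findings, the hardened sample none.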
Install Nginx on host.
Create or upload certificate, key and certificate chain for HTTPS configuration.
NOTE: restrict the certificate, key and certificate chain to mode 600 (chmod 600), owned by the [account] user.
$ yum install nginx
$ yum install bzip2
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Content-Type-Options "nosniff" always;
    #add_header X-Frame-Options "SAMEORIGIN" always;   # uncomment if not done in settings.py
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Whome "l-cbz02";

    server_names_hash_bucket_size 64;
    uwsgi_cache_path /var/cache/nginx levels=1:2 keys_zone=my_app:10m inactive=5m;

    client_body_buffer_size 1K;
    client_max_body_size 256M;
    client_header_buffer_size 2k;
    large_client_header_buffers 4 4k;

    map_hash_bucket_size 2048;
    map $sent_http_content_type $expires {
        default off;
        application/json 42d;
    }
    expires $expires;

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # mime.types/default_type appear once only: a duplicate default_type
    # in the same block makes nginx refuse to start
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$gzip_ratio"';

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/default.d/mdcs_nginx.conf;
}
Note: for Nginx, if there is an intermediate certificate it must follow the host certificate in the same file; in this case we used mdcs.chained.crt, which contains both certificates.
root /var/www/html;
index index.html index.htm;

server {
    charset utf-8;
    listen 443 ssl;
    server_name mdcs.nist.gov;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_certificate /home/www/html/mdcs/certs/mdcs.chained.crt;
    ssl_certificate_key /home/www/html/mdcs/certs/mdcs.key;
    ssl_session_cache shared:mySSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    # "compression" is the log_format defined in nginx.conf above; nginx
    # will not start if the access_log names a format that is not defined
    access_log /home/www/html/mdcs/logs/access_mdcs.log compression;
    error_log /home/www/html/mdcs/logs/error_mdcs.log warn;

    location / {
        limit_except GET POST { deny all; }
        include /etc/nginx/uwsgi_params;
        proxy_pass http://mdcs.nist.gov:8000;
    }
}

server {
    listen 80 default_server;
    server_name mdcs.nist.gov;
    return 301 https://$host$request_uri;
}
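Before exposing the proxy it is worth linting the two Nginx fragments above for the things a reviewer looks at first: which TLS versions each context enables and which of the security headers are actually emitted (the http block still lists TLSv1.1, and X-Frame-Options is commented out on the assumption that settings.py sets it). This is an added example, not part of the CDCS project or of Nginx; the embedded config excerpt is constructed from the guide's http block, and the parser is a deliberately small one for this purpose rather than a full nginx.conf parser.

```python
# Added example, not from the CDCS project: a small linter for the Nginx
# fragments in this guide. Strips # comments, splits on ; { }, then checks
# ssl_protocols and add_header directives.
import re

# Constructed excerpt of the guide's http{} block, comments included.
SAMPLE_CONF = """
http {
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Content-Type-Options "nosniff" always;
    #add_header X-Frame-Options "SAMEORIGIN" always;
    ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
}
"""

REQUIRED_HEADERS = {"Strict-Transport-Security", "X-Content-Type-Options",
                    "X-Frame-Options"}
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Yield (name, args) for every directive; block names yield no args."""
    clean = re.sub(r"#[^\n]*", "", conf)          # drop comments first
    for stmt in re.split(r"[;{}]", clean):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def lint(conf):
    """Return findings for the config text; [] means nothing to report."""
    findings, seen_headers = [], set()
    for name, args in directives(conf):
        if name == "add_header" and args:
            seen_headers.add(args[0])
        elif name == "ssl_protocols":
            bad = sorted(LEGACY_TLS & set(args))
            if bad:
                findings.append("ssl_protocols enables legacy versions: " + ", ".join(bad))
    for header in sorted(REQUIRED_HEADERS - seen_headers):
        # X-Frame-Options may instead come from X_FRAME_OPTIONS in settings.py
        findings.append("missing add_header " + header)
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Feed it the full nginx.conf and mdcs_nginx.conf text; a clean run after removing TLSv1.1 and uncommenting the X-Frame-Options line returns no findings.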
$ firewall-cmd --add-port=80/tcp
$ firewall-cmd --add-port=443/tcp
$ service nginx start