Ubuntu 簽章 << Previous Next >> xrdp

配置 uwsgi

在 Ubuntu 環境中可透過 uwsgi 執行 Flask 網際程式. 並且利用 Nginx 配置 Let's Encrypt 數位簽章.

安裝 Nginx WWW 伺服器:

在 Ubuntu 安裝 nginx 伺服器:

sudo apt install nginx

其中必須注意的是, apt 將使用 /etc/apt.conf 中所設定的 proxy 進行網路連線.

apt.conf 設定格式為:

Acquire::http::Proxy "http://[2001:288:6004:17::proxy_ip]:3128";

Acquire::https::Proxy "http://[2001:288:6004:17::proxy_ip]:3128";

/etc/nginx/sites-available/default 參考檔案:

server {
    listen 80;
    listen [::]:80;
    root /home/wcm2021/newcms;
    index index.html;
  
    location /static {
        alias /home/wcm2021/newcms/cmsimde/static/;
    }
  
    location /downloads {
        alias /home/wcm2021/newcms/downloads/;
    }
  
    location /images {
        alias /home/wcm2021/newcms/images/;
    }
  
    location / {
            try_files $uri $uri/ =404;
    } 
      
    location /blog {
        alias /home/wcm2021/cmsimfly/blog/;
    }
  
    location /reveal {
        alias /home/wcm2021/cmsimfly/reveal/;
    }
}
  
server {
    listen 443 ssl;
    #listen [::]:443 ssl ipv6only=on;
   
    location /static {
        alias /home/wcm2021/cmsimfly/static/;
    }
   
    location / {
        include uwsgi_params;
        uwsgi_pass  127.0.0.1:8080;
    }
   
    #server_name ipv4_ip; 
    #ssl on;
    ssl_certificate /etc/stunnel/localhost.crt;
    ssl_certificate_key /etc/stunnel/localhost.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    try_files $uri $uri/ =404;
}
   
server {
    #listen 89 default_server;
    #listen [::]:89 default_server ipv6only=on;
   
    listen 8943 ssl;
    #listen [::]:8943 ssl ipv6only=on;
   
    location /static {
        alias /home/wcm2021/cmsimfly2/static/;
    }
   
    location / {
        include uwsgi_params;
        uwsgi_pass  127.0.0.1:8082;
    }
   
    #server_name ipv4_ip;
    #ssl on;
    ssl_certificate /etc/stunnel/localhost.crt;
    ssl_certificate_key /etc/stunnel/localhost.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    try_files $uri $uri/ =404;
}
  
server {
    #listen 88 default_server;
    #listen [::]:88 default_server ipv6only=on;
   
    listen 8843 ssl;
    #listen [::]:8843 ssl ipv6only=on;
   
    location /static {
        alias /home/wcm2021/newcms/cmsimde/static/;
    }
   
    location / {
        include uwsgi_params;
        uwsgi_pass  127.0.0.1:8081;
    }
   
    #server_name ipv4_ip;
    #ssl on;
    ssl_certificate /etc/stunnel/localhost.crt;
    ssl_certificate_key /etc/stunnel/localhost.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    try_files $uri $uri/ =404;
}

uwsgi 環境準備:

sudo apt install uwsgi uwsgi-plugin-python3

sudo pip3 install uwsgi

編輯的設定檔案為 uwsgi_ini 目錄中的各個 .ini 設定檔案.

uwsgi.ini 參考檔案:

[uwsgi]
socket = 127.0.0.1:8080
uid = kmol2019
gid = kmol2019
plugins-dir = /usr/lib/uwsgi/plugins/
plugin = python3
master = true
logto = /var/log/uwsgi/emperor.log
logfile-chown = kmol2019:kmol2019
processes = 4
threads = 2
chdir = /home/kmol2019/cmsimfly
wsgi-file = /home/kmol2019/cmsimfly/wsgi.py

python3 環境準備:

安裝 pip3:

sudo apt install python3-pip

安裝 CMSiMDE 所需模組:

sudo pip3 install flask bs4 lxml flask_cors pelican markdown leo pyopenssl

CMSiMDE 的設定:

init.py 中必須將 uwsgi = False 改為 True, 因為準備採用 uwsgi 模式啟動 CMSiMDE

apt proxy 設定檔案:

啟動 uwsgi 指令, 將會逐一啟動 wsgi_ini 目錄中個別 .ini 檔案:

sudo /usr/bin/uwsgi --emperor /home/kmol2019/wsgi_ini

最後則設定 Ubuntu 系統服務, 用來啟動 uwsgi:

/etc/systemd/system 的 cmsimde.service 服務啟動檔案內容:

[Unit]
Description=uWSGI to serve CMSiMDE
After=network.target
  
[Service]
User=kmol2019
Group=kmol2019
WorkingDirectory=/home/kmol2019/uwsgi_ini
ExecStart=/usr/local/bin/uwsgi --emperor /home/kmol2019/uwsgi_ini
  
[Install]
WantedBy=multi-user.target

接著將 cmsimde 服務設為隨系統開機啟動:

sudo systemctl enable cmsimde

若要取消 cmsimde 服務隨系統開機啟動:

sudo systemctl disable cmsimde

手動啟動 cmsimde.service 服務

sudo systemctl start cmsimde

手動停止 cmsimde.service 服務

sudo systemctl stop cmsimde

最後, 在 Ubuntu 虛擬主機中設定 Fossil SCM:

安裝 fossil:

sudo apt install fossil

查 fossil 版本:

fossil version

接下來為了要在 https 的模式下使用 Fossil SCM 伺服器, 因此必須安裝配置 stunnel:

sudo apt install stunnel

修改 /etc/environment, 加入:

HTTPS=on

修改 /etc/default/stunnel4, 修改 ENABLED=1

假如此時 /etc/stunnel 目錄下尚無 localhost.crt 與 localhost.key, 可以利用下列指令建立:

建立 localhost.key 與 localhost.crt:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt

接著設定 /etc/stunnel/stunnel.conf 如下:

[https]
accept = kmol2019:5443
# 只先啟用 ipv4
#accept = :::443
cert = /etc/stunnel/localhost.crt
key = /etc/stunnel/localhost.key
exec = /usr/bin/fossil
execargs = /usr/bin/fossil http /home/kmol2019/repository/ --https --nojail --notfound kmol2019

表示利用 stunnel 執行 fossil 指令, 並且透過 http 協定啟動位於 /home/kmol2019/repository 目錄下的倉儲壓縮檔案, 且附加採用 https 與 nojail 模式啟動.

其中 --nojail 目的在 drop the root privilege but do not enter the chroot jail, 其後的 --notfound 表示若沒有特別在 URL 中列出所要擷取的 .fossil 檔案 (指位於 /home/kmol2019/repository/ 目錄下), 則採用 kmol2019.fossil

重新啟用 stunnel:

sudo /etc/init.d/stunnel4 restart

Ubuntu 簽章 << Previous Next >> xrdp