You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 21 Next »

This page is to document the migration of IIS to nginx

Existing Servers

Web ServerIISTomcatComments
glast-ground.slac.stanford.eduglast-win01,glast-win02multiple 
web08.slac.stanford.eduweb08  
aida.freehep.orgweb08scalnx-v03 
aidatld.freehep.orgweb08scalnx-v03Up
exo-data.slac.stanford.eduweb08exolnx-v01 
forum.freehep.orgweb08N/A fudform applicationPage is up, but forum may be down, returns a blank page (was fhforum.slac.stanford.edu)
heprep.freehep.orgweb08scalnx-v03Up
jas.freehep.orgweb08scalnx-v03 
java.freehep.orgweb08scalnx-v03 

lcsim.org, www.lcsim.org

lcsim.freehep.org

web08scalnx-v03lcsim.freehep.org exists as a host name, but the application appears to actually be www.lcsim.org
lelaps.freehep.orgweb08scalnx-v03Up
lp99.freehep.orgweb08 Down, no DNS record- but IIS is still aware of the Application (checked via telnet web08 80: GET / HTTP/1.1\nHost: lp99.freehep.org\n\n)
lsst-camera.slac.stanford.eduweb08

lsstlnx-v01

Up
pingerlod.slac.stanford.eduweb08

scalnx-v06

Up

portal.lsst-desc.org

portal.lsstdesc.org

web08 Up
sid.slac.stanford.eduweb08 Points to exo portal?
srs.slac.stanford.eduweb08 Up
wired1.freehep.orgweb08N/A (on web08)Up
www.freehep.orgweb08N/A (on web08)Up

www-sld.slac.stanford.edu

www-bes.slac.stanford.edu

www-midas.slac.stanford.edu

web08N/A (on web08)Up. Also has www-bes and www-midas, but they all serve the same page.
www-sldnt.slac.stanford.eduweb08scalnx-v03/Also on web08?scalnx-v03, just a blank page
xrdmon.slac.stanford.eduweb08 Worker defined to be xrootd-mon, Not sure if this is on web08 or some other server?

wired4.freehep.org

wired.freehep.org

web08scalnx-v03 
wired2.freehep.orgweb08 Points to web08. No record in IIS. Not sure how this one works? There is a directory on scalnx-v03

 

NGINX configuration

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/
user  nginx;
worker_processes  1;
error_log  /var/log/nginx16/error.log;
#error_log  /opt/rh/nginx16/root/var/log/nginx/error.log  notice;
#error_log  /opt/rh/nginx16/root/var/log/nginx/error.log  info;
pid        /opt/rh/nginx16/root/var/run/nginx/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /opt/rh/nginx16/root/etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx16/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    
    #image cache
    proxy_cache_path /tmp/nginx levels=1:2 keys_zone=imgcache:10m inactive=60m;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    
    # glast-ground.conf, srs.conf, lsst-camera.conf, etc...
    include /opt/rh/nginx16/root/etc/nginx/conf.d/*.conf;

    server {
        listen       8180;
        server_name  localhost;
        location / {
            proxy_pass              http://scalnx-v01.slac.stanford.edu:8180;
            proxy_cache             imgcache;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
        }
    }
}

 

SSL Configuration

http://nginx.com/resources/admin-guide/nginx-ssl-termination/

Tomcat configuration

To take full advantage of nginx+ssl, I believe we need to setup Tomcat to use the RemoteIpValve:

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

An example is here:

http://kdl.nobugware.com/post/2010/02/12/nginx-ssl-tomcat-confluence

nginx page on configuring individual applications

http://wiki.nginx.org/JavaServers



PHP Applications

[List of PHP Applications here]

Two potential solutions

  1. PHP applications on nginx reverse proxies
  2. PHP applications on another server (configured the same as Tomcat servers)

The second option potentially makes session handling easier.

Taylor has php54 option. I believe Taylor has a drupal option as well, but it may not suit our needs.

Necessary installs for PHP:

sudo yum install php54 php54-php-fpm php54-php-mysqlnd

 

Github's use of nginx and map files

http://githubengineering.com/rearchitecting-github-pages/

 

VMs

Hostnames and IPs

sca-nginx01 is deployed on > scalnx12-vmm with 12GB memory and 6 cores

sca-nginx02 is deployed on > scalnx13-vmm with 12GB memory and 6 cores

Both will share the sca-www hostname through the virtual IP address 134.79.129.86.

Management of the Virtual IP address will be handled with keepalived.


Keepalived

keepalived is to be configured on both machines.

keepalived seems to support HTTP status checks.

The following is roughly the configuration for sca-nginx01. The configuration for sca-nginx02, which will be the failover machine, will be nearly identical, but the priority on the vrrp_instance MUST BE LOWER than the priority on the master. The password will be different.

The configuration is located in /etc/keepalived/keepalived.conf

global_defs {
   notification_email {
     bvan@slac.stanford.edu
   }
   notification_email_from bvan@slac.stanford.edu
   smtp_server smtp.slac.stanford.edu  # Not sure if this works
   smtp_connect_timeout 30
   router_id SCA_WWW  # Not sure if this is used
}
 
# This is a health check script. Right now it just checks to see
# if nginx is up.
#
# Note on the weight: If the weight isn't enough to break a tie between
# the priority difference between sca-nginx01 and sca-nginx02, and
# nginx is down but sca-nginx01 is up, then requests
# may still go to sca-nginx01.
vrrp_script chk_nginx {
      script "killall -0 nginx"
      interval 2 # seconds
      weight 2 # points
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 85 # Random ID. We shouldn't have the same router id on the same subnet
    priority 100  # See note on weight above
    advert_int 1 # Advertisement interval (i.e. heartbeat seconds)
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        134.79.129.86
    }
    track_script {
         chk_nginx
    }
   unicast_src_ip 134.79.129.92   # Unicast specific option, this is the IP of the interface keepalived listens on
   unicast_peer {                 # Unicast specific option, this is the IP of the peer instance 
     134.79.129.91
   }
}

 


  • No labels