Deploy pyramid app with uwsgi and apache - apache

I have a pyramid app in a virtualenv, and I want to deploy it using apache+uwsgi, but I don't figure how to connect apache, uwsgi and pyramid. Can anyone provide an apache.conf and production.ini example?
In many examples you should create an init script to manage the uWSGI process, but can apache start the uwsgi process?

I can't help with the Apache side of things, but here's my uwsgi config.ini that would work in your case. Apache does not support the native uwsgi protocol, so you will need to configure uwsgi to speak http as below. Then, Apache will need to be configured to proxy requests to a backend http server.
http = 127.0.0.1:33932 ;also could use unix file socket
master = 1
workers = 5 ;number of cpus + 1
harakiri = 30 ;seconds = request timeout length
buffer-size = 32768 ; found experimentally. Your app may work well with less or more.
chdir = /path/to/your/uwsgi_webapp
module = your_module
callable = your_wsgi_app
virtualenv = /path/to/your/uwsgi_webapp/env
daemonize = /path/to/your/uwsgi_webapp/log/uwsgi.log
pidfile = /path/to/your/uwsgi_webapp/uwsgi_fuzzy.pid
Note that using Apache as a front-end webserver is not a recommended configuration. Starting up a complete Apache process just to proxy to another http server will result in fairly poor performance. For that reason, a lightweight server like nginx or a http proxy like Varnish is preferred.

Related

Varnish 6.0lts won't handle secure websockets on a remote proxy?

I'm having a hard time with this setup. I have a node.js box serving HTTP on 3000, websockets on 3001, and secure websockets on 3002. Out in front of that I have a remote Hitch/Varnish caching proxy on its own server that's listening on 443/80 and connecting the first server as its default backend via 3000. A user who visits the site URL https://foo.tld hits the varnish proxy and sees the site, where some javascript on the site tells their browser to connect to wss://foo.tld:3002 for secure websockets.
My problem is getting websockets to pass transparently through to the backend. In the VCL I have the standard
if (req.http.upgrade ~ "(?i)websocket") {
return (pipe);
}
and
sub vcl_pipe {
#Declare pipe handler for websockets
if (req.http.upgrade) {
set bereq.http.upgrade = req.http.upgrade;
set bereq.http.connection = req.http.connection;
}
}
Which doesn't work in this case. To list what I have tried so far with no success:
1: Creating a second backend in VCL named "websockets" that is the same backend IP but on either port 3001 or 3002 and adding "set req.backend_hint = websockets;" before the pipe summon in the first snippet above.
2: Turning off HTTPS and trying to connect it over pure HTTP.
3: Modifying varnish.service to try and make varnish listen on ports other than, or in addition to, -a :80 and -a :8443,proxy, in which cases Varnish simply refuses to start. One attempt was to simply use HTTP only and attempt to run varnish on 3001 to get ws:// working without SSL but varnish refuses to start.
4: Most recently I attempted the following in VCL to try and pick up client connections coming in on 3001:
if (std.port(server.ip) == 3001) {
set req.backend_hint = websockets;
}
My goal is for the Varnish box to pick up secure websocket traffic (wss://) on 3002 (via hitch at 443 using the normal secure websocket connection protocol) and have that passed transparently to the backend websocket server, whether SSL encrypted across that leg of the connection or not. I have set up other, smaller servers like this before and getting websockets working is trivial if Varnish and the backend service are either on the same machine or behind a regulating CDN like Cloudflare, so it has been extra frustrating trying to figure out just what this remote proxy setup needs. I feel like part of the solution is having Varnish or Hitch (not sure) listening on 3002 to accept the connections at which point the normal req.http.upgrade and pipe functions would come into play, but the software refuses to cooperate.
--------Update--
I have broken down the problem into the simplest form I can. The main server (backend) is now serving plain HTTP on 8080 and WS:// on 6081. I have removed hitch and TLS from the equation entirely, but even in this simplified form it is impossible to connect to websockets through Varnish. I can verify that the Websocket server is working correctly on the backend. Connecting to the backend IP address with a browser shows websockets functioning perfectly there. It's Varnish that's the problem.
My current hitch.conf (not relevant here but provided per request):
frontend = "[*]:443"
frontend = "[*]:3001"
backend = "[127.0.0.1]:8443" # 6086 is the default Varnish PROXY port.
workers = 4 # number of CPU cores
daemon = on
# We strongly recommend you create a separate non-privileged hitch
# user and group
user = "redacted"
group = "redacted"
# Enable to let clients negotiate HTTP/2 with ALPN. (default off)
# alpn-protos = "h2, http/1.1"
# run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY ..
write-proxy-v2 = on # Write PROXY header
syslog = on
log-level = 1
# Add pem files to this directory
# pem-dir = "/etc/pki/tls/private"
pem-file = "/redacted/hitch-bundle.pem"
Current default.vcl (stripped down to almost nothing just for testing this. The backend is NOT running on the same machine, it is remote):
# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;
# Default backend definition. Set this to point to your content server.
backend default {
.host = "remote.server.ip";
.port = "8080";
}
backend websockets {
.host = "remote.server.ip";
.port = "6081";
}
sub vcl_recv {
# Happens before we check if we have this in cache already.
#
# Typically you clean up the request here, removing cookies you don't need,
# rewriting the request, etc.
#Allow websockets to pass through the cache (summons pipe handler below)
if (req.http.Upgrade ~ "(?i)websocket") {
set req.backend_hint = websockets;
return (pipe);
} else {
set req.backend_hint = default;
}
}
sub vcl_pipe {
if (req.http.upgrade) {
set bereq.http.upgrade = req.http.upgrade;
set bereq.http.connection = req.http.connection;
}
return (pipe);
}
Varnish's systemd exec parameters:
ExecStart=/usr/sbin/varnishd \
-a http=:80 \
-a proxy=localhost:8443,PROXY \
-a ws=:6081 \
-p feature=+http2 \
-f /etc/varnish/default.vcl \
-s malloc,256m \
-p pipe_timeout=1800
Working in plain HTTP and insecure websockets like this, it should be very simple to get a working model. I don't understand what could possibly be going wrong.
Varnish Cache, the open source version of Varnish, doesn't support backend connections over TLS.
While you can offload TLS using Hitch, the connection to your websocket server will not be encrypted.
Basic VCL example
Here's a very basic VCL example where web & websocket requests are split and sent to separate backends:
vcl 4.1;
backend web {
.port = "3000";
}
backend ws {
.port = "3001";
}
sub vcl_recv {
if (req.http.Upgrade ~ "(?i)websocket") {
set req.backend_hint = ws;
return (pipe);
} else {
set req.backend_hint = web;
}
}
sub vcl_pipe {
if (req.http.upgrade) {
set bereq.http.upgrade = req.http.upgrade;
}
return (pipe);
}
Need more input
However, I'm probably missing a lot of context. I also didn't specify a .host parameter in the backends, so the assumption is that all services are hosted locally.
Please add your full VCL, your Hitch config and the varnishd runtime parameters to your question. This will add context and allows me to come up with a better solution.
What about Hitch?
If you terminate TLS in Hitch, both HTTPS & secure websockets will be handled by Hitch where the plain-text HTTP & websockets will still be directly handeled by Varnish.
See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch for a Hitch tutorial that also explains how Varnish should be configured.
I'm a big advocate of using the PROXY protocol in Varnish. The hitch tutorial has a specific section about this: https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/#enable-the-proxy-protocol-in-varnish
Custom ports
The standard ports to access the service are 80 for HTTP and insecure websockets and 443 for HTTPS and secure websockets.
If you want to use custom ports for the websockets, it is possible to configure them in Hitch and Varnish.
Let's say you want to main ports 3001 and 3002 for your websockets. This means you need 2 frontends in Hitch:
One for HTTPs on 443
One for secure WS on 3002
See https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/#listening-address for more information about the frontend config.
Varnish on the other hand needs to have 3 listening addresses:
One for HTTP on port 80 (-a http=:80)
One for offloaded HTTPS & secure WS with PROXY support on port 8443 (-a proxy=:8443,PROXY)
One for insecure WS on port 3001 (-a ws=:3001)
Next steps
Please use the information and see if this helps to find a solution. If not, please share your VCL file, your Hitch config and varnishd runtime.
Update
Now that you provided more input, the picture starts to become more clear. The fact that you eliminated the TLS part for now will make it a lot easier to debug.
Assuming the names of your listening interfaces for varnishd are http and ws (as mentioned in your systemd unit file), we can use the following varnishlog commands to debug:
varnishlog -g request -q "ReqStart[3] eq 'http'"
This command will show logs for all log transactions where the http listening interface is used.
If you want to make it more granular, you can also add the request URL as a filtering criterium. This will narrow down the number of transactions:
varnishlog -g request -q "ReqStart[3] eq 'http' and ReqUrl eq '/'"
Please add a complete log transaction for one of the failed requests. This will help us understand why requests are failing.
You can do the same for requests on the ws listening interface by using the commands below:
varnishlog -g request -q "ReqStart[3] eq 'ws'"
varnishlog -g request -q "ReqStart[3] eq 'ws' and ReqUrl eq '/'"
I'm assuming you're successful at starting the varnishd program but unsuccessful at getting decent output out of Varnish. The varnishlog program will provide the insight we need. Please add the logging output to your question so I can look into it.

Problem serving Flask based applications with uWSGI and Nginx and Tensorflow on CentOS 7

I'm serving an application with Tensorflow. Now I need to serve this flask based application with Ngnix. I used this document on Digitalocean.
Direct serving application with uWSGI is okay but as soon as the service is transferred to Nginx , I get an internal service error (500).
service works fine without Tensorflow and Keras library so I'm pretty sure server config is fine.
myproject.ini:
[uwsgi]
module = wsgi
master = true
processes = 5
socket = myproject.sock
chmod-socket = 660
vacuum = true
die-on-term = true
/etc/systemd/system/myproject.service:
[Unit]
Description=uWSGI instance to serve myproject
After=network.target
[Service]
User=user
Group=nginx
WorkingDirectory=/home/user/myproject
Environment="PATH=/home/user/myproject/myprojectenv/bin"
ExecStart=/home/user/myproject/myprojectenv/bin/uwsgi --ini myproject.ini
[Install]
WantedBy=multi-user.target
Thank a lot. Also sorry about my English.
Ok I was tried to change .ini file but that was not work for me. Somethings like to add cheaper = 0 or change processes = 1 and master = false. but somebody told me use gunicorn instead of uWSGI and that's work.
And that was so easy to switch from uWSGI to Gunicorn. Based on this document on Digitalocean you just need to change
(/etc/systemd/system/myproject.service) this file on line 10 (ExecStart part)
(/etc/nginx/nginx.conf) this file in location part
** If you have not configured the server yet, just use this paper
Hope to be useful. Also sorry about my English.

TURN server under proxy pass with Apache web server

I am trying to my own coturn (TURN) server. I want it to run on port 443. I have Apache already running on that port. Can i use Apache proxy pass to run TURN on port 3479, 53499 but still listening to port 443?
I am not sure how to go about this problem. Is my approach wrong?. If yes, whats the better approach
listening-port=3478
alt-listening-port=3479
tls-listening-port=5349
alt-tls-listening-port=5350
#stening-port=80
#tls-listening-port=443
listening-ip=127.0.0.1
relay-ip=127.0.0.1
external-ip=*****
realm=explain.bookmane.in
server-name=explain.bookmane.in
lt-cred-mech
userdb=/etc/turnuserdb.conf
Apparently, the latest version of COTURN, COTURN 4.5.2r3, recently released this year, and still marked as unstable, has just incorporated support for reverse proxy. I infer this from description I found in its config file: /etc/turnserver.conf
https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf
This is what it says:
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555"

HAproxy with standalone mod_security routed to multiple web servers

I want to have one server with HAproxy and a standalone mod_security installed which routes every packets to mod_security first and check by its rules.
Then if there wasn't anything suspicious in packets (SQL Injection, DOS Attacks, ...) pass them back from mod_security to haproxy and haproxy routes them to multiple servers with different webservers.
Therefore I don't need to install and config mod_security on all my webservers.
This is technically possible, possibly with running 2 instances of HAProxy. However, you will need a webserver to run underneath ModSec, typically Apache or nginx, and this kind of negates the advantage of not having to install ModSec on all your webservers.
The standard setup is: haproxy -> reverse-proxies with ModSec -> application-servers
Just to answer this old, but still valid, question:
The solution should be to use HAProxies Stream Processing Offload Engine (SPOE) through the Stream Processing Offload Protocol (SPOP) to talk a Stream Processing Offload Agent (SPOA) which is a standalone modsecurity daemon.
HAProxy example config from their github repo
frontend my-front
...
filter spoe engine modsecurity config spoe-modsecurity.conf
...
enter code here
backend spoe-modsecurity
mode tcp
balance roundrobin
timeout connect 5s
timeout server 3m
server modsec1 127.0.0.1:12345
# Block potential malicious requests with returncode < 0
http-request deny if { var(txn.modsec.code) -m int gt 0 }
There's also a Github project where the daemon has been made available as Docker container
Offical HAProxy blog post

SailsJS on production - Error: listen EADDRINUSE

I have a VPS server with CentOS and Apache server.
But I want to run my node.js applications too. I am using sails.js
This sails application is trying to listen to port 80 of specified host.
Here is error (after sails lift running):
debug: Starting server in /var/www/user/data/nodeprojects/projectname...
info - socket.io started
debug: Restricting access to host: projectname.com
warn - error raised: Error: listen EADDRINUSE
warn:
warn: Server doesn't seem to be starting.
warn: Perhaps something else is already running on port 80 with hostname projectname.com?
What is the problem? Can I run both apache and nodejs servers on one server with one port (80)?
No, you cannot.
When a server process opens a TCP port to answer requests, it has exclusive use of that port. So, you cannot run both SailsJS and Apache servers on the same port.
Having said that, you can do lots of interesting things with Apache, such as proxying specific requests to other servers running on different ports.
A typical setup would have Apache on port 80 and SailsJS on port 8000 (or some other available port) where Apache would forward requests to certain URLs to SailsJS and then forward the reply from SailsJS back to the browser.
See either configuring Apache on Mountain Lion proxying to Node.js or http://thatextramile.be/blog/2012/01/hosting-a-node-js-site-through-apache for example implementations of this approach.
you cannot use same port for different application. NodeJS can use any open port. What you need todo is port forwarding for your app. :)