From f1ad520673d16854d3d3b81723bf07bd68a5160f Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 24 Sep 2012 15:48:25 +0200 Subject: Switched to nginx --- fripost-docs.org | 148 ++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 91 insertions(+), 57 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 7f7c390..f89f344 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -165,6 +165,8 @@ sudo aptitude install logcheck syslog-summary # | Postfix reload ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version +# | slapo-constraint ignores slapd's logging configuration +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: constraint_update\(\)$ ** Configuring aptitude and friends @@ -2123,7 +2125,7 @@ Finally, we need a new set of rules for logcheck: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=]+>?( \(added by [^[:space:]]+\))?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$ - ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=(mailman|schleuder), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via (mailman|schleuder) service\)$ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=(mailman|schleuder|mklist-mailman|mklist-schleuder), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via \2 service\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/local\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[[:digit:].]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=[45](\.[[:digit:]]+){2})?, status=(deferred|bounced) \(.+\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: message-id=(?)?( \(added by [^[:space:]]+\))?$ @@ -2233,30 +2235,46 @@ And the archives: sudo rm -rf /var/lib/mailman/archives/{public,private}/domain/listname -**** Web server configuration - - sudo apt-get install apache2 libapache2-mod-python - ln -s ../mods-available/python.load /etc/apache2/mods-enabled/ +**** Web server configuration (nginx + fcgiwrap) -A template can be found in '/etc/mailman/apache.conf'. + sudo apt-get install nginx fcgiwrap In our case the archives under /pipermail/ do not have the right forwat, a quick & dirty fix is to use a RewriteRule: - :: /etc/apache2/site-enabled/000-default - ... - - RewriteEngine On - RewriteBase / - RewriteRule ^([^@/]+)@([^/]+)/ /pipermail/$2/$1/ [R,L] - ... - - ... - -TODO: Forbid access to '/create': it is not a proper way to create lists in our setting, -since one needs to update the LDAP directory first. + :: /etc/nginx/sites-enabled/lists + # Default list manager + location = / { + rewrite ^ /mailman/listinfo permanent; + } + + # Mailman + location ^~ /mailman/ { + location ^~ /mailman/create { return 403; } + rewrite ^/mailman/?$ /mailman/listinfo permanent; + root /usr/lib/cgi-bin; + gzip off; + include fastcgi/params; +# include fastcgi/ssl; #TODO + fastcgi_pass unix:/var/run/fcgiwrap.socket; + } + location ^~ /images/mailman/ { + alias /var/lib/mailman/icons/; + } + location ^~ /pipermail/ { + rewrite ^/pipermail/([^@/]+)@([^@/]+)/?(.*)$ /pipermail/$2/$1/$3 last; + index index.html; + alias /var/lib/mailman/archives/public/; + } + +For the web interface to be available, one needs to start *both* fcgiwrap and nginx: + sudo /etc/init.d/fcgiwrap start + sudo /etc/init.d/nginx start -TODO: Use SSL. Switch to Nginx+FastCGI. +Note: We forbid access to '/create' as it is not a proper way to create lists in our +setting (one has to update the LDAP directory first). +We have a rewrite rule for '/pipermail/' as internally, archives are stored hierarchically +under the list's domain. Note: when creating a new list with '-u lists.example.org', it is not visible under "http://smtp.fripost.org/cgi-bin/mailman/listinfo", but one can access it under @@ -2355,57 +2373,73 @@ If you want the list to be available from the web interface, you have to create a file called 'web.conf' in the list's config directory, containing the bcrypt-ed password for the web interface. It can be done by hand, or using - sudo -u schleuder ruby /opt/webschleuder/contrib/enable_webschleuder.rb test-schleuder@fripost.org xxxxxxxxxxxxxxxx + echo xxxxxxxxxxxx | sudo -u schleuder ruby /opt/webschleuder/contrib/enable_webschleuder.rb test-schleuder@fripost.org A test server (for testing/debugging/development purposes only) can be started with sudo -u schleuder camping webschleuder/webschleuder.rb -***** Using mod_passenger: - - sudo apt-get install libapache2-mod-passenger - -Passenger setuid to the owner of 'config.ru'. In our case, webschleuder *must* -be run by schleuder as it has to read list configuration and the public keyring. +***** Configuring nginx + thin - sudo chown 'schleuder:schleuder' /opt/webschleuder/config.ru - sudo mkdir -m 0700 -p /var/tmp/webschleuder/{data,upload}/ - sudo chown 'schleuder:schleuder' /var/tmp/webschleuder/data/ - sudo chown 'www-data:www-data' /var/tmp/webschleuder/upload/ + sudo apt-get install nginx thin + sudo mkdir /var/run/webschleuder/ + sudo chown 'schleuder:schleuder' /var/run/webschleuder/ - sudo ln -s ../mods-available/passenger.load ../mods-available/passenger.conf /etc/apache2/mods-enabled/ + :: /etc/thin/webschleuder.yml + --- + rackup: config.ru + pid: /var/run/webschleuder/pid + timeout: 30 + log: /var/log/schleuder/webschleuder.log + max_conns: 1024 + require: [] + + max_persistent_conns: 512 + environment: production + user: schleuder + group: schleuder + servers: 1 + daemonize: true + chdir: /opt/webschleuder + socket: /var/run/webschleuder/socket + + :: /etc/nginx/sites-enabled/lists + # Webschleuder + location ^~ /schleuder/ { + gzip off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_redirect off; + proxy_pass http://unix:/var/run/webschleuder/socket.0; + } + location ^~ /static/ { + alias /opt/webschleuder/static/; + } - :: /etc/apache2/site-enabled/000-default - - ... - PassengerTempDir /var/tmp/webschleuder/data/ - PassengerUploadBufferDir /var/tmp/webschleuder/upload/ - DocumentRoot /opt/webschleuder/static/ - Alias /static/ /opt/webschleuder/static/ - - AllowOverride None - Order allow,deny - Allow from all - - ... - +For the web interface to be available, one needs to start *both* thin and nginx: + sudo /etc/init.d/thin start + sudo /etc/init.d/nginx start -TODO: Use SSL. Switch to Nginx+FastCGI/Passenger. +*** Creating new lists -*** Tools +The task is somewhat more tricky than for domains / aliases / mailbox creation as +the list manager has to be asked to create the list *on disk*. -We need two small scripts to create new lists (one for GNU Mailman, the other -for Schleuder). Postfix will pipe email into them as 'list' and 'schleuder' user -respectively, hence the two distinct files transport_mailman and transport_schleuder. +The solution we chose is to create a special address 'mklist@fripost.org', for which each +email will be piped by Postfix into a list creation script run with the right user +(list or schleuder, depending on the extension: mklist+mailman@fripost.org or +mklist+schleuder@fripost.org.) -These scripts should: -- Ensure that the email is signed with the Admin WebPanel GPG key, -- Create a new list, given for instance in the subject, -- Append the new commands to transport_mailman or transport_schleuder, -- Hash the transport file. +Of course, we don't want to give everyone the permission to create lists, hence the script: + 1/ ensures the email is signed with a known *and authorized* GPG key, + 2/ ensures the list that is to be created is in the "pending" state, + 3/ asks the list manager to create the list (for schleuder, also create the web.conf), + 4/ updates and hashes the lookup tables, and + 5/ adds the list commands to the LDAP directory, and removes the "pending" state. -In the case of Schleuder we also create the web.conf file with the provided -password. +The script can be found in the "fripost-panel" repository. See INSTALL and README for +further insformations. ** Logging *** Overview -- cgit v1.2.3