Verified Commit 84caa1e6 authored by Andri Steiner

opensource/puppet-modules#739 update content

parent 7c4b0559
......@@ -16,5 +16,5 @@ place them within ``/usr/local/share/ca-certificates``.
You can access this directory by login with the devop user (see :ref:`access_devop`).
.. hint:: After adding a certificate, update the trust store by executing ``update-ca-certificates``.
.. tip:: After adding a certificate, update the trust store by executing ``update-ca-certificates``.
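Review bot: the first context line, "You can access this directory by login with the devop user", reads awkwardly; while touching this hunk, change it to "by logging in as the devop user".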
......@@ -11,7 +11,7 @@ For other, seldom used settings we used so called `Custom JSON` fields.
There are two differente `Custom JSON` fields available depending on the layer of your desired configuration.
.. hint::
.. tip::
Please make sure that you use the provided configurations on the appropriate level which we indicate in each example.
.. index::
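Review bot: the context line "There are two differente `Custom JSON` fields" carries a typo ("differente" should be "different"), and "so called" in the hunk header should be "so-called"; both are worth fixing in the same commit since the surrounding paragraph is already being edited.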
......@@ -36,9 +36,9 @@ Configure the ``ftp::users`` hash within the `Custom JSON` :ref:`customjson_serv
}
}
.. hint:: The password has to be encrypted. Use the following command to encrypt your desired password: ``mkpasswd -m sha-512``
.. tip:: The password has to be encrypted. Use the following command to encrypt your desired password: ``mkpasswd -m sha-512``
.. hint:: Use the "id" command to determine the appropriate uid/gid
.. tip:: Use the "id" command to determine the appropriate uid/gid
Directories
-----------
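Review bot: inconsistent inline markup in the two renamed tips: the first uses the literal ``mkpasswd -m sha-512`` while the second writes "id" in plain double quotes; use ``id`` so both commands render as literals. It is also worth saying in the first tip that only the resulting hash belongs in the Custom JSON, never the plaintext password, and that on Debian/Ubuntu ``mkpasswd`` ships in the ``whois`` package.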
......@@ -121,5 +121,5 @@ strings within the `Custom JSON` :ref:`customjson_server`:
"ftp::wrapper::proftpd::tls_key_file": "/etc/nginx/ssl/<websitename>.key"
}
.. hint:: With this option, you can also use certificates issued through nginx by Let's Encrypt.
.. tip:: With this option, you can also use certificates issued through nginx by Let's Encrypt.
......@@ -8,7 +8,7 @@ Git Repository Deployment
The `globalrepo` service is used to checkout and refresh a Git repository.
.. hint::
.. tip::
You can still clone repositories manually by SSH or through a CI job, which will
be better in most use cases. If in doubt, contact us and we will help to select the best approach.
......@@ -42,7 +42,7 @@ provider
* provider used to fetch repository, see `module description of the vcsrepo Puppet module <https://github.com/puppetlabs/puppetlabs-vcsrepo#module-description>`__
* default: `git`
.. hint:: git is the only vcs provider officially supported by Puppet
.. tip:: git is the only vcs provider officially supported by Puppet
remote
~~~~~~
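Review bot: style point on the renamed tip "git is the only vcs provider officially supported by Puppet": capitalise "Git" and "VCS" and end the sentence with a period, matching the other tips in this file.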
......@@ -62,7 +62,7 @@ ssh_private_key
* SSH private key used to fetch a private repository
* default: empty
.. hint:: use `cat /tmp/private_key | sed -e ':a;N;$!ba;s/\n/\\n/g` to convert key into a single line with escaped linebreaks
.. tip:: use `cat /tmp/private_key | sed -e ':a;N;$!ba;s/\n/\\n/g` to convert key into a single line with escaped linebreaks
exec_after
~~~~~~~~~~
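Review bot: the renamed tip wraps the sed command in single backticks, which in reStructuredText is interpreted text (title-reference role) where backslashes act as escapes, so ``\n`` and ``\\n`` will not render as written; use double backticks, ``cat /tmp/private_key | sed -e ':a;N;$!ba;s/\n/\\n/g'``, which also restores the missing closing quote of the sed expression. The example also reads the key from ``/tmp``, a world-readable directory; suggest pointing at the key's real location and reminding the reader not to leave copies of a private key behind.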
......@@ -91,7 +91,7 @@ With ``vcl_include``, you can define a full path to a additional
configuration file. This file gets included into the Varnish default
configuration.
.. hint:: keep in mind to issue a ``puppet-agent`` run after changing the local Varnish configuration. Puppet will copy your local configuration file to a global location and ensure that Varnish is able to read it
.. tip:: keep in mind to issue a ``puppet-agent`` run after changing the local Varnish configuration. Puppet will copy your local configuration file to a global location and ensure that Varnish is able to read it
Memory Ratio
~~~~~~~~~~~~
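Review bot: capitalisation and punctuation are applied inconsistently across this commit: the SSH tip below gets "For security reasons ... only." while this one keeps "keep in mind to issue ... read it" with no capital and no period. Since every tip is being touched anyway, normalise them all to sentence case with a trailing period, e.g. "Remember to run ``puppet-agent`` after changing the local Varnish configuration. Puppet copies your local configuration file to a global location and ensures that Varnish can read it."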
......@@ -163,7 +163,7 @@ Usage
By default, Redis is bound to localhost on its default port 6379 (``127.0.0.1:6379``).
.. hint:: most applications will connect automatically with this default settings
.. tip:: most applications will connect automatically with this default settings
PHP
~~~
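Review bot: grammar in the renamed tip: "this default settings" should be "these default settings" (or "this default setting"), and the sentence should start with a capital and end with a period.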
......@@ -177,7 +177,7 @@ To load *phpredis* in your environment, specify the extenion in ``~/cnf/php.ini`
extension = redis.so
.. hint:: For details, see :ref:`custom PHP configuration <website-advanced-php>`.
.. tip:: For details, see :ref:`custom PHP configuration <website-advanced-php>`.
Debugging
~~~~~~~~~
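Review bot: the hunk header context "specify the extenion in ``~/cnf/php.ini``" has a typo ("extenion" should be "extension"); fix it while this section is being edited.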
......@@ -193,4 +193,4 @@ For debugging purposes, use *redis-cli* to connect to the Redis server:
$ redis-cli get key1
"test"
.. hint:: for details, see the `redis-cli documentation <https://redis.io/topics/rediscli>`__
.. tip:: for details, see the `redis-cli documentation <https://redis.io/topics/rediscli>`__
......@@ -8,11 +8,11 @@ Means to Access Your Server
SSH
---
Your server is accessible trough SSH by default.
Your server is accessible trough SSH by default.
To ensure uniformity between SSH and web actions, there are no personal
SSH login users created. Log in with the desired websites user instead.
SSH login users created. Log in with the desired websites user name instead.
.. hint:: for security reasons, we allow key based logins only
.. tip:: For security reasons, we allow key based logins only.
Every aspect of the configuration is controlled through our configuration
management software. There is no root access possible neither for the
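Review bot: the touched line "Your server is accessible trough SSH by default." keeps the typo "trough" (should be "through") in both the old and the new version, so the rename missed an obvious fix. In the other changed line, "websites user name" should be "website's user name", and the context "There is no root access possible neither for the" should read "There is no root access possible, neither for the".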
......@@ -56,5 +56,5 @@ over SFTP. We recommend to use one of the following clients:
- `Filezilla <https://filezilla-project.org>`__
- `Cyperduck <https://cyberduck.io>`__
.. Hint:: To store your key in the memory and not having to enter the password for every connection - use pageant (Windows) or ssh-add it (Linux)
.. tip:: To store your key in the memory and not having to enter the password for every connection - use pageant (Windows) or ssh-add it (Linux)
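Review bot: the context line spells the client "Cyperduck"; the project (and the linked URL) is "Cyberduck". The renamed tip is also grammatically off and mixes up the terms: SSH keys are protected by a passphrase, not a password. Suggest: "To keep your key in memory so you do not have to enter the passphrase for every connection, use Pageant (Windows) or ``ssh-add`` (Linux)."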
......@@ -2,9 +2,12 @@
Maintenance Window
==================
If not specified otherwise, we conduct maintenance work starting **every Monday at 23:00**.
If not specified otherwise, we conduct maintenance work starting
**every Monday at 23:00 local Zurich (Switzerland) time**.
We announce maintanence work in advance through our `status site <http://opsstatus.ch/>`__.
.. tip::
We announce maintanence work in advance through our `status site <http://opsstatus.ch/>`__.
Service Restarts
================
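Review bot: the line moved into the new tip still contains the typo "maintanence" (should be "maintenance"); since the line is being rewritten anyway, fix it here. Also double-check that the tip body is indented under ``.. tip::`` in the source, otherwise the directive renders empty and the sentence falls out as a plain paragraph.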
......@@ -16,5 +19,7 @@ Server Reboots
If required to load a new kernel version, servers are restarted every Tuesday between 00:00 and 01:00.
.. hint:: Make sure there is no manual interaction required to start all required services.
.. tip::
Make sure there is no manual interaction required to start all required services.
......@@ -27,7 +27,7 @@ Monit, nginx and PHP FPM (if installed) status pages are available at ``http://l
* ``http://localhost:2813/nginx/``: nginx `stub status <http://nginx.org/en/docs/http/ngx_http_stub_status_module.html>`__ output
* ``http://localhost:2813/fpm-<poolname>/``: PHP FPM per pool status page
.. hint:: this status vhost is running on localhost only. Expose port 2813 through SSH to access locally: ``ssh <hostname> -L 2813:localhost:2813``
.. tip:: this status vhost is running on localhost only. Expose port 2813 through SSH to access locally: ``ssh <hostname> -L 2813:localhost:2813``
Reboot
------
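Review bot: "Expose port 2813 through SSH to access locally" describes the command backwards: ``ssh <hostname> -L 2813:localhost:2813`` forwards your local port 2813 to the server's loopback interface, it does not expose anything. Suggest "Forward port 2813 over SSH to reach it from your machine", which also makes clear the status vhost stays bound to localhost.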
......@@ -37,7 +37,7 @@ A automatic reboot is initiated to solve certain high usage scenarios:
* 5 minute average load higher than CPU count * 10 for 5 minutes
* memory usage higher than 95% for 5 minutes
.. hint:: always make sure that any required services will be up and running automatically
.. tip:: always make sure that any required services will be up and running automatically
Utilization
-----------
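Review bot: the hunk header context "A automatic reboot is initiated" should be "An automatic reboot is initiated"; the renamed tip should also start with a capital and end with a period for consistency with the rest of the file.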
......@@ -8,7 +8,7 @@ Deploy Application
Follow this guide to deploy your application to our servers.
.. hint::
.. tip::
We'd love to support you with automatic deployment processes.
Feel free to contact us!
......@@ -22,7 +22,7 @@ Copy Files by Git
We recommend you to use Git to deploy your application.
Git and the required dependencies are already installed and configured by default.
.. hint::
.. tip::
Contact us if you don't use Git yet, or don't have access to a trustworthy Git server.
Among others, we run GitLab as a service and also offer corresponding trainings.
......@@ -49,7 +49,7 @@ A example rsync command to copy your application does look as follows:
As the different website users are encapsulated from each other,
this approach is also used to copy files between different sites on the same server.
.. hint::
.. tip::
Use SSH agent forwarding to loop your local SSH key into remote systems.
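Review bot: the tip recommends SSH agent forwarding without the usual caveat: while the session is open, anyone with root on the remote host can use your agent to authenticate as you elsewhere. Suggest adding that forwarding should be enabled per host (``ssh -A`` or a ``ForwardAgent yes`` entry in a ``Host`` stanza of ``~/.ssh/config``) rather than globally, and only towards hosts you trust. The hunk header context "A example rsync command to copy your application does look as follows" should read "An example rsync command to copy your application looks as follows".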
......@@ -68,7 +68,7 @@ A example mysql command does look as follows:
mysqldump --single-transaction example | ssh website@server.example.net mysql
.. hint::
.. tip::
To skip certain tables which are not reqwuired, add the ``--ignore-table`` parameter to the ``mysqldump`` command.
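Review bot: the tip body contains the typo "reqwuired" (should be "required"); fix it in this commit since the directive above it is already being changed. The hunk header context "A example mysql command does look as follows" should read "An example mysql command looks as follows".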
......@@ -93,7 +93,7 @@ For a go live without any troubles and outages, please make sure that:
- the appropriate TLS certificate is installed and fully tested
- the server has the correct size to handle the expected traffic
.. hint::
.. tip::
If in doubt, contact us. We'd love to assist you with planning, testing and executing such migrations.
If you plan the go live for a bigger project, we're glad if you let us know the desired date so we can plan accordingly.
......@@ -109,7 +109,7 @@ You can lookup your servers records in Cockpit, or by executing the following co
ipaddress => 192.168.0.99
ipaddress6 => 2001:db8::99
.. hint::
.. tip::
Please make sure to note both IPv4 (A) and IPv6 (AAAA) adresses and add both records.
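Review bot: the tip body has the typo "adresses" (should be "addresses"); the hunk header context "You can lookup your servers records" should be "You can look up your server's records".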
......@@ -38,7 +38,7 @@ Due to security reasons, we allow key based logins only.
2. Add your SSH Public Key in the Cockpit: Either for the whole server or within the website.
3. Now you can log in via SSH. Username is your chosen website name, not your own Username.
.. hint:: Wondering why your existing SSH key is not working? Maybe it does not meet our `minimum requirements <../server/ssh-keys.html>`_
.. tip:: Wondering why your existing SSH key is not working? Maybe it does not meet our `minimum requirements <../server/ssh-keys.html>`_
Run a Docker Image
------------------
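Review bot: the renamed tip ends its link with a single underscore (``minimum requirements <../server/ssh-keys.html>`_``), creating a named hyperlink target, while the identical tip in the WordPress guide in this same commit uses the anonymous form with ``__``. Use ``__`` here as well so the same link text in two documents cannot collide as a named target, and end the sentence with a period.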
......@@ -50,4 +50,4 @@ Run a Docker Image
You can use any free port. In this example we expose our docker container at 127.0.0.1.8080.
.. hint:: For the container to be accessible from the outside via reverse proxy, the selected port must match the one in the cockpit.
.. tip:: For the container to be accessible from the outside via reverse proxy, the selected port must match the one in the cockpit.
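Review bot: the context line "we expose our docker container at 127.0.0.1.8080" has a malformed address; it should be "127.0.0.1:8080" (host and port separated by a colon). Fix it alongside the tip rename so the example matches the port the tip refers to.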
......@@ -6,7 +6,7 @@
Context Based E-Mail Handling
=============================
.. hint:: This info applies to PHP based installations who do not alter the `sendmail_path` setting only.
.. tip:: This info applies to PHP based installations who do not alter the `sendmail_path` setting only.
Depending on the selected context, e-mails get either sent to their designated recipient, or get saved into the users ``~/tmp/``
directory. This prevents you from accidental deliveries within non-PROD contexts.
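Review bot: the renamed tip is hard to parse ("installations who do not alter the `sendmail_path` setting only") and wraps ``sendmail_path`` in single backticks, which renders as interpreted text rather than a literal. Suggest: "This only applies to PHP based installations that do not alter the ``sendmail_path`` setting." The context line "saved into the users ``~/tmp/`` directory" should be "the user's".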
......@@ -26,7 +26,7 @@ destination (e.g. PhpStorm) is on another machine, you have to reverse
forward this debug port to your desired destination, e.g.
``ssh -R 13377:localhost:13377 <username>@<hostname>``.
.. hint:: Use ``php -r 'echo ini_get("xdebug.remote_port");'`` to get the debugging port.
.. tip:: Use ``php -r 'echo ini_get("xdebug.remote_port");'`` to get the debugging port.
Custom Xdebug Port/Host
~~~~~~~~~~~~~~~~~~~~~~~
......@@ -104,7 +104,7 @@ An SSH agent caches your decrypted keys and provides them to SSH client
programs. Thus the passphrase must only provided once, when adding your
private key to the agent's cache.
.. hint::
.. tip::
Usually you would start your agent upon login, and let it run
until you logout. There are many diffrent agents, and they are typically
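Review bot: the hunk header context "Thus the passphrase must only provided once" is missing a verb ("must only be provided once"), and the tip body spells "diffrent" (should be "different"); both sit next to the changed line and should be fixed in the same commit.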
......@@ -27,7 +27,7 @@ Every Website is type and environment based, which means you have to select a pa
3. Go to websites, and create a new one
4. `Select website type <../services/website.html#wordpress>`__ wordpress and fill in all settings
.. hint:: You don't need to remember your DB credentials. We always provide them as `environment variables <../services/website.html#default-environment-variables>`__.
.. tip:: You don't need to remember your DB credentials. We always provide them as `environment variables <../services/website.html#default-environment-variables>`__.
According to those settings, our automation will setup the server/vhost as required.
......@@ -41,7 +41,7 @@ Due to security reasons, we allow key based logins only.
2. Add your SSH Public Key in the Cockpit: Either for the whole server or within the website.
3. Now you can log in via SSH. Username is your chosen website name, not your own Username.
.. hint:: Wondering why your existing SSH key is not working? Maybe it does not meet our `minimum requirements <../server/ssh-keys.html>`__.
.. tip:: Wondering why your existing SSH key is not working? Maybe it does not meet our `minimum requirements <../server/ssh-keys.html>`__.
Install WordPress
-----------------
......@@ -66,7 +66,7 @@ This allows you to install WordPress with just four commands.
You are now ready to use your installation of WordPress.
.. hint:: Do you encounter some inexplicable errors like 403, maybe you just got acquainted with `our web application firewall <../services/website.html#web-application-firewall>`__.
.. tip:: Do you encounter some inexplicable errors like 403, maybe you just got acquainted with `our web application firewall <../services/website.html#web-application-firewall>`__.
Still got some questions?
-----------------
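Review bot: the section title "Still got some questions?" is 25 characters wide but its underline is only 17 dashes; Sphinx emits a "Title underline too short" warning for this, so extend the underline to at least the title length. The renamed tip is also a run-on; suggest: "If you encounter inexplicable errors such as 403, you may just have met `our web application firewall <...>`__."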
......@@ -49,7 +49,7 @@ port
By default, Solr will listen on port 8983. If you have multiple instances, or want to use a different
port for other reasons, use the ``port`` parameter to specify the corresponding TCP port.
.. hint:: Solr will listen on the localhost interface only. If you need to expose Solr for external access, please use a website service (proxy type), and make sure access is allowed only by basic or ip address auth
.. tip:: Solr will listen on the localhost interface only. If you need to expose Solr for external access, please use a website service (proxy type), and make sure access is allowed only by basic or ip address auth
memory_ratio
""""""""""""
......@@ -87,7 +87,7 @@ Solr Admin
The Solr admin interface is reachable on `http://localhost:port`. To access Solr externally, please use a website service (proxy type), and make sure access is allowed only by basic or ip address auth. If the webapplication using Solr is installed on the same server, best practice is to let Solr run on localhost only and access Solr admin for management purposes by forwarding the corresponding port through SSH.
.. hint:: Example ssh command for port forwarding: ``ssh -N -L 8983:localhost:8983 user@server``. The command assumes that solr runs its web interface on port 8983 (as it is shown in the configuration example above). ``user`` is an existing ssh user on the ``server`` where the solr instance is installed. After running the command in terminal, point your browser to ``http://localhost:8983/solr/`` to access the solr web interface.
.. tip:: Example ssh command for port forwarding: ``ssh -N -L 8983:localhost:8983 user@server``. The command assumes that solr runs its web interface on port 8983 (as it is shown in the configuration example above). ``user`` is an existing ssh user on the ``server`` where the solr instance is installed. After running the command in terminal, point your browser to ``http://localhost:8983/solr/`` to access the solr web interface.
Add core
""""""""
......@@ -137,7 +137,7 @@ port
By default, Solr will listen on port 8983. If you have multiple instances, or want to use a different
port for other reasons, use the ``port`` parameter to specify the corresponding TCP port.
.. hint:: Solr will listen on the localhost interface only. If you need to expose Solr for external access, please use a website service (proxy type), and make sure access is allowed only by basic or ip address auth
.. tip:: Solr will listen on the localhost interface only. If you need to expose Solr for external access, please use a website service (proxy type), and make sure access is allowed only by basic or ip address auth
memory_ratio
""""""""""""
......@@ -175,7 +175,7 @@ Solr Admin
The Solr admin interface is reachable on `http://localhost:port`. To access Solr externally, please use a website service (proxy type), and make sure access is allowed only by basic or ip address auth. If the webapplication using Solr is installed on the same server, best practice is to let Solr run on localhost only and access Solr admin for management purposes by forwarding the corresponding port throgh SSH.
.. hint:: Example ssh command for port forwarding: ``ssh -N -L 8983:localhost:8983 user@server``. The command assumes that solr runs its web interface on port 8983 (as it is shown in the configuration example above). ``user`` is an existing ssh user on the ``server`` where the solr instance is installed. After running the command in terminal, point your browser to ``http://localhost:8983/solr/`` to access the solr web interface.
.. tip:: Example ssh command for port forwarding: ``ssh -N -L 8983:localhost:8983 user@server``. The command assumes that solr runs its web interface on port 8983 (as it is shown in the configuration example above). ``user`` is an existing ssh user on the ``server`` where the solr instance is installed. After running the command in terminal, point your browser to ``http://localhost:8983/solr/`` to access the solr web interface.
Add core
""""""""
......@@ -36,7 +36,7 @@ by setting the ``preview_username`` string within the
}
Globally
-------
--------
To change the default username for all websites on a given server,
you can override the value ``website::preview_username`` within the
......@@ -166,7 +166,7 @@ within the `Custom JSON` :ref:`customjson_website`:
"header_hsts": "max-age=3600; includeSubDomains; preload"
}
.. hint:: See the OWASP `HTTP Strict Transport Security Cheat Sheet <https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet>`__ for details.
.. tip:: See the OWASP `HTTP Strict Transport Security Cheat Sheet <https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet>`__ for details.
Test
====
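Review bot: the HSTS example in the context lines, ``max-age=3600; includeSubDomains; preload``, combines a one-hour max-age with the ``preload`` token; the browser preload list requires a max-age of at least one year (31536000 seconds), so this value would be rejected on submission, and once a domain is preloaded with ``includeSubDomains`` the setting is very hard to undo. Suggest either dropping ``preload`` from the example or using ``max-age=31536000`` and adding a sentence that ``preload`` is a long-term commitment.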
......@@ -81,7 +81,7 @@ Python
* uWSGI Daemon (Symlink your appropriate wsgi configuration to ``~/wsgi.py``)
* Python virtualenv ``venv-<sitename>`` configured within uWSGI and the user login shell
.. hint:: To control the uwsgi daemon, use the ``uwsgi-reload`` and ``uwsgi-restart`` shortcuts.
.. tip:: To control the uwsgi daemon, use the ``uwsgi-reload`` and ``uwsgi-restart`` shortcuts.
.. index::
triple: Website; Type; Proxy
......@@ -118,7 +118,7 @@ To use your own redirect code, add the ``target_code`` string within the
"target_code": "301"
}
.. hint:: You can use any nginx variable as target (for example ``$scheme://www.example.com$request_uri``), see the `nginx Documentation <http://nginx.org/en/docs/varindex.html>`__ for available variables.
.. tip:: You can use any nginx variable as target (for example ``$scheme://www.example.com$request_uri``), see the `nginx Documentation <http://nginx.org/en/docs/varindex.html>`__ for available variables.
.. index::
triple: Website; Type; Ruby
......@@ -33,7 +33,7 @@ For each blocked reqeust, there are detailed informations available in the error
YYYY/MM/DD HH:MM:SS [error] 171896#0: *29428 [client 2a04:500::1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "2a04:500::1"] [uri "/"] [unique_id "154850909196.529239"] [ref ""], client: 2a04:500::1, server: example.net, request: "GET /?union%20select=%22waf%20demo HTTP/2.0", host: "example.net"
.. hint:: For details, see the `ModSecurity documentation <https://github.com/SpiderLabs/ModSecurity/wiki>`__.
.. tip:: For details, see the `ModSecurity documentation <https://github.com/SpiderLabs/ModSecurity/wiki>`__.
ModSecurity Audit Log
---------------------
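Review bot: the hunk header context "For each blocked reqeust, there are detailed informations available" has a typo ("reqeust") and a countability error ("informations"); suggest "For each blocked request, detailed information is available in the error log".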