Opff reinstall fixes

.gitignore

@@ -4,6 +4,29 @@ lib/ProductOpener/Config2.pm
 lib/ProductOpener/SiteLang.pm
 taxonomies/nutrient_levels.txt
 
+# local files
+build-cache
+debug
+deleted.images
+dist
+html/countries.html
+html/data
+html/data.old/
+html/images/misc/android-apk-40x135.svg
+html/images/products
+html/products_countries.html
+html/products_countries.js
+lib/ProductOpener/SiteQuality.pm
+log.conf
+logs
+new_images
+products
+scripts/lib
+tmp
+users
+index/categories_nutriments_per_country.world.sto
+
+
 # Local files
 .DS_Store?
 ._*
@@ -23,6 +46,9 @@ data/mongodb
 Lang.open*
 users_emails.sto
 html/data/*
+lang/*/texts/products_stats_*.html
+index/*.sto
+
 
 # Libraries
 node_modules

conf/apache-2.4/opff-mpm_prefork.conf

@@ -0,0 +1,16 @@
+# prefork MPM
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxRequestWorkers: maximum number of server processes allowed to start
+# MaxConnectionsPerChild: maximum number of requests a server process serves
+
+<IfModule mpm_prefork_module>
+	StartServers			 5
+	MinSpareServers		  5
+	MaxSpareServers		 10
+	MaxRequestWorkers	  150
+	MaxConnectionsPerChild   0
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

conf/apache-2.4/opff-ports.conf

@@ -0,0 +1,8 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default.conf
+
+Listen 8001
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

conf/apache-2.4/sites-available/opff.conf

@@ -2,10 +2,10 @@
 
 ServerAdmin [email protected]
 
-PerlSwitches -I/home/opff/lib
+PerlSwitches -I/srv/opff/lib
 
 PerlWarn On
-PerlRequire /home/opff/lib/startup_apache2.pl
+PerlRequire /srv/opff/lib/startup_apache2.pl
 
 # log the X-Forwarded-For IP address (the client ip) in access_log
 LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
@@ -20,14 +20,14 @@ Require all granted
 
 
 <VirtualHost *>
-DocumentRoot /home/opff/html
+DocumentRoot /srv/opff/html
 ServerName openpetfoodfacts.org
-ErrorLog /home/opff/logs/error_log
-CustomLog /home/opff/logs/access_log combined
+ErrorLog /var/log/apache2/opff_error.log
+CustomLog /var/log/apache2/opff_access.log proxy
 LogLevel warn
-ScriptAlias /cgi/ "/home/opff/cgi/"
+ScriptAlias /cgi/ "/srv/opff/cgi/"
 
-<Directory /home/opff/html>
+<Directory /srv/opff/html>
 Require all granted
 </Directory>
 

conf/logrotate/apache2

@@ -0,0 +1,25 @@
+# we want to rotate apache2 files as well as perl logs, 
+# we define all possible patterns, as we have missingok, so we don't have to worry
+/var/log/apache2/*log /var/log/off/*log /var/log/opff/*log /var/log/obf/*log /var/log/opf/*log {
+    daily
+    missingok
+    rotate -1
+    # remove after two years
+    maxage 730
+    compress
+    delaycompress
+    notifempty
+    create 640 root adm
+    # restart apache only once
+    sharedscripts
+    prerotate
+	if [ -d /etc/logrotate.d/httpd-prerotate ]; then
+	    run-parts /etc/logrotate.d/httpd-prerotate
+	fi
+    endscript
+    postrotate
+	if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
+	    invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
+	fi
+    endscript
+}

conf/nginx/conf.d/log_format_realip.conf

@@ -0,0 +1,5 @@
+# a log format for behing a proxy
+log_format proxied_requests
+  '$http_x_forwarded_for - $remote_user [$time_local] '
+  '"$request" $status $body_bytes_sent '
+  '"$http_referer" "$http_user_agent"';

conf/nginx/sites-available/opff

@@ -13,106 +13,31 @@
 
 # Default server configuration
 #
-
-
-
-
 server {
-        listen 80 ;
-        listen [::]:80 ;
-
-        listen 443 ssl;
-        listen [::]:443 ssl;
-
-        include snippets/ssl.openpetfoodfacts.org;
-        include snippets/ssl-params-opff.conf;
-
+		listen 80 ;
+		listen [::]:80 ;
 
-        server_name openpetfoodfacts.org;
-        return 301 https://world.openpetfoodfacts.org$request_uri;
+		server_name openpetfoodfacts.org openpetfoodfacts.eu *.openpetfoodfacts.eu;
+		return 301 https://world.openpetfoodfacts.org$request_uri;
 }
 
 server {
-	#listen 80 default_server;
-	#listen [::]:80 default_server;
 	listen 80;
 	listen [::]:80;
 
-	listen 443 ssl;
-	listen [::]:443 ssl;
-
-	server_name *.openpetfoodfacts.org openpetfoodfacts.eu *.openpetfoodfacts.eu;
-
-	# SSL configuration
-	#
-	# listen 443 ssl default_server;
-	# listen [::]:443 ssl default_server;
-	#
-	# Self signed certs generated by the ssl-cert package
-	# Don't use them in a production server!
-	#
-	# include snippets/snakeoil.conf;
-        #listen [::]:443 ssl default_server;
-        #listen [::]:443 ssl;
-        include snippets/ssl.openpetfoodfacts.org;
-        include snippets/ssl-params-opff.conf;
-
+	server_name *.openpetfoodfacts.org;
 
 	root /srv/opff/html;
 
-	access_log /srv/opff/logs/nginx.access2.log;
-	error_log /srv/opff/logs/nginx.error2.log;
-
-        # Redirect GET requests to https. POST requests will be transformed
-        # to GET by most browsers when redirected, and it breaks apps that
-        # use the API through http.
-
-        if ($scheme = http) {
-                set $test "A";
-        }
-        if ($request_uri !~ "/api/") {
-                set $test "${test}B";
-        }
-        if ($request_method = GET) {
-                set $test "${test}C";
-        }
-        if ($test = ABC) {
-                return 301 https://$host$request_uri;
-        }
+	access_log /var/log/nginx/opff-access.log proxied_requests;
+	error_log /var/log/nginx/opff-error.log;
 
 	location /data/ {
-     if ($request_method = 'OPTIONS') {
-        add_header 'Access-Control-Allow-Origin' '*';
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        #
-        # Custom headers and headers various browsers *should* be OK with but aren't
-        #
-        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-        #
-        # Tell client that this pre-flight info is valid for 20 days
-        #
-        add_header 'Access-Control-Max-Age' 1728000;
-        add_header 'Content-Type' 'text/plain; charset=utf-8';
-        add_header 'Content-Length' 0;
-        return 204;
-     }
-     if ($request_method = 'POST') {
-        add_header 'Access-Control-Allow-Origin' '*';
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-     }
-     if ($request_method = 'GET') {
-        add_header 'Access-Control-Allow-Origin' '*';
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
-        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-     }
-	include snippets/ssl-headers.conf;
+		include snippets/off.cors-headers.include;
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $uri $uri/ =404;
-}
+	}
 
 
 	gzip on;
@@ -122,12 +47,16 @@ server {
 	# Add index.php to the list if you are using PHP
 	index index.html index.htm index.nginx-debian.html;
 
-	location ~* \.(json|csv)$ {
-		add_header Access-Control-Allow-Origin *;
+	location ~* \.(eot|ttf|woff|woff2)$ {
+		include snippets/off.cors-headers.include;
 	}
 
 	location ~ ^/images/products/ {
 		add_header Link "<http://creativecommons.org/licenses/by-sa/3.0/>; rel='license'; title='CC-BY-SA 3.0'";
+		include snippets/off.cors-headers.include;
+		# optimize gzip compressed content (like OCR .json stored next to .jpg files)
+		gzip_static always;
+		gunzip on;
 	}
 
 	location ~ ^/(favicon.ico) {
@@ -137,7 +66,8 @@ server {
 	}
 
 
-	location ~ ^/(.well-known|images|css|js|rss|files|resources|foundation|bower_components)/ {
+	location ~ ^/(.well-known|images|fonts|css|js|rss|files|resources|foundation|bower_components)/ {
+		include snippets/off.cors-headers.include;
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $uri $uri/ =404;
@@ -149,25 +79,19 @@ server {
 
 	location / {
 		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-        	proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
-
-		proxy_pass http://127.0.0.1:8004/cgi/display.pl?;
+                # recursive hosts as we are proxying behind a proxy
+                set_real_ip_from 10.0.0.0/8;
+                real_ip_recursive on;
+		proxy_pass http://127.0.0.1:8001/cgi/display.pl?;
 	}
 
 	location /cgi/ {
 		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_pass http://127.0.0.1:8004;
+                # recursive hosts as we are proxying behind a proxy
+                set_real_ip_from 10.0.0.0/8;
+                real_ip_recursive on;
+		proxy_pass http://127.0.0.1:8001;
 	}
 
-	# deny access to .htaccess files, if Apache's document root
-	# concurs with nginx's one
-	#
-	#location ~ /\.ht {
-	#       deny all;
-	#}
-
-	include /etc/nginx/expires-no-json-xml.conf;
+	include /etc/nginx/snippets/expires-no-json-xml.conf;
 }