Homelab<\/h2>\n
We have two CentOS 7 servers installed which we want to configure as follows:<\/p>\n
web1.hl.local (10.11.1.21) \u2013 Apache server with WordPress and NFS mount
web2.hl.local (10.11.1.22) \u2013 Apache server with WordPress and NFS mount<\/p>\n
SELinux set to enforcing mode.<\/p>\n
See the image below to identify the homelab part this article applies to. <\/p>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/04\/lisenet-homelab-diagram_apache.png\")
<\/p>\n
WordPress from a Custom Tarball<\/h2>\n
We won\u2019t be downloading WordPress from the Internet, but will be using our own custom build (tarball) instead. Each build is source controlled and tested locally prior releasing to the environment. <\/p>\n
The name of the tarball is wordpress-latest.tar.gz, and it\u2019s currently stored on the Katello server under \/var\/www\/html\/pub\/. This allows us to pull the archive from https:\/\/katello.hl.local\/pub\/wordpress-latest.tar.gz.<\/p>\n
Note that the file wp-config.php is never stored inside the tarball, but gets generated by Puppet.<\/p>\n
Redundand Apache\/MySQL Architecture<\/h2>\n
To increase redundancy, each Apache server will be configured to use a different MySQL database server.<\/p>\n
Since our MySQL nodes are configured to use a Master\/Master replication, there should, in theory, be no difference in terms of data that\u2019s stored on each VM.<\/p>\n
We\u2019ll plug web1.hl.local in to db1.hl.local, and web2.hl.local in to db2.hl.local.<\/p>\n
NFS Mount for Uploads<\/h2>\n
Both Apache servers will need an NFS client configured to mount shared storage.<\/p>\n
While users can use either of the Apache servers to upload files, we need to ensure that regardless of the VM they end up on, files across WordPress instances are the same. We could use rsync to solve the problem, but I\u2019m not sure on how well that would scale. Perhaps something to look at in the future.<\/p>\n
Configuration with Puppet<\/h2>\n
Puppet master runs on the Katello<\/a> server.<\/p>\n We use the following Puppet modules:<\/p>\n Please see each module\u2019s documentation for features supported and configuration options available.<\/p>\n Configure both Apache servers to allow HTTPS traffic:<\/p>\n firewall { ‘007 allow HTTPS’:
There may be an insignificant performance penalty incurred while using encryption between HAProxy and Apache compared to plaintext HTTP, but we want to ensure that traffic is secured. HAProxy can be re-configured to offload TLS if this becomes a problem.<\/p>\n Configure SELinux on both Apache servers. These are required in order to allow Apache to use NFS and connect to a remote MySQL instance. We also want to allow Apache (WordPress) to send email notifications.<\/p>\n selinux::boolean { ‘httpd_use_nfs’:
This needs to be applied for both Apache servers.<\/p>\n class { ‘::nfs’:
The virtual IP (which NFS cluster runs on) is 10.11.1.31, and the DNS name is nfsvip.hl.local. The cluster is configured to export \/nfsshare. See here<\/a> for more info.<\/p>\n This needs to be applied for both Apache servers.<\/p>\n We deploy one Apache virtualhost, and configure log forwarding to Graylog (see the custom_fragment section). I wrote a separate post for how to send Apache logs to Graylog, take a look here<\/a> if you need more info.<\/p>\n TLS certificates are taken care of by the main Puppet manifest for the environment. See here<\/a> for more info.<\/p>\n package { ‘php-mysql’:
We want to use our existing<\/a> MySQL configuration, meaning that we don\u2019t want WordPress creating any databases nor users. The details below are the ones we used when setting up MySQL servers.<\/p>\n The only thing that\u2019s going to different here is the db_host parameter \u2013 one Apache server uses db1.hl.local, another one uses db2.hl.local.<\/p>\n class { ‘wordpress’:
Note how we set the owner to apache. This is something we may want to harden further depending on security requirements.<\/p>\n If all goes well, we should end up with both servers using the NFS share:<\/p>\n [[email protected]<\/a> ~]# df -h|egrep “File|uploads”
We should also be able to create Graylog dashboard widgets by using Apache data, e.g.:<\/p>\n We\u2019ll look into putting a pair of HAProxy servers in front of Apache to perform load balancing.<\/p>\nPuppet Modules<\/h3>\n
\n
Firewall Configuration<\/h3>\n
\n dport => ‘443’,
\n source => ‘10.11.1.0\/24’,
\n proto => tcp,
\n action => accept,
\n}<\/p>\nSELinux Booleans<\/h3>\n
\n persistent => true, ensure => ‘on’
\n}->
\nselinux::boolean { ‘httpd_can_network_connect_db’:
\n persistent => true, ensure => ‘on’
\n}->
\nselinux::boolean { ‘httpd_can_sendmail’:
\n persistent => true, ensure => ‘on’
\n}<\/p>\nConfigure NFS Client<\/h3>\n
\n server_enabled => false,
\n client_enabled => true,
\n}->
\nnfs::client::mount { ‘\/var\/www\/html\/wp-content\/uploads’:
\n server => ‘nfsvip.hl.local’,
\n share => ‘\/nfsshare\/uploads’,
\n}<\/p>\nInstall Apache<\/h3>\n
\n ensure => ‘installed’
\n}->
\nclass { ‘apache’:
\n default_vhost => false,
\n default_ssl_vhost => false,
\n default_mods => false,
\n mpm_module => ‘prefork’,
\n server_signature => ‘Off’,
\n server_tokens => ‘Prod’,
\n trace_enable => ‘Off’,
\n log_formats => { graylog_access => ‘{ “version”: “1.1”, “host”: “%V”, “short_message”: “%r”, “timestamp”: %{%s}t, “level”: 6, “_user_agent”: “%i”, “_source_ip”: “%h”, “_duration_usec”: %D, “_duration_sec”: %T, “_request_size_byte”: %O, “_http_status_orig”: %s, “_http_status”: %>s, “_http_request_path”: “%U”, “_http_request”: “%U%q”, “_http_method”: “%m”, “_http_referer”: “%i”, “_from_apache”: “true” }’ },
\n}
\ninclude apache::mod::alias
\ninclude apache::mod::headers
\ninclude apache::mod::php
\ninclude apache::mod::rewrite
\ninclude apache::mod::ssl
\n::apache::mod { ‘logio’: }
\n
\n## Configure VirtualHosts
\napache::vhost { ‘blog_https’:
\n port => 443,
\n servername => ‘blog.hl.local’,
\n docroot => ‘\/var\/www\/html’,
\n manage_docroot => false,
\n options => [‘FollowSymLinks’,’MultiViews’],
\n override => ‘All’,
\n suphp_engine => ‘off’,
\n ssl => true,
\n ssl_cert => ‘\/etc\/pki\/tls\/certs\/hl.crt’,
\n ssl_key => ‘\/etc\/pki\/tls\/private\/hl.key’,
\n ssl_protocol => [‘all’, ‘-SSLv2’, ‘-SSLv3’],
\n ssl_cipher => ‘HIGH:!aNULL!MD5:!RC4’,
\n ssl_honorcipherorder => ‘On’,
\n redirectmatch_status => [‘301’],
\n redirectmatch_regexp => [‘(.*).gz’],
\n redirectmatch_dest => [‘\/’],
\n custom_fragment => ‘CustomLog “|\/usr\/bin\/nc -u syslog.hl.local 12201” graylog_access’,
\n}<\/p>\nInstall WordPress from Our Custom Tarball<\/h3>\n
\n db_user => ‘dbuser1’,
\n db_password => ‘PleaseChangeMe’,
\n db_name => ‘blog’,
\n db_host => ‘db1.hl.local’,
\n create_db => false,
\n create_db_user => false,
\n install_dir => ‘\/var\/www\/html’,
\n install_url => ‘http:\/\/katello.hl.local\/pub’,
\n version => ‘latest’,
\n wp_owner => ‘apache’,
\n wp_group => ‘root’,
\n}<\/p>\n
\nFilesystem Size Used Avail Use% Mounted on
\nnfsvip.hl.local:\/nfsshare\/uploads 2.0G 53M 1.9G 3% \/var\/www\/html\/wp-content\/uploads
\n[[email protected]<\/a> ~]# df -h|egrep “File|uploads”
\nFilesystem Size Used Avail Use% Mounted on
\nnfsvip.hl.local:\/nfsshare\/uploads 2.0G 53M 1.9G 3% \/var\/www\/html\/wp-content\/uploads<\/p>\n![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/05\/lisenet-homelab-graylog-widget.png\")
<\/p>\nWhat\u2019s Next?<\/h2>\n