TurnKey Linux Virtual Appliance Library

Appliance created : LEMP (Lucid)

Basil Kurian's picture

http://wiki.nginx.org/Main

According to Netcraft’s May 2010 Web Server Survey, nginx was found to be the third most widely used Web server across all domains (6.55% of surveyed sites) and the fourth most widely used Web server for all “active” sites (8.77% of surveyed sites).

Nginx is powering famous websites like WordPress, Hulu, Github, Ohloh, SourceForge and TorrentReactor.

-----------------------------------------------------------------------

Patch updated

Base : Turnkey Core Lucid

-----------------------------------------------------------------------

All my testing on LEMP is over. I'm marking it as done.

Basil Kurian's picture

2 problems

Initially when we take http://<ip> we normally get a default page. I edited that page but I am having some problems with it.

Also when I logged in to the box via ssh the prompt looks like this:

(tklpatch)root@LEMP:~#

How can I remove this portion '(tklpatch)', or will that be okay?


Liraz Siri's picture

Patched problem with tklpatch

1) Regarding the first problem with the default web page you didn't give enough information to help you. I imagine it will be easier after you publish the tklpatch to see what you're doing.

2) You don't need to remove (tklpatch) from the prompt. It's harmless but if it bothers you, you can delete /etc/debian_chroot.

I just fixed this in the latest version of tklpatch, to delete this stray file.

Basil Kurian's picture

Patch file attached

Please check the patch file. I forgot to mention, fast-cgi is also integrated into it.


Basil Kurian's picture

Tried setting up Wordpress with the below script

I successfully installed WordPress on nginx with the following script:

cd /var/www/nginx-default/
wget http://wordpress.org/latest.zip
unzip latest.zip
rm -f latest.zip
mv wordpress/* .
chown -R www-data.www-data *
chmod -R 755 *

Should I include the wordpress contents (or a script to download wordpress or any other CMS) in the Appliance?

It could be nice if we provided some helper scripts in the appliance:

install_drupal_contents.sh

install_wordpress_contents.sh 

What do you think?


Liraz Siri's picture

Including helper scripts is a neat idea!

Basil, I wouldn't install WordPress or Drupal into LEMP because that would just make the appliance unnecessarily large and complicated. People who just want the basic LEMP stack would be disappointed.

But, I think including helper scripts to install popular web applications could be a good idea.

Liraz Siri's picture

Attach the TKLPatch to your post and update the wiki

Sorry we missed you on IRC the other day. It's great to have a new contributor join the project. I've played around with nginx myself a bit. It's a neat little high performance web server. In fact, it's running beneath our development wiki!

Regarding your question on how to publish, the easiest way is just to edit the forum post and attach the patch file to it. See the section in the documentation for full details.

Jeremy's picture

Too slow - Liraz beat me!

Too much time between writing my post and posting it so Liraz beat me. Nothing much more to say (as Liraz has said it all) but good work regardless.

Liraz Siri's picture

Comments

I've taken a quick look at the patch. You're off to a good start! A few comments:

  • You didn't say what the base image was but from the contents of the conf file I'm guessing it is TurnKey LAMP. You remove one Apache related package (apache2.2-common), but TurnKey LAMP comes with many other Apache related packages. Perhaps it would be better to start with TurnKey Core instead and build up from that.
  • Your conf file doesn't set the -e flag in the shebang. This makes it silently ignore errors, which is not a good practice.
  • If this is an nginx appliance, it might not be the best idea to install lighttpd just for its fcgi script. It should be possible to setup FastCGI on nginx without having to rely on a lighttpd component...
  • Rather than putting a bunch of files in overlay/tmp/ and then copying them over in your conf script, you should consider just putting the files where you want them to go in the overlay. For example, instead of copying overlay/tmp/file1 to /etc/init.d/php-fastcgi you could just put the file  as overlay/etc/init.d/php-fastcgi. The same for the other tmp files.
  • There are a few unnecessary files in the patch (e.g., conf~). If you don't use a file, it's best to remove it. A clean, minimalistic patch is easier to understand.
Basil Kurian's picture

Thanks a lot for the comments

Thanks a lot for the comments!

Yes, it is based on Turnkey LAMP.

Currently I'm having a problem with phpmyadmin.

I'll try to use the -e flag.

I'll submit a better patch...


Basil Kurian's picture

New patch added

Old attachment removed and new patch added. Please try it and please comment. Currently I'm experiencing one problem with phpmyadmin on <ip>:12322. Some problem with SSL exists :( Please help!


Basil Kurian's picture

doubt

In the case of HTTPS, where are the cert and key files residing in TurnKey Linux?


Liraz Siri's picture

Location of certificate

Sorry for the late reply Basil! The certificate is in /etc/ssl/certs/cert.pem. This certificate gets regenerated by /usr/lib/inithooks/firstboot.d/15regen-sslcert on first boot to prevent everyone who downloads an appliance from discovering your private key...
Basil Kurian's picture

But where is the key file?

But where is the key file?


Liraz Siri's picture

The key file is in the certificate

The private key is encoded into the PEM along with the public certificate. For example:

See where it says "RSA PRIVATE KEY?"

$ cat /etc/ssl/certs/cert.pem
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

You could store the public certificate and the private key in separate files but for convenience you usually just stick them in the same file.
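
Added example, not part of the original thread or of TurnKey's own code: splitting a combined PEM like the one above into a key file that only its owner can read and a public certificate file. The names split_pem, has_private_key, mode_of, server.key and server.crt are hypothetical, and the PEM bodies are constructed placeholders.

```sh
# Added example: split a combined PEM (private key + certificate in one file)
# into an owner-only key file and a public certificate file.

KEY_BEGIN='-----BEGIN [A-Z ]*PRIVATE KEY-----'
KEY_END='-----END [A-Z ]*PRIVATE KEY-----'

# has_private_key FILE: succeeds when FILE carries a private-key block.
has_private_key() { grep -q -e "$KEY_BEGIN" "$1"; }

# mode_of FILE: the nine permission characters, e.g. "rw-------".
mode_of() { ls -ld -- "$1" | cut -c2-10; }

# split_pem BUNDLE KEY_OUT CERT_OUT
split_pem() (
    has_private_key "$1" || { echo "no private key in $1" >&2; exit 1; }
    umask 077                     # create the key file as 0600 from the start
    rm -f -- "$2"                 # a pre-existing file would keep its old mode
    awk -v b="$KEY_BEGIN" -v e="$KEY_END" '$0 ~ b, $0 ~ e' "$1" > "$2"
    umask 022
    awk '/-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/' "$1" > "$3"
)

# Constructed sample bundle; the bodies are placeholders, not key material.
demo() (
    dir=$(mktemp -d)
    cat > "$dir/cert.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT
-----END CERTIFICATE-----
EOF
    chmod 644 "$dir/cert.pem"     # a bundle every local user can read
    split_pem "$dir/cert.pem" "$dir/server.key" "$dir/server.crt"
    echo "bundle:$(mode_of "$dir/cert.pem") key:$(mode_of "$dir/server.key")"
    has_private_key "$dir/server.crt" && echo "cert still has key" \
                                      || echo "cert is public-only"
    rm -rf "$dir"
)
demo
```

Whatever file ends up holding the private key needs owner-only permissions; a combined bundle left world-readable gives the key to every local account.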

Basil Kurian's picture

I'm thinking of creating the

I'm thinking of creating the appliance from Turnkey Core Lucid


great!

This would be very cool for my symfony patch! I tried to install nginx and mysql there to apply my symfony patch there ... but no luck with nginx and phpmyadmin :(

Lucid comes with php 5.3, which is better for developers than old karmic 5.2, I think

Basil Kurian's picture

Patch updated

 

Base : Turnkey Core Hardy


Basil Kurian's picture

Working on lucid

LEMP is now working on Turnkey core Lucid


Liraz Siri's picture

New LEMP patch is a big improvement

In fact I barely recognize it as based on the old TKLPatch. The only major issue I see here is your recreation of the SSL certificate. Better to use the default than generate a new one. We also take care of regenerating on first boot. Otherwise you open a can of worms because it's pretty easy to get the private component of your certificate when everyone is using exactly the same certificate...

Also, very minor but we fixed the problem with TKLPatch so that you don't have to fix it yourself by writing to /etc/debian_chroot.

Are you still having problems with PhpMyAdmin's SSL interface?

Basil Kurian's picture

Changes applied

Now please check. No problem with phpmyadmin


Liraz Siri's picture

Applied a few fixes to the LEMP patch

I took a closer look at your patch and applied a few fixes (attached to the original post):

  • replaced /etc/init.d/init-fastcgi with a more robust, configurable script at /etc/init.d/php-fastcgi. This script can be configured via /etc/default/php-fastcgi. The defaults are different (2 children instead of 15). I did some benchmarking and many children only improve performance when there are as many cores. Also, I bind to a unix socket at /var/run/nginx instead of to localhost:9000. The difference is in privilege levels. Any local process can access a localhost port, but a unix socket can be protected with file permissions (e.g., only www-data can access /var/run/nginx).
  • security vulnerability: Your patch logged to /var/www/nginx-default/logs where the webroot is /var/www/nginx-default. This made the logs accessible from the webroot. A very bad idea since logs may contain security sensitive data.
  • refactored nginx logs: I removed a bit of duplication from the configuration files.

Cheers!
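
The log-exposure problem described in the second bullet can be checked mechanically. The following is an added example, not part of the original thread or of the LEMP patch: it lists every access_log/error_log path that resolves inside a root directory. The function names and the sample configuration are constructed; path handling is lexical and does not follow symlinks.

```sh
# Added example: find nginx log files that sit inside a document root.

# Lexical normalisation: collapses "//", "." and ".."; symlinks are NOT followed.
normalize() (
    rest=$1 out=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in */*) rest=${rest#*/} ;; *) rest= ;; esac
        case "$part" in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$part" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# inside_root ROOT PATH: succeeds when PATH is ROOT itself or below it.
inside_root() (
    root=$(normalize "$1"); path=$(normalize "$2")
    case "$path/" in "${root%/}"/*) exit 0 ;; esac
    exit 1
)

# exposed_logs CONF: print each absolute access_log/error_log path under a root.
exposed_logs() (
    roots=$(awk '$1 == "root" { sub(/;$/, "", $2); print $2 }' "$1")
    awk '$1 ~ /^(access|error)_log$/ { sub(/;$/, "", $2); print $2 }' "$1" |
    while read -r log; do
        case "$log" in /*) ;; *) continue ;; esac   # skips "off", relative paths
        for root in $roots; do
            if inside_root "$root" "$log"; then printf '%s\n' "$log"; break; fi
        done
    done
)

# Constructed sample config: the first log line repeats the layout from the review.
demo() (
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
server {
    root /var/www/nginx-default;
    access_log /var/www/nginx-default/logs/access.log;
    access_log /var/log/nginx/access.log;
    error_log /var/log/../www/nginx-default/logs/error.log warn;
}
EOF
    exposed_logs "$conf"; rm -f "$conf"
)
demo
```

The error_log line shows why the paths are normalised first: it starts with /var/log but still lands under the webroot.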

FastCGI errors

 

Hey!
 
Just tried the patch on a Core-ISO inside a Core 11.0rc VMware, but could not activate our proxy during the chroot step.
 
Then I tried to apply the patch directly on the Core 11.0rc VMware. That worked, but now PHP pages are not delivered (502 Bad Gateway).
Logs say that there's a problem while connecting upstream (unix:/var/run/nginx/php-fastcgi.sock failed (2: No such file or directory)).
And indeed, there was no such file, so I did: touch php-fastcgi.sock, chmod 664, chgrp www-data. But still no luck. What am I doing wrong?
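
Added example, not part of the original thread: a check that separates the cases behind this error. A path created with touch is a regular file, whereas a usable unix socket only appears when the FastCGI process binds it; the check also reports a socket that any local user could connect to, which is the property the unix socket was chosen to avoid. socket_state and the temporary paths are hypothetical names.

```sh
# Added example: classify the path nginx uses as its FastCGI upstream.

# socket_state PATH prints one of:
#   missing         nothing exists at PATH (no process has bound it yet)
#   not-a-socket    PATH exists but is not a socket, e.g. a file made by touch
#   world-writable  socket writable by "other" inside a directory open to "other"
#   ok              a socket reachable only through owner/group permissions
socket_state() (
    path=$1
    if [ ! -e "$path" ]; then echo missing; exit 0; fi
    if [ ! -S "$path" ]; then echo not-a-socket; exit 0; fi
    sock_mode=$(ls -ld -- "$path" | cut -c2-10)
    dir_mode=$(ls -ld -- "$(dirname -- "$path")" | cut -c2-10)
    # connect() needs write on the socket and search (x) on its directory
    case "$sock_mode" in
        ???????w?)
            case "$dir_mode" in
                ????????[xt]) echo world-writable; exit 0 ;;
            esac ;;
    esac
    echo ok
)

# Constructed walk-through in a temporary directory (no real service touched).
demo() (
    dir=$(mktemp -d)
    socket_state "$dir/php-fastcgi.sock"     # before anything is created
    touch "$dir/php-fastcgi.sock"
    chmod 664 "$dir/php-fastcgi.sock"
    socket_state "$dir/php-fastcgi.sock"     # after touch + chmod 664
    rm -rf "$dir"
)
demo
```

When the result is missing, the place to look is whether the FastCGI init script started and whether its user can create files in the socket directory.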

I bump into this problem as

I bump into this problem as well..

Change the use of unix socket to 127.0.0.1:9000

change it at /etc/nginx/include/php and /etc/default/php-fastcgi.

For some weird unknown reason, it just won't start with unix socket. (Try it on v11 Lucid File Server Appliance)

So...

Is there going to be an official LEMP release?

What's the status of this patch? Is it nearly production-ready?

 

Your efforts are appreciated. Thanks.

Jeremy's picture

AFAIK there will be an official TKL LEMP release

But no clear timeframe other than a vague 'soon'. The devs are on the job but their todo list is a mile long and rather than say a date and disappoint when things don't go to plan they promise nothing and deliver when ready.

I have no idea whether the patch is 'production ready' although my reading of Basil & Liraz's comments suggests that it probably would be ok. But obviously as this is a community produced/supported patch (rather than an official TKL appliance) it hasn't received the same level of testing as an official appliance.

If you desperately need it now or you would like to test, then use the patch. If you need an official TKL appliance then you'll need to wait.
