nginx_stage.yml

Many of the options in the per-user NGINX staging and configuration can be configured within nginx_stage. In a default installation this YAML configuration file is located at:

/etc/ood/config/nginx_stage.yml

On a fresh installation you may need to create this file or copy the default file from:

/opt/ood/nginx_stage/share/nginx_stage_example.yml

In most cases it is recommended that you don’t edit this file as the chosen defaults should work out of the box for most scenarios.

Warning

Modifying application specific configuration options or URI options can have unintended consequences for some of the Open OnDemand applications, so be sure you know what you are doing.

Configuration Options

ondemand_version_path (String)

path to the OnDemand version file

Default

Set to default path

ondemand_version_path: "/opt/ood/VERSION"
Example

Supply a custom version file with a different version in it

ondemand_version_path: "/path/to/VERSION"
ondemand_portal (String, null)

unique name of this OnDemand portal used to namespace multiple hosted portals

Default

Do not set a custom namespace for this portal

ondemand_portal: null
Example

Use a custom namespace for this portal

ondemand_portal: "custom"

Note

If this is not set then most apps will use the default namespace ondemand.

ondemand_title (String, null)

title of this OnDemand portal that apps should display in their navbar

Default

Do not set a custom title for this portal

ondemand_title: null
Example

Use a custom title for this portal

ondemand_title: "My Custom Portal"

Note

If this is not set then most apps will use the default title Open OnDemand.

pun_custom_env (Object, null)

Custom environment variables to set for the PUN environment.

Default

No new environment variables.

pun_custom_env: {}
Example

Set some custom environment variables.

pun_custom_env:
   OOD_DASHBOARD_TITLE: "Open OnDemand"
   OOD_BRAND_BG_COLOR: "#53565a"
   OOD_BRAND_LINK_ACTIVE_BG_COLOR: "#fff"
pun_custom_env_declarations (Array, null)

List of environment variables to pass on to the PUN environment from /etc/ood/profile. The example below shows some default env vars that are declared.

Default

No declarations of new environment variables.

pun_custom_env_declarations: []
Example

Declare several environment variables to pass to the PUN.

pun_custom_env_declarations:
  - PATH
  - LD_LIBRARY_PATH
  - MANPATH
  - SCLS
  - X_SCLS
template_root (String)

the root directory containing the ERB templates used in generating the NGINX configuration files

Default

Set to default installation location

template_root: "/opt/ood/nginx_stage/templates"
Example

Use custom templates

template_root: "/path/to/my/templates"
proxy_user (String)

the user name that the Apache proxy runs as so permissions can be added to the Unix domain sockets

Default

Set to the typical apache user

proxy_user: "apache"
Example

Use a different user for the Apache proxy

proxy_user: "proxy_user"
nginx_bin (String)

the path to the NGINX binary

Default

Use NGINX installed by OnDemand Software Collections

nginx_bin: "/opt/ood/ondemand/root/usr/sbin/nginx"
Example

NGINX is installed in a different directory

nginx_bin: "/path/to/sbin/nginx"
nginx_signals (Array<String>)

valid signals that can be sent to the NGINX process

Default

Supported NGINX signals

nginx_signals: [stop, quit, reopen, reload]
Example

Further restrict valid signals

nginx_signals: [stop]

Note

This option is sent as -s signal to the NGINX command line.

mime_types_path (String)

the path to the system-installed NGINX mime.types file

Default

Use the mime.types file from the NGINX installed by OnDemand Software Collections

mime_types_path: "/opt/ood/ondemand/root/etc/nginx/mime.types"
Example

Use a custom mime file

mime_types_path: "/path/to/custom/mime.types"
passenger_root (String)

the locations.ini file that describes Passenger installation

Default

Use the file supplied by Passenger from OnDemand Software Collections

passenger_root: "/opt/ood/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini"
Example

Use a custom file

passenger_root: "/path/to/custom/locations.ini"
passenger_ruby (String)

the path to the Ruby binary that Passenger uses for itself and web apps

Default

Use the Ruby wrapper script supplied by this code

passenger_ruby: "/opt/ood/nginx_stage/bin/ruby"
Example

Use the binary supplied by Ruby 2.4 installed by Software Collections

passenger_ruby: "/opt/rh/rh-ruby25/root/usr/bin/ruby"
passenger_nodejs (String, null)

the path to the Node.js binary that Passenger uses for web apps

Default

Use the Node.js wrapper script supplied by this code

passenger_nodejs: "/opt/ood/nginx_stage/bin/node"
Example

Use the binary supplied by Node.js installed by Software Collections

passenger_nodejs: "/opt/rh/rh-nodejs6/root/usr/bin/node"
passenger_python (String, null)

the path to the Python binary that Passenger uses for web apps

Default

Use the Python wrapper script supplied by this code

passenger_python: "/opt/ood/nginx_stage/bin/python"
Example

Use the system-installed Python binary

passenger_python: "/usr/bin/python"
passenger_pool_idle_time (Integer)

The maximum number of seconds that an application process may be idle. Set to false if you don’t want this specified in the nginx config.

Default

Set idle time to 300

passenger_pool_idle_time: 300
Example

Increase idle time

passenger_pool_idle_time: 900
passenger_log_file (String)

The log file that passenger will write standard out and standard error to.

Note

You may use the variable %{user} to write user specific files.

Default

Write to a per user location in /var/log/ondemand-nginx/.

passenger_log_file: '/var/log/ondemand-nginx/%{user}/error.log'
Example

Write to a per user location in /some/other/location/.

passenger_log_file: '/some/other/location/%{user}/error.log'
passenger_options (Hash)

A Hash of additional Passenger options. Keys without the passenger_ prefix will be ignored.

Default

No additional Passenger options defined

passenger_options: {}
Example

Define custom Passenger options

passenger_options:
  passenger_max_preloader_idle_time: 300
nginx_file_upload_max (Integer, 10737420000)

Max file upload size in bytes (e.g., 10737420000)

Default

~10 GB max upload.

nginx_file_upload_max: 10737420000
Example

Double the max upload.

nginx_file_upload_max: 21474840000
pun_config_path (String)

the interpolated path to the user’s PUN config file

Default

Namespace the user config files by their user name

pun_config_path: "/var/lib/ondemand-nginx/config/puns/%{user}.conf"
Example

Namespace configs under user directories

pun_config_path: "/var/lib/ondemand-nginx/config/puns/%{user}/nginx.conf"
pun_tmp_root (String)

the interpolated root directory used for NGINX tmp directories

Default

Namespace under user directories

pun_tmp_root: "/var/lib/ondemand-nginx/tmp/%{user}"
Example

Use a custom namespace for root directory

pun_tmp_root: "/path/to/%{user}-tmp"

Warning

NGINX will store the full request body in this location before sending it to the Passenger app. The size of the disk partition this directory resides in will limit the maximum file upload size.

pun_access_log_path (String)

the interpolated path to the NGINX access log

Default

Namespace access logs under user directories

pun_access_log_path: "/var/log/ondemand-nginx/%{user}/access.log"
Example

Use a custom location for the access log file

pun_access_log_path: "/custom/path/access-%{user}.log"
pun_error_log_path (String)

the interpolated path to the NGINX error log

Default

Namespace error logs under user directories

pun_error_log_path: "/var/log/ondemand-nginx/%{user}/error.log"
Example

Use a custom location for the error log file

pun_error_log_path: "/custom/path/error-%{user}.log"
pun_secret_key_base_path (String)

The secret key location. Note these are per user.

Default

Per-user secret under /var/lib/ondemand-nginx.

pun_secret_key_base_path: "/var/lib/ondemand-nginx/config/puns/%{user}.secret_key_base.txt"
Example

Use a custom location for secret files.

pun_secret_key_base_path: "/custom/secrets/%{user}.secret_key_base.txt"
pun_log_format (String)

The format of the access and error logs.

Default

The default.

pun_log_format: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'
Example

Use a custom log format.

pun_log_format: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent'
pun_pid_path (String)

the interpolated path to the NGINX pid file

Default

Namespace pid files under user directories

pun_pid_path: "/var/run/ondemand-nginx/%{user}/passenger.pid"
Example

Use a custom location for the pid files

pun_pid_path: "/custom/path/pid-%{user}.pid"
pun_socket_path (String)

the interpolated path to the NGINX socket file

Default

Namespace socket files under user directories

pun_socket_path: "/var/run/ondemand-nginx/%{user}/passenger.sock"
Example

Use a custom location for the socket files

pun_socket_path: "/custom/path/socket-%{user}.sock"

Warning

The root directory containing the Unix domain socket file will have restricted permissions so that only the Apache proxy user can access this socket file.

Danger

Currently the proxy will only look for socket files following the format:

$OOD_PUN_SOCKET_ROOT/<user>/passenger.sock

It is not recommended to alter pun_socket_path unless you know what you are doing.

pun_sendfile_root (String)

the root directory that NGINX serves files from using sendfile

Default

Serve all files on file system

pun_sendfile_root: "/"
Example

Only serve files under home directories

pun_sendfile_root: "/home"

Warning

All URL requests to sendfile will be relative to the pun_sendfile_root. If you alter this configuration option you may break certain web applications that expect it under /.

pun_sendfile_uri (String)

the internal URL path used by NGINX to serve files from using sendfile (not directly accessible by the client browser)

Default

Serve files under a unique path

pun_sendfile_uri: "/sendfile"
Example

Serve files under a custom URL path

pun_sendfile_uri: "/custom/files"
pun_app_configs (Array<Hash>)

a list of interpolated hashes that define what wildcard app config file paths to include in a user’s NGINX config (the hashes are arguments for app_config_path)

Default

Serve a user’s dev apps, all shared apps, all system apps through NGINX

pun_app_configs:
  -
    env: dev
    name: "*"
    owner: "%{user}"
  -
    env: usr
    name: "*"
    owner: "*"
  -
    env: sys
    name: "*"
    owner: "*"
Example

Serve only system apps through NGINX

pun_app_configs:
  -
    env: sys
    name: "*"
    owner: "*"
app_config_path (Hash)

an interpolated hash detailing the path to the NGINX app configs for each app type

Default

A recommended solution for app config locations

app_config_path:
  dev: "/var/lib/ondemand-nginx/config/apps/dev/%{owner}/%{name}.conf"
  usr: "/var/lib/ondemand-nginx/config/apps/usr/%{owner}/%{name}.conf"
  sys: "/var/lib/ondemand-nginx/config/apps/sys/%{name}.conf"
app_root (Hash)

an interpolated hash detailing the root directory where the app is installed for each app type

Default

A recommended solution for app deployment locations

app_root:
  dev: "/var/www/ood/apps/dev/%{owner}/gateway/%{name}"
  usr: "/var/www/ood/apps/usr/%{owner}/gateway/%{name}"
  sys: "/var/www/ood/apps/sys/%{name}"

Note

A common solution is to map the user shared app location as a symlink to the user’s home directory:

/var/www/ood/apps/usr/<owner>/gateway => ~<owner>/ondemand/share

This allows the owner of the app to update the app in real time as well as maintain file permissions.

Warning

Modifying this configuration option may break how the Dashboard app searches for apps.

app_request_uri (Hash)

an interpolated hash detailing the URL path used to access the given type of app (not including the base-URI)

Default

A recommended solution for app request URLs

app_request_uri:
  dev: "/dev/%{name}"
  usr: "/usr/%{owner}/%{name}"
  sys: "/sys/%{name}"

Note

Modifying this will require you to also modify app_request_regex.

Warning

Modifying this configuration option may break how the various apps link to each other.

app_request_regex (Hash)

a hash detailing the regular expressions used to determine the type of app and its corresponding parameters from a URL request (this should match what you used in app_request_uri)

Default

A recommended solution for app request URL regular expressions

app_request_regex:
  dev: "^/dev/(?<name>[-\\w.]+)"
  usr: "^/usr/(?<owner>[\\w]+)/(?<name>[-\\w.]+)"
  sys: "^/sys/(?<name>[-\\w.]+)"

Note

Modifying anything in this configuration option other than the allowed characters will require you to modify app_request_uri as well.
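Because app_request_uri and app_request_regex have to be changed together, a round-trip check catches a mismatch before it is deployed. The following is an added example, not part of nginx_stage: the helper name uri_regex_mismatches and the sample owner and app name are assumptions, and the embedded YAML is a constructed fragment holding the defaults shown above.

```ruby
require 'yaml'

# Constructed config fragment holding the page's defaults for both options.
CONFIG = YAML.safe_load(<<~'YML')
  app_request_uri:
    dev: "/dev/%{name}"
    usr: "/usr/%{owner}/%{name}"
    sys: "/sys/%{name}"
  app_request_regex:
    dev: "^/dev/(?<name>[-\\w.]+)"
    usr: "^/usr/(?<owner>[\\w]+)/(?<name>[-\\w.]+)"
    sys: "^/sys/(?<name>[-\\w.]+)"
YML

# Hypothetical helper: builds a URI from each app_request_uri template and
# checks that the matching app_request_regex parses the same values back.
# Returns a list of problems; an empty list means the two options agree.
def uri_regex_mismatches(config, sample = { owner: 'alice', name: 'my-app.v2' })
  uris    = config.fetch('app_request_uri')
  regexes = config.fetch('app_request_regex')
  (uris.keys | regexes.keys).flat_map do |env|
    next ["#{env}: set in only one of the two options"] unless uris[env] && regexes[env]

    uri   = format(uris[env], sample)
    match = Regexp.new(regexes[env]).match(uri)
    next ["#{env}: regex does not match generated URI #{uri}"] unless match

    # Every %{placeholder} in the template needs a named capture group.
    wanted  = uris[env].scan(/%\{(\w+)\}/).flatten
    missing = (wanted - match.names).map { |k| "#{env}: no capture group for #{k}" }
    wrong   = match.named_captures.reject { |k, v| sample[k.to_sym] == v }
                   .map { |k, v| "#{env}: #{k} parsed as #{v.inspect}" }
    missing + wrong
  end
end

puts uri_regex_mismatches(CONFIG).empty? ? 'consistent' : 'mismatch'
```
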

app_token (Hash)

an interpolated hash detailing a uniquely identifiable string for each app

Default

A recommended solution for generating app tokens

app_token:
  dev: "dev/%{owner}/%{name}"
  usr: "usr/%{owner}/%{name}"
  sys: "sys/%{name}"

Note

Not currently used and may be deprecated in the future.

app_passenger_env (Hash)

a hash detailing the Passenger environment to run the type of app under

Default

A recommended solution for setting Passenger environments

app_passenger_env:
  dev: "development"
  usr: "production"
  sys: "production"

Warning

Modifying this configuration option can lead to unintended consequences for web apps such as issues with serving their assets.

user_regex (String)

regular expression used to validate a given user name

Default

Username can consist of any characters typically found in an email address

user_regex: '[\w@\.\-]+'
Example

Restrict user name to just alphanumeric characters

user_regex: '\w+'
min_uid (Integer)

the minimum user id required to start a per-user NGINX process as

Default

User IDs typically start at 1000

min_uid: 1000
Example

Define new minimum UID

min_uid: 500
disabled_shell (String)

Restrict starting a per-user NGINX process as a user with the given shell.

Default

Do not start a per-user NGINX for anyone with /access/denied shell.

disabled_shell: "/access/denied"
Example

Do not start a per-user NGINX for anyone with /usr/bin/false shell.

disabled_shell: "/usr/bin/false"

Note

This will only restrict access to a per-user NGINX process started with the nginx_stage pun command (used by the Apache proxy). This doesn’t restrict the other administrative commands nginx_stage nginx and nginx_stage nginx_clean when manually starting and stopping the NGINX process.
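To preview which accounts user_regex, min_uid and disabled_shell would refuse before changing them, the three checks can be run over a list of accounts. This is an added example, not nginx_stage's own code: the helper names and the passwd-style sample are constructed, and anchoring user_regex to the whole user name is an assumption.

```ruby
# Constructed /etc/passwd-style sample (name:pw:uid:gid:gecos:home:shell).
PASSWD = <<~TXT
  alice:x:1001:1001::/home/alice:/bin/bash
  bob@example.org:x:1002:1002::/home/bob:/bin/bash
  apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
  carol:x:1003:1003::/home/carol:/access/denied
TXT

# The page's default values for the three options.
DEFAULTS = { user_regex: '[\w@\.\-]+', min_uid: 1000, disabled_shell: '/access/denied' }.freeze

# Hypothetical helper: names of the options that would refuse this account.
# Assumption: user_regex must match the whole user name, hence \A ... \z.
def pun_start_denials(name, uid, shell, user_regex:, min_uid:, disabled_shell:)
  reasons = []
  reasons << 'user_regex'     unless /\A(?:#{user_regex})\z/.match?(name)
  reasons << 'min_uid'        if uid < min_uid
  reasons << 'disabled_shell' if shell == disabled_shell
  reasons
end

# Maps each refused account in passwd_text to the options that refuse it.
def denied_accounts(passwd_text, settings)
  passwd_text.each_line(chomp: true).each_with_object({}) do |line, denied|
    name, _pw, uid, _gid, _gecos, _home, shell = line.split(':', 7)
    reasons = pun_start_denials(name, Integer(uid), shell, **settings)
    denied[name] = reasons unless reasons.empty?
  end
end

p denied_accounts(PASSWD, DEFAULTS)
p denied_accounts(PASSWD, DEFAULTS.merge(user_regex: '\w+'))
```
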

disable_bundle_user_config (Integer)

Set BUNDLE_USER_CONFIG to /dev/null in the PUN environment. NB: This prevents a user’s ~/.bundle/config from affecting OnDemand applications.

Default

Disable bundle user configuration.

disable_bundle_user_config: true
Example

Enable bundle user configuration. This may adversely affect system deployed apps.

disable_bundle_user_config: false