flectra/doc/setup/deploy.rst

539 lines
21 KiB
ReStructuredText

:banner: banners/flectra_deploying.jpg
=================
Deploying Flectra
=================
This document describes basic steps to set up Flectra in production or on an
internet-facing server. It follows :ref:`installation <setup/install>`, and is
not generally necessary for a development systems that is not exposed on the
internet.
.. warning:: If you are setting up a public server, be sure to check our :ref:`security` recommandations!
.. _db_filter:
dbfilter
========
Flectra is a multi-tenant system: a single Flectra system may run and serve a number
of database instances. It is also highly customizable, with customizations
(starting from the modules being loaded) depending on the "current database".
This is not an issue when working with the backend (web client) as a logged-in
company user: the database can be selected when logging in, and customizations
loaded afterwards.
However it is an issue for non-logged users (portal, website) which aren't
bound to a database: Flectra needs to know which database should be used to load
the website page or perform the operation. If multi-tenancy is not used that is not an
issue, there's only one database to use, but if there are multiple databases
accessible Flectra needs a rule to know which one it should use.
That is one of the purposes of :option:`--db-filter <flectra-bin --db-filter>`:
it specifies how the database should be selected based on the hostname (domain)
that is being requested. The value is a `regular expression`_, possibly
including the dynamically injected hostname (``%h``) or the first subdomain
(``%d``) through which the system is being accessed.
For servers hosting multiple databases in production, especially if ``website``
is used, dbfilter **must** be set, otherwise a number of features will not work
correctly.
Configuration samples
---------------------
* Show only databases with names beginning with 'mycompany'
in ``/etc/flectra.conf`` set:
.. code-block:: ini
[options]
dbfilter = ^mycompany.*$
* Show only databases matching the first subdomain after ``www``: for example
the database "mycompany" will be shown if the incoming request
was sent to ``www.mycompany.com`` or ``mycompany.co.uk``, but not
for ``www2.mycompany.com`` or ``helpdesk.mycompany.com``.
in ``/etc/flectra.conf`` set:
.. code-block:: ini
[options]
dbfilter = ^%d$
.. note::
Setting a proper :option:`--db-filter <flectra-bin --db-filter>` is an important part
of securing your deployment.
Once it is correctly working and only matching a single database per hostname, it
is strongly recommended to block access to the database manager screens,
and to use the ``--no-database-list`` startup paramater to prevent listing
your databases, and to block access to the database management screens.
See also security_.
PostgreSQL
==========
By default, PostgreSQL only allows connection over UNIX sockets and loopback
connections (from "localhost", the same machine the PostgreSQL server is
installed on).
UNIX socket is fine if you want Flectra and PostgreSQL to execute on the same
machine, and is the default when no host is provided, but if you want Flectra and
PostgreSQL to execute on different machines [#different-machines]_ it will
need to `listen to network interfaces`_ [#remote-socket]_, either:
* Only accept loopback connections and `use an SSH tunnel`_ between the
machine on which Flectra runs and the one on which PostgreSQL runs, then
configure Flectra to connect to its end of the tunnel
* Accept connections to the machine on which Flectra is installed, possibly
over ssl (see `PostgreSQL connection settings`_ for details), then configure
Flectra to connect over the network
Configuration sample
--------------------
* Allow tcp connection on localhost
* Allow tcp connection from 192.168.1.x network
in ``/etc/postgresql/9.5/main/pg_hba.conf`` set:
.. code-block:: text
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all all 192.168.1.0/24 md5
in ``/etc/postgresql/9.5/main/postgresql.conf`` set:
.. code-block:: text
listen_addresses = 'localhost,192.168.1.2'
port = 5432
max_connections = 80
.. _setup/deploy/flectra:
Configuring Flectra
-------------------
Out of the box, Flectra connects to a local postgres over UNIX socket via port
5432. This can be overridden using :ref:`the database options
<reference/cmdline/server/database>` when your Postgres deployment is not
local and/or does not use the installation defaults.
The :ref:`packaged installers <setup/install/packaged>` will automatically
create a new user (``flectra``) and set it as the database user.
* The database management screens are protected by the ``admin_passwd``
setting. This setting can only be set using configuration files, and is
simply checked before performing database alterations. It should be set to
a randomly generated value to ensure third parties can not use this
interface.
* All database operations use the :ref:`database options
<reference/cmdline/server/database>`, including the database management
screen. For the database management screen to work requires that the PostgreSQL user
have ``createdb`` right.
* Users can always drop databases they own. For the database management screen
to be completely non-functional, the PostgreSQL user needs to be created with
``no-createdb`` and the database must be owned by a different PostgreSQL user.
.. warning:: the PostgreSQL user *must not* be a superuser
Configuration sample
~~~~~~~~~~~~~~~~~~~~
* connect to a PostgreSQL server on 192.168.1.2
* port 5432
* using an 'flectra' user account,
* with 'pwd' as a password
* filtering only db with a name beginning with 'mycompany'
in ``/etc/flectra.conf`` set:
.. code-block:: ini
[options]
admin_passwd = mysupersecretpassword
db_host = 192.168.1.2
db_port = 5432
db_user = flectra
db_password = pwd
dbfilter = ^mycompany.*$
.. _builtin_server:
Builtin server
==============
Flectra includes built-in HTTP servers, using either multithreading or
multiprocessing.
For production use, it is recommended to use the multiprocessing server as it
increases stability, makes somewhat better use of computing resources and can
be better monitored and resource-restricted.
* Multiprocessing is enabled by configuring :option:`a non-zero number of
worker processes <flectra-bin --workers>`, the number of workers should be based
on the number of cores in the machine (possibly with some room for cron
workers depending on how much cron work is predicted)
* Worker limits can be configured based on the hardware configuration to avoid
resources exhaustion
.. warning:: multiprocessing mode currently isn't available on Windows
Worker number calculation
-------------------------
* Rule of thumb : (#CPU * 2) + 1
* Cron workers need CPU
* 1 worker ~= 6 concurrent users
memory size calculation
-----------------------
* We consider 20% of the requests are heavy requests, while 80% are simpler ones
* A heavy worker, when all computed field are well designed, SQL requests are well designed, ... is estimated to consume around 1Go of RAM
* A lighter worker, in the same scenario, is estimated to consume around 150MB of RAM
Needed RAM = #worker * ( (light_worker_ratio * light_worker_ram_estimation) + (heavy_worker_ratio * heavy_worker_ram_estimation) )
LiveChat
--------
In multiprocessing, a dedicated LiveChat worker is automatically started and
listening on :option:`the longpolling port <flectra-bin --longpolling-port>` but
the client will not connect to it.
Instead you must have a proxy redirecting requests whose URL starts with
``/longpolling/`` to the longpolling port. Other request should be proxied to
the :option:`normal HTTP port <flectra-bin --http-port>`
Configuration sample
--------------------
* Server with 4 CPU, 8 Thread
* 60 concurrent users
* 60 users / 6 = 10 <- theorical number of worker needed
* (4 * 2) + 1 = 9 <- theorical maximal number of worker
* We'll use 8 workers + 1 for cron. We'll also use a monitoring system to measure cpu load, and check if it's between 7 and 7.5 .
* RAM = 9 * ((0.8*150) + (0.2*1024)) ~= 3Go RAM for Flectra
in ``/etc/flectra.conf``:
.. code-block:: ini
[options]
limit_memory_hard = 1677721600
limit_memory_soft = 629145600
limit_request = 8192
limit_time_cpu = 600
limit_time_real = 1200
max_cron_threads = 1
workers = 8
.. _https_proxy:
HTTPS
=====
Whether it's accessed via website/web client or web service, Flectra transmits
authentication information in cleartext. This means a secure deployment of
Flectra must use HTTPS\ [#switching]_. SSL termination can be implemented via
just about any SSL termination proxy, but requires the following setup:
* Enable Flectra's :option:`proxy mode <flectra-bin --proxy-mode>`. This should only be enabled when Flectra is behind a reverse proxy
* Set up the SSL termination proxy (`Nginx termination example`_)
* Set up the proxying itself (`Nginx proxying example`_)
* Your SSL termination proxy should also automatically redirect non-secure
connections to the secure port
.. warning::
In case you are using the Point of Sale module in combination with a `POSBox`_,
you must disable the HTTPS configuration for the route ``/pos/web`` to avoid
mixed-content errors.
Configuration sample
--------------------
* Redirect http requests to https
* Proxy requests to flectra
in ``/etc/flectra.conf`` set:
.. code-block:: ini
proxy_mode = True
in ``/etc/nginx/sites-enabled/flectra.conf`` set:
.. code-block:: nginx
#flectra server
upstream flectra {
server 127.0.0.1:7073;
}
upstream flectrachat {
server 127.0.0.1:8072;
}
# http -> https
server {
listen 80;
server_name flectrahq.mycompany.com;
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443;
server_name flectrahq.mycompany.com;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for flectra proxy mode
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
ssl on;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/flectra.access.log;
error_log /var/log/nginx/flectra.error.log;
# Redirect requests to flectra backend server
location / {
proxy_redirect off;
proxy_pass http://flectrahq;
}
location /longpolling {
proxy_pass http://flectrahqchat;
}
# common gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
Flectra as a WSGI Application
=============================
It is also possible to mount Flectra as a standard WSGI_ application. Flectra
provides the base for a WSGI launcher script as ``flectra-wsgi.example.py``. That
script should be customized (possibly after copying it from the setup directory) to correctly set the
configuration directly in :mod:`flectra.tools.config` rather than through the
command-line or a configuration file.
However the WSGI server will only expose the main HTTP endpoint for the web
client, website and webservice API. Because Flectra does not control the creation
of workers anymore it can not setup cron or livechat workers
Cron Workers
------------
To run cron jobs for an Flectra deployment as a WSGI application requires
* A classical Flectra (run via ``flectra-bin``)
* Connected to the database in which cron jobs have to be run (via
:option:`flectra-bin -d`)
* Which should not be exposed to the network. To ensure cron runners are not
network-accessible, it is possible to disable the built-in HTTP server
entirely with :option:`flectra-bin --no-http` or setting ``http_enable = False``
in the configuration file
LiveChat
--------
The second problematic subsystem for WSGI deployments is the LiveChat: where
most HTTP connections are relatively short and quickly free up their worker
process for the next request, LiveChat require a long-lived connection for
each client in order to implement near-real-time notifications.
This is in conflict with the process-based worker model, as it will tie
up worker processes and prevent new users from accessing the system. However,
those long-lived connections do very little and mostly stay parked waiting for
notifications.
The solutions to support livechat/motifications in a WSGI application are:
* Deploy a threaded version of Flectra (instread of a process-based preforking
one) and redirect only requests to URLs starting with ``/longpolling/`` to
that Flectra, this is the simplest and the longpolling URL can double up as
the cron instance.
* Deploy an evented Flectra via ``flectra-gevent`` and proxy requests starting
with ``/longpolling/`` to
:option:`the longpolling port <flectra-bin --longpolling-port>`.
Serving Static Files
====================
For development convenience, Flectra directly serves all static files in its
modules. This may not be ideal when it comes to performances, and static
files should generally be served by a static HTTP server.
Flectra static files live in each module's ``static/`` folder, so static files
can be served by intercepting all requests to :samp:`/{MODULE}/static/{FILE}`,
and looking up the right module (and file) in the various addons paths.
.. todo:: test whether it would be interesting to serve filestored attachments
via this, and how (e.g. possibility of mapping ir.attachment id to
filestore hash in the database?)
.. _security:
Security
========
For starters, keep in mind that securing an information system is a continuous process,
not a one-shot operation. At any moment, you will only be as secure as the weakest link
in your environment.
So please do not take this section as the ultimate list of measures that will prevent
all security problems. It's only intended as a summary of the first important things
you should be sure to include in your security action plan. The rest will come
from best security practices for your operating system and distribution,
best practices in terms of users, passwords, and access control management, etc.
When deploying an internet-facing server, please be sure to consider the following
security-related topics:
- Always set a strong super-admin admin password, and restrict access to the database
management pages as soon as the system is set up. See :ref:`db_manager_security`.
- Choose unique logins and strong passwords for all administrator accounts on all databases.
Do not use 'admin' as the login. Do not use those logins for day-to-day operations,
only for controlling/managing the installation.
*Never* use any default passwords like admin/admin, even for test/staging databases.
- Use appropriate database filters ( :option:`--db-filter <flectra-bin --db-filter>`)
to restrict the visibility of your databases according to the hostname.
See :ref:`db_filter`.
You may also use :option:`-d <flectra-bin -d>` to provide your own (comma-separated)
list of available databases to filter from, instead of letting the system fetch
them all from the database backend.
- Once your ``db_name`` and ``db_filter`` are configured and only match a single database
per hostname, you should set ``list_db`` configuration option to ``False``, to prevent
listing databases entirely, and to block access to the database management screens
(this is also exposed as the :option:`--no-database-list <flectra-bin --no-database-list>`
command-line option)
- Make sure the PostgreSQL user (:option:`--db_user <flectra-bin --db_user>`) is *not* a super-user,
and that your databases are owned by a different user. For example they could be owned by
the ``postgres`` super-user if you are using a dedicated non-privileged ``db_user``.
See also :ref:`setup/deploy/flectra`.
- Keep installations updated by regularly installing the latest builds,
either via GitHub or by downloading the latest version from
https://flectrahq.com/download
- Configure your server in multi-process mode with proper limits matching your typical
usage (memory/CPU/timeouts). See also :ref:`builtin_server`.
- Run Flectra behind a web server providing HTTPS termination with a valid SSL certificate,
in order to prevent eavesdropping on cleartext communications. SSL certificates are
cheap, and many free options exist.
Configure the web proxy to limit the size of requests, set appropriate timeouts,
and then enable the :option:`proxy mode <flectra-bin --proxy-mode>` option.
See also :ref:`https_proxy`.
- Whenever possible, host your public-facing demo/test/staging instances on different
machines than the production ones. And apply the same security precautions as for
production.
- If you are hosting multiple customers, isolate customer data and files from each other
using containers or appropriate "jail" techniques.
- Setup daily backups of your databases and filestore data, and copy them to a remote
archiving server that is not accessible from the server itself.
.. _db_manager_security:
Database Manager Security
-------------------------
:ref:`setup/deploy/flectra` mentioned ``admin_passwd`` in passing.
This setting is used on all database management screens (to create, delete,
dump or restore databases).
If the management screens must not be accessible at all, you should set ``list_db``
configuration option to ``False``, to block access to all the database selection and
management screens. But be sure to setup an appropriate ``db_name`` parameter
(and optionally, ``db_filter`` too) so that the system can determine the target database
for each request, otherwise users will be blocked as they won't be allowed to choose the
database themselves.
If the management screens must only be accessible from a selected set of machines,
use the proxy server's features to block access to all routes starting with ``/web/database``
except (maybe) ``/web/database/selector`` which displays the database-selection screen.
If the database-management screen should be left accessible, the
``admin_passwd`` setting must be changed from its ``admin`` default: this
password is checked before allowing database-alteration operations.
It should be stored securely, and should be generated randomly e.g.
.. code-block:: console
$ python3 -c 'import base64, os; print(base64.b64encode(os.urandom(24)))'
which will generate a 32 characters pseudorandom printable string.
Supported Browsers
==================
Flectra is supported by multiple browsers for each of its versions. No
distinction is made according to the browser version in order to be
up-to-date. Flectra is supported on the current browser version. The list
of the supported browsers by Flectra version is the following:
- **Flectra 1.0+:** Mozilla Firefox, Google Chrome, Safari, Microsoft Edge
.. [#different-machines]
to have multiple Flectra installations use the same PostgreSQL database,
or to provide more computing resources to both software.
.. [#remote-socket]
technically a tool like socat_ can be used to proxy UNIX sockets across
networks, but that is mostly for software which can only be used over
UNIX sockets
.. [#switching]
or be accessible only over an internal packet-switched network, but that
requires secured switches, protections against `ARP spoofing`_ and
precludes usage of WiFi. Even over secure packet-switched networks,
deployment over HTTPS is recommended, and possible costs are lowered as
"self-signed" certificates are easier to deploy on a controlled
environment than over the internet.
.. _regular expression: https://docs.python.org/3/library/re.html
.. _ARP spoofing: http://en.wikipedia.org/wiki/ARP_spoofing
.. _Nginx termination example:
http://nginx.com/resources/admin-guide/nginx-ssl-termination/
.. _Nginx proxying example:
http://nginx.com/resources/admin-guide/reverse-proxy/
.. _socat: http://www.dest-unreach.org/socat/
.. _PostgreSQL connection settings:
.. _listen to network interfaces:
http://www.postgresql.org/docs/9.3/static/runtime-config-connection.html
.. _use an SSH tunnel:
http://www.postgresql.org/docs/9.3/static/ssh-tunnels.html
.. _WSGI: http://wsgi.readthedocs.org/
.. _POSBox: https://flectrahq.com/point-of-sale