Serving static content from S3 is common, but putting Varnish in front of it is a bit tricky, especially if you want to keep the bucket secure and serve only through Varnish. Here is a simple Varnish file to solve this problem.
First secure your bucket via an IP policy (5.6.7.8/32 is the Varnish IP):
{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example.bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "5.6.7.8/32"
                    ]
                }
            }
        },
        {
            "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example.bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "https://example.com/*"
                    ]
                }
            }
        }
    ]
}
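The following is an added example, not part of the original post or of any AWS tooling: a small local model of how the two statements above combine for an anonymous s3:GetObject request. It assumes no other policy applies to the bucket and models only the two condition operators the policy uses; the request contexts are constructed.

```python
import ipaddress
import re

# The two statements of the bucket policy above, reduced to effect + condition.
POLICY = [
    {"Effect": "Allow",
     "Condition": {"IpAddress": {"aws:SourceIp": ["5.6.7.8/32"]}}},
    {"Effect": "Deny",
     "Condition": {"StringNotLike": {"aws:Referer": ["https://example.com/*"]}}},
]

def like(value, pattern):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.S) is not None

def condition_true(operator, key, patterns, ctx):
    value = ctx.get(key)
    if operator == "IpAddress":
        return value is not None and any(
            ipaddress.ip_address(value) in ipaddress.ip_network(p) for p in patterns)
    if operator == "StringNotLike":
        # A negated operator is true when the key is missing from the request.
        return value is None or not any(like(value, p) for p in patterns)
    raise ValueError(f"operator not modelled: {operator}")

def applies(statement, ctx):
    return all(condition_true(op, key, patterns, ctx)
               for op, keys in statement["Condition"].items()
               for key, patterns in keys.items())

def evaluate(ctx, policy=POLICY):
    """Decision for an anonymous s3:GetObject on example.bucket."""
    effects = {s["Effect"] for s in policy if applies(s, ctx)}
    if "Deny" in effects:
        return "Deny"            # an explicit Deny overrides any Allow
    return "Allow" if "Allow" in effects else "Deny"  # otherwise implicit deny

# Constructed request contexts (203.0.113.9 is a documentation address).
REQUESTS = {
    "varnish, Referer set": {"aws:SourceIp": "5.6.7.8", "aws:Referer": "https://example.com/a.css"},
    "varnish, no Referer": {"aws:SourceIp": "5.6.7.8"},
    "other IP, Referer set": {"aws:SourceIp": "203.0.113.9", "aws:Referer": "https://example.com/a.css"},
    "varnish, other Referer": {"aws:SourceIp": "5.6.7.8", "aws:Referer": "https://other.example/"},
}

if __name__ == "__main__":
    for name, ctx in REQUESTS.items():
        print(f"{name:24} -> {evaluate(ctx)}")
```

Only the first case is allowed, so Varnish has to send a Referer matching https://example.com/* on its backend requests or S3 answers 403. The Referer header can be set by any client, so the source-IP condition is the part that restricts access to Varnish.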
Setting up PostgreSQL on RDS using Ansible is a bit tricky because the main user on RDS is not a SUPERUSER and role membership is not automatically granted; for example, “ERROR: must be member of role ..” is quite common. Here is a working solution:
Cachita is a Go file and memory cache library.
- Simple caching with auto type assertion included.
- In memory file cache index to avoid unneeded I/O.
- Msgpack based binary serialization using msgpack library for file caching.
API docs: https://godoc.org/github.com/gadelkareem/cachita.
Examples: https://godoc.org/github.com/gadelkareem/cachita#pkg-examples.
Installation
Install:
    go get -u github.com/gadelkareem/cachita
#!/usr/bin/env bash
#### Usage
# ./vault.sh encrypt
# ./vault.sh decrypt
# ./vault.sh encrypt /full/path/to/file.yml
######
set -euo pipefail
cd "$(dirname "$0")"
# PASSWORD may be unset; default to empty so `set -u` does not abort here
if [ -z "${PASSWORD:-}" ]; then
    read -r -s -p "Enter Password: " PASSWORD
fi
VAULT_FILE=vault_key
# Remove the temporary password file on exit, even when ansible-vault fails
trap 'rm -f "${VAULT_FILE}"' EXIT
# Write the password file readable by the current user only
(umask 077; printf '%s\n' "${PASSWORD}" > "${VAULT_FILE}")
# Default action is decrypt when no argument is given
ACTION="${1:-decrypt}"
FILES=(group_vars/prod/*.yml)
if [ -n "${2-}" ]; then
    FILES=("$2")
fi
for FILE in "${FILES[@]}"
do
    if [ "${ACTION}" = "encrypt" ]; then
        echo "Encrypting ${FILE}"
        ansible-vault encrypt "${FILE}.decrypted" --output="${FILE}" --vault-password-file "${VAULT_FILE}"
    else
        echo "Decrypting ${FILE}"
        ansible-vault decrypt "${FILE}" --output="${FILE}.decrypted" --vault-password-file "${VAULT_FILE}"
    fi
done
Working example here