Refactor .ebextensions, add support for Environment Properties

- Rolled like ebextensions into singular config and support scripts
- Renamed ebextensions to control execution order
- Added support to EB Environment Properties
- Added X-Forwarded-For IP to access logs
- Added option to drop poisoned DNS requests
- Added force ssl an option
- Added Papertrail support
- Added new log globbing

bin/release/aws-eb/.ebextensions/01_metabase.config

+######
+# Metabase Report server Elastic Beanstalk configuration
+# Modify the environmental variables below to customize your installation
+# Comment out a variable to disable a feature
+#####
+container_commands:
+    #customize_env: 
+        #env:
+            #NGINX_SERVER_NAME: metabase.example.com
+            #NGINX_FORCE_SSL: 1
+            #PAPERTRAIL_HOSTNAME: $HOSTNAME
+            #PAPERTRAIL_HOST: foobar.papertrailapp.com
+            #PAPERTRAIL_PORT: 12345
+            #PAPERTRAIL_FILES: /var/log/nginx/access.log /var/log/nginx/error.log
+        #command: true
+        #ignoreErrors: false
+
+    01_server-name:
+        command: ".ebextensions/metabase_config/metabase-setup.sh server_name"
+        test: test $NGINX_SERVER_NAME
+        ignoreErrors: true
+
+    02_server_https:
+        command: ".ebextensions/metabase_config/metabase-setup.sh server_https"
+        test: test $NGINX_FORCE_SSL
+        ignoreErrors: true
+
+    03_log_x_real_ip:
+        command: ".ebextensions/metabase_config/metabase-setup.sh log_x_real_ip"
+        ignoreErrors: true
+
+    04_install_papertrail:
+        command: ".ebextensions/metabase_config/metabase-setup.sh install_papertrail"
+        test: test $PAPERTRAIL_HOST
+        ignoreErrors: true
+
+    05_try_papertrail:
+        command: "/sbin/service remote_syslog restart"
+        test: test -e /etc/log_files.yml
+        ignoreErrors: true
+
+    06_try_nginx:
+        command: "/sbin/service nginx restart"
+        test: nginx -t
+        ignoreErrors: false
+
+option_settings:
+  - namespace: aws:elasticbeanstalk:command
+    option_name: Timeout
+    value: 600

bin/release/aws-eb/.ebextensions/extend_timeout.config

-option_settings:
-  - namespace: aws:elasticbeanstalk:command
-    option_name: Timeout
-    value: 600

bin/release/aws-eb/.ebextensions/metabase_config/metabase-setup.sh

+#!/bin/bash
+####
+# Metabase Report server Elastic Beanstalk metabase-setup.sh
+# Modify the environmental variables to customize your installation
+# Unset a variable to disable a feature
+####
+
+# add files to papertrail
+pt_files () {
+    sed -i '/  - .*/d' /etc/log_files.yml
+    set -f
+    for file in $PAPERTRAIL_FILES; do
+        sed -i 's|files:|files:\n  - '$file'|' /etc/log_files.yml
+    done
+    set +f
+}
+
+# papertail remote host
+pt_remote_host () {
+    sed -i "s/.*host:.*/  host: $PAPERTRAIL_HOST/" /etc/log_files.yml
+}
+
+# papertail remote port
+pt_port () {
+    sed -i "s/.*port:.*/  port: $PAPERTRAIL_PORT/" /etc/log_files.yml
+}
+
+# papertail local host
+pt_local_host () {
+    eval export PAPERTRAIL_HOSTNAME=$PAPERTRAIL_HOSTNAME # expand vars like $HOSTNAME
+    sed -i "s/.*hostname:.*/hostname: $PAPERTRAIL_HOSTNAME/" /etc/log_files.yml
+}
+
+# nginx server name
+server_name () {
+    [[ "$NGINX_SERVER_NAME" ]] && cp_default_server
+    cd /etc/nginx/sites-available/
+    if [[ "$NGINX_SERVER_NAME" ]] ; then
+        if ! grep -q server_name elasticbeanstalk-nginx-docker-proxy.conf ; then
+            sed -i "s|listen 80\;|listen 80\;\n        server_name $NGINX_SERVER_NAME \*\.$NGINX_SERVER_NAME\;\n|" elasticbeanstalk-nginx-docker-proxy.conf
+        fi
+    else
+        # no hostname passed, disable default_server
+        sed -i '/server_name/d' elasticbeanstalk-nginx-docker-proxy.conf
+        [[ -e /etc/nginx/sites-enabled/default_server ]] && rm /etc/nginx/sites-enabled/default_server
+    fi
+}
+
+# enable https redirect
+server_https () {
+    cd /etc/nginx/sites-available/
+    if [[ "$NGINX_FORCE_SSL" ]] && ! grep -q https elasticbeanstalk-nginx-docker-proxy.conf ; then
+        sed -i 's|location \/ {|location \/ {\n\n        if ($http_x_forwarded_proto != "https") {\n                rewrite ^ https:\/\/$host$request_uri? permanent;\n        }\n|' elasticbeanstalk-nginx-docker-proxy.conf
+    fi
+}
+
+# download, install and configure papertrail
+install_papertrail () {
+    cp .ebextensions/metabase_config/papertrail/log_files.yml /etc/log_files.yml && chmod 644 /etc/log_files.yml
+    cp .ebextensions/metabase_config/papertrail/remote_syslog /etc/init.d/remote_syslog && chmod 555 /etc/init.d/remote_syslog
+    cd /tmp/
+    wget -q "https://github.com/papertrail/remote_syslog2/releases/download/v0.14/remote_syslog_linux_amd64.tar.gz" &&
+        tar xzf remote_syslog_linux_amd64.tar.gz
+    /sbin/service remote_syslog stop
+    mv /tmp/remote_syslog/remote_syslog /usr/local/bin/
+    rm -rf remote_syslog_linux_amd64.tar.gz remote_syslog
+    # Setup Papertrail
+    [[ "$PAPERTRAIL_HOST" ]] && pt_remote_host
+    [[ "$PAPERTRAIL_PORT" ]] && pt_port
+    [[ "$PAPERTRAIL_FILES" ]] && pt_files
+    [[ "$PAPERTRAIL_HOSTNAME" ]] && pt_local_host
+}
+
+# enable default_server to drop DNS poisoning
+cp_default_server () {
+    cp .ebextensions/metabase_config/nginx/default_server /etc/nginx/sites-available/default_server
+    [[ ! -e /etc/nginx/sites-enabled/default_server ]] &&
+        ln -s /etc/nginx/sites-available/default_server /etc/nginx/sites-enabled/default_server
+}
+
+# update nginx logging to include x_real_ip
+log_x_real_ip () {
+    cp .ebextensions/metabase_config/nginx/log_x_real_ip.conf /etc/nginx/conf.d/log_x_real_ip.conf
+    cd  /etc/nginx/sites-available
+    if ! grep -q access_log *-proxy.conf ; then 
+        sed -i 's|location \/ {|location \/ {\n\n        access_log \/var\/log\/nginx\/access.log log_x_real_ip;\n|' *-proxy.conf
+    fi
+}
+
+case $1 in
+server_name)
+    server_name
+    ;;
+server_https)
+    server_https
+    ;;
+install_papertrail)
+    install_papertrail
+    ;;
+log_x_real_ip)
+    log_x_real_ip
+    ;;
+esac

bin/release/aws-eb/.ebextensions/metabase_config/nginx/default_server

+# /etc/nginx/sites-available/default_server
+server {
+    listen 80 default_server;
+
+    location /api/health {
+        access_log off;
+        proxy_pass            http://docker;
+        proxy_http_version    1.1;
+        proxy_set_header    Connection            $connection_upgrade;
+        proxy_set_header    Upgrade               $http_upgrade;
+        proxy_set_header    Host                  $host;
+        proxy_set_header    X-Real-IP             $remote_addr;
+        proxy_set_header    X-Forwarded-For       $proxy_add_x_forwarded_for;
+    }
+
+    location / {
+        return 444;
+    }
+}

bin/release/aws-eb/.ebextensions/metabase_config/nginx/log_x_real_ip.conf

+# /etc/nginx/conf.d/log_x_real_ip.conf
+log_format log_x_real_ip '$proxy_add_x_forwarded_for - [$time_local] '
+                      '$request $status $body_bytes_sent '
+                      '$http_referer $http_user_agent';

bin/release/aws-eb/.ebextensions/metabase_config/papertrail/log_files.yml

+# /etc/log_files.yml - Papertrail
+files:
+  - /var/log/nginx/access.log
+hostname:
+destination:
+  host:
+  port:
+  protocol: tls
+new_file_check_interval: "10" # Check every 10 seconds

bin/release/aws-eb/.ebextensions/metabase_config/papertrail/remote_syslog

+#!/bin/bash
+# /etc/init.d/remote_syslog
+#
+# remote_syslog This shell script takes care of starting and stopping
+#               remote_syslog daemon
+#
+# chkconfig: - 58 74
+# description: papertrail/remote_syslog \
+#              https://github.com/papertrail/remote_syslog2/blob/master/examples/remote_syslog.init.d
+
+### BEGIN INIT INFO
+# Provides: remote_syslog
+# Required-Start: $network $local_fs $remote_fs
+# Required-Stop: $network $local_fs $remote_fs
+# Should-Start: $syslog $named ntpdate
+# Should-Stop: $syslog $named
+# Short-Description: start and stop remote_errolog
+# Description: papertrail/remote_syslog2
+#              https://github.com/papertrail/remote_syslog2/blob/master/examples/remote_syslog.init.d
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+ 
+prog="/usr/local/bin/remote_syslog"   
+config="/etc/log_files.yml"
+pid_dir="/var/run"
+
+EXTRAOPTIONS=""
+
+pid_file="$pid_dir/remote_syslog.pid"
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+
+RETVAL=0
+
+is_running(){
+    # Do we have PID-file?
+    if [ -f "$pid_file" ]; then
+        # Check if proc is running
+        pid=`cat "$pid_file" 2> /dev/null`
+        if [[ $pid != "" ]]; then
+            exepath=`readlink /proc/"$pid"/exe 2> /dev/null`
+            exe=`basename "$exepath"`
+            if [[ $exe == "remote_syslog" ]]; then
+                # Process is running
+                return 0
+            fi
+        fi
+    fi
+    return 1
+}
+
+start(){
+    echo -n $"Starting $prog: "
+    unset HOME MAIL USER USERNAME
+    $prog -c $config --pid-file=$pid_file $EXTRAOPTIONS
+    RETVAL=$?
+    echo
+    return $RETVAL
+}
+
+stop(){
+    echo -n $"Stopping $prog: "
+    if (is_running); then
+      kill `cat $pid_file`
+      RETVAL=$?
+      echo
+      return $RETVAL
+    else
+      echo "$pid_file not found"
+    fi
+}
+
+status(){
+    echo -n $"Checking for $pid_file: "
+
+    if (is_running); then
+      echo "found"
+    else
+      echo "not found"
+    fi
+}
+
+reload(){
+    restart
+}
+
+restart(){
+    stop
+    start
+}
+
+condrestart(){
+    is_running && restart
+    return 0
+}
+
+# See how we were called.
+case "$1" in
+    start)
+  start
+  ;;
+    stop)
+  stop
+  ;;
+    status)
+  status
+  ;;
+    restart)
+  restart
+  ;;
+    reload)
+  reload
+  ;;
+    condrestart)
+  condrestart
+  ;;
+    *)
+  echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
+  RETVAL=1
+esac
+
+exit $RETVAL