Dominic Cleal, 01/30/2013 02:49 AM
Update SSL settings
Setting up Nginx + Passenger
Passenger packages/repos are available at http://passenger.stealthymonkeys.com/
Install packages
```
# yum install -y nginx-passenger
```
Create self signed certificate
```
# cd /etc/nginx/
# openssl genrsa -des3 -out server.key 2048    # 2048-bit RSA key; 1024-bit is below current minimums
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key    # strip the passphrase so nginx can start unattended
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```
Make a local copy of the app's `public` directory (local to Rails, as nginx/passenger doesn't seem to like symbolic links)
```
# cd /usr/share/foreman
# rm public
# cp -a /var/lib/foreman/public .
```
Add to `/etc/nginx/nginx.conf`:
```
env PATH;
```
Create foreman application config file `/etc/nginx/conf.d/foreman.conf`:
```
server {
    listen 443;
    server_name _;

    ssl on;
    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;

    # Verify puppetmaster clients against Puppet CA
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    # "optional": clients without a certificate are still served
    ssl_verify_client optional;
    ssl_verify_depth 1;

    access_log /var/log/nginx/foreman_access.log;
    error_log /var/log/nginx/foreman_error.log debug;

    root /usr/share/foreman/public;
    passenger_enabled on;

    # Pass the TLS verification result and client subject DN to the app
    passenger_set_cgi_param HTTPS on;
    passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
    passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;

    #location / {
    #}
}
```
The SSL configuration here can verify clients for SSL communications with puppetmaster scripts, as per the Securing Communications with SSL documentation. It verifies clients using the Puppet CA and passes the information to Passenger and Foreman.
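Because `ssl_verify_client optional` still serves requests that carry no client certificate, the application has to check `SSL_CLIENT_VERIFY` before trusting `SSL_CLIENT_S_DN`. The Rack middleware below is an added example of that check, not Foreman's own code; `TRUSTED_HOSTS`, `client_cn`, `trusted_client?` and `RequireVerifiedClient` are hypothetical names, and the host list is constructed sample data.

```ruby
# Added example (not Foreman code): gate requests on the variables that the
# nginx config above passes to Passenger. TRUSTED_HOSTS is constructed data.
TRUSTED_HOSTS = ['puppet.example.com'].freeze

# Extract the CN from $ssl_client_s_dn. Older nginx emits the legacy
# "/C=US/CN=host" form, newer nginx the RFC 2253 "CN=host,O=Org" form.
def client_cn(dn)
  return nil if dn.nil? || dn.empty?
  parts = dn.start_with?('/') ? dn.split('/') : dn.split(/(?<!\\),/)
  cns = parts.map(&:strip).select { |p| p =~ /\ACN=/i }
  # A DN that yields zero or several CN fields is ambiguous (for example a
  # subject field containing "/CN=..."), so it is rejected outright.
  return nil unless cns.size == 1
  cn = cns.first.sub(/\ACN=/i, '').downcase
  cn =~ /\A[a-z0-9._-]+\z/ ? cn : nil
end

def trusted_client?(env, trusted = TRUSTED_HOSTS)
  # Only "SUCCESS" means nginx validated the chain against the Puppet CA;
  # "NONE" means no certificate was presented at all.
  return false unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  cn = client_cn(env['SSL_CLIENT_S_DN'])
  !cn.nil? && trusted.include?(cn)
end

# Minimal Rack middleware: refuse unverified callers before the app runs.
class RequireVerifiedClient
  def initialize(app, trusted = TRUSTED_HOSTS)
    @app = app
    @trusted = trusted
  end

  def call(env)
    return @app.call(env) if trusted_client?(env, @trusted)
    [403, { 'Content-Type' => 'text/plain' }, ["client certificate required\n"]]
  end
end
```
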
This guide uses a self-signed certificate for the Foreman server, so the ENC and report scripts will need to reference the certificate generated here in the `:ssl_ca` and `$foreman_ssl_ca` settings.
Updated by Dominic Cleal almost 12 years ago · 7 revisions