Setting up Nginx + Passenger » History » Version 4
Dominic Cleal, 01/30/2013 02:49 AM
Update SSL settings
| 1 | 1 | Rytis Sileika | h1. Setting up Nginx + Passenger |
|---|---|---|---|
| 2 | |||
| 3 | Passenger packages/repos are available at http://passenger.stealthymonkeys.com/ |
||
| 4 | |||
| 5 | |||
| 6 | Install packages |
||
| 7 | |||
| 8 | <pre> |
||
| 9 | # yum install -y nginx-passenger |
||
| 10 | </pre> |
||
| 11 | |||
| 12 | Create self signed certificate |
||
| 13 | |||
| 14 | <pre> |
||
| 15 | # cd /etc/nginx/ |
||
| 16 | # openssl genrsa -des3 -out server.key 1024 |
||
| 17 | # openssl req -new -key server.key -out server.csr |
||
| 18 | # cp server.key server.key.org |
||
| 19 | # openssl rsa -in server.key.org -out server.key |
||
| 20 | # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt |
||
| 21 | </pre> |
||
| 22 | |||
| 23 | Make a local copy of the apps `public` directory (local to rails, as nginx/passenger doesn't seem to like symbolic links) |
||
| 24 | |||
| 25 | <pre> |
||
| 26 | # cd /usr/share/foreman |
||
| 27 | # rm public |
||
| 28 | # cp -a /var/lib/foreman/public . |
||
| 29 | </pre> |
||
| 30 | |||
| 31 | Add to `/etc/nginx/nginx.conf`: |
||
| 32 | |||
| 33 | <pre> |
||
| 34 | env PATH; |
||
| 35 | </pre> |
||
| 36 | |||
| 37 | Create foreman application config file `/etc/nginx/conf.d/foreman.conf`: |
||
| 38 | |||
| 39 | <pre> |
||
| 40 | server { |
||
| 41 | listen 443; |
||
| 42 | server_name _; |
||
| 43 | ssl on; |
||
| 44 | ssl_certificate /etc/nginx/server.crt; |
||
| 45 | ssl_certificate_key /etc/nginx/server.key; |
||
| 46 | 4 | Dominic Cleal | |
| 47 | # Verify puppetmaster clients against Puppet CA |
||
| 48 | ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; |
||
| 49 | ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; |
||
| 50 | ssl_verify_client optional; |
||
| 51 | ssl_verify_depth 1; |
||
| 52 | |||
| 53 | 1 | Rytis Sileika | access_log /var/log/nginx/foreman_access.log; |
| 54 | error_log /var/log/nginx/foreman_error.log debug; |
||
| 55 | root /usr/share/foreman/public; |
||
| 56 | 4 | Dominic Cleal | |
| 57 | 1 | Rytis Sileika | passenger_enabled on; |
| 58 | 4 | Dominic Cleal | passenger_set_cgi_param HTTPS on; |
| 59 | passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn; |
||
| 60 | passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify; |
||
| 61 | |||
| 62 | 1 | Rytis Sileika | #location / { |
| 63 | #} |
||
| 64 | } |
||
| 65 | </pre> |
||
| 66 | 4 | Dominic Cleal | |
| 67 | The SSL configuration here can verify clients for SSL communications with puppetmaster scripts, as per the "Securing Communications with SSL":http://theforeman.org/manuals/1.1/index.html#5.4SecuringCommunicationswithSSL documentation. It verifies clients using the Puppet CA and passes the information to Passenger and Foreman. |
||
| 68 | |||
| 69 | This guide uses a self-signed certificate for the Foreman server, so the ENC and report scripts will need to reference the certificate generated here in the @:ssl_ca@ and @$foreman_ssl_ca@ settings. |