Setting up Nginx + Passenger » History » Version 4

Dominic Cleal, 01/30/2013 02:49 AM
Update SSL settings

Original version by Rytis Sileika.

h1. Setting up Nginx + Passenger
Passenger packages/repos are available at http://passenger.stealthymonkeys.com/
Install packages
<pre>
    # yum install -y nginx-passenger
</pre>
Create a self-signed certificate
<pre>
    # cd /etc/nginx/
    # openssl genrsa -des3 -out server.key 1024
    # openssl req -new -key server.key -out server.csr
    # cp server.key server.key.org
    # openssl rsa -in server.key.org -out server.key
    # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
</pre>
Make a local copy of the app's `public` directory inside the Rails application directory, as nginx/passenger doesn't seem to like symbolic links:
<pre>
    # cd /usr/share/foreman
    # rm public
    # cp -a /var/lib/foreman/public .
</pre>
Add to `/etc/nginx/nginx.conf`:
<pre>
    env PATH;
</pre>
Create the Foreman application config file `/etc/nginx/conf.d/foreman.conf`:
<pre>
    server {
        listen 443;
        server_name _;
        ssl on;
        ssl_certificate /etc/nginx/server.crt;
        ssl_certificate_key /etc/nginx/server.key;

        # Verify puppetmaster clients against Puppet CA
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        ssl_verify_client optional;
        ssl_verify_depth 1;

        access_log /var/log/nginx/foreman_access.log;
        error_log /var/log/nginx/foreman_error.log debug;
        root /usr/share/foreman/public;

        passenger_enabled on;
        passenger_set_cgi_param HTTPS on;
        passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
        passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;

        #location / {
        #}
    }
</pre>
The SSL configuration here can verify clients for SSL communications with puppetmaster scripts, as per the "Securing Communications with SSL":http://theforeman.org/manuals/1.1/index.html#5.4SecuringCommunicationswithSSL documentation.  It verifies clients using the Puppet CA and passes the information to Passenger and Foreman.
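As an added example (not part of this wiki page and not Foreman's own code), the following Ruby shows how an application behind this nginx + Passenger setup consumes the @HTTPS@, @SSL_CLIENT_VERIFY@ and @SSL_CLIENT_S_DN@ CGI params that nginx sets from its own check against the Puppet CA. The function names and the sample environments are assumptions constructed for the example; the values @SUCCESS@, @NONE@ and @FAILED:...@ are the ones nginx's @$ssl_client_verify@ variable produces. Because @ssl_verify_client optional@ lets requests without a certificate through to the application, the application has to test for the exact value @SUCCESS@ rather than for the mere presence of a subject DN.

```ruby
# Added example, not from the Foreman wiki page: consuming the CGI params that
# the nginx config above passes to Passenger. Function names are illustrative.

# Parse a subject DN as nginx emits it. nginx before 1.11.6 uses the OpenSSL
# one-line form ("/C=US/O=Puppet/CN=puppet.example.com"); nginx 1.11.6 and
# later use the RFC 2253 form ("CN=puppet.example.com,O=Puppet,C=US").
# Returns a Hash of attribute => value, e.g. {"CN" => "puppet.example.com"}.
def parse_subject_dn(dn)
  return {} if dn.nil? || dn.empty?
  parts = if dn.start_with?('/')
            dn[1..-1].split('/')
          else
            # RFC 2253: split on commas that are not escaped with a backslash
            dn.split(/(?<!\\),/)
          end
  parts.each_with_object({}) do |part, attrs|
    key, value = part.split('=', 2)
    next if key.nil? || value.nil?
    attrs[key.strip] = value.strip.gsub('\\,', ',')
  end
end

# Decide whether a request carried a client certificate that nginx verified
# against the Puppet CA (and its CRL). Returns the certificate CN on success,
# nil otherwise. `env` is the CGI environment Passenger hands to the app; the
# keys match the passenger_set_cgi_param names in foreman.conf above.
# With ssl_verify_client set to "optional", a request without a certificate
# arrives with SSL_CLIENT_VERIFY=NONE and a request with a bad or revoked
# certificate with SSL_CLIENT_VERIFY=FAILED:<reason>, so only the exact value
# "SUCCESS" may be trusted; the subject DN alone proves nothing.
def verified_puppet_client(env)
  return nil unless env['HTTPS'] == 'on'
  return nil unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  cn = parse_subject_dn(env['SSL_CLIENT_S_DN'])['CN']
  cn.nil? || cn.empty? ? nil : cn
end

# Constructed sample environments, shaped like what Passenger would pass in.
SAMPLE_ENVS = {
  'puppetmaster'    => { 'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'SUCCESS',
                         'SSL_CLIENT_S_DN' => '/CN=puppet.example.com' },
  'new_dn_format'   => { 'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'SUCCESS',
                         'SSL_CLIENT_S_DN' => 'CN=puppet.example.com,O=Puppet' },
  'browser_no_cert' => { 'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'NONE',
                         'SSL_CLIENT_S_DN' => '' },
  'revoked_cert'    => { 'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'FAILED:certificate revoked',
                         'SSL_CLIENT_S_DN' => '/CN=old-puppet.example.com' },
}

if __FILE__ == $0
  SAMPLE_ENVS.each do |label, env|
    puts "#{label}: #{verified_puppet_client(env).inspect}"
  end
end
```

The application should read these values only from the CGI environment that nginx populates, never from a similarly named HTTP request header, since the latter is under the client's control while @$ssl_client_verify@ reflects nginx's own verification result.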
This guide uses a self-signed certificate for the Foreman server, so the ENC and report scripts will need to reference the certificate generated here in their @:ssl_ca@ and @$foreman_ssl_ca@ settings.