Setting up Nginx + Passenger » History » Revision 4
Revision 3 (Kevin Cormier, 01/11/2013 12:54 PM) → Revision 4/7 (Dominic Cleal, 01/30/2013 02:49 AM)
h1. Setting up Nginx + Passenger

Passenger packages/repos are available at http://passenger.stealthymonkeys.com/

Install packages:

<pre>
# yum install -y nginx-passenger
</pre>

Create a self-signed certificate:

<pre>
# cd /etc/nginx/
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
</pre>

Make a local copy of the app's `public` directory (local to Rails, as nginx/passenger doesn't seem to like symbolic links):

<pre>
# cd /usr/share/foreman
# rm public
# cp -a /var/lib/foreman/public .
</pre>

Add to `/etc/nginx/nginx.conf`:

<pre>
env PATH;
</pre>

Create the Foreman application config file `/etc/nginx/conf.d/foreman.conf`:

<pre>
server {
  listen 443;
  server_name _;
  ssl on;
  ssl_certificate /etc/nginx/server.crt;
  ssl_certificate_key /etc/nginx/server.key;

  # Verify puppetmaster clients against Puppet CA
  ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
  ssl_verify_client optional;
  ssl_verify_depth 1;

  access_log /var/log/nginx/foreman_access.log;
  error_log /var/log/nginx/foreman_error.log debug;

  root /usr/share/foreman/public;
  passenger_enabled on;
  passenger_set_cgi_param HTTPS on;
  passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
  passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;

  #location / {
  #}
}
</pre>

The SSL configuration here can verify clients for SSL communications with puppetmaster scripts, as per the "Securing Communications with SSL":http://theforeman.org/manuals/1.1/index.html#5.4SecuringCommunicationswithSSL documentation. It verifies clients using the Puppet CA and passes the information to Passenger and Foreman.
This guide uses a self-signed certificate for the Foreman server, so the ENC and report scripts will need to reference the certificate generated here in the @:ssl_ca@ and @$foreman_ssl_ca@ settings.
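Because the config above uses @ssl_verify_client optional@, requests without a valid Puppet CA client certificate still reach the application, so it is the application's job to check the @SSL_CLIENT_VERIFY@ variable before trusting the @SSL_CLIENT_S_DN@ it receives. The following Ruby is an added illustration of that check (not Foreman's own code); it assumes a Rack-style env hash carrying the three CGI variables set by @passenger_set_cgi_param@, and parses both the older @/C=..../CN=host@ and the newer RFC 2253 @CN=host,O=...@ forms of @$ssl_client_s_dn@.

```ruby
# Added example, not Foreman's code: validate the CGI variables that the
# nginx/Passenger config above forwards to the application.

# Parse an nginx $ssl_client_s_dn value into a hash of attribute => value.
# Handles the legacy OpenSSL oneline form ("/C=US/O=x/CN=host") and the
# RFC 2253 form emitted by newer nginx ("CN=host,O=x,C=US").
def parse_client_dn(dn)
  return {} if dn.nil? || dn.empty?
  parts = if dn.start_with?('/')
            dn[1..-1].split('/')
          else
            dn.split(/(?<!\\),/) # split on commas that are not escaped
          end
  parts.each_with_object({}) do |part, h|
    key, value = part.split('=', 2)
    next if key.nil? || value.nil?
    h[key.strip] = value.strip
  end
end

# Return the verified client CN, or nil when nginx did not verify the client
# certificate against the Puppet CA. $ssl_client_verify is "SUCCESS" only for
# a verified certificate; "NONE" (no cert) and "FAILED:..." must be rejected
# here because "ssl_verify_client optional" lets those requests through.
def verified_puppet_client(env)
  return nil unless env['HTTPS'] == 'on'
  return nil unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  parse_client_dn(env['SSL_CLIENT_S_DN'])['CN']
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request environments, not captured from a real server.
  ok  = { 'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'SUCCESS',
          'SSL_CLIENT_S_DN' => '/CN=puppet.example.com' }
  bad = { 'HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'NONE', 'SSL_CLIENT_S_DN' => '' }
  puts verified_puppet_client(ok).inspect   # "puppet.example.com"
  puts verified_puppet_client(bad).inspect  # nil
end
```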