Setting up Nginx + Passenger » History » Version 6
Gabor Garami, 03/02/2015 09:58 AM
h1. Setting up Nginx + Passenger

Passenger packages/repos are available at http://passenger.stealthymonkeys.com/

h2. Nginx + Passenger with foreman on CentOS

Install packages

<pre>
# yum install -y nginx-passenger
</pre>

Create a self-signed certificate

<pre>
# cd /etc/nginx/
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
</pre>

Make a local copy of the app's `public` directory (local to rails, as nginx/passenger doesn't seem to like symbolic links)

<pre>
# cd /usr/share/foreman
# rm public
# cp -a /var/lib/foreman/public .
</pre>

Add to `/etc/nginx/nginx.conf`:

<pre>
env PATH;
</pre>

Create the foreman application config file `/etc/nginx/conf.d/foreman.conf`:

<pre>
server {
  listen 443;
  server_name _;
  ssl on;
  ssl_certificate /etc/nginx/server.crt;
  ssl_certificate_key /etc/nginx/server.key;

  # Verify puppetmaster clients against Puppet CA
  ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
  ssl_verify_client optional;
  ssl_verify_depth 1;

  access_log /var/log/nginx/foreman_access.log;
  error_log /var/log/nginx/foreman_error.log debug;
  root /usr/share/foreman/public;

  passenger_enabled on;
  passenger_set_cgi_param HTTPS on;
  passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
  passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;

  #location / {
  #}
}
</pre>

The SSL configuration here can verify clients for SSL communications with puppetmaster scripts, as per the "Securing Communications with SSL":http://theforeman.org/manuals/1.1/index.html#5.4SecuringCommunicationswithSSL documentation. It verifies clients using the Puppet CA and passes the information to Passenger and Foreman.

This guide uses a self-signed certificate for the Foreman server, so the ENC and report scripts will need to reference the certificate generated here in the @:ssl_ca@ and @$foreman_ssl_ca@ settings.

h2. Nginx + Passenger with foreman 1.2 on RHEL6.x/Scientific Linux

To run both puppetmaster and foreman 1.2 on the same host using nginx + passenger, an upgrade to phusion passenger 4.0 is required. To avoid breaking your existing puppetmaster setup, which uses the system-supplied ruby, follow these steps.

This setup assumes you are upgrading from foreman 1.1 and have a working nginx-passenger setup already.

The current phusion-supplied rpm is still a version 3 package, so using yum upgrade won't help:

<pre>
yum info passenger-release
Loaded plugins: security
Available Packages
Name        : passenger-release
Arch        : noarch
Version     : 3
Release     : 6.el6
Size        : 5.5 k
Repo        : passenger
Summary     : Phusion Passenger release RPM/Yum repository configuration
URL         : http://passenger.stealthymonkeys.com/
License     : MIT
Description : Phusion Passenger Yum/RPM configuration. This package contains the Yum
            : repository configuration to install & update Phusion Passenger, as
            : well as the GPG signing key to verify them.
</pre>

So instead use gem to install the correct package (as per: https://www.phusionpassenger.com/download#open_source):

<pre>
gem install passenger
Fetching: daemon_controller-1.1.4.gem (100%)
Fetching: passenger-4.0.5.gem (100%)
Successfully installed daemon_controller-1.1.4
Successfully installed passenger-4.0.5
2 gems installed
Installing ri documentation for daemon_controller-1.1.4...
Installing ri documentation for passenger-4.0.5...
Installing RDoc documentation for daemon_controller-1.1.4...
Installing RDoc documentation for passenger-4.0.5...
</pre>

Configure nginx. You might need to install some packages first (@yum install libcurl-devel libcurl@):

<pre>
passenger-install-nginx-module
Welcome to the Phusion Passenger Nginx module installer, v4.0.5.

This installer will guide you through the entire installation process. It
shouldn't take more than 5 minutes in total.

Here's what you can expect from the installation process:

1. This installer will compile and install Nginx with Passenger support.
2. You'll learn how to configure Passenger in Nginx.
3. You'll learn how to deploy a Ruby on Rails application.

Don't worry if anything goes wrong. This installer will advise you on how to
solve any problems.

Press Enter to continue, or Ctrl-C to abort.


--------------------------------------------

Checking for required software...

* Checking for GNU C compiler...
Found: yes
Location: /usr/bin/gcc
* Checking for GNU C++ compiler...
Found: yes
Location: /usr/bin/g++
* Checking for A download tool like 'wget' or 'curl'...
Found: yes
Location: /usr/bin/wget
* Checking for Ruby development headers...
Found: yes
Location: /usr/lib64/ruby/1.8/x86_64-linux/ruby.h
* Checking for OpenSSL support for Ruby...
Found: yes
* Checking for RubyGems...
Found: yes
* Checking for Rake (associated with /usr/bin/ruby)...
Found: yes
Location: /usr/bin/ruby /usr/bin/rake
* Checking for rack...
Found: yes
* Checking for Curl development headers with SSL support...
Found: yes
Version: libcurl 7.19.7
Usable: yes
curl-config location: /usr/bin/curl-config
Supports SSL: yes
Header location: /usr/include/curl/curl.h
* Checking for OpenSSL development headers...
Found: yes
Location: /usr/include/openssl/ssl.h
* Checking for Zlib development headers...
Found: yes
Location: /usr/include/zlib.h
</pre>

Stop nginx and update /etc/init.d/nginx to use the correct binary:

<pre>
vi /etc/init.d/nginx
#nginx="/usr/sbin/nginx"
nginx="/opt/nginx/sbin/nginx"
</pre>

Make sure passenger.conf in /etc/nginx/conf.d still points to the system ruby passenger version:

<pre>
# cat passenger.conf

passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.5;
passenger_ruby /usr/bin/ruby;
</pre>

Update foreman.conf (do not set the passenger_root):

<pre>
# cat foreman.conf

server {
  passenger_ruby /usr/bin/ruby193-ruby;

  .....
}
<snip>
</pre>

Start nginx and check if the website is working now.

h2. Post-install setup for Foreman 1.1+ to support certificate authentication via Nginx

Starting from Foreman 1.1, a bit more configuration is required, because by default it only supports an Apache webserver environment; Foreman also provides settings to make it fit any other webserver.

Log in to the administration area and go to the Administer -> Settings page. Find the *ssl_client_dn_env* variable and set its value to @HTTP_X_CLIENT_DN@. Also find *ssl_client_verify_env* and set it to @HTTP_X_CLIENT_VERIFY@.

These modifications are required since nginx behaves a bit differently from Apache and passes the SSL certificate information in a different way.

If you plan to use Nginx for the Puppet Master too, check the corresponding variables in puppet.conf: *ssl_client_header* and *ssl_client_verify_header*.

http://www.modrails.com/documentation/Users%20guide%20Nginx.html#_configuring_phusion_passenger has more information.
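As an added illustration (not Foreman's, Passenger's or this page's own code), the Python below models the two halves of the hand-off described in the foreman.conf block above and in these settings: the passenger_set_cgi_param lines copy nginx's $ssl_client_verify and $ssl_client_s_dn into the CGI environment, and the ssl_client_dn_env / ssl_client_verify_env settings name the keys Foreman reads back. The trusted-hosts check and the sample DNs are assumptions; the point shown is that the setting values must name the keys the web server actually sets, and that an unverified client or a mismatched key name fails closed rather than granting access.

```python
# Constructed nginx variables for two requests: a puppetmaster presenting a
# certificate signed by the Puppet CA, and an anonymous browser. Because
# ssl_verify_client is "optional", nginx accepts both connections; only the
# first carries SUCCESS in $ssl_client_verify.
NGINX_VARS_PUPPETMASTER = {
    "ssl_client_verify": "SUCCESS",
    "ssl_client_s_dn": "/CN=puppet.example.com",   # constructed sample DN
}
NGINX_VARS_BROWSER = {"ssl_client_verify": "NONE", "ssl_client_s_dn": ""}

# The passenger_set_cgi_param lines from foreman.conf, as (CGI name, value).
PASSENGER_CGI_PARAMS = [
    ("HTTPS", "on"),
    ("SSL_CLIENT_S_DN", "$ssl_client_s_dn"),
    ("SSL_CLIENT_VERIFY", "$ssl_client_verify"),
]


def build_cgi_env(nginx_vars, cgi_params=PASSENGER_CGI_PARAMS):
    """Resolve $variables into the CGI environment the app will see,
    the way passenger_set_cgi_param does (unset variables become '')."""
    env = {}
    for name, value in cgi_params:
        if value.startswith("$"):
            value = nginx_vars.get(value[1:], "")
        env[name] = value
    return env


def parse_dn(dn):
    """Split a DN in OpenSSL oneline form ('/C=US/CN=host') or RFC 2253
    form ('CN=host,O=org') into a dict of attribute -> value."""
    parts = dn.strip("/").replace("/", ",").split(",") if dn else []
    return dict(p.split("=", 1) for p in parts if "=" in p)


def authenticate_client(env, settings, trusted_hosts):
    """Return the trusted CN, or None. Reads only the environment keys
    named by the Foreman settings; assumed shape of Foreman's check, not
    its source. Anything other than a verified, listed CN is rejected."""
    if env.get(settings["ssl_client_verify_env"]) != "SUCCESS":
        return None
    cn = parse_dn(env.get(settings["ssl_client_dn_env"], "")).get("CN")
    return cn if cn in trusted_hosts else None
```

With the passenger_set_cgi_param lines shown, the matching setting values are SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY; HTTP_X_CLIENT_DN is the key Rack derives from an X-Client-DN request header, so it only matches a configuration that sets that header.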