Disable ssl on Chef-server?


I have setup nginx['enable_non_ssl']=true in the /etc/opscode/chef-server.rb file and run chef-server-ctl reconfigure but I still get a redirect when I try to curl the http port for chef which kind of defeats the purpose of this setting. See errors below.

My chef-server.rb file:

cat /etc/opscode/chef-server.rb

nginx['enable_non_ssl']=true
nginx['non_ssl_port']=80

Running reconfigure:

chef-server-ctl reconfigure

Starting Chef Client, version 12.0.3
resolving cookbooks for run list: ["private-chef::default"]
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
....

Curl command showing that I still get redirected:

curl http://chef-xxx.xxxxxx.com

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty/1.7.10.1</center>
</body>
</html>

How do I get a working chef-server up?

Solution

I got the same issue and fixed it

I got the same issue with a recent install of Chef Server (chef-manage v2.4.4)

You can see your Chef Manage version by reading the change log of your deployed chef server: http(s)://your-chef-server.com/changelog

What we want

After installing my chef server instance on a dedicated server, it worked correctly with SSL.

But our production servers are deployed on a dedicated host in a private VLAN, and users access the services or web apps through an nginx web server running as a reverse proxy.

So to put the chef server in production mode, I had to configure my reverse proxy to proxy the requests:

Here is the correct request/response route pattern:

Request:

client    443 >> 443 chef.company.com (DNS: rev-proxy)
rev-proxy  80 >> 80  chef.vlan

Response:

rev-proxy  80 << 80  chef.vlan
client    443 << 443 chef.company.com

The normal issue

But, like you, the chef server default configuration forces the SSL redirection from the reverse proxy to the chef host in the vlan. It causes an infinite redirection loop:

client     443 >> 443 rev-proxy
proxy       80 >> 80  chef.vlan
client      80 << 80  chef.company.com (redirect to https://$host$request_uri)
client     443 >> 443 rev-proxy
proxy       80 >> 80  chef.vlan
client      80 << 80  chef.company.com (redirect to https://$host$request_uri)
...
client     443 >> 443 rev-proxy
proxy       80 >> 80  chef.vlan
client      80 << 80  chef.company.com (redirect to https://$host$request_uri)
...

The normal fix

So we have to disable SSL on the chef.vlan side.

The normal method is to edit the file /opt/obscode.chef-server.rb (and create it if it doesn't exist), by inserting the following directive:

nginx['enable_non_ssl']=true

and optionally (because this is already the default value) the following one:

nginx['non_ssl_port']=80

Thus we would just have to reconfigure the chef server:

# chef-server-ctl reconfigure

But there is a bug in chef-server

But there is a bug in the chef template recipe that is used to generate the nginx config file. Thus the previous directives are ignored when we reconfigure the chef server.

So the infinite loop stays there.

Bug Ticket: https://tickets.opscode.com/browse/CHEF-3999

Also, you can see these other resources:

https://github.com/chef/omnibus-chef/pull/57

https://docs.chef.io/config_rb_server.html

https://github.com/chef/chef-server/issues/973

Fixing the issue

To fix this situation, I had to adapt the proposed solution from the bug ticket.

Find the nginx config files on the chef host

root@chef-srv:~# find / -name nginx.conf
/opt/chef-manage/embedded/service/gem/ruby/2.2.0/gems/unicorn-4.9.0/examples/nginx.conf
/opt/opscode/embedded/service/gem/ruby/2.2.0/gems/unicorn-5.1.0/examples/nginx.conf
/opt/opscode/embedded/conf/nginx.conf
/var/opt/opscode/nginx/etc/nginx.conf

The last one is the embedded nginx conf file. It contains the following code block, source of the issue:

# We support three options: serve nothing on non_ssl_port (80),
# redirect to https, or actually serve the API.
server {
  listen 80;
  access_log /var/log/opscode/nginx/rewrite-port-80.log;
  return 301 https://$host$request_uri;
}

Find the nginx config recipes that source the embedded nginx config

root@chef-srv:~# find / -name nginx.rb
/opt/chef-manage/embedded/cookbooks/omnibus-chef-manage/recipes/nginx.rb
/opt/chef-manage/embedded/cookbooks/cache/cookbooks/omnibus-chef-manage/recipes/nginx.rb
/opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb
/var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/nginx.rb

The third is the template generating the embedded nginx config:

/opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb
  ===> /var/opt/opscode/nginx/etc/nginx.conf

Fix the recipe

We had to fix it by adding the following line:

node.default['private_chef']['nginx']['enable_non_ssl']=true

We should append it to the following block:

# Save node attributes back for use in config template generation
node.default['private_chef']['nginx']['ssl_certificate'] ||= ssl_crtfile
node.default['private_chef']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
node.default['private_chef']['nginx']['ssl_dhparam'] ||= ssl_dhparam

So the final block code looks like:

# nano /opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb

:

# Save node attributes back for use in config template generation
node.default['private_chef']['nginx']['ssl_certificate'] ||= ssl_crtfile
node.default['private_chef']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
node.default['private_chef']['nginx']['ssl_dhparam'] ||= ssl_dhparam
node.default['private_chef']['nginx']['enable_non_ssl']=true

Apply the changes

Finally we must regenerate the nginx config file from the recipe template by reconfiguring the chef server:

# chef-server-ctl reconfigure

Then the route pattern works as expected.

Enjoy!
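The answer's whole problem is that chef-server.rb says one thing and the rendered /var/opt/opscode/nginx/etc/nginx.conf does another, and the only proof that the recipe patch took effect is the port-80 server block after chef-server-ctl reconfigure. Below is an added example of that check, written by the editor and not taken from the question, the answer, or the Chef project: it pulls the nginx['...'] settings out of chef-server.rb, finds the server block listening on the non-SSL port in the rendered config, and reports whether it redirects, serves the API, or serves nothing. Python is used because it is a read-only check run beside the install, not part of the recipe. The sample configs and the chef-server.rb lines are constructed for the example; the upstream name opscode_erchef and the exact shape of the "serve the API" block are assumptions, not something the page shows. Note what a green result means: the API is now answered in plaintext on port 80, so that port must be reachable only from the reverse proxy (the private VLAN in the answer), and the check says nothing about that exposure.

```python
import re
import sys
from typing import Dict, List

# Constructed sample (editor's, not from the page): the port-80 block the
# answer found in the rendered nginx.conf, i.e. the "redirect to https" option,
# plus a 443 block so the classifier has something to skip.
REDIRECT_CONF = """
server {
  listen 80;
  access_log /var/log/opscode/nginx/rewrite-port-80.log;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl;
  location / { proxy_pass http://opscode_erchef; }
}
"""

# Constructed sample: the shape assumed for the block once enable_non_ssl is
# honoured and the API is really served on port 80 (upstream name is assumed).
SERVE_CONF = """
server {
  listen 80;
  location / { proxy_pass http://opscode_erchef; }
}
"""

# Constructed sample of the two settings the question put in chef-server.rb.
CHEF_SERVER_RB = """
nginx['enable_non_ssl'] = true
nginx['non_ssl_port'] = 80
"""


def server_blocks(conf: str) -> List[str]:
    """Return the body of every `server { ... }` block; braces are counted so a
    nested `location { }` stays inside its server block."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
            i += 1
        blocks.append(conf[m.end():i - 1])
    return blocks


def listens_on(block: str, port: int) -> bool:
    """True if a `listen` directive in the block names this port, with or without an address."""
    ports = re.findall(r"\blisten\s+(?:[\w.:\[\]]*:)?(\d+)", block)
    return any(int(p) == port for p in ports)


def port_behaviour(conf: str, port: int = 80) -> str:
    """Classify the non-SSL port: 'redirect' (30x to https://), 'serve'
    (a location/proxy_pass is present) or 'nothing' (no block, or no handler)."""
    for block in server_blocks(conf):
        if not listens_on(block, port):
            continue
        if re.search(r"\breturn\s+30[1278]\s+https://", block):
            return "redirect"
        if re.search(r"\b(?:location|proxy_pass)\b", block):
            return "serve"
        return "nothing"
    return "nothing"


def parse_chef_server_rb(text: str) -> Dict[str, object]:
    """Extract scalar nginx['key'] = value settings; a regex is enough for the
    booleans and integers this check cares about (not a Ruby parser)."""
    settings: Dict[str, object] = {}
    for key, raw in re.findall(r"""nginx\[['"](\w+)['"]\]\s*=\s*([^\n#]+)""", text):
        raw = raw.strip()
        if raw in ("true", "false"):
            settings[key] = raw == "true"
        elif raw.isdigit():
            settings[key] = int(raw)
        else:
            settings[key] = raw.strip("'\"")
    return settings


def diagnose(chef_server_rb: str, nginx_conf: str) -> str:
    """Compare what chef-server.rb asks for with what the rendered nginx.conf does."""
    settings = parse_chef_server_rb(chef_server_rb)
    wanted = bool(settings.get("enable_non_ssl", False))
    port = int(settings.get("non_ssl_port", 80))
    actual = port_behaviour(nginx_conf, port)
    if wanted and actual == "serve":
        return "ok: API served in plaintext on port %d" % port
    if wanted:
        return "setting ignored: enable_non_ssl=true but port %d does '%s'" % (port, actual)
    if actual == "serve":
        return "unexpected: plaintext API on port %d without enable_non_ssl" % port
    return "ok: port %d does '%s' and enable_non_ssl is not set" % (port, actual)


if __name__ == "__main__":
    # Usage: python check_non_ssl.py /etc/opscode/chef-server.rb /var/opt/opscode/nginx/etc/nginx.conf
    if len(sys.argv) == 3:
        rb, conf = (open(p).read() for p in sys.argv[1:3])
    else:
        rb, conf = CHEF_SERVER_RB, REDIRECT_CONF
    print(diagnose(rb, conf))
```

Run it once before the recipe change and once after the second chef-server-ctl reconfigure; the first run should say "setting ignored", the second "ok". The same script also flags the opposite drift, an API served on port 80 when chef-server.rb never asked for it.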
