Disable ssl on Chef-server?

吃可爱长大的小学妹 提交于 2019-12-10 10:49:21

问题


I have setup nginx['enable_non_ssl']=true in the /etc/opscode/chef-server.rb file and run chef-server-ctl reconfigure but I still get a redirect when I try to curl the http port for chef which kind of defeats the purpose of this setting. See errors below.

My chef-server.rb file:

cat /etc/opscode/chef-server.rb

nginx['enable_non_ssl']=true
nginx['non_ssl_port']=80

Running reconfigure:

chef-server-ctl reconfigure

Starting Chef Client, version 12.0.3
resolving cookbooks for run list: ["private-chef::default"]
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
....

Curl command showing that I still get redirected:

curl http://chef-xxx.xxxxxx.com

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty/1.7.10.1</center>
</body>
</html>

How do I get a working chef-server up?


回答1:


I got the same issue an fixed it

I got the same issue with a rencent install of Chef Server (chef-manage v2.4.4)

You can see your Chef Manage version by reading the change log of your deployed chef server: http(s)://your-chef-server.com/changelog

What we want

After installed my chef server instance on a dedicated server, it did works correctly with SSL.

But our production servers are deployed on dedicated host in a private VLAN, and users acces to the services or web apps through a nginx web server running as a reverse proxy.

So to put the chef server in production mode, I had to configure my reverse proxy to proxy the requests:

Here the correct request/response route pattern:

Request:

client    443 >> 443 chef.company.com (DNS: rev-proxy)
rev-proxy  80 >> 80  chef.vlan

Response:

rev-proxy  80 << 80  chef.vlan
client    443 << 443 chef.company.com

The normal issue

But, like you, the chef server default configuration force the SSL redirection from the reverse proxy to the chef host in the vlan. It causes an infinite redirection loop:

client     443 >> 443 rev-proxy
proxy       80 >> 80  chef.vlan
client      80 << 80  chef.company.com (redirect to https://$host$request_uri)
client     443 >> 443 rev-proxy
proxy       80 >> 80  chef.vlan
client      80 << 80  chef.company.com (redirect to https://$host$request_uri)
...
client     443 >> 443 rev-proxy
proxy       80 >> 80  chef.vlan
client      80 << 80  chef.company.com (redirect to https://$host$request_uri)
...

The normal fix

So we have to disable the SSL chef.vlan side.

The normal method is to edit the file /opt/obscode.chef-server.rb (and create it if it doesn't exist), by inserting the following directive:

nginx['enable_non_ssl']=true

and optionally (because this is already the default value) the following one:

nginx['non_ssl_port']=80

Thus we would just had to reconfigure the chef server:

# chef-server-ctl reconfigure

But there is a bug in chef-server

But there is a bug in the chef template recipe that it used to generate the nginx confi file. Thus the previous directives are ignored when we reconfigure the chef server.

So the infinite loop stays there.

Bug Ticket: https://tickets.opscode.com/browse/CHEF-3999

Also, you can see these other resources:

https://github.com/chef/omnibus-chef/pull/57

https://docs.chef.io/config_rb_server.html

https://github.com/chef/chef-server/issues/973

Fixing the issue

To fix this situation, I had to adapt the proposed solution from the bug ticket.

Find the nginx config files on the chef host

root@chef-srv:~# find / -name nginx.conf
/opt/chef-manage/embedded/service/gem/ruby/2.2.0/gems/unicorn-4.9.0/examples/nginx.conf
/opt/opscode/embedded/service/gem/ruby/2.2.0/gems/unicorn-5.1.0/examples/nginx.conf
/opt/opscode/embedded/conf/nginx.conf
/var/opt/opscode/nginx/etc/nginx.conf

The last one is embedded nginx conf file. It contains the following bloc code, source of the issue:

# We support three options: serve nothing on non_ssl_port (80),
# redirect to https, or actually serve the API.
      server {
        listen 80;
        access_log /var/log/opscode/nginx/rewrite-port-80.log;
        return 301 https://$host$request_uri;
      }

Find the nginx config recipes that sources the embedded nginx config

root@chef-srv:~# find / -name nginx.rb
/opt/chef-manage/embedded/cookbooks/omnibus-chef-manage/recipes/nginx.rb
/opt/chef-manage/embedded/cookbooks/cache/cookbooks/omnibus-chef-manage/recipes/nginx.rb
/opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb
/var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/nginx.rb

The third is the template generating the embedded nginx config:

/opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb
  === > /var/opt/opscode/nginx/etc/nginx.conf

Fix the recipe

We had to fix it addind the following lines:

node.default['private_chef']['nginx']['enable_non_ssl']=true

We should append it to the following block:

# Save node attributes back for use in config template generation
node.default['private_chef']['nginx']['ssl_certificate'] ||= ssl_crtfile
node.default['private_chef']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
node.default['private_chef']['nginx']['ssl_dhparam'] ||= ssl_dhparam

So the final block code looks like:

# nano /opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb

:

# Save node attributes back for use in config template generation
node.default['private_chef']['nginx']['ssl_certificate'] ||= ssl_crtfile
node.default['private_chef']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
node.default['private_chef']['nginx']['ssl_dhparam'] ||= ssl_dhparam
node.default['private_chef']['nginx']['enable_non_ssl']=true

Apply the changes

Finally we must regenerate the nginx config file from the recipe template by reconfiguring the chef server:

# chef-server-ctl reconfigure

Then the route pattern works as expected.

Enjoy!




回答2:


Relevant settings from Chef:

Note The chef-server.rb file does not exist by default. To modify the settings for the Chef server, create a file named chef-server.rb in the /etc/opscode/ directory.

Note This file was named private-chef.rb in previous versions of Enterprise Chef. After an upgrade to Chef server 12 from Enterprise Chef, the private-chef.rb file is symlinked to chef-server.rb. The private-chef.rb file is deprecated, starting with Chef server 12.

nginx['enable_non_ssl']

Use to allow port 80 redirects to port 443. When this value is set to false, load balancers on the front-end hardware are allowed to do SSL termination of the WebUI and API. Default value: false.

nginx['non_ssl_port']   

The port on which the WebUI and API are bound for non-SSL connections. Default value: 80. Use nginx['enable_non_ssl'] to enable or disable SSL redirects on this port number. Set to false to disable non-SSL connections.

So according to the above I believe you will need to edit/create the chef-server.rb file in the /etc/opscode/ directory, then run chef-server-ctl reconfigure.




回答3:


The change in the chef-server.rb file made the url as http but when I logged in prompted again for https login means; user login is twice once in http and once in https.

let me know if you had a chance to try this and any success in the configuration as HTTP Instance Thanks in advance.




回答4:


So, I investigated the issue and found next:

Except Nginx the WebUI chef-manage uses Unicorn web-server and the App has property config.force_ssl=true unless ENV['NO_SSL'].

So for disabling SSL you need pass env variable export NO_SSL=true to run command or run-script of the WebUI.



来源:https://stackoverflow.com/questions/30405996/disable-ssl-on-chef-server

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!