问题
I have setup nginx['enable_non_ssl']=true
in the /etc/opscode/chef-server.rb
file and run chef-server-ctl reconfigure
but I still get a redirect when I try to curl the http port for chef which kind of defeats the purpose of this setting. See errors below.
My chef-server.rb
file:
cat /etc/opscode/chef-server.rb
nginx['enable_non_ssl']=true
nginx['non_ssl_port']=80
Running reconfigure:
chef-server-ctl reconfigure
Starting Chef Client, version 12.0.3
resolving cookbooks for run list: ["private-chef::default"]
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
[2015-05-25T13:12:26+00:00] WARN: Cookbook 'local-mode-cache' is empty or entirely chefignored at /opt/opscode/embedded/cookbooks/local-mode-cache
....
Curl command showing that I still get redirected:
curl http://chef-xxx.xxxxxx.com
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty/1.7.10.1</center>
</body>
</html>
How do I get a working chef-server up?
回答1:
I got the same issue an fixed it
I got the same issue with a rencent install of Chef Server (chef-manage v2.4.4
)
You can see your Chef Manage version by reading the change log of your deployed chef server: http(s)://your-chef-server.com/changelog
What we want
After installed my chef server instance on a dedicated server, it did works correctly with SSL.
But our production servers are deployed on dedicated host in a private VLAN, and users acces to the services or web apps through a nginx web server running as a reverse proxy.
So to put the chef server in production mode, I had to configure my reverse proxy to proxy the requests:
Here the correct request/response route pattern:
Request:
client 443 >> 443 chef.company.com (DNS: rev-proxy)
rev-proxy 80 >> 80 chef.vlan
Response:
rev-proxy 80 << 80 chef.vlan
client 443 << 443 chef.company.com
The normal issue
But, like you, the chef server default configuration force the SSL redirection from the reverse proxy to the chef host in the vlan. It causes an infinite redirection loop:
client 443 >> 443 rev-proxy
proxy 80 >> 80 chef.vlan
client 80 << 80 chef.company.com (redirect to https://$host$request_uri)
client 443 >> 443 rev-proxy
proxy 80 >> 80 chef.vlan
client 80 << 80 chef.company.com (redirect to https://$host$request_uri)
...
client 443 >> 443 rev-proxy
proxy 80 >> 80 chef.vlan
client 80 << 80 chef.company.com (redirect to https://$host$request_uri)
...
The normal fix
So we have to disable the SSL chef.vlan side.
The normal method is to edit the file /opt/obscode.chef-server.rb
(and create it if it doesn't exist), by inserting the following directive:
nginx['enable_non_ssl']=true
and optionally (because this is already the default value) the following one:
nginx['non_ssl_port']=80
Thus we would just had to reconfigure the chef server:
# chef-server-ctl reconfigure
But there is a bug in chef-server
But there is a bug in the chef template recipe that it used to generate the nginx confi file. Thus the previous directives are ignored when we reconfigure the chef server.
So the infinite loop stays there.
Bug Ticket: https://tickets.opscode.com/browse/CHEF-3999
Also, you can see these other resources:
https://github.com/chef/omnibus-chef/pull/57
https://docs.chef.io/config_rb_server.html
https://github.com/chef/chef-server/issues/973
Fixing the issue
To fix this situation, I had to adapt the proposed solution from the bug ticket.
Find the nginx config files on the chef host
root@chef-srv:~# find / -name nginx.conf
/opt/chef-manage/embedded/service/gem/ruby/2.2.0/gems/unicorn-4.9.0/examples/nginx.conf
/opt/opscode/embedded/service/gem/ruby/2.2.0/gems/unicorn-5.1.0/examples/nginx.conf
/opt/opscode/embedded/conf/nginx.conf
/var/opt/opscode/nginx/etc/nginx.conf
The last one is embedded nginx conf file. It contains the following bloc code, source of the issue:
# We support three options: serve nothing on non_ssl_port (80),
# redirect to https, or actually serve the API.
server {
listen 80;
access_log /var/log/opscode/nginx/rewrite-port-80.log;
return 301 https://$host$request_uri;
}
Find the nginx config recipes that sources the embedded nginx config
root@chef-srv:~# find / -name nginx.rb
/opt/chef-manage/embedded/cookbooks/omnibus-chef-manage/recipes/nginx.rb
/opt/chef-manage/embedded/cookbooks/cache/cookbooks/omnibus-chef-manage/recipes/nginx.rb
/opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb
/var/opt/opscode/local-mode-cache/cookbooks/private-chef/recipes/nginx.rb
The third is the template generating the embedded nginx config:
/opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb
=== > /var/opt/opscode/nginx/etc/nginx.conf
Fix the recipe
We had to fix it addind the following lines:
node.default['private_chef']['nginx']['enable_non_ssl']=true
We should append it to the following block:
# Save node attributes back for use in config template generation
node.default['private_chef']['nginx']['ssl_certificate'] ||= ssl_crtfile
node.default['private_chef']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
node.default['private_chef']['nginx']['ssl_dhparam'] ||= ssl_dhparam
So the final block code looks like:
# nano /opt/opscode/embedded/cookbooks/private-chef/recipes/nginx.rb
:
# Save node attributes back for use in config template generation
node.default['private_chef']['nginx']['ssl_certificate'] ||= ssl_crtfile
node.default['private_chef']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
node.default['private_chef']['nginx']['ssl_dhparam'] ||= ssl_dhparam
node.default['private_chef']['nginx']['enable_non_ssl']=true
Apply the changes
Finally we must regenerate the nginx config file from the recipe template by reconfiguring the chef server:
# chef-server-ctl reconfigure
Then the route pattern works as expected.
Enjoy!
回答2:
Relevant settings from Chef:
Note The chef-server.rb file does not exist by default. To modify the settings for the Chef server, create a file named chef-server.rb in the /etc/opscode/ directory.
Note This file was named private-chef.rb in previous versions of Enterprise Chef. After an upgrade to Chef server 12 from Enterprise Chef, the private-chef.rb file is symlinked to chef-server.rb. The private-chef.rb file is deprecated, starting with Chef server 12.
nginx['enable_non_ssl']
Use to allow port 80 redirects to port 443. When this value is set to false, load balancers on the front-end hardware are allowed to do SSL termination of the WebUI and API. Default value: false.
nginx['non_ssl_port']
The port on which the WebUI and API are bound for non-SSL connections. Default value: 80. Use nginx['enable_non_ssl'] to enable or disable SSL redirects on this port number. Set to false to disable non-SSL connections.
So according to the above I believe you will need to edit/create the chef-server.rb
file in the /etc/opscode/
directory, then run chef-server-ctl reconfigure
.
回答3:
The change in the chef-server.rb file made the url as http but when I logged in prompted again for https login means; user login is twice once in http and once in https.
let me know if you had a chance to try this and any success in the configuration as HTTP Instance Thanks in advance.
回答4:
So, I investigated the issue and found next:
Except Nginx the WebUI chef-manage uses Unicorn web-server and the App has property config.force_ssl=true unless ENV['NO_SSL'].
So for disabling SSL you need pass env variable export NO_SSL=true
to run command or run-script of the WebUI.
来源:https://stackoverflow.com/questions/30405996/disable-ssl-on-chef-server