如何使用管理控制台和nginx反向代理安装chef-server?

时间:2015-12-17 13:01:53

标签: ruby nginx chef reverse-proxy

我尝试在当前的nginx网络服务器环境中集成一个厨师服务器。

不幸的是,如果我调用https://chef.example.com:4000/login而不是重定向到https://chef.example.com(这会起作用),nginx会重定向到https://chef.example.com/login(这不起作用)。

我的配置:

/etc/opscode-manage/manage.rb: 

public_port 443
webapp.port 443

/etc/opscode/chef-server.rb: 

server_name = "chef.example.com"
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/#{server_name}.key"
nginx['non_ssl_port'] = 4001
nginx['ssl_port'] = 4000

/etc/nginx/sites-available/example.com/chef: 

server {
  listen 80;
  server_name chef.example.com;
  return 301 https://$server_name$request_uri;  # enforce https
  port_in_redirect off;
}

server {
  listen 127.0.0.1:443 ssl;
  server_name chef.example.com;

  ssl_certificate /etc/nginx/ssl/example.com/chef.example.com.crt;
  ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;

  location / {
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass https://127.0.0.1:4000;
  }
}

此处通过curl向https://chef.example.com发出请求:

> curl -Sv --insecure https://chef.example.com 
* Rebuilt URL to: https://chef.example.com/
*   Trying 62.[...] ...
* Connected to proxy (62.[...] ) port 3128 (#0)
* Establish HTTP proxy tunnel to chef.example.com:443
> CONNECT chef.example.com:443 HTTP/1.1
> Host: chef.example.com:443
> User-Agent: curl/7.46.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection established
< 
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*        subject: C=US; O=YouCorp; OU=Operations; CN=chef.example.com
*        start date: Dec 17 11:19:51 2015 GMT
*        expire date: Dec 14 11:19:51 2025 GMT
*        issuer: C=US; O=YouCorp; OU=Operations; CN=chef.example.com
*        SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: chef.example.com
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.4.7
< Date: Mon, 21 Dec 2015 08:33:09 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 302 Found
< Strict-Transport-Security: max-age=631138519
< X-Frame-Options: DENY
< X-WebKit-CSP: default-src 'self' chrome-extension:; connect-src 'self' chrome-extension:; font-src 'self' themes.googleusercontent.com chrome-extension:; frame-src 'none' chrome-extension:; img-src 'self' https://ssl.google-analytics.com chrome-extension: data:; media-src 'none' chrome-extension:; object-src 'none' chrome-extension:; script-src 'self' https://ssl.google-analytics.com 'unsafe-inline' 'unsafe-eval' chrome-extension:; style-src 'self' 'unsafe-inline' fonts.googleapis.com chrome-extension:; script-nonce 2ec8a63645785f329650e82150502b62;
< X-XSS-Protection: 1
< Location: https://chef.example.com:4000/login
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< Set-Cookie: chef-manage=01f350576b270bbfb72fa8f17c0ba28e; path=/; secure; HttpOnly
< X-Request-Id: e89cbb4417b658e8fb857c786747fe1d
< X-Runtime: 0.018629
<
* Connection #0 to host proxy left intact
<html><body>You are being <a href="https://chef.example.com:4000/login">redirected</a>.</body></html>%

厨师文档中没有任何建议如何使用chef-server设置反向代理。

知道如何调整该配置以阻止nginx(或厨师)对端口4000进行重定向吗?

1 个答案:

答案 0 :(得分:1)

这不起作用。你最终可以进行装配,但它需要一个相当复杂的厨师服务器配置来完成它。 Chef Server是一个设备,它希望至少在一定程度上控制机器。关键点通常是使用生成的Bookshelf URL。

尽管如此,proxy_redirect可能会解决当前问题。

相关问题
最新问题