SSL issue with Apache httpd reverse proxy scheme - apache

Apologies this question is a mix of Chef and Apache-httpd, but ultimately I believe it's an Apache-httpd configuration issue.
I have a Chef client/node happily hitting a Chef Server w/ SSL.
Chef client/node - /etc/chef/client.rb
chef_server_url 'https://chefserverhostname/organizations/myOrg'
ssl_verify_mode :verify_peer
I'm trying to put a proxy in front of the Chef Server so I can re-point down the road if needed. Apache-httpd is installed fine (on the same box as Chef Server), all firewall and iptables are consistent with my below configuration.
Chef Server - /etc/httpd/conf/httpd.conf
Listen 8443
<VirtualHost *:8443>
ServerAdmin me#email
ServerName chefserverhostname
ServerAlias CDS-PROXY
ProxyPass / https://chefserverhostname:443/
ProxyPassReverse / https://chefserverhostname:443/
RewriteEngine On
</VirtualHost>
I reconfigure the Chef client/node's client.rb to point to https://chefserverhostname:8443/organizations/myOrg, and hope to have the request pass through the proxy. ChefServer/nginx is listening on 443 and I'm assuming that it's taking care of the SSL decrypt, and 8443 is just the 'pass-through'. But when I fire up my Chef client/node I'm getting an SSL error message:
ERROR: SSL Validation failure connecting to host: chefserverhostname - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol

You are using HTTPS, but your vhost does not have any configuration to enable mod_ssl or another TLS option. As such, you should be using http://hostname:8443, but this is very much not recommended.
Chef Server is an appliance at heart and this kind of extra proxy layer is possible but not how things are intended to operate. You should just use the default setup which already includes a fronting nginx proxy for Erchef and friends.

You can check this recipe, https://github.com/chef-cookbooks/httpd, and configure Apache SSL and the additional modules properly.
To me it is also not OK to drop the SSL connection on the Chef server, based on your current setup.
Since you have nginx on your machine, you can extend the configuration there to support a reverse proxy. Later on, if you remove chefserver/nginx from this machine and want to leave only the proxy, install a new nginx and apply the same proxy configuration.
I would rather drop Apache from your setup.

Related

Create an SSL certificate for a Shiny server running on CentOS

I can't figure how to create an SSL certificate for a Shiny server that runs on a CentOS machine.
My end goal is to be able to access my app with HTTPS.
So instead of - HTTP://mydomain.com:3838/my-app/
To have something like - HTTPS://mydomain.com:3838/my-app/
Or even better - HTTPS://mydomain/my-app/
I tried my best with numerous tutorials but I'm not an expert in system administration and didn't have a lot of success.
Would really appreciate any help here!
# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
# shiny-server --version
Shiny Server v1.5.7.907
Thanks!
My answer in one word: letsencrypt.
Letsencrypt provides an executable that will grant you SSL certificates for all the domains your server handles. For this, it validates your machine by mounting a temporary web server and checking whether it can reach it with the domain names you provided.
There's more info in the official website. Once you have the certs, simply add them to nginx or Apache or whatever web server you are using.
UPDATE:
To forward HTTP calls to your Shiny web server you have to use the Apache web server as a proxy; that means that every call to yourdomain:80 will be redirected to localhost:3838.
You have to edit your default conf. In Ubuntu you can find it in this path: /etc/apache2/sites-enabled/000-default.conf
Then, in the conf file:
# SSLEngine needs a TLS listener; port 443 is the default HTTPS port
<VirtualHost *:443>
# These lines configure SSL
SSLEngine on
SSLCertificateFile /path/to/your/ssl.crt
SSLCertificateKeyFile /path/to/your/ssl.key
# These lines configure the proxy to the local Shiny listener
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3838/
ProxyPassReverse / http://127.0.0.1:3838/
# This sets the domain name to listen for
ServerName yourdomain.com
</VirtualHost>
Then, restart apache and you're good to go.

Serve http server behind an Apache https Proxy

It seems that it is possible to get the Apache server to proxy and manage the SSL handshake on https requests and service them as 'http' through another server behind it.
I have configured an apache server for ProxyPass using following configuration
SSLProxyEngine On
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
I am able to get all traffic to the Apache server that is listening on port 8080 directed and served by the localhost:8081 server, so
http://localhost:8080/hi is being correctly served by http://localhost:8081/hi
However, the following does not work:
https://localhost:8080/hi to be served by http://localhost:8081/hi
Apache is trying to pass the https:// traffic to the 8081 server, without managing the SSL handshake.
Your Apache listener on port 8080 is an http listener, not an https listener. You can't handle both types of traffic on the same port. If you want to handle SSL traffic, you'll need to set up a new context on another port with SSLEngine On and all the other normal SSL configuration (certificate, key, etc).
This question has one version of this configuration.
Also this post.

Apache fresh installation ssl

I've installed Apache on CentOS and have not enabled SSL, and yet I get the following error.
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please. Hint:
https://192.168.1.50/ Apache/2.2.15 (CentOS) Server at 192.168.1.50
Port 443
The page I was testing it is a simple html page.
I did not make many changes to the freshly installed Apache. The only things I edited are the IPTABLES config file, to allow LAN access on port 80, and the httpd.conf file, to change the document root.
I've installed Apache before(on Fedora), but didn't have this problem.
Thank you.
I managed to find the problem. I found an ssl.conf file that contains all of the SSL configuration lines. SSL was enabled by default; it's weird. It is located in /etc/httpd/conf.d/ and a simple
<VirtualHost _default_:443>
SSLEngine off
</VirtualHost>
did the trick.

how to use force-ssl in meteor.js without deployment to meteor.com subdomains?

The documentation is not clear. How do I install a certificate, etc., on localhost?
force-ssl
This package causes Meteor to redirect insecure connections (HTTP) to a secure URL (HTTPS). Use this package to ensure that communication to the server is always encrypted to protect users from active spoofing attacks.
To simplify development, unencrypted connections from localhost are always accepted over HTTP.
Application bundles (meteor bundle) do not include an HTTPS server or certificate. A proxy server that terminates SSL in front of a Meteor bundle must set the standard x-forwarded-proto header for the force-ssl package to work.
Applications deployed to meteor.com subdomains with meteor deploy are automatically served via HTTPS using Meteor's certificate.
I've slogged through setting up an Apache reverse proxy that terminates SSL in front of Meteor, and wanted to document that here as well.
I added the following to the config file for the SSL virtual host:
<VirtualHost _default_:443>
ServerName server.domain.com
## SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
## Proxy to port 3000 for Meteor apps
SSLProxyEngine On
# Disable forward proxying (Apache does not allow comments at the end of a directive line)
ProxyRequests Off
ProxyPass / http://localhost:3000
ProxyPassReverse / http://localhost:3000
## Your other SSL config directives such as certificates, etc.
</VirtualHost>
You do not need to install certificates on localhost. As it says, "To simplify development, unencrypted connections from localhost are always accepted over HTTP.", which means that you can develop and test the application without using SSL and without installing certificates. Just run your application and access it with http://localhost:3000 as usual.
If you are talking about installing certificates for publicly facing applications it is probably best to use a reverse proxy server such as nginx and install the certificates for that server. http://wiki.nginx.org/HttpProxyModule
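A small check, added here and not taken from any of the posts above, that reads Apache vhost blocks and flags the misconfigurations these threads run into: a ProxyPass to an https:// backend without SSLProxyEngine On and a conventionally-TLS port with no SSLEngine (the Chef "unknown protocol" error), SSLEngine on port 80 (the "plain HTTP to an SSL-enabled server port" 400), and a TLS-terminating vhost that does not send X-Forwarded-Proto to its plain-HTTP backend (what force-ssl relies on). The sample config is constructed, and treating 443/8443 as TLS ports is an assumption.

```python
import re

# Constructed sample (assumption): the 8443 Chef front end, the Shiny vhost with
# SSLEngine on port 80, and a TLS terminator forwarding the scheme to Meteor.
SAMPLE_CONFIG = """
<VirtualHost *:8443>
ProxyPass / https://chefserverhostname:443/
</VirtualHost>
<VirtualHost *:80>
SSLEngine on
ProxyPass / http://127.0.0.1:3838/
</VirtualHost>
<VirtualHost _default_:443>
SSLEngine on
SSLProxyEngine On
ProxyPass / http://localhost:3000
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*?:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Yield (port, [(directive_lowercase, args), ...]) for each <VirtualHost> block."""
    for port, body in VHOST_RE.findall(text):
        directives = []
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):  # Apache has no inline comments
                parts = line.split(None, 1)
                directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
        yield int(port), directives

def lint_vhost(port, directives):
    """Return the findings for one vhost; an empty list means nothing to flag."""
    def is_on(name):
        return any(d == name and a.lower() == "on" for d, a in directives)
    backends = [a.split()[1] for d, a in directives if d == "proxypass" and len(a.split()) > 1]
    tls = is_on("sslengine")
    findings = []
    if any(b.lower().startswith("https://") for b in backends) and not is_on("sslproxyengine"):
        findings.append("ProxyPass to an https:// backend needs SSLProxyEngine On")
    if not tls and port in (443, 8443):  # assumption: these ports are expected to speak TLS
        findings.append("no SSLEngine on port %d: https clients fail with 'unknown protocol'" % port)
    if tls and port == 80:
        findings.append("SSLEngine on port 80: plain-HTTP clients get 400 'plain HTTP to an SSL-enabled server port'")
    if tls and any(b.lower().startswith("http://") for b in backends) and not any(
            d == "requestheader" and "x-forwarded-proto" in a.lower() for d, a in directives):
        findings.append("TLS terminated here but X-Forwarded-Proto is not set for the http:// backend")
    return findings

def lint_config(text):
    return {port: lint_vhost(port, ds) for port, ds in parse_vhosts(text)}
```

Run `lint_config(open("/etc/httpd/conf/httpd.conf").read())` against a real file; the 443 vhost in the sample is the only one that comes back clean.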

How do I use Apache http to proxy to two different tomcat servers?

I have apache httpd that I want to proxy to two different tomcat servers.
I see this:
http://tomcat.apache.org/connectors-doc-archive/jk2/proxy.html
But that is only for one tomcat server. What if I had one server running on 8081 in addition to a tomcat running at 8080?
There's an easier way to set up load balancing using mod_proxy_balancer. Simply list the Tomcat servers under a balancer, then put that balancer in your ProxyPass:
<Proxy balancer://mycluster>
BalancerMember http://tomcat1:8080/
BalancerMember http://tomcat2:8081/
</Proxy>
ProxyPass /test balancer://mycluster
Apache httpd has two out-of-the-box options for proxying to any number of backend Tomcat instances:
mod_proxy_http
mod_proxy_ajp
They are configured identically to each other, except that the former uses the HTTP protocol for communication and the latter uses the AJP protocol and URLs that start with ajp:// instead of http:// for the backend server. Both can be configured for load-balancing, failover, etc. in the same way. You can proxy to completely separate Tomcat instances (i.e. no load-balancing: just separate backends) by providing separate proxy configuration for separate URL spaces (e.g. /app1 -> Tomcat1 and /app2 -> Tomcat2) or you can configure the two (or more) backend instances for load-balancing, etc.
Specifically, look at the documentation for the following httpd configuration directives:
<Proxy>
BalancerMember
ProxyPass
ProxyPassReverse
You can find documentation for all of these here:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html (General)
http://httpd.apache.org/docs/2.2/mod/mod_proxy_http.html (HTTP)
http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html (AJP)
http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html (load-balancer)
If you want to use the AJP protocol and you have more complex configuration needs, you can also use mod_jk (not mod_jk2, which is an old, dead, abandoned, completely irrelevant project, now). You can find out more about mod_jk on the Tomcat site here: http://tomcat.apache.org/connectors-doc/
mod_jk has a radically different configuration procedure and a lot more AJP-specific options than mod_proxy_ajp.
The (short) documentation you mentioned in your original post (from the old mod_jk2 docs) points to Apache httpd's mod_proxy_ajp and mod_proxy_balancer modules (though it points to the unstable httpd 2.1, which was the bleeding-edge at the time that documentation was written). You were on the right track: you just needed to keep reading. You can definitely proxy to as many backend instances of Tomcat as you want with any of the modules described here.
You can install HAProxy on a third server, which will work as a load balancer for both of them, or you can install HAProxy on either one of them and then do the following configuration.
To install HAProxy (if you're running an Ubuntu/Debian distro):
$ sudo apt-get install haproxy
# Setup config file in /etc/haproxy/haproxy.cnf per requirement
# change /etc/default/ to Enabled = 1 and restart haproxy service
after setup do following mods in config:
$ sudo vim /etc/haproxy/haproxy.cfg
global
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen webcluster *:80
    mode http
    stats enable
    stats auth us3r:passw0rd
    balance roundrobin
    option httpchk HEAD / HTTP/1.0
    option forwardfor
    cookie LSW_WEB insert
    option httpclose
    server web01 192.168.0.1:8080 cookie LSW_WEB01 check
    server web02 192.168.0.2:8081 cookie LSW_WEB02 check
Once done, restart HAProxy service by:
$ sudo service haproxy restart
Here 192.168.0.1 and 192.168.0.2 can be your two servers; one can be running on port 8080 and the other on 8081.
Ref. Post: http://www.leaseweblabs.com/2011/07/high-availability-load-balancing-using-haproxy-on-ubuntu-part-1/
You will also find online help if you google how to set up HAProxy on your Linux distribution if you're not using Ubuntu/Debian. But yes, you can bet on it, as it's a proven tool for the job.