Skip to end of metadata
Go to start of metadata


This procedure describes how to use Apache's mod_proxy to provide an SSL front-end to the Chef Server Merb processes, without adding Passenger to the mix. This is tested on Debian and Ubuntu using the Opscode APT packages, and will require adjustment for other platforms' methods of configuring Apache.

New in Chef 0.8.x
The API and WebUI are separate, and run on separate ports on the Chef Server. This will require setting up multiple virtual hosts. Use two separate CNAMEs in your DNS, for example:
  • chef.example.com - API
  • chef-www.example.com - WebUI

The instructions below still require modification to reflect these changes, however, the Opscode Chef Cookbook recipe is up to date.

Configure and Start Chef-Server

The Chef Server is a Merb application, and the configuration file is /etc/chef/server.rb. Here's the minimum used in this configuration. Filesystem locations are FHS compliant per Debian Packaging. Adjust the locations for your platform requirements or preferences.

/etc/chef/server.rb

Once the configuration file is tweaked as required for your environment, start the chef-server. On systems with the Debian/Ubuntu


Install Apache

Install Apache for your platform. For example, on Debian-based systems, use APT:

Enable Apache Modules

The following Apache modules need to be enabled:

  • proxy
  • proxy_http
  • proxy_balancer
  • ssl
  • rewrite
  • headers

For Debian-based systems, use the a2enmod script.

See your platform's Apache documentation if you're not runnin Debian/Ubuntu.

Create Chef Server Virtual Host

Set up a vhost config file for the Chef Server. This will use the Proxy balancer for the Merb workers running on the localhost. Replace "server_fqdn" with the fully qualified domain name of the server.

/etc/apache2/sites-available/chef_server.conf

On Debian/Ubuntu systems, use a2ensite script to enable the vhost:

Add listen Port for the WebUI

Add Listen 444 to the Apache config. On Debian/Ubuntu, this is in /etc/apache2/ports.conf. Depending on your environment, you may need to enable access to port 444 on your firewall.

Default Port 80
If you're not using another web service running on port 80, you may wish to set up a mod_rewrite rule to force SSL.

Create SSL Certificates

If you're using the Chef Repository, you can use the ssl_cert rake task to create a self-signed certificate.

If you purchased an SSL certificate, you can use that instead, be sure to name it appropriately and change the vhost configuration as required.

Chef Repository
We recommend using the Chef Repository, anyway. The Rakefile provides a number of helpers for maintaining Chef, and it is a convenient way to get started using a Version Control System for your infrastructure's configuration.

(Re)Start Apache

With all the proper bits in place, (re)start Apache.

Client Configuration

The following configuration is required for clients to connect to the Chef server.

/etc/chef/client.rb

Replace server_fqdn with the server's fully qualified domain name.

Next Steps

Point your browser at https://server_fqdn:444, where server_fqdn is the server you just configured. You should get the login page.

Labels:
None
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

4 Comments

comments.show.hide

  1. Sep 17, 2009

    Erik Speckman

    So, why is this preferable to the apache + passenger approach (or is it)?

    1. Sep 18, 2009

      Joshua Timberman

      This will be the new default recommendation for configuring an SSL-frontend for Chef because it works well with both RubyGems installations and Platform-specific packages. Not all platforms have Passenger available as a package that can be added as a dependency (e.g., Debian/Ubuntu). We will still make a passenger recipe available for the Chef server, but it won't be the default.

  2. Mar 09, 2010

    Robert J. Berger

    Is there an example for doing the same with Nginx?

  3. Apr 12, 2011

    Benedikt Böhm

    nginx version