Opscode

How to Proxy Chef Server with Apache

This procedure describes how to use Apache's mod_proxy to provide an SSL front-end to the Chef Server Merb processes, without adding Passenger to the mix. This is tested on Debian and Ubuntu using the Opscode APT packages, and will require adjustment for other platforms' methods of configuring Apache.

New in Chef 0.8.x

The API and WebUI are separate, and run on separate ports on the Chef Server. This will require setting up multiple virtual hosts. Use two separate CNAMEs in your DNS, for example:

  • chef.example.com - API
  • chef-www.example.com - WebUI

These instructions and the Opscode Chef Cookbook recipe are still being modified to reflect the changes.

Configure and Start Chef-Server

The Chef Server is a Merb application, and the configuration file is /etc/chef/server.rb. Here's the minimum used in this configuration. Filesystem locations are FHS compliant per Debian Packaging. Adjust the locations for your platform requirements or preferences.

/etc/chef/server.rb

Once the configuration file is tweaked as required for your environment, start the chef-server. On systems with the Debian/Ubuntu

Install Apache

Install Apache for your platform. For example, on Debian-based systems, use APT:

Enable Apache Modules

The following Apache modules need to be enabled:

  • proxy
  • proxy_http
  • proxy_balancer
  • ssl
  • rewrite
  • headers

For Debian-based systems, use the a2enmod script.

See your platform's Apache documentation if you're not running Debian/Ubuntu.

Create Chef Server Virtual Host

Set up a vhost config file for the Chef Server. This will use the Proxy balancer for the Merb workers running on the localhost. Replace "server_fqdn" with the fully qualified domain name of the server.

/etc/apache2/sites-available/chef_server.repo

On Debian/Ubuntu systems, use the a2ensite script to enable the vhost:

Add Listen Port for the WebUI

Add Listen 444 to the Apache config. On Debian/Ubuntu, this is in /etc/apache2/ports.conf. Depending on your environment, you may need to enable access to port 444 on your firewall.

Default Port 80

If you're not using another web service running on port 80, you may wish to set up a mod_rewrite rule to force SSL.
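
The vhost, Listen and port 80 steps above, combined in one sketch. This is an added example, not the configuration file from the original page. It assumes the API Merb process answers on 127.0.0.1:4000 and the WebUI on 127.0.0.1:4040, uses placeholder certificate paths, and uses Apache 2.2 access-control syntax.

```apache
# Added example; not the vhost file from the original page.
# Assumed: API backend on 127.0.0.1:4000, WebUI backend on 127.0.0.1:4040,
# placeholder certificate paths. "Listen 444" goes in ports.conf as described above.

# Port 80: send plain-HTTP requests to the SSL vhost (mod_rewrite).
<VirtualHost *:80>
  ServerName server_fqdn
  RewriteEngine On
  RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

# Port 443: Chef Server API.
<VirtualHost *:443>
  ServerName server_fqdn
  SSLEngine On
  SSLCertificateFile    /path/to/server_fqdn.crt
  SSLCertificateKeyFile /path/to/server_fqdn.key
  # Reverse proxy only; "ProxyRequests On" would create an open forward proxy.
  ProxyRequests Off
  <Proxy balancer://chef_api>
    BalancerMember http://127.0.0.1:4000
    # Apache 2.2 syntax; on 2.4 use "Require all granted".
    Order deny,allow
    Allow from all
  </Proxy>
  # Tell the backend the client connection was HTTPS (mod_headers).
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPreserveHost On
  ProxyPass        / balancer://chef_api/
  ProxyPassReverse / balancer://chef_api/
</VirtualHost>

# Port 444: Chef WebUI, same pattern with its own balancer.
<VirtualHost *:444>
  ServerName server_fqdn
  SSLEngine On
  SSLCertificateFile    /path/to/server_fqdn.crt
  SSLCertificateKeyFile /path/to/server_fqdn.key
  ProxyRequests Off
  <Proxy balancer://chef_webui>
    BalancerMember http://127.0.0.1:4040
    Order deny,allow
    Allow from all
  </Proxy>
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPreserveHost On
  ProxyPass        / balancer://chef_webui/
  ProxyPassReverse / balancer://chef_webui/
</VirtualHost>
```

Run `apache2ctl configtest` before restarting. If the Merb processes listen on anything other than the loopback address, clients can reach them directly and bypass the SSL front-end.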

Create SSL Certificates

If you're using the Chef Repository, you can use the ssl_cert rake task to create a self-signed certificate.

If you purchased an SSL certificate, you can use that instead. Be sure to name it appropriately and change the vhost configuration as required.

Chef Repository

We recommend using the Chef Repository, anyway. The Rakefile provides a number of helpers for maintaining Chef, and it is a convenient way to get started using a Version Control System for your infrastructure's configuration.

(Re)Start Apache

With all the proper bits in place, (re)start Apache.

Client Configuration

The following configuration is required for clients to connect to the Chef server.

/etc/chef/client.rb

Replace server_fqdn with the server's fully qualified domain name.

Next Steps

Point your browser at https://server_fqdn:444, where server_fqdn is the server you just configured. You should get the login page.

  1. Sep 17, 2009

    Erik Speckman says:

    So, why is this preferable to the apache + passenger approach (or is it)?

    1. Sep 18, 2009

      Joshua Timberman says:

      This will be the new default recommendation for configuring an SSL-frontend for Chef because it works well with both RubyGems installations and Platform-specific packages. Not all platforms have Passenger available as a package that can be added as a dependency (e.g., Debian/Ubuntu). We will still make a passenger recipe available for the Chef server, but it won't be the default.

  2. Mar 09

    Robert J. Berger says:

    Is there an example for doing the same with Nginx?


Copyright © 2009 Opscode, Inc. All Rights Reserved.