小贝子编程

如何使用管理控制台和nginx反向代理安装chef服务器



我正在尝试在我当前的nginx Web服务器环境中集成一个厨师服务器。

不幸的是,如果我调用https://chef.example.com而不是重定向到https://chef.example.com/login(这会起作用),nginx会重定向到https://chef.example.com:4000/login(这不起作用)。

我的配置:

/etc/opscode manage/manage.rb:

public_port 443
webapp.port 443

/etc/opscode/chef服务器.rb:

server_name = "chef.example.com"
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/#{server_name}.key"
nginx['non_ssl_port'] = 4001
nginx['ssl_port'] = 4000

/etc/nginx/sites-available/example.com/chef:

server {
  listen 80;
  server_name chef.example.com;
  return 301 https://$server_name$request_uri;  # enforce https
  port_in_redirect off;
}
server {
  listen 127.0.0.1:443 ssl;
  server_name chef.example.com;
  ssl_certificate /etc/nginx/ssl/example.com/chef.example.com.crt;
  ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
  location / {
    gzip off;
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;
    proxy_pass https://127.0.0.1:4000;
  }
}

这是通过curl:向https://chef.example.com发出的请求

> curl -Sv --insecure https://chef.example.com 
* Rebuilt URL to: https://chef.example.com/
*   Trying 62.[...] ...
* Connected to proxy (62.[...] ) port 3128 (#0)
* Establish HTTP proxy tunnel to chef.example.com:443
> CONNECT chef.example.com:443 HTTP/1.1
> Host: chef.example.com:443
> User-Agent: curl/7.46.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection established
< 
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*        subject: C=US; O=YouCorp; OU=Operations; CN=chef.example.com
*        start date: Dec 17 11:19:51 2015 GMT
*        expire date: Dec 14 11:19:51 2025 GMT
*        issuer: C=US; O=YouCorp; OU=Operations; CN=chef.example.com
*        SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: chef.example.com
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.4.7
< Date: Mon, 21 Dec 2015 08:33:09 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 302 Found
< Strict-Transport-Security: max-age=631138519
< X-Frame-Options: DENY
< X-WebKit-CSP: default-src 'self' chrome-extension:; connect-src 'self' chrome-extension:; font-src 'self' themes.googleusercontent.com chrome-extension:; frame-src 'none' chrome-extension:; img-src 'self' https://ssl.google-analytics.com chrome-extension: data:; media-src 'none' chrome-extension:; object-src 'none' chrome-extension:; script-src 'self' https://ssl.google-analytics.com 'unsafe-inline' 'unsafe-eval' chrome-extension:; style-src 'self' 'unsafe-inline' fonts.googleapis.com chrome-extension:; script-nonce 2ec8a63645785f329650e82150502b62;
< X-XSS-Protection: 1
< Location: https://chef.example.com:4000/login
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< Set-Cookie: chef-manage=01f350576b270bbfb72fa8f17c0ba28e; path=/; secure; HttpOnly
< X-Request-Id: e89cbb4417b658e8fb857c786747fe1d
< X-Runtime: 0.018629
<
* Connection #0 to host proxy left intact
<html><body>You are being <a href="https://chef.example.com:4000/login">redirected</a>.</body></html>%

在chef文档中没有任何关于如何使用chef服务器设置反向代理的建议。

知道如何调整配置以停止nginx(或chef)重定向到端口4000吗?

这真的不起作用。你最终可以对它进行装配,但需要相当复杂的厨师服务器配置才能实现。厨师服务器是一种设备,它希望至少在一定程度上控制机器。症结通常是让它与Bookshelf生成的URL一起工作。

也就是说,proxy_redirect可能会解决眼前的问题。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium