
Location code before server code in ssl_nodes #915

Closed
delhora opened this issue Oct 10, 2016 · 3 comments

Comments

@delhora

delhora commented Oct 10, 2016

Hello,

I've just installed the module and I've configured some vhosts, but I got some problems with ssl_node.

role.yaml

nginx::nginx_vhosts:
  'api_80':
    www_root: '/var/www'
    ensure: present
    listen_port: 80
    ssl: false
    server_name:
      - localhost
    listen_options: 'default_server'
    use_default_location: false
  'api_443':
    ensure: present
    www_root: '/var/www'
    ssl: true
    server_name:
      - localhost
    listen_port: '443'
    listen_options: 'default_server'
    ssl_port: '443'
    ssl_listen_option: true
    ssl_cert: '/etc/ssl/certs/mypem.pem'
    ssl_key: '/etc/ssl/private/mykey.key'
    use_default_location: false

nginx::nginx_locations:
  '/':
    location: '/'
    vhost: 'api_80'
    rewrite_rules:
      - "^/.* https://foobar.baz permanent"
    internal: true
  'nginx_status':
    location: '/nginx_status'
    vhost: 'api_80'
    stub_status: on
    location_cfg_append:
      'allow': '127.0.0.1'
      'deny': 'all'
  'v3':
    location: '/v3/'
    vhost: 'api_443'
    proxy_set_header:
      - "X-Forwarded-Host $host"
      - "X-Forwarded-Server $host"
      - "X-Forwarded-For $proxy_add_x_forwarded_for"
      - "X-Real-IP $remote_addr"
      - "Host $host"
    proxy_read_timeout: 1200s
    proxy: "http://foobar:9999/"
  '502':
    location: '/502.html'
    vhost: 'api_443'
    www_root: '/var/www'

and the result is two files (as expected):

api_80

# MANAGED BY PUPPET
server {
  listen *:80 default_server;
  server_name           localhost;

  root /var/www;
  index  index.html index.htm index.php;

  access_log            /var/log/nginx/api_80.access.log combined;
  error_log             /var/log/nginx/apiv_443.error.log;

  location / {
    internal;
    rewrite ^/.* https://foobar.baz permanent;
  }

  location /nginx_status {
    stub_status on;
    allow 127.0.0.1;
    deny all;
  }
}

And the wrong one...

api_443

  location /502.html {
    root      /var/www;
    index     index.html index.htm index.php;
  }

  location /v3/ {
    proxy_pass            http://foobar:8080/;
    proxy_read_timeout    1200s;
    proxy_connect_timeout 90;
    proxy_redirect        off;
    proxy_set_header      X-Forwarded-Host $host;
    proxy_set_header      X-Forwarded-Server $host;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      Host $host;
  }

# MANAGED BY PUPPET
server {
  listen       *:443 ssl default_server;
  server_name  localhost;

  ssl on;

  ssl_certificate           /etc/ssl/certs/mypem.pem;
  ssl_certificate_key       /etc/ssl/private/mykey.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/ssl-api_443.access.log combined;
  error_log             /var/log/nginx/ssl-api_443.error.log;

  root /var/www;
}

When I run a puppet apply, nginx fails because of the configuration option.

Any hint what is going wrong with the configuration and why the locations are printed first?

Thanks in advance!

@wyardley
Collaborator

wyardley commented Oct 11, 2016

See the notes in the README about mapping locations for SSL-only vhosts:

HTTPS only vhost

If you have set ssl => true and also set listen_port and ssl_port to the same value on the vhost, you will have a single HTTPS vhost listening on ssl_port. To add a location to this vhost set ssl => true and ssl_only => true on the location.

I'm not sure why, but it seems like it wants those parameters set. Your formatting is kind of off too in a couple of places, unless GitHub is mangling it. The following YAML seems to work for me:

---
classes:
  - nginx

nginx::nginx_vhosts:
  'api_80':
    www_root: '/var/www'
    ensure: present
    listen_port: 80
    ssl: false
    server_name: 
      - localhost
    listen_options: 'default_server'
    use_default_location: false
  'api_443':
    ensure: present
    www_root: '/var/www'      
    ssl: true
    server_name: 
      - localhost
    listen_port: '443'
    listen_options: 'default_server'
    ssl_port: '443'
    ssl_listen_option: true
    ssl_cert: '/etc/ssl/certs/mypem.pem'
    ssl_key: '/etc/ssl/private/mykey.key'
    use_default_location: false

nginx::nginx_locations:
  '/':
    location: '/'
    vhost: 'api_80'
    rewrite_rules:
      - "^/.* https://foobar.baz permanent"
    internal: true
  'nginx_status':
    location: '/nginx_status'
    vhost: 'api_80'
    stub_status: on
    location_cfg_append:
      allow: '127.0.0.1'
      deny: 'all'
  'v3':
    location: '/v3/' 
    vhost: 'api_443'
    ssl: true
    ssl_only: true
    proxy_set_header:
      - "X-Forwarded-Host $host"
      - "X-Forwarded-Server $host"
      - "X-Forwarded-For $proxy_add_x_forwarded_for"
      - "X-Real-IP $remote_addr"
      - "Host $host"
    proxy_read_timeout: 1200s
    proxy: "http://foobar:9999/"
  '502':
    location: '/502.html'
    vhost: 'api_443'
    ssl: true
    ssl_only: true
    www_root: '/var/www'

I get:

# cat api_443.conf 
# MANAGED BY PUPPET
server {
  listen       *:443 ssl default_server;
  server_name  localhost;

  ssl on;

  ssl_certificate           /etc/ssl/certs/mypem.pem;
  ssl_certificate_key       /etc/ssl/private/mykey.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/ssl-api_443.access.log combined;
  error_log             /var/log/nginx/ssl-api_443.error.log;

  root /var/www;

  location /v3/ {
    proxy_pass            http://foobar:9999/;
    proxy_read_timeout    1200s;
    proxy_connect_timeout 90;
    proxy_redirect        off;
    proxy_set_header      X-Forwarded-Host $host;
    proxy_set_header      X-Forwarded-Server $host;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      Host $host;
  }

  location /502.html {
    root      /var/www;
    index     index.html index.htm index.php;
  }
}

BTW, I think you can put locations inside the nginx::nginx_vhosts block if you want.
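As a check on the rendered file before reloading nginx (an added example, not code from puppet-nginx or this thread), the script below walks the brace structure of a config and reports every `location` block that is not enclosed by a `server` block, which is exactly the shape of the broken api_443 output above. The two sample configs are constructed from the thread, trimmed to the lines that matter.

```python
"""Added example (not part of puppet-nginx): flag nginx `location` blocks that
were rendered outside any `server` block, the symptom in this issue when a
location on an SSL-only vhost lacks `ssl: true` / `ssl_only: true`."""
import re

# A line that opens a block: a directive name, optional arguments, then '{'.
_BLOCK_OPEN = re.compile(r'^\s*(?P<name>[a-z_]+)\b[^{#]*\{\s*$')

def misplaced_locations(config_text):
    """Return [(line_number, line)] for every `location {` opened while no
    enclosing `server {` block is open; [] means the structure is sound."""
    stack = []   # names of the blocks currently open, outermost first
    bad = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            if m.group('name') == 'location' and 'server' not in stack:
                bad.append((lineno, raw.strip()))
            stack.append(m.group('name'))
        elif line.strip() == '}' and stack:
            stack.pop()
    return bad

# Constructed sample: trimmed copy of the broken api_443 rendering above.
BROKEN = """\
location /502.html {
  root /var/www;
}
location /v3/ {
  proxy_pass http://foobar:9999/;
}
server {
  listen *:443 ssl default_server;
}
"""

# Constructed sample: the same vhost once ssl/ssl_only are set on the location.
FIXED = """\
server {
  listen *:443 ssl default_server;
  location /v3/ {
    proxy_pass http://foobar:9999/;
  }
}
"""
```

Run it against `/etc/nginx/sites-available/api_443.conf` (or wherever the module writes the vhost) as a pre-reload step; a non-empty result names the locations that still need `ssl`/`ssl_only`.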

@delhora
Author

delhora commented Oct 11, 2016

@wyardley Thanks that did the trick!

I think GitHub was messing with my YAML :P

Thanks again for your help!

@wyardley
Collaborator

Glad that helped... even though it's in the docs (which is the only reason I was able to figure it out), I do think it could work in a slightly easier-to-use way.
