duelinmarkers edited this page Apr 16, 2011 · 2 revisions

Note: This manual process is not recommended for a production server. Please see Production Server Setup.

Here are the steps taken to set up SSL on dev.rapidftr.com. Similar steps worked on Hume's Mac laptop, with differences below.

# created certificate and key files as described here: http://www.akadia.com/services/ssh_test_certificate.html

gem install passenger  # to upgrade to 3.0.0, which builds nginx w/ SSL by default

sudo /path/passenger-install-nginx-module  # to rebuild nginx
# which failed because no libcurl w/ ssl headers, so
sudo apt-get install libcurl4-openssl-dev  # as instructed by passenger install

sudo /path/passenger-install-nginx-module
# <1> ("Yes: download, compile and install Nginx for me. (recommended)")
# <Enter> for default prefix dir

sudo vim /opt/nginx/conf/nginx.conf  # to create ssl servers on 443 and 3443
# add this inside the http block:
server {
    listen       443;
    server_name dev.rapidftr.com;

    ssl                  on;
    ssl_certificate      /home/jorge/rapidftrdev.crt;
    ssl_certificate_key  /home/jorge/rapidftrdev.key;

    ssl_session_timeout  5m;

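    # as configured in 2011: SSLv2 and SSLv3 are broken protocols, and this cipher
    # string still admits RC4, LOW and export suites through ALL
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;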
    ssl_prefer_server_ciphers   on;

    passenger_enabled on;
    rails_env production;
    root /home/jorge/Code/RapidFTR-prod/public;
}
# and likewise for 3443, with a different port, rails_env, and root.

sudo /opt/nginx/sbin/nginx -t  # to test config
# /etc/init.d/nginx doesn't do anything! I wasted a lot of time before I realized that!
sudo /opt/nginx/sbin/nginx -s stop  # to shut down
sudo /opt/nginx/sbin/nginx  # to start back up
# sudo /opt/nginx/sbin/nginx -s reload might have worked as well

ufw allow 3443/tcp  # to open firewall rule for this weird uat SSL port

# then set up the port 80 server to rewrite all requests to https
server {
    listen 80;
    server_name dev.rapidftr.com;
    rewrite ^(.*) https://dev.rapidftr.com$1 permanent;
}
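
A check for the TLS directives in the 443 server block above, added here as an example and not part of the original wiki page: it flags legacy protocol versions, weak cipher-string tokens and the obsolete `ssl on;` form. The function names, the token heuristics and the hardened sample are assumptions.

```shell
# Added example, not from the original page: heuristic audit of nginx TLS directives.
# Prints "LINE: finding" per issue and returns 1 if any; reads files or stdin.
audit_nginx_tls() {
    awk -v sq="'" '
    function report(msg) { printf "%d: %s\n", NR, msg; bad = 1 }
    { sub(/#.*/, "") }                              # drop comments
    $1 == "ssl" && $2 ~ /^on;?$/ { report("obsolete directive: ssl on (use listen ... ssl)") }
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) report("weak protocol " p)
        }
    }
    $1 == "ssl_ciphers" {
        spec = $2; sub(/;$/, "", spec); gsub(sq, "", spec); gsub(/"/, "", spec)
        n = split(spec, tok, ":")
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /^[!-]/) continue               # exclusions are fine
            sub(/^\+/, "", t)                       # a leading + only reorders
            if (t ~ /^(ALL|LOW|EXP|SSLv2|aNULL|eNULL)$/ || t ~ /RC4|DES|MD5|EXPORT/)
                report("weak cipher token " tok[i])
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the TLS-related lines of the 443 server block on this page.
sample_weak() {
    cat <<'EOF'
    listen       443;
    ssl                  on;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
EOF
}

# Constructed sample: a restricted equivalent (the cipher list is an assumption).
sample_hardened() {
    cat <<'EOF'
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
EOF
}

sample_weak | audit_nginx_tls || true
sample_hardened | audit_nginx_tls && echo "hardened sample: no findings"
```

Run it against a real file with `audit_nginx_tls /opt/nginx/conf/nginx.conf`; the token match is a heuristic and does not expand the cipher string the way OpenSSL does.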

On Hume's Mac laptop, SSL setup was very easy.

  • generated a certificate for local.rapidftr.com and put an entry in /etc/hosts to point that name at 127.0.0.1.
  • built nginx to a directory in my home so I didn't have to sudo except to start it (with port 80 and 443).
  • didn't have to do anything with firewall rules.
  • set rails_env development so code would reload as normal.