How to enable https support #8
Nothing special, but a few steps:
Thank you for the quick response. I am just reinstalling the server with the newest version of your script. Will try it after.
I am having a new problem with SSL. There are no errors on verify, but when I restart nginx I get:
li71-22:/var/log/nginx# /etc/init.d/nginx restart
linuxgeneral: I think this is due to nginx not killing all processes upon restart... I've noticed this as well (lots!). Maybe we need a new bugfixed version of nginx. If I run a killall nginx as root, nginx will start just fine, but if I try to restart the service, it tells me it can't bind.
nginx is segfaulting. I found these errors on the console. I am going to reboot and take a better look at the system logs on startup.
li71-22:~# warning: process
killall nginx and starting nginx worked for me, and I had to run it after a verify on any SSL site to get it working. In addition, I think the certificate directory should be shared for all instances to allow wildcard and multi-domain certs to be used without requiring an additional IP. On reboot I still get:
This "deprecated sysctl system call" is irrelevant and "correct" (I mean, by design), see: http://marc.info/?l=nginx&m=120428158303541&w=2 Right now it appears that Debian Lenny secure updates (only for contrib and non-free) are broken for all, and the install can result in unexpected errors not related to Barracuda and Aegir. We need to temporarily change (and rewrite already installed) our We will confirm when the workaround is ready to use (it is tested now). Also, the nginx init script is now much better (Barracuda replaces it on upgrade), so standard reload and restart should work without issues. As for SSL - please open a separate issue.
Yeah, I think the sysctl is not an issue, of course. Omega, are you saying that you've updated the script w/ a new init script that will solve the manual kill requirement when restarting nginx?
The new init script should work better. However, on every site create/verify it runs reload, not a full restart, so I'm not sure if that can still affect SSL-related changes.
Shared SSL cert and secure login are now enabled "out of the box" (including Chive). We can now skip the 6 steps listed above.
Looking for a few bits of advice... Just did an update and noticed the cert's Common Name was *.$_THISHOST, and I'm not sure how to change it or if I should. I can access Chive via https, but I can still access it via http, unlike Aegir which is being forced to https.
Hello, to replace self-signed certs with your own, real certs, run this:
cd /etc/ssl/private
Only hostmaster instances have forced SSL now, while both Chive and Collectd are by design available in http and https mode. Kind Regards,
Here is how I got multiple verified certs working for individual sites with the SSL features enabled. As this is work in progress, it may be subject to change. Note: You should always test this on a non-production server and have tested restoring your backup files before trying this on a live production site.
In this model, does each SSL-enabled site need to be running on an Octopus instance?
No, a single instance can manage multiple domains and certificates. I am currently using separate instances for user access privileges to the sites' file system.
Keep in mind that this is all work in progress. Omega8 contrib is ahead of Aegir core. We are kicking the tires as we go on this bleeding edge. I believe this is the future of Drupal. Posting results will help with documentation.
Is a separate IP address needed for each domain with SSL?
A separate IP is needed for each installed certificate. Multi-domain and wildcard certificates will allow additional domains and sub-domains on the same cert (not supported by IE6). For $49.00 you can get unlimited certs at: http://www.startssl.com/
Although Aegir can create a self-signed cert, after step 7 I did this to create a new self-signed cert with my own info (just so it looks nice):
$ cd /data/disk/(your-octopus-instance)/config/ssl.d/
$ openssl req -new -nodes -keyout myssl.key -out myssl.csr
(fill in the form)
$ openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt
Continue with step 8.
"Posting results will help with documentation." Everything worked fine for me, with no problems, until I ran out of IPs. Then I decided I should actually try and get the Octopi to have individual certs with their own IP, which was a bit disastrous (but fun). I can get mydomain.com to appear with the generic under construction page. I know that this DNS stuff is all work in progress, but I was wondering how you got it working, linuxgeneral. http://github.com/omega8cc/nginx-for-drupal/issues/issue/73
Looking at your 10-step instructions above: If I have Barracuda installed on server.example.com and Octopus at octopus.example.com, and want to install a 3rd-party verified SSL cert on a site that is on the Octopus instance, do I do steps 1 and 2 on octopus.example.com?
@arelqgold Yes, and also for each hostmaster instance that manages sites that would use the 3rd-party certificate you installed, as could be the case for wildcard or multiple-domain certs. One thing to note is that as of Alpha14, the hostmaster instance will not be aware of a cert that it did not create. To configure an existing certificate for an additional hostmaster instance, type the certificate name in the "New encryption key" field of the create site screen while "Generate a new encryption key" is selected. Your existing cert will then be available on future new site installs for that hostmaster instance. You also have to be careful not to generate certificates that you don't have IP addresses for nginx to bind the cert with. In some cases I have had to manually delete certificates because nginx would not start on boot. Where should I open this issue?
I can't reproduce it. I was able to restart Nginx and reboot the VM w/o any issue while using the global self-signed cert/SSL proxy and valid true certs for sites managed in Octopus instances on the same (one) IP. I tested it with Safari, Chrome, Opera and FF on a Mac. Please open a new issue and include more details so we could analyze it better.
Also, when using true, signed certs, I recommend adding self-signed certs in Aegir first and then only replacing the content of those files, without touching their filenames etc.
I purchased valid certificates and got it working after chatting with omega8cc, without multiple IP addresses, but with a separate Octopus instance for each domain with an SSL cert. Only one problem, which I'll file a separate issue for: in some browsers, including the factory browser on my Droid X and IE6, I get a security warning that the cert doesn't match the domain name. Somehow those browsers are picking up the wildcard cert for *.myserver.mydomain.com and not the individual, valid cert.
@arielqgold However, some browsers, like IE6, do not support it. Be sure to view the offending cert in your complaining browser. You may see that it is the valid cert. If not, you may have to append the key file supplied by your certificate provider to get it to work. Don't forget to clear the stored self-signed certs from your modern browser when you test it.
@omega8cc
@omega8cc "We can't enable Wildcard HTTPS Proxy for all your hosted sites, If you wish to use provided now by Barracuda Wildcard HTTPS Proxy, We will continue in 30 seconds..." I unselected nginx on all Octopus servers and ran the Barracuda upgrade again. All platforms reverified, and sites that were not SSL-enabled are accepting SSL connections. Does this mean we now have a full SSL proxy? If so, this eliminates several steps above, at least for the first cert. Nice work Grace!
So you're saying I can somehow avoid getting IE6 or other browsers to give a security alert? Can you explain how? Just to clarify, when I visit example.com (which has a valid cert installed per your instructions above) a security alert comes up saying it is a valid cert, but that it doesn't match the domain. Then when I view the cert, I see that it doesn't show the cert installed for example.com but the wildcard cert *.aegirserver.mydomain.com.
If your commercial cert is for a single domain and configured properly, IE6 will not complain. IE6 will always complain about a wildcard cert, and all browsers will on self-signed certs until they are installed in the browser during the initial error. Based on the recent update noted above, the install instructions will be much simpler. A more detailed discussion is here: The other instructions above would now be for multiple certs and IP addresses, but let's let omega8cc chime in with the intended use case.
That's good to hear. Do you think you can help me get there?
Well, there is nothing like "the intended use case". Instead, we are listening to your suggestions and trying to introduce some handy defaults. In this case the basic concept is simple: every site can use the HTTPS proxy (and you can replace its cert with your "valid" cert), while on the same server you should be able to use any number of certs enabled per site (and per Octopus instance) using Aegir's built-in SSL feature. Plus, we are forcing SSL mode for all Octopus-based hostmasters. We are open to ideas on how it can be improved.
Octopus is serving the certificate properly. You may have to clear your browser certificates and cache. Did you chain your cert from the Authority Certificates Repository? It is located here:
It looks like you have the ability for 2 modes or use cases for SSL.
I am considering using the default domain redirect for admin access to all domains by default. This would be a nice hosting feature to implement. One question I have is: How can I set the sites to encryption required outside of Aegir that will be supported by you in the future?
I have a feeling you are mixing some unrelated stuff here. I'm not sure what you mean in the 1, the entire SSL stuff has no relation to performance delivered by Pressflow. Of course the HTTPS protocol is slower, but I don't understand how you see any difference between using a server-wide HTTPS proxy and SSL enabled for a site using the Aegir SSL feature. There is also already enabled global SSL optimization for all SSL requests, and it doesn't matter if they go via proxy or via an Aegir SSL-enabled vhost. Remember: all vhosts and the HTTPS proxy share the same Nginx engine and configuration. The 2 is something I don't understand completely, could you explain it in more detail? Again, I have a feeling you are using some "shortcuts" in this explanation, which are not known to the reader and not obvious even for the Barracuda author :) Regarding forced/required SSL connections for only some URLs, there are modules to do just that, but there are known issues with such setups, fixed in D7 by using 2 cookies: plain and secure, so you can safely click between HTTP and HTTPS parts of your site and you will not lose the sessions, and there is no risk your secure cookie will be sent over plain HTTP. In general, we should always be compatible with those solutions, since we operate on a low level here and the entire sessions stuff must be managed properly on the app (Drupal) level. See also: http://drupal.org/node/1577 At any rate, at the Barracuda/Aegir/Nginx level we will always work on making things transparent when it comes to HTTPS, so you should be able to introduce/use your own preferred modules/tweaks on the app level. Of course some global stuff could be added in global.inc. Suggestions are more than welcome.
Even after purchasing a valid cert I'm still having problems. This time it's with IE8 on XP, where example.com gives a certificate error saying that the cert for *.barracuda.mydomain.com doesn't match example.com. I don't need wildcard SSL, so I thought that disabling the wildcard cert might help as a workaround. Per omega8cc's instructions I removed /var/aegir/config/server_master/nginx/pre.d/nginx_wild_ssl.conf and commented out forced SSL in /var/aegir/config/includes/global.inc lines 35-38. Then I got a cert error, this time complaining that the cert for example2.com doesn't match the site name example.com. So I tried to log in to Octopus to disable encryption on example2.com, but I still get redirected to https, confirm a security exception, and get a 403 error on https://octopus.mydomain.com/install.php. So I put the wildcard cert back, uncommented the lines, logged into Octopus, disabled encryption on example2.com, got rid of the wildcard cert, re-commented the lines, and finally IE8 doesn't give any errors with an https connection on example.com. This workaround seems like it will only allow you to have a single site working with SSL, and breaks the UI of Octopus.
This is probably because IE doesn't support TLS/SNI on Windows XP - see: http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers
OK. Is there a way to support Windows XP? I came across this: http://nginx.org/en/docs/http/configuring_https_servers.html Will adding IP addresses fix the issue?
Since Win XP doesn't support TLS/SNI, you need to add more IPs (as separate server nodes in Aegir) or create separate Octopus instances for every SSL-enabled IP/domain. Of course adding more SSL-enabled servers with separate IPs on the same Aegir instance is much easier to manage, while using separate Octopus instances is really not a good idea in this case.
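The two technical threads above, the self-signed cert generation with openssl (the step 7 recipe) and the SNI limitation of IE on Windows XP, as one added shell example that is not part of this issue or of the Barracuda/Octopus scripts. It creates a wildcard cert and a per-domain cert non-interactively (adding a subjectAltName, since browsers now ignore the CN when a SAN is present), then runs a local openssl s_server that holds the wildcard cert as default and hands out the per-domain cert only when the client names that domain via SNI. A client that sends no SNI, as IE on XP does, receives the wildcard cert, which is exactly the "cert doesn't match the domain" mismatch reported above. The domain example.com, the work directory and the port are constructed placeholders; a single IP per certificate, as suggested in the thread, is the fix for such clients.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Barracuda/Octopus project.
# (1) non-interactive self-signed cert creation with openssl, and
# (2) which certificate a TLS client gets with and without SNI when one
#     IP/port serves several certs (the IE-on-Windows-XP case from the thread).
# All names below (example.com, the work dir, the port) are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do"; exit 0; }

WORK="${TMPDIR:-/tmp}/sni-demo.$$"
PORT=14433            # constructed; any free local port works
SERVER_PID=
mkdir -p "$WORK"
cleanup() {
    if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
    rm -rf "$WORK"
}
trap cleanup EXIT

# make_cert NAME CN: self-signed cert carrying CN both as subject CN and as a
# DNS subjectAltName. Non-interactive equivalent of the `openssl req` /
# `openssl x509` steps in the thread (-subj replaces "fill in the form").
make_cert() {
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# cert_cn FILE: print the subject of a PEM certificate, e.g. "CN=example.com".
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# start_server: the wildcard cert is the default; the per-site cert is only
# selected when the client's SNI matches example.com (s_server -servername).
start_server() {
    openssl s_server -accept "$PORT" -quiet -www \
        -cert "$WORK/wild.crt" -key "$WORK/wild.key" \
        -servername example.com -cert2 "$WORK/site.crt" -key2 "$WORK/site.key" \
        </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1           # give the server a moment to bind the port
}

# served_cn NAME|none: subject of the cert the server presents to a client;
# "none" connects without SNI, as a TLS/SNI-unaware browser would.
served_cn() {
    if [ "$1" = none ]; then opt=-noservername; else opt="-servername $1"; fi
    echo | openssl s_client -connect "127.0.0.1:$PORT" $opt 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/^subject= *//'
}

make_cert wild '*.example.com'
make_cert site example.com
echo "wildcard cert subject: $(cert_cn "$WORK/wild.crt")"
echo "per-site cert subject: $(cert_cn "$WORK/site.crt")"

start_server
echo "client with SNI example.com gets:   $(served_cn example.com)"
echo "client without SNI (IE on XP) gets: $(served_cn none)"
```

Run it as a plain script; it needs only openssl and a free loopback port. The second line of output is the mismatch the thread describes: without SNI the server cannot tell which vhost is wanted and falls back to the default (wildcard) certificate, so the only remedies are a dedicated IP per certificate or one certificate (multi-domain or wildcard) covering every name on that IP.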
I logged into the Barracuda instance at aegir.mydomain.com and did create content -> server: Then the verify fails with:
I have SSH on a nonstandard port not permitting root login. I have two IP addresses pointed at the same physical server and wasn't anticipating needing to remotely access it. I suspect I added the server incorrectly. What am I doing wrong? Does it need to remotely access the same machine?
Adding only a web server can cause unexpected results like this one. Try to add another server with the same settings for the MySQL server. Previously, adding more IPs to the existing server also worked (without creating another), but then they changed http to listen on wildcard instead of on IP for Apache, and I'm not sure how it is expected to work in the future. We need to test it better.
If I add a new server with a new IP address, how do I move a site to use SSL from that server?
This is probably a good question to post/add to the docs on the Aegir community site, since it is not Barracuda/Nginx specific.
I answered it myself. I basically copied the platform from the primary Barracuda server to the new Octopus instance with its own IP, then copied my site folder over, deactivated the old site, and added the platform in the Octopus UI. It recognized my site afterwards and verified it. Changed the site to use nginx_ssl and had it make a new key for me. Bought an SSL certificate, then copied my certs into the placeholder that Aegir sets up, and re-verified. Seemed to work OK. Now, possibly this was an insanely dumb and slow way, but I hope it helps a lost soul. Feature request? Migrate a platform + a site of choice on it to another instance of Aegir (Octopus).
Migrating platforms/sites between Octopus instances is already on our wish list and todo. Thanks for sharing your how-to.
Q? Is this necessary: https://github.com/omega8cc/nginx-for-drupal/blob/master/docs/SSL.txt - I really appreciate the help, but at the top it recommends Aegir's built-in SSL handling. If I have a Barracuda instance hosting one SSL-enabled site and then an Octopus instance hosting one SSL-enabled site, and the Barracuda webserver aegir.mydomain.com has 2 IP addresses listed, will Site A and Site B get SSL certs delivered properly? I'm experiencing an issue where the Barracuda instance site is receiving the certificate for the Octopus site. Ideas here? Again, thanks!
After running your amazing install script everything seems to work. But I can access Aegir only on http, but not https.
Do I have to do something special to enable ssl support for Nginx?