Allow SSL to be enabled on Nginx #47

Closed
JonathanTron opened this Issue May 25, 2015 · 7 comments

Collaborator

JonathanTron commented May 25, 2015

No description provided.

@JonathanTron JonathanTron added this to the chef-grafana 2.0 milestone May 25, 2015

@lanyonm lanyonm added the 2.x label May 28, 2015

Collaborator

lanyonm commented Jun 6, 2015

Closing this as out of scope for this recipe.

@lanyonm lanyonm closed this Jun 6, 2015

Contributor

eheydrick commented Jun 19, 2015

SSL support would be beneficial especially since grafana now supports authentication. Would you consider a use_ssl attribute that enabled SSL in the nginx conf? Alternatively, one could supply their own template with whatever config they wanted.

Collaborator

JonathanTron commented Jun 19, 2015

Hi @eheydrick,
the reason SSL was marked as out-of-scope is the added complexity to handle it appropriately.
Let's say we take the easy path and allow one config use_ssl to enable it, we should then make sure we have a certificate/key to use: some nginx packages generate one by default (is it always the case? what about the source install?) or generate one ourselves (easy to do, but goes too far for this cookbook).

So let's say we take more options: use_ssl, ssl_crt_path and ssl_key_path, then the end-user is responsible for making the certificate and key available to nginx (with appropriate rights, etc.). But then we're responsible for making the SSL configuration secure, which is something we would then have to maintain and keep up-to-date.

The recommended way to use this cookbook being to create a wrapper cookbook, it makes far more sense to handle the nginx bits in it when the config becomes more sensitive. The default cookbook allows a quick up and running nginx config for discovery/dev/testing purposes, but is not meant to replace a secured production nginx configuration.

I hope to have clarified our POV on the matter; should you have any other remarks/propositions, don't hesitate.

Thanks for your participation.

Collaborator

lanyonm commented Jun 21, 2015

Hey @eheydrick,
As Jonathan explained, a production-ready SSL setup will be too specific to a given organization to create a useful generic nginx template. I found this to be the case when I began the implementation with the use-case of my organization as the sample. For example, my org uses HSTS and a relatively aggressive cipher list. Adding these to the grafana cookbook felt like scope creep for the cookbook.

I hope to write a brief blog post about how I added attributes to the template, and I'll add a link to that once it's published.

Cheers.

Contributor

eheydrick commented Jun 23, 2015

Makes perfect sense, thanks for the explanation. Implementing SSL via wrapper is the way to go.

Collaborator

lanyonm commented Jul 6, 2015

Here's the blog post about overriding a template resource to change the template and add variables: http://blog.lanyonm.org/articles/2015/06/28/grafana-chef-cookbook-nginx-ssl.html.

Cheers!
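
The wrapper-side approach the thread settles on, as an added example that is not part of the thread, the cookbook or the linked blog post: an ERB template (Chef templates are ERB) driven by the use_ssl, ssl_crt_path and ssl_key_path attributes named above, which refuses to render when the certificate or key is missing or the key is accessible to other users. The hsts_max_age, server_name and upstream names, the permission policy and the ssl_protocols line are assumptions of this example.

```ruby
require 'erb'

# use_ssl, ssl_crt_path and ssl_key_path are the attribute names from the
# thread; the other keys and their values are assumptions of this example.
DEFAULTS = { use_ssl: false, ssl_crt_path: nil, ssl_key_path: nil,
             hsts_max_age: nil, server_name: 'grafana.example.test',
             upstream: 'http://127.0.0.1:3000' }.freeze

# Chef templates are ERB, so plain ERB stands in for the wrapper's template.
SITE_TEMPLATE = ERB.new(<<~'CONF', trim_mode: '-')
  server {
  <% if use_ssl -%>
    listen 443 ssl;
    ssl_certificate     <%= ssl_crt_path %>;
    ssl_certificate_key <%= ssl_key_path %>;
    ssl_protocols       TLSv1.2 TLSv1.3;  # assumed baseline, set per organization
  <% if hsts_max_age -%>
    add_header Strict-Transport-Security "max-age=<%= hsts_max_age %>" always;
  <% end -%>
  <% else -%>
    listen 80;
  <% end -%>
    server_name <%= server_name %>;
    location / { proxy_pass <%= upstream %>; }
  }
CONF

# Returns the reasons a TLS-enabled render must be refused (empty when fine).
def tls_problems(attrs)
  return [] unless attrs[:use_ssl]
  problems = %i[ssl_crt_path ssl_key_path].reject { |k| attrs[k] && File.file?(attrs[k]) }
                                           .map { |k| "#{k}: file not found" }
  key = attrs[:ssl_key_path]
  # Policy assumed here: the private key must grant nothing to "other" users.
  if key && File.file?(key) && (File.stat(key).mode & 0o007) != 0
    problems << 'ssl_key_path: accessible to other users'
  end
  problems
end

# Renders the site config, failing closed instead of writing a broken TLS block.
def render_site(attrs)
  attrs = DEFAULTS.merge(attrs)
  problems = tls_problems(attrs)
  raise ArgumentError, problems.join('; ') unless problems.empty?
  SITE_TEMPLATE.result_with_hash(attrs)
end

puts render_site(use_ssl: false) if $PROGRAM_NAME == __FILE__
```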

lock bot commented Jul 24, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jul 24, 2018
