SSL

1 view
Skip to first unread message

Martin Sweeney

unread,
Oct 9, 2008, 5:51:03 PM10/9/08
to scalr-discuss
Hi all,

I'd appreciate some pointers on how to get https://www.mydomain.com
set up on scalr.net

Am I correct in thinking that the SSL matters are handled by nginx? Is
there some documentation or recommended reading on this subject (with
more of a focus on php apps)

At what point does Apache on app instances come into the equation? Or,
is it never relevant?

I see that php is configured with openssl - why might this be useful
to me?

Thanks in advance for your help and tolerance with my ignorance.

Martin Sweeney

Alex Kovalyov

unread,
Oct 10, 2008, 7:29:50 AM10/10/08
to scalr-discuss
Replied in http://groups.google.com/group/scalr-discuss/t/10f6076adf52fb08
For some reason ggl considered it a new thread.

On 10 окт, 00:51, Martin Sweeney <martin.swee...@gmail.com> wrote:
> Hi all,
>
> I'd appreciate some pointers on how to gethttps://www.mydomain.com

mikeytag

unread,
Oct 10, 2008, 3:22:00 PM10/10/08
to scalr-discuss
Hi Martin,
Here is what I did to get ssl working. Your first problem is that more
than ssl certificates require unique ips for each certificate. Given
the fact that scalr may grow your www instances automatically, this
can quickly become a problem.

To work around this problem I purchased a multi domain ssl cert from
Godaddy. This is an ssl cert that allows you to add domains and
subdomains at will up to a certain amount, and the good news is that
it is all contained in one cert! BTW, I have multiple domains running
in Scalr so this is an issue for me, but if you only have 1 domain
than you can buy any 1 cert you want.

Here are the steps I did to set this up on nginx:

1. Create key and csr
2. Purchase certificate with csr
3. Download cert (If you do the multiple domain cert add the contents
of gd_bundle.crt to the bottom of yourdomain.com.crt)
4. Put your cert in /etc/nginx/certs (I also put my csr and key files
there as well)
5. chmod 600 /etc/nginx/certs/*
6. edit /etc/nginx/nginx.conf
# add the following info directly after the server section for port 80
server {
listen 443;
ssl on;
# path to your certificate
ssl_certificate /etc/nginx/certs/godaddy_15_domain.crt;
# path to your ssl key
ssl_certificate_key /etc/nginx/certs/godaddy_15_domain.key;

if ( $remote_addr = 127.0.0.1 ) {
rewrite ^(.*)$ /500.html last;
return 302;
}

location / {
proxy_pass http://backend;
proxy_buffering on;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header HTTPS on;
error_page 500 501 = /500.html;
error_page 502 503 504 = /502.html;
}

location /500.html {
root /var/www/nginx-default;
}

location /502.html {
root /var/www/nginx-default;
}
}
7. /etc/init.d/nginx restart
8. Enjoy SSL goodness!

*Take special note of the line that says proxy_set_header HTTPS on.
The way this works is nginx will proxy all the requests that come in
on port 443 to port 80 on your app servers. This little goodie gives
me an environment variable on the app server that let's me know the
connection is secure. Then I can do things in PHP like redirect to
https if that variable is not on. Oh and for some reason the variable
comes through as HTTP_HTTPS. So I can reference it via
$_SERVER['HTTP_HTTPS'];

Hope this helps!
Mike

Once you download the cert you add the contents of gd_bundle.crt to
the bottom of yourdomain.com.crt

On Oct 9, 2:51 pm, Martin Sweeney <martin.swee...@gmail.com> wrote:
> Hi all,
>
> I'd appreciate some pointers on how to gethttps://www.mydomain.com

mikeytag

unread,
Oct 10, 2008, 3:28:14 PM10/10/08
to scalr-discuss
Sorry, I just took a look at the wiki here: http://code.google.com/p/scalr/wiki/HTTPS

I thus changed my ssl server section to include there recommendations
(i.e. ssl_session_timeout) that I didn't have before. My ssl server
section in /etc/nginx/nginx.conf now looks like this:

server {
listen 443;
ssl on;
# path to your certificate
ssl_certificate /etc/nginx/certs/godaddy_15_domain.crt;
# path to your ssl key
ssl_certificate_key /etc/nginx/certs/godaddy_15_domain.key;

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:
+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

location / {
proxy_pass http://backend;
proxy_buffering on;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header HTTPS on;

client_max_body_size 10m;
client_body_buffer_size 128k;

proxy_connect_timeout 15;
proxy_intercept_errors on;
}
}

On Oct 9, 2:51 pm, Martin Sweeney <martin.swee...@gmail.com> wrote:
> Hi all,
>
> I'd appreciate some pointers on how to gethttps://www.mydomain.com

sam lee

unread,
Oct 17, 2008, 3:41:57 PM10/17/08
to scalr-discuss
Hi.

I am using scalr.net service.
I followed http://code.google.com/p/scalr/wiki/HTTPS and restarted
nginx.
Do I need to syncronize all of my roles (www, app, mysql) before users
can visit https://mydomain.com/ ?
When I visit https://mydomain.com/, I get Network Timeout.
But, http://mydomain.com/ works fine.
Do I need to change firewall settings if any?

Thank you.
Sam.


On Oct 10, 3:28 pm, mikeytag <mikey...@gmail.com> wrote:
> Sorry, I just took a look at the wiki here:http://code.google.com/p/scalr/wiki/HTTPS
>
> I thus changed mysslserver section to include there recommendations
> > Am I correct in thinking that theSSLmatters are handled by nginx? Is

Frédéric Sidler

unread,
Oct 17, 2008, 4:09:58 PM10/17/08
to scalr-...@googlegroups.com
I have not played with HTTPS yet, but I don't think that port 443 is open by default. Check you sercurity groups and open if it is not the case.

sam lee

unread,
Oct 17, 2008, 4:19:16 PM10/17/08
to scalr-...@googlegroups.com
from my www instance:
$ nmap localhost -p 443
443/tcp closed https
$ nmap localhost -p 80
80/tcp closed http

I can't telnet localhost to either port.
But, when I go to http://mydomain.com/ it works.
Maybe i'm missing something?

sam lee

unread,
Oct 17, 2008, 4:50:47 PM10/17/08
to scalr-...@googlegroups.com
Oh no, nginx was down. That's why those ports were closed.

Now they are:
80/tcp open http
443/tcp filtered https

But, https://mydomain.com/ is not responding.

sam lee

unread,
Oct 20, 2008, 11:55:35 AM10/20/08
to scalr-discuss
I tried to enable SSL on app instance (apache2 server).
I followed this: https://help.ubuntu.com/community/forum/server/apache2/SSL

And, my instance ip works: http://67.202.34.208/ (not an elastic ip.
it's temporary)
But, visiting https://67.202.34.208/ gives Network Timeout.
I can't telnet 67.202.34.208 443 while I can telnet 67.202.34.208 80.

netstat -an |grep LISTEN
tcp 0 0 0.0.0.0:11211 0.0.0.0:*
LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:*
LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:*
LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:*
LISTEN

But in the web interface of scalr.net, security group rules don't have
443 forwarding set. And I can't add a forwarding rule for 443 for
security group of my app instance.

Does anyone have working SSL?

Thanks.
Sam.

On Oct 17, 4:50 pm, "sam lee" <skyn...@gmail.com> wrote:
> Oh no, nginx was down. That's why those ports were closed.
>
> Now they are:
> 80/tcp open  http
> 443/tcp filtered https
>
> But,https://mydomain.com/is not responding.
>
> On Fri, Oct 17, 2008 at 4:19 PM, sam lee <skyn...@gmail.com> wrote:
> > from my www instance:
> > $ nmap localhost -p 443
> > 443/tcp closed https
> > $ nmap localhost -p 80
> > 80/tcp closed http
>
> > I can't telnet localhost to either port.
> > But, when I go tohttp://mydomain.com/ it works.

sam lee

unread,
Oct 20, 2008, 12:41:47 PM10/20/08
to scalr-discuss
I found the problem.
The web interface on scalr.net doesn't update security group settings
even when I click Save button.
I updated security group settings on amazon directly using ElasticFox plugin.
Now, it's working.

Thanks.

Reply all
Reply to author
Forward
0 new messages