How to setup SSL for Nginx + Unicorn - Help!

352 views
Skip to first unread message

Felipe Lopes

unread,
May 8, 2013, 2:26:37 PM5/8/13
to rubbe...@googlegroups.com
I'm trying to setup ssl for my rails application, but I could not figure out the correct way to do it with rubber.

I tryed set the use_ssl_key: true on the rubber-unicorn-inx.yml file and then ran cap staging deploy but it didn't worked. I commit the changes and pushed everything.

I tried also to created the certs manually on the server and moved to /etc/ssl/certs and /etc/ssl/private, but I want to figure out a way to do it automatically in order to replicate to other environments. 

Does anyone know how to make it work properly?

Thank you, Felipe

Robert Pohl

unread,
Aug 30, 2013, 10:45:44 AM8/30/13
to rubbe...@googlegroups.com
Also have this problem. It won't update the server with the added SSL settings.
Please advise.

Ivan Varghese

unread,
Aug 31, 2013, 8:10:59 PM8/31/13
to rubbe...@googlegroups.com
I'm also in the same position. Any advice on implementing SSL on nginx + unicorn with Rubber would be appreciated.

Ivan Varghese

unread,
Sep 1, 2013, 12:22:51 AM9/1/13
to rubbe...@googlegroups.com
I've managed to set up nginx + unicorn with Rubber on SSL. I'll post what I did for anyone needing help in the future.

As far as I can tell, the main configuration is in unicorn_nginx.conf. Here's the gist of my conf file: https://gist.github.com/anonymous/f29f0678af78169a3a3b

I placed my ssl certs in /config/certs but as long as you link them properly in the conf file, you should be fine. Also I only tested with self-signed certificates.

Set config.force_ssl = true in your production.rb and cap deploy. If anyone has any advice or better solutions, I'm sure others including myself would love to hear it.

On Wednesday, May 8, 2013 1:26:37 PM UTC-5, Felipe Lopes wrote:

Jon Uhal

unread,
Sep 3, 2013, 5:17:25 PM9/3/13
to rubbe...@googlegroups.com
I hope I remember everything I did. My project used m1.medium servers with Ubuntu 12.04.

If I missed something here, let me know and I'll track it down. After this was all done, all new servers were able to be spun up with SSL enabled by default. Since this is a private repo, I was able to get away with having the .cert and .key in source control, but that might be the only thing that I would change if I were to make this a public change.

Here is what I was able to do to get this working:

config/rubber/role/nginx/company.com.cert
<%
  @path = rubber_env.ssl_cert
  @owner = "root"
  @group = "ssl-cert"
  @perms = 0440
%>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


config/rubber/role/nginx/company.com.key

<%
  @path = rubber_env.ssl_key
  @owner = "root"
  @group = "ssl-cert"
  @perms = 0440
%>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----


config/rubber/rubber.yml
ssl_cert_name: "company.com.cert"
ssl_key_name: "company.com.key"
ssl_cert: "/etc/ssl/certs/#{ssl_cert_name}"
ssl_key: "/etc/ssl/private/#{ssl_key_name}"


config/rubber/deploy-nginx.rb
task :install, :roles => :nginx do # Setup apt sources for current nginx sources = <<-SOURCES deb http://nginx.org/packages/ubuntu/ lucid nginx deb-src http://nginx.org/packages/ubuntu/ lucid nginx SOURCES sources.gsub!(/^ */, '') put(sources, "/etc/apt/sources.list.d/nginx.list") rsudo "wget -qO- http://nginx.org/keys/nginx_signing.key | apt-key add -" rsudo "if [[ ! -d /etc/nginx ]]; then mkdir /etc/nginx; fi" rsudo "ln -sf #{rubber_env.ssl_cert} /etc/nginx/company.com.cert" rsudo "ln -sf #{rubber_env.ssl_key} /etc/nginx/company.com.key" end


config/rubber/role/nginx/unicorn_nginx.conf
<%
  @path = "/etc/nginx/rubber/unicorn_nginx.conf"
%>

upstream unicorn_server {
 # This is the socket we configured in unicorn.rb
 server unix:/var/run/unicorn.sock;
 # This will break https if we use it.
 #fail_timeout=0;
}

# Maybe we can get port 80 to redirect to 443 at some point...
#server {
#  listen 80;
#  server_name <%= [ rubber_env.domain, rubber_env.web_aliases ].flatten.compact.join(" ") %>;
#  rewrite ^ https://$http_host$request_uri? permanent;
#}

server {
  listen 443;
  client_max_body_size 4G;
  server_name <%= [ rubber_env.domain, rubber_env.web_aliases ].flatten.compact.join(" ") %>;

  ssl on;
  ssl_certificate <%= rubber_env.ssl_cert_name %>;
  ssl_certificate_key <%= rubber_env.ssl_key_name %>;
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;

  keepalive_timeout 5;

  # Location of our static files
  root <%= Rubber.root + "/public" %>;

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;

    # If you don't find the filename in the static files
    # Then request it from the unicorn server
    if (!-f $request_filename) {
      proxy_pass http://unicorn_server;
      break;
    }
  }

  # this rewrites all the requests to the maintenance.html
  # page if it exists in the doc root. This is for capistrano's
  # disable web task
  if (-f $document_root/system/maintenance.html)
  {
    rewrite  ^(.*)$  /system/maintenance.html last;
    break;
  }
  error_page   500 502 503 504  /500.html;
  location = /500.html
  {
    root <%= Rubber.root + "/public" %>;
  }
  error_page 404  /404.html;
  location = /404.html
  {
    root <%= Rubber.root + "/public" %>;
  }
}


config/rubber/role/nginx/nginx.conf
<%
  @path = "/etc/nginx/nginx.conf"
  @post = "mkdir -p #{rubber_env.nginx_log_dir}"
%>

user www-data;
worker_processes 10;

pid /var/run/nginx.pid;

events
{
  worker_connections 1024;
}

http
{
  include           /etc/nginx/mime.types;
  default_type      application/octet-stream;

  sendfile          on;
  tcp_nopush        on;
  tcp_nodelay       off;

  gzip              on;
  gzip_http_version 1.0;
  gzip_comp_level   2;
  gzip_proxied      any;
  gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  # configure log format like to Apache's "combined" log format
  log_format        main
                      '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_cookie"';

  # default log files
  error_log         <%= rubber_env.nginx_log_dir %>/error.log notice;
  access_log        <%= rubber_env.nginx_log_dir %>/access.log main;

  ssl_session_cache   shared:SSL:10m;
  ssl_session_timeout 10m;

  include /etc/nginx/rubber/*.conf;
}
Reply all
Reply to author
Forward
0 new messages