I hope I remember everything I did. My project used m1.medium servers with Ubuntu 12.04.
If I missed something here, let me know and I'll track it down. After this was all done, all new servers were able to be spun up with SSL enabled by default. Since this is a private repo, I was able to get away with having the .cert and .key in source control, but that might be the only thing that I would change if I were to make this a public change.
Here is what I was able to do to get this working:
config/rubber/role/nginx/company.com.cert
<%
@path = rubber_env.ssl_cert
@owner = "root"
@group = "ssl-cert"
@perms = 0440
%>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
config/rubber/role/nginx/company.com.key<%
@path = rubber_env.ssl_key
@owner = "root"
@group = "ssl-cert"
@perms = 0440
%>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
config/rubber/rubber.ymlssl_cert_name: "company.com.cert"
ssl_key_name: "company.com.key"
ssl_cert: "/etc/ssl/certs/#{ssl_cert_name}"
ssl_key: "/etc/ssl/private/#{ssl_key_name}"
config/rubber/deploy-nginx.rb
task :install, :roles => :nginx do
# Setup apt sources for current nginx
sources = <<-SOURCES
deb http://nginx.org/packages/ubuntu/ lucid nginx
deb-src http://nginx.org/packages/ubuntu/ lucid nginx
SOURCES
sources.gsub!(/^ */, '')
put(sources, "/etc/apt/sources.list.d/nginx.list")
rsudo "wget -qO- http://nginx.org/keys/nginx_signing.key | apt-key add -"
rsudo "if [[ ! -d /etc/nginx ]]; then mkdir /etc/nginx; fi"
rsudo "ln -sf #{rubber_env.ssl_cert} /etc/nginx/company.com.cert"
rsudo "ln -sf #{rubber_env.ssl_key} /etc/nginx/company.com.key"
end
config/rubber/role/nginx/unicorn_nginx.conf<%
@path = "/etc/nginx/rubber/unicorn_nginx.conf"
%>
upstream unicorn_server {
# This is the socket we configured in unicorn.rb
server unix:/var/run/unicorn.sock;
# This will break https if we use it.
#fail_timeout=0;
}
# Maybe we can get port 80 to redirect to 443 at some point...
#server {
# listen 80;
# server_name <%= [ rubber_env.domain, rubber_env.web_aliases ].flatten.compact.join(" ") %>;
# rewrite ^ https://$http_host$request_uri? permanent;
#}
server {
listen 443;
client_max_body_size 4G;
server_name <%= [ rubber_env.domain, rubber_env.web_aliases ].flatten.compact.join(" ") %>;
ssl on;
ssl_certificate <%= rubber_env.ssl_cert_name %>;
ssl_certificate_key <%= rubber_env.ssl_key_name %>;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
keepalive_timeout 5;
# Location of our static files
root <%= Rubber.root + "/public" %>;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
# If you don't find the filename in the static files
# Then request it from the unicorn server
if (!-f $request_filename) {
proxy_pass http://unicorn_server;
break;
}
}
# this rewrites all the requests to the maintenance.html
# page if it exists in the doc root. This is for capistrano's
# disable web task
if (-f $document_root/system/maintenance.html)
{
rewrite ^(.*)$ /system/maintenance.html last;
break;
}
error_page 500 502 503 504 /500.html;
location = /500.html
{
root <%= Rubber.root + "/public" %>;
}
error_page 404 /404.html;
location = /404.html
{
root <%= Rubber.root + "/public" %>;
}
}config/rubber/role/nginx/nginx.conf<%
@path = "/etc/nginx/nginx.conf"
@post = "mkdir -p #{rubber_env.nginx_log_dir}"
%>
user www-data;
worker_processes 10;
pid /var/run/nginx.pid;
events
{
worker_connections 1024;
}
http
{
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay off;
gzip on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# configure log format like to Apache's "combined" log format
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_cookie"';
# default log files
error_log <%= rubber_env.nginx_log_dir %>/error.log notice;
access_log <%= rubber_env.nginx_log_dir %>/access.log main;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
include /etc/nginx/rubber/*.conf;
}