Random thoughts of a warped mind…

August 15, 2012

Making a Chef server's GUI and API endpoints accessible over SSL

Filed under: All,Amazon EC2,Chef,Development,Linux — Srinivas @ 14:34

If you run your own Chef server instance at EC2, it's probably in a specific security group that other hosts in the same group can access. However, you may not want instances in other regions to access this Chef server over unencrypted connections – say you have the Chef server on the east coast and servers on the west coast that need to talk to it…

In this case, it's handy to spin up Nginx on the Chef server box and have it reverse proxy access over SSL to the Chef server's ports, i.e. TCP/4000 for the REST API and TCP/4040 for the Web GUI.

See the gist for sample config to do this. Drop the config file into /etc/nginx/sites-available, symlink it to sites-enabled and bounce Nginx.
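A minimal sketch of what such a config can look like, added here as an example (it is not the gist referenced above). The hostname chef.example.com, the certificate paths and the public SSL ports 443 and 444 are assumptions; only the backend ports 4000 and 4040 come from this post.

```nginx
# Added example, not the gist from the post.
# Assumed values: chef.example.com, the certificate paths, public ports 443/444.

# REST API: SSL on 443 -> Chef server API on local TCP/4000
server {
    listen 443 ssl;
    server_name chef.example.com;

    # Server certificate first, followed by any intermediate CA certs
    ssl_certificate     /etc/nginx/ssl/chef.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/chef.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:4000;
        # Preserve the Host header (including port) that the client sent
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Web GUI: SSL on 444 -> Chef server WebUI on local TCP/4040
server {
    listen 444 ssl;
    server_name chef.example.com;

    ssl_certificate     /etc/nginx/ssl/chef.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/chef.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:4040;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With the proxy in place, only the SSL ports need to be reachable from the other region; TCP/4000 and TCP/4040 can stay limited to the local security group. Remote nodes then point `chef_server_url` in their client.rb at the https URL.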

If you have an SSL certificate that's self-signed or else issued along with a CA cert bundle, your Chef nodes/clients may not be able to verify the authenticity of the SSL certificate. In that case, you may need to symlink/copy the CA cert bundle into /etc/ssl/certs and run “c_rehash /etc/ssl/certs” so that your CA is now understood by your system to be a “valid” one…
