Chef server outside firewall


#1

Hi everyone,

I am fairly new to chef and I am trying to figure out where to place my chef server.

I am using opensource chef and I am wondering if there is an issue with my chef server being outside of my firewall so my AWS servers can contact it and my servers inside my firewall will be able to access it. My chef workstations will also be inside the firewall. Would this cause any problems with my nodes contacting the chef server? Are there any advantages or disadvantages to putting my chef server in AWS?

Thanks in advance,

Bridger Larson


#2

On Thu, Oct 11, 2012 at 12:33 PM, Bridger Larson
Bridger.Larson@sirsidynix.com wrote:

> Hi everyone,
>
> I am fairly new to chef and I am trying to figure out where to place my chef
> server.
>
> I am using opensource chef and I am wondering if there is an issue with my
> chef server being outside of my firewall so my AWS servers can contact it
> and my servers inside my firewall will be able to access it. My chef
> workstations will also be inside the firewall. Would this cause any
> problems with my nodes contacting the chef server? Are there any advantages
> or disadvantages to putting my chef server in AWS?

Our open source chef server is in AWS, we have set it up so that ports
4000 and 4040 are open (in addition to 22 for server management).

We can talk to chef server because our firewall allows us to open any
remote port.

Some companies (Sony, many Financial companies) do not allow any
traffic except HTTP over port 80; if that is the case with your
company’s firewall, then you are out of luck.

All the best.


#3

Be aware that although Chef uses RSA asymmetric keys for client
authentication, the chef-client / knife traffic is unencrypted.

I strongly recommend that you put something (ELB, Apache, Nginx, HAProxy >
1.5, etc) in front of your chef server with SSL to proxy your API/WebUI
connections.

Doing this also enables you to control what port your chef-server-api
process is available to the outside world on. You’ll almost certainly want
to run more than one chef-server-api process, and putting a load-balancer
type proxy in front of your API processes will also ease scaling.

Brian

On Thu, Oct 11, 2012 at 4:20 PM, Autif Khan autif.mlist@gmail.com wrote:

> On Thu, Oct 11, 2012 at 12:33 PM, Bridger Larson
> Bridger.Larson@sirsidynix.com wrote:
>
> > Hi everyone,
> >
> > I am fairly new to chef and I am trying to figure out where to place my
> > chef server.
> >
> > I am using opensource chef and I am wondering if there is an issue with
> > my chef server being outside of my firewall so my AWS servers can contact it
> > and my servers inside my firewall will be able to access it. My chef
> > workstations will also be inside the firewall. Would this cause any
> > problems with my nodes contacting the chef server? Are there any
> > advantages or disadvantages to putting my chef server in AWS?

> Our open source chef server is in AWS, we have set it up so that ports
> 4000 and 4040 are open (in addition to 22 for server management).
>
> We can talk to chef server because our firewall allows us to open any
> remote port.
>
> Some companies (Sony, many Financial companies) do not allow any
> traffic except HTTP over port 80; if that is the case with your
> company’s firewall, then you are out of luck.
>
> All the best.
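As an added illustration of the two points raised in #2 and #3 (exposing only a small set of ports, and putting a TLS-terminating proxy in front of the open source chef server), here is an Nginx configuration that is not from the thread or from the Chef project. It assumes chef-server-api listens on 127.0.0.1:4000 and chef-server-webui on 127.0.0.1:4040 (the two ports #2 mentions), that the proxy host is named chef.example.com with a certificate at the paths shown, and that the security group or firewall opens only 443 (plus 22 for management) while 4000 and 4040 stay bound to localhost.

```nginx
# Added example, not code from the thread or from Chef itself.
# Assumptions: chef-server-api on 127.0.0.1:4000, chef-server-webui on
# 127.0.0.1:4040, hostnames chef.example.com / chef-ui.example.com, and
# certificate files under /etc/nginx/ssl/. Only 443 is exposed externally.

# Do not serve the API over plaintext at all; redirect to HTTPS instead.
server {
    listen 80;
    server_name chef.example.com chef-ui.example.com;
    return 301 https://$host$request_uri;
}

# Chef API: knife and chef-client sign each request with the client's RSA
# key, which proves identity but does not encrypt node data, data bags or
# cookbook contents. TLS termination here closes that gap.
server {
    listen 443 ssl;
    server_name chef.example.com;

    ssl_certificate     /etc/nginx/ssl/chef.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/chef.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass         http://127.0.0.1:4000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        # Cookbook uploads from knife can be large.
        client_max_body_size 50m;
    }
}

# Web UI on its own hostname so it can be restricted (or left closed)
# independently of the API that nodes need.
server {
    listen 443 ssl;
    server_name chef-ui.example.com;

    ssl_certificate     /etc/nginx/ssl/chef.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/chef.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass         http://127.0.0.1:4040;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-Proto https;
    }
}

# When running several chef-server-api processes, as #3 suggests, replace the
# single proxy_pass target with an upstream group, e.g.:
# upstream chef_api { server 127.0.0.1:4000; server 127.0.0.1:4001; }
# and use proxy_pass http://chef_api; in the API server block.
```

With this in place, chef_server_url in each node's client.rb and in knife.rb on the workstations should point at https://chef.example.com rather than the bare port 4000 address, and the nodes and workstations need to trust the CA that issued the certificate. Binding the backend processes to 127.0.0.1 matters as much as the proxy itself: if 4000 and 4040 still listen on all interfaces and the security group permits them, the unencrypted path is still reachable.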