Chef server to manage EC2 instances

Sam_Darwin1 · January 23, 2013, 2:56pm

Hi,

I have setup a chef server on EC2, to manage EC2 instances. I have assigned
the DNS entry for chef.example.com to the public IP, so the web gui is
reachable from anywhere on the internet. When it comes to bootstrapping
clients, I can create an entry in /etc/hosts , which points chef.example.com to
the private IP, which seems more secure , or I can open port 4000 in the
firewall, and use the public IP address. Each has pros and cons.

The problem with adding the private IP into the hosts file, is that it’s
pre-bootstrap manual labor every time, and in the event of an IP change, it
will be a lot of fixing.

The problem with using the public IP, is that port 4000 is open to the world.
Is that dangerous?

Any general comments or suggestions?

Thanks.

Vladimir_Girnet · January 23, 2013, 3:05pm

You can set an additional protection layer by using httpd in fron of Chef Server
http://wiki.opscode.com/display/chef/How+to+Proxy+Chef+Server+with+Apache

On Jan 23, 2013, at 4:56 PM, samuel.d.darwin@gmail.com samuel.d.darwin@gmail.com wrote:

Hi,

I have setup a chef server on EC2, to manage EC2 instances. I have assigned
the DNS entry for chef.example.com to the public IP, so the web gui is
reachable from anywhere on the internet. When it comes to bootstrapping
clients, I can create an entry in /etc/hosts , which points chef.example.com to
the private IP, which seems more secure , or I can open port 4000 in the
firewall, and use the public IP address. Each has pros and cons.

The problem with adding the private IP into the hosts file, is that it's
pre-bootstrap manual labor every time, and in the event of an IP change, it
will be a lot of fixing.

The problem with using the public IP, is that port 4000 is open to the world.
Is that dangerous?

Any general comments or suggestions?

Thanks.

--
Vladimir Girnet
Senior Infrastructure Engineer
Tacit Knowledge

Bryan_Horstmann_Alle · January 23, 2013, 3:07pm

±-----------------------------------------------------------------------------
| On 2013-01-23 06:56:08, samuel.d.darwin@gmail.com wrote:
|
| Any general comments or suggestions?

Set the record for “chef.example.com” to CNAME for the public EC2 DNS for that
instance. EC2 does split horizon so within EC2, the public name will resolve to
the private IP.

You probably don’t want to open :4000 to the world, no.

bdha
cyberpunk is dead. long live cyberpunk.

Topic		Replies	Views
Private IP node to server, Public IP server to workstation? Chef Infra (archive)	3	1329	July 4, 2018
Any security issues with creating EC2 ami with Chef Server installed? Chef Infra (archive)	2	267	December 20, 2013
Chef server outside firewall Chef Infra (archive)	2	336	October 11, 2012
Chef Provisioning AWS without bootstrapping Chef Infra (archive)	11	2694	December 2, 2016
Question regarding dynamic DNS and IP addresses Chef Infra (archive)	2	373	January 25, 2014

Chef server to manage EC2 instances

You probably don’t want to open :4000 to the world, no.

Related Topics