How best to force SSL with application_php and apache2 cookbooks?

Chef Infra (archive)
1

What is the preferred method of configuring a Web application
deployed via the application_php cookbook to accept HTTP over
SSL connections on port 443 and to redirect requests on 80 to 443?

I’m using application_php with success, but it is hard-coded to
cause the http server to listen on 8080. I don’t find any
discussion of SSL or of alternative ports in documentation of the
application_php and application cookbooks or of the deploy
provider. The apache2 cookbook docs show how to install mod_ssl
and to specify some cipher configuration, but as far as I can
tell, none of that matters as long as application_php is
configuring Apache to do name-based virtual hosting on 8080. Web
searches for relevant keywords have turned up nothing relevant.

References:


Phil Mocek
http://mocek.org/

2

I use an attribute in my cookbook that allows me to set the ports for HTTP and HTTPS and then have a template file for http and https configuration that uses this attribute directly. Then, when I call mod_php_apache2 within the application resource, I give it the HTTP template using "webapp_template" (which could include the rewrites you want):

mod_php_apache2 do
  app_root "#{node['php_app']['public']}"
  webapp_template "app.conf.erb"
  server_aliases node["php_app"]["server_aliases"]
end

Then, outside of the application resource, I check to see if my deployment includes any SSL stuff and if so, I call the apache2 cookbook's web_app resource directly to create the SSL configuration file and again give it my own template that is specific to my app using "template":

if node["php_app"]["sslcert"] and node["php_app"]["sslkey"]
include_recipe "apache2::mod_ssl"

<some stuff that creates the SSL key and cert files, but is really long, so I'm omitting them>

web_app "#{node['php_app']['domain']}-ssl" do
  template "https_app.conf.erb"
  server_name node['domain']
  server_aliases node['php_app']['server_aliases']
  port node['php_app']['https_port']
  listen_ports [node['php_app']['http_port'], node['php_app']['https_port']]
  sslcert node["php_app"]["sslcert_file"]
  sslkey node["php_app"]["sslkey_file"]
  cacert ndoe["php_app"]["sslcacert_file"] if node["php_app"]["sslcacert_file"]
end

end

Inside the template files, I set the port with this:

HTTP:
<VirtualHost *:<%= node["php_app"]["http_port"] %>>
...

HTTPS:
<VirtualHost default:<%= node["php_app"]["https_port"] %>>

Might be a better way to do this, but this seems to work.

--
Ryan Walker

On Mar 14, 2013, at 12:55 PM, Phil Mocek phil-lists@mocek.org
wrote:

What is the preferred method of configuring a Web application
deployed via the application_php cookbook to accept HTTP over
SSL connections on port 443 and to redirect requests on 80 to 443?

I'm using application_php with success, but it is hard-coded to
cause the http server to listen on 8080. I don't find any
discussion of SSL or of alternative ports in documentation of the
application_php and application cookbooks or of the deploy
provider. The apache2 cookbook docs show how to install mod_ssl
and to specify some cipher configuration, but as far as I can
tell, none of that matters as long as application_php is
configuring Apache to do name-based virtual hosting on 8080. Web
searches for relevant keywords have turned up nothing relevant.

References:

--
Phil Mocek
http://mocek.org/