#1

Hi all,

I’ve just inherited an old open source Chef server 0.10.8. It’s left
exposed to the world poor thing and I fear for it’s safety. It would be a
very good idea to put Nginx in front of it I think.

Does anyone have any howtos? I’d like to do it soon rather than later!

Cheers,

Andy


Andy Gale
M: +447825661580
http://andy-gale.com
http://twitter.com/andygale


#2

On 08/01, Andy Gale wrote:

Hi all,

I’ve just inherited an old open source Chef server 0.10.8. It’s left
exposed to the world poor thing and I fear for it’s safety. It would be a
very good idea to put Nginx in front of it I think.

Does anyone have any howtos? I’d like to do it soon rather than later!

Hi Andy,

Yes, you definitely want to protect the webui. You can configure nginx
to proxy to it like any other upstream app.

There’s an example at https://github.com/opscode-cookbooks/chef-server/blob/0.99.12/templates/default/chef_server.nginx.conf.erb

The API calls are all signed and (AFAIK) encrypted so leaving that
"exposed" isn’t a huge issue, though if you can limit access to certain
IPs that’s of course prefered.

Regards,
Matt


Matt Rohrer // matt@prognostikos.com
http://finitesoup.com


#3

Hi,

The API calls are all signed and (AFAIK) encrypted
AFAIK (very sure) they’re NOT encrypted, that’s why you’re advised to
setup an HTTPS proxy in front of the chef server.
Chef 11 ships an nginx that does the SSL termination.

Yours
Steffen

On 8/1/13 10:13 AM, Matt Rohrer wrote:

On 08/01, Andy Gale wrote:

Hi all,

I’ve just inherited an old open source Chef server 0.10.8. It’s left
exposed to the world poor thing and I fear for it’s safety. It would be a
very good idea to put Nginx in front of it I think.

Does anyone have any howtos? I’d like to do it soon rather than later!

Hi Andy,

Yes, you definitely want to protect the webui. You can configure nginx
to proxy to it like any other upstream app.

There’s an example at https://github.com/opscode-cookbooks/chef-server/blob/0.99.12/templates/default/chef_server.nginx.conf.erb

The API calls are all signed and (AFAIK) encrypted so leaving that
"exposed" isn’t a huge issue, though if you can limit access to certain
IPs that’s of course prefered.

Regards,
Matt


Matt Rohrer // matt@prognostikos.com
http://finitesoup.com


#4

If I were you, I’d use a knife download tool to extract all the everything
from that server, install chef 11, and upload everything back in.

On Thu, Aug 1, 2013 at 5:51 AM, Steffen Gebert st+gmane@st-g.de wrote:

Hi,

The API calls are all signed and (AFAIK) encrypted
AFAIK (very sure) they’re NOT encrypted, that’s why you’re advised to
setup an HTTPS proxy in front of the chef server.
Chef 11 ships an nginx that does the SSL termination.

Yours
Steffen

On 8/1/13 10:13 AM, Matt Rohrer wrote:

On 08/01, Andy Gale wrote:

Hi all,

I’ve just inherited an old open source Chef server 0.10.8. It’s left
exposed to the world poor thing and I fear for it’s safety. It would be
a

very good idea to put Nginx in front of it I think.

Does anyone have any howtos? I’d like to do it soon rather than later!

Hi Andy,

Yes, you definitely want to protect the webui. You can configure nginx
to proxy to it like any other upstream app.

There’s an example at
https://github.com/opscode-cookbooks/chef-server/blob/0.99.12/templates/default/chef_server.nginx.conf.erb

The API calls are all signed and (AFAIK) encrypted so leaving that
"exposed" isn’t a huge issue, though if you can limit access to certain
IPs that’s of course prefered.

Regards,
Matt


Matt Rohrer // matt@prognostikos.com
http://finitesoup.com


#5

Jesse + all,

Thanks, yes once I learnt how to put subjects in my emails (oops),
converting it all to Chef Server 11 seemed the only sensible way to go.
Looks like I can rescue the immediate situation with Rackspace’s isolated
cloud networks feature.

Cheers,

Andy

On Thu, Aug 1, 2013 at 2:15 PM, Jesse Campbell hikeit@gmail.com wrote:

If I were you, I’d use a knife download tool to extract all the everything
from that server, install chef 11, and upload everything back in.

On Thu, Aug 1, 2013 at 5:51 AM, Steffen Gebert st+gmane@st-g.de wrote:

Hi,

The API calls are all signed and (AFAIK) encrypted
AFAIK (very sure) they’re NOT encrypted, that’s why you’re advised to
setup an HTTPS proxy in front of the chef server.
Chef 11 ships an nginx that does the SSL termination.

Yours
Steffen

On 8/1/13 10:13 AM, Matt Rohrer wrote:

On 08/01, Andy Gale wrote:

Hi all,

I’ve just inherited an old open source Chef server 0.10.8. It’s left
exposed to the world poor thing and I fear for it’s safety. It would
be a

very good idea to put Nginx in front of it I think.

Does anyone have any howtos? I’d like to do it soon rather than later!

Hi Andy,

Yes, you definitely want to protect the webui. You can configure nginx
to proxy to it like any other upstream app.

There’s an example at
https://github.com/opscode-cookbooks/chef-server/blob/0.99.12/templates/default/chef_server.nginx.conf.erb

The API calls are all signed and (AFAIK) encrypted so leaving that
"exposed" isn’t a huge issue, though if you can limit access to certain
IPs that’s of course prefered.

Regards,
Matt


Matt Rohrer // matt@prognostikos.com
http://finitesoup.com


Andy Gale
http://andy-gale.com
http://twitter.com/andygale