Goal:
get ssl working in development mode (ssl works fine in production on heroku)
My setup:
Ubuntu 16.04
Rails 5.0.1
Puma 3.6.2
config/environments/development.rb
config.force_ssl = true
I tried following along with this puma ssl how-to:
https://gist.github.com/tadast/9932075
(I am not sure what the GitHub protocol is regarding pasting the above link's content here vs referencing it)
If I then use the command-line method to run puma:
puma -b 'ssl://127.0.0.1:3000?key=/home/sean/.ssh/server.key&cert=/home/sean/.ssh/server.crt'
I am getting Chrome's 'Not Secure' error when trying to access it via the browser after attempting to add the certificate to Ubuntu.
sudo cp server.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Should I see 1 added here? I also tried copying server.crt to /etc/ssl/certs
If I proceed past Chrome's block I get this console error:
SSL error, peer: 127.0.0.1, peer cert: , #<Puma::MiniSSL::SSLError: OpenSSL error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request - 336027804>
Instead of using puma on the command line I tried adding this to config/initializers/puma.rb
bind 'ssl://127.0.0.1:3000?key=/home/sean/.ssh/server.key&cert=/home/sean/.ssh/server.crt'
and starting:
rails s
I do not get any page load but the console shows:
HTTP parse error, malformed request (): #
2017-01-23 10:04:43 -0500: ENV: {"rack.version"=>[1, 3], "rack.errors"=>#>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 3.6.2 Sleepy Sunday Serenity", "GATEWAY_INTERFACE"=>"CGI/1.2"}
I also tried downgrading puma to 3.5.2
Where am I going wrong?
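To see why a self-signed certificate can be trusted by the OS store and still show 'Not Secure', here is an added Ruby example (not the asker's setup and not the linked gist) that builds a development cert with and without a subjectAltName and checks it the way a current browser does; the function names are my own.

```ruby
require 'openssl'

# Build a self-signed development certificate. This is a constructed example,
# not the asker's server.crt. Chrome ignores the Subject CN and only consults
# subjectAltName, so with_san: false reproduces the "Not Secure" situation
# even when the cert has been imported into the OS or browser trust store.
def make_dev_cert(hosts, with_san: true)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3 (needed for extensions)
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hosts.first}")
  cert.issuer     = cert.subject                        # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  if with_san
    san = hosts.map { |h| h.match?(/\A\d+(\.\d+){3}\z/) ? "IP:#{h}" : "DNS:#{h}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]                                           # cert.to_pem is what goes in server.crt
end

# Names listed in subjectAltName (OpenSSL renders them as "DNS:x, IP Address:y").
def san_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map { |v| v.strip.sub(/\A(DNS|IP Address|IP):/, '') }
end

# True when issuer matches subject and the signature verifies with the cert's own key.
def self_signed?(cert)
  cert.issuer == cert.subject && cert.verify(cert.public_key)
end

# Mirrors the browser rule that matters here: the host must appear in the SAN
# list and the cert must be inside its validity window. Running
# update-ca-certificates does not help if this returns false.
def browser_would_accept?(cert, host)
  san_names(cert).include?(host) && cert.not_before < Time.now && cert.not_after > Time.now
end

if __FILE__ == $0
  cert, _key = make_dev_cert(['localhost', '127.0.0.1'])
  puts "self-signed: #{self_signed?(cert)}, SAN: #{san_names(cert).inspect}"
  puts "localhost accepted: #{browser_would_accept?(cert, 'localhost')}"
end
```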
I solved this problem by enabling mod_ssl in Apache server, and adding some configuration for Apache to listen on 443 port. You can use Nginx too in the front of Puma to communicate with sockets. There is also way to solve this problem by installing Puma-dev, which automatically makes the apps available via SSL. I will describe the way I did it, it may help you/someone:
I made a self-signed certificate first, and after that a new virtual host for my project, for example: site1.local. Then I enabled mod_ssl and default-ssl.conf. I added port 443 and forward secrecy to my virtual host, something like:
<VirtualHost *:443>
ServerName site1.local
SSLEngine on
SSLCertificateFile "/home/user/.ssh/server.crt"
SSLCertificateKeyFile "/home/user/.ssh/server.key"
DocumentRoot /var/www/site1.local/public
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
</VirtualHost>
When I restarted the Apache server, I was still getting Google Chrome's unsafe website warning. I needed to manually add the root certificate in Chrome: chrome://settings/certificates, then the Authorities tab and the Import button. I checked all 3 checkboxes before importing the server.crt file. Once I finished importing, I restarted Google Chrome and I got the green https lock in Chrome's address bar.
Some refs:
https://leehblue.com/add-self-signed-ssl-google-chrome-ubuntu-16-04/
Getting Chrome to accept self-signed localhost certificate
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-puma-and-nginx-on-ubuntu-14-04
I hope it helps
Related
I have a Rails project up on an EC2 server at AWS. To deploy it, I followed this Passenger tutorial to the letter:
https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/standalone/oss/deploy_app_main.html
Everything worked fine. Then I followed this Passenger tutorial to get SSL working:
https://www.phusionpassenger.com/library/deploy/standalone/prod_ssl.html
My Passengerfile and nginx conf file look the same as the ones in the link (with the paths replaced to point to the correct files). But now, best I can gather, the nginx server isn't starting when I use the command sudo bundle exec passenger start.
I found this on the nginx log:
May 29 18:46:20 ip-172-31-38-233 systemd[18230]: nginx.service: Failed to execute command: No such file or directory
May 29 18:46:20 ip-172-31-38-233 systemd[18230]: nginx.service: Failed at step EXEC spawning /usr/sbin/nginx: No such file or directory
Which doesn't make sense to me as nginx was working fine before the SSL certificates. Note I'm using Passenger standalone, so I'm not managing nginx myself.
So my app in production has totally crashed with this message:
Filter chain halted as #<Proc:0x007f766547ea18#/app/vendor/bundle/ruby/2.1.0/gems/actionpack-4.1.1/lib/action_controller/metal/force_ssl.rb:65> rendered or redirected
I've done some research online and so far this seems to happen mostly in local dev mode when the port is lost. But I'm not sure why this would be happening in my Heroku app... for context the code has not changed, and it was working fine as of 30 minutes ago. I'm using CloudFlare, but I checked that the bare your-app-name.herokuapp.com is also broken with the same error.
Any help appreciated!
I got this same error but in my development environment in Rails 4.0 (because of a controller with force_ssl on it).
I solved this using the thin web server with ssl support, like so:
Add the thin gem to your Gemfile in the development group:
group :development do
gem 'thin'
end
Run bundle install in your terminal:
bundle install
Start thin with ssl support on terminal:
bundle exec thin start --ssl
Access the page via https on your web browser:
The protocol needs to be https at the beginning, otherwise you can get an empty response (ERR_EMPTY_RESPONSE).
https://localhost:3000/
If you get your connection refused (ERR_CONNECTION_REFUSED) you'll need to define the loopback ip address on the server params:
bundle exec thin start --ssl -a 127.0.0.1
You'll get a privacy error, just click on Advanced and then on Go to localhost (not safe)
Sorry, my image is in pt-br:
It's done! You'll get a self-signed https connection on localhost in development mode ;)
The deployment was successful and everything is green. But when we try to access the application URL, it gives 502 Bad Gateway error.
Checking for puma process with ps -aux | grep puma doesn't return any process attached to puma server but pgrep returns following.
$pgrep -fl puma
18009 su -s /bin/bash -c bundle exec puma -C /opt/elasticbeanstalk/support/conf/pumaconf.rb webapp
18031 ruby /opt/rubies/ruby-2.0.0-p598/bin/puma -C /opt/elasticbeanstalk/support/conf/pumaconf.rb
I have tried all possible combinations, as shown in every other forum/blog OR support sites of nginx/puma. Following is the status.
Default configuration - Where we have a UNIX:// sock file used in the UPSTREAM option of nginx.conf and pumaconf.rb - This gives 502 Bad Gateway. When checked, puma is not running and it is rebooting every 3rd minute.
As we have used it on DigitalOcean - Change the above UPSTREAM conf URL to tcp://127.0.0.1:3000 in pumaconf.rb and 127.0.0.1:3000 in the conf.d/webapp.conf file. - This is also not working; puma is not able to run properly, same as above.
My question is,
Why is there no control over running puma with different configurations? And why do we always have to use the UI, which is not able to run the services properly as per other standard configuration options?
There are no configuration options in the UI to change/verify from the UI. So we have to do it from SSH. But we have no control over rebooting PUMA from the console.
Whenever puma is not running, we are not able to see any logs of what error it is facing. This is really not helpful at all.
Puma is not able to run even with the default configuration, so nginx is not able to talk to Puma and so the EC2 does not really make sense!
Please let us know, how we can resolve this issue, if you have any idea on this.
See this - https://forums.aws.amazon.com/thread.jspa?messageID=608148
Still no answers on this one, this is like our hands are cuffed and not able to change any configurations!
UPDATE
AWS is somehow stopping and starting PUMA, because I can see the process IDs changing when checking with ps -ef|grep puma. So, I started puma on another port and tried to check if it runs or not.
Started on another port, and then from another console accessed the URL using wget http://127.0.0.1:3000. It prints the following log.
current]$ bundle exec puma -b tcp://127.0.0.1:3001
Puma 2.0.1 starting...
* Min threads: 0, max threads: 16
* Environment: production
* Listening on tcp://127.0.0.1:3001
Rails Error: Unable to access log file. Please ensure that /var/app/current/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
Use Ctrl-C to stop
2015-03-16 13:19:35 +0000: HTTP parse error, malformed request (): #<Puma::HttpParserError: Invalid HTTP format, parsing fails.>
2015-03-16 13:19:35 +0000: ENV: {"rack.version"=>[1, 1], "rack.errors"=>#<IO:<STDERR>>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "CONTENT_TYPE"=>"text/plain", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"2.0.1", "GATEWAY_INTERFACE"=>"CGI/1.2"}
So, is it compulsory to use SSL? Because I think by default, it is not enabled.
I had this issue after uploading my Rails app. I found this line (auto-generated) in secrets.yml (config > secrets.yml): secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
so you have to add it as an environment variable to your environment.
In the environment dashboard go to Configuration > Software > Environment properties and add a new variable with name SECRET_KEY_BASE.
You can set any value but make sure it is a safe key.
This resolved the issue for me, I hope it helps.
I could not fix this problem. Also, we were supposed to use an EC2 free instance only instead of Beanstalk.
We have now moved to a free EC2 instance with RDS and deployed the Rails application using Capistrano with Nginx + Unicorn. Though it was not easy[1][2], we finally got it working.
I've already installed the needed tools, and followed several tutorials trying to make passenger respond.
I can access static files in the public folder (public/500.html or 422.html). Yesterday I entered through a vhost and found some passenger errors. But some time later the hosting provider restarted the service, and since then I have not been able to access the Rails app again.
These are some of the links I used to configure the server. I've also read that could be a permission issue; I've checked that, but I'm not sure it's fine.
First of all, check your error log. By default, it is placed at /var/log/apache2/.
If you have a client denied by server configuration issue, check your site conf file at /etc/apache2/sites-available/your-site.conf. It must be in compliance with the Phusion Passenger User Guide. Take a look at Require all granted.
<Directory "/home/user/folder">
Require all granted
Options FollowSymLinks
# This relaxes Apache security settings.
AllowOverride None
# MultiViews must be turned off.
Order allow,deny
Allow from all
</Directory>
OK for me this meant I was running rails 2.3 and using Phusion Passenger 5.x
Apparently 5.x doesn't work with 2.2 at all, and with 2.3 requires you to copy in a config.ru file first (so that rails will use rack for the backend).
example config.ru file for 2.3:
# Rack Dispatcher
# Require your environment file to bootstrap Rails
require File.dirname(__FILE__) + '/config/environment'
# Dispatch the request
run ActionController::Dispatcher.new
I could not figure out why no incantations seemed to work, it was like Passenger was ignoring my rails app.
In my /var/log/apache2/error.log file, I had this:
[Mon May 11 15:47:00.397891 2015] [autoindex:error] [pid 17490:tid 3058694976] [client 216.49.181.251:49248] AH01276: Cannot serve directory /home/x/y/railsapp/public/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive, referer: https://www.google.com/
Which confused the heck out of me and apparently meant "passenger isn't running on that virtual host".
If I created a public/index.html file, apache served that fine so it wasn't a permissions issue.
I also saw this, which meant passenger was starting up ok:
[ 2015-05-11 18:23:53.9594 4964/b7415700 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
See also https://www.phusionpassenger.com/documentation/Users%20guide%20Apache%204.0.html#_i_get_a_403_forbidden_error
So basically with passenger 5.x (the release notes say that rails 2.2 isn't supported), 2.3 is only supported if you create a "config.ru" file in the root of your rails app. It works with old versions of rack like rails 2.3 requires; just remove your newer rack gem and install 1.1.6 or whatnot, and remove vendored rack gems if any. GL!
Also as a side note, this message:
[Mon May 11 18:25:10.235574 2015] [core:alert] [pid 5263:tid 3017780032] [client 127.0.0.1:56737] /home/rdp/dev/prod_flds/public/.htaccess: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
meant "remove your public/.htaccess file, it's not typically needed by passenger"
I also got a 403 error using passenger for rails in apache on my Mac OS 10.9 (a Unix-like system).
Here are some tips:
You can check the apache log directory and see what happened.
The directory: /var/log/apache2/error_log.
Issue: Permission denied: access to / denied ( filesystem path 'path_apache_access' ) because search permissions are missing on a component of the path.
Check 'path_apache_access' by CLI: ls -ld 'path_apache_access' and use chmod +x to change the path privilege.
Also, note this: Httpd Wiki - (13) Permission Denied.
Issue: configuration error: couldn't perform authentication. AuthType not set!.
Issue: client denied by server configuration.
Go to /etc/apache2/httpd.conf and take a look at the <Directory> tag.
Check apache version by CLI: apachectl -v, if Apache < 2.4, do NOT uncomment "Require all granted".
<Directory "rails_app_directory/public">
# This relaxes Apache security settings.
AllowOverride all
# MultiViews must be turned off.
Options -MultiViews
# Uncomment this if you're on Apache >= 2.4:
# Require all granted
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>
The answer was that passenger gave me 403 because I had to set the environment variable "RackEnv" in the apache configuration to "development" (in my case).
Rather a simple question I believe, is it possible to install passenger when nginx is already installed on your webserver?
If the answer is Yes, I already performed these actions:
At this very moment I already have nginx installed (for my PHP applications), and next I did a checkout of passenger's git repository:
mkdir /repositories
cd /repositories/
git clone https://github.com/FooBarWidget/passenger.git
cd passenger/
and then added this snippet to /etc/nginx/conf/nginx.conf
http {
...
passenger_root /repositories/passenger;
passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.2-p290/ruby;
...
}
However when I want to restart nginx I get the following error:
* Starting Web Server nginx
nginx: [emerg] unknown directive "passenger_root" in /etc/nginx/nginx.conf:19
Which leads me to conclude that there is still some config I need to set for nginx to be aware that we're using passenger.
My server block
server {
listen 80;
server_name rails.kreatude.com;
root /srv/www/my_test_app;
passenger_enabled on;
}
I think your problem is that the passenger module is not present in nginx.
All the passenger dependent directives you've described (passenger_root, passenger_ruby, passenger_enabled) are available only when the passenger module is attached to nginx. This is why you have to compile nginx with --add-module='/path/to/passenger-3.0.9/ext/nginx'.
Unfortunately, I don't know of any method to enable passenger module without re-installing nginx. But, according to http://wiki.nginx.org/Modules, "Nginx modules must be selected at compile-time.", so there could be a chance that there isn't a way to do that.
In Passenger docs the chapter "Generic installation, upgrade and downgrade method: via RubyGems" discusses this. Basically, once the Passenger gem is installed, nginx needs to be recompiled (and then used instead of the yum/apt-get-installed nginx if one exists). Passenger's compilation/configuration utility "passenger-install-nginx-module" does it for you (it's part of the Passenger gem), and it automatically includes the necessary switches for Passenger. It also gives you the option to add your own switches (such as for extra modules, or to enable/disable NGiNX's built-in features).
With rvm, you could do this simply by running rvmsudo passenger-install-nginx-module.
For more detail: https://www.digitalocean.com/community/tutorials/how-to-install-rails-and-nginx-with-passenger-on-ubuntu.
I confirm ion-br's answer, I'm facing the same kind of problems and PhusionPassenger's site states:
Before you begin, you should know that installing Passenger in its Nginx integration mode involves extending Nginx with code from Passenger. However, Nginx does not support loadable modules. This means that in order to install Passenger's Nginx integration mode, it is necessary to recompile Nginx from source.
The only solution is thus to properly reinstall Nginx, if your machine is an AWS AMI instance the solution lies here.
There is a way to install the nginx passenger module without reinstalling/recompiling nginx:
https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/bionic/install_passenger.html
passenger_enabled on; in server, http, or location block.
http://modrails.com/documentation/Users%20guide%20Nginx.html#_important_deployment_options