Hello,
Following the official guide [1] and a few other websites, I finally installed my first Ruby on Rails/Puma web app... and it passed the local test by curl (bundle exec rails server webrick -e production) - relayd wasn't configured yet.
Then I ran my app with the puma server. I can't figure out how to make it work with the FQDN and a LetsEncrypt cert.
My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
I started with a simple httpd configuration to get certs with acme-client, and then https://redmine.MY.DOMAIN.COM showed my testing index.html properly.
Now /etc/httpd.conf has changed but I assume my certs are still OK.
Remote firefox is giving me a "Redirect Loop" error when trying to access https://redmine.MY.DOMAIN.COM
Could someone please shed some light on this puzzle?
1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
2. https://github.com/basicfeatures/openbsd-rails
3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
$ openssl s_client -connect redmine.MY.DOMAIN.COM:443
CONNECTED(00000003)
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=21:unable to verify the first certificate
verify return:1
write W BLOCK
---
Certificate chain
0 s:/CN=redmine.MY.DOMAIN.COM
i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=redmine.MY.DOMAIN.COM
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2403 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : AEAD-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1638116582
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
[redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file config/puma.rb start
Puma starting in single mode...
* Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
* Min threads: 0
* Max threads: 5
* Environment: production
* PID: 85983
* Listening on ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
* Listening on http://127.0.0.1:3001
Use Ctrl-C to stop
# /home/redminepk/redminepk/config/puma.rb
#!/usr/bin/env puma
app = "redminepk"
ssl_bind "127.0.0.1", "3000", {
  key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
  cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
}
bind "tcp://127.0.0.1:3001"
pidfile "/home/#{app}/#{app}/tmp/puma.pid"
state_path "/home/#{app}/#{app}/tmp/puma.state"
stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", "/home/#{app}/#{app}/log/puma_errors.log"
environment "production"
# /home/redminepk/redminepk/config/environments/production.rb
Rails.application.configure do
  config.cache_classes = true
  config.eager_load = true
  config.consider_all_requests_local = false
  config.action_controller.perform_caching = true
  config.action_mailer.raise_delivery_errors = false
  config.action_mailer.logger = nil
  config.active_support.deprecation = :log
  config.force_ssl = true
end
# /etc/httpd.conf
ext_if="vmx0"
types { include "/usr/share/misc/mime.types" }
server "redmine.MY.DOMAIN.COM" {
        listen on $ext_if port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location "*" {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}
# /etc/relayd.conf
egress="A.B.C.D"
table <redminepk> { 127.0.0.1 }
redminepk_port="3001"
table <httpd> { 127.0.0.1 }
httpd_port="80"
http protocol "http" {
        match request header set "Connection" value "close"
        match response header remove "Server"
}
http protocol "https" {
        pass request header "Host" value "redmine.MY.DOMAIN.COM" forward to <redminepk>
        tls keypair "redmine.MY.DOMAIN.COM"
        # Preserve address headers
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"
        match response header remove "Server"
}
relay "http" {
        listen on $egress port http
        protocol "http"
        forward to <httpd> port $httpd_port
}
relay "https" {
        listen on $egress port https tls
        protocol "https"
        forward to <httpd> port $httpd_port
        forward to <redminepk> port $redminepk_port
}
$ grep relayd /etc/pf.conf
# Allow relayd(8) redirects
anchor "relayd/*"
On Fri, 12 Nov 2021 20:35:45 +0100
Radek <rdk@int.pl> wrote:
> Hello Werner,
> thank you for your installation details. I'll give it a try in a few days.
>
> On Thu, 11 Nov 2021 23:57:02 +0800
> Werner Boninsegna <werner@dewrico.com> wrote:
>
> > Hello Radek,
> >
> > I am running Redmine on OpenBSD 6.8 and I just followed the installation
> > instructions posted on the Redmine page which are quite complete:
> >
> > https://www.redmine.org/projects/redmine/wiki/Installation_Guide
> >
> > I installed Postgres and Ruby+Dependencies from the OpenBSD packages.
> >
> > Werner
> >
> > On 11/10/21 00:56, Radek wrote:
> >
> > Hi @misc,
> > Does anyone successfully run redmine[1] on OpenBSD?
> > I'd like to install redmine on 7.0/amd64 with httpd and postgresql. I've never done it before so any advice and hints would be appreciated.
> > There isn't much up to date info in google about it[2][3].
> >
> > 1. https://www.redmine.org/
> > 2. https://www.redmine.org/boards/2/topics/496
> > 3. https://web.archive.org/web/20160406041905/http://www.iwebdev.it/blog/?p=229
> > Thank you!
>
>
> --
> Radek
>
--
Radek
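Added example (not part of the mail above, nor taken from the guides it cites): in the posted setup the TLS relay hands the request to Puma's plain-HTTP listener on port 3001, so Rails sees an http:// request. With config.force_ssl = true Rails answers with a redirect to https://redmine.MY.DOMAIN.COM/..., relayd terminates TLS again, forwards to 3001 again, and the browser reports a redirect loop. Rack (and therefore Rails' force_ssl check, request.ssl?) treats a request as TLS when the X-Forwarded-Proto header says https, so the reverse proxy has to set that header on its TLS relay. The block below is the "https" protocol from the posted /etc/relayd.conf with that one line added; hostnames, table names and ports are the ones from the post, and the assumption is that the loop really is this force_ssl round trip and not something in the httpd redirect.

```conf
# /etc/relayd.conf -- "https" protocol, corrected (example, assumes the
# rest of the file is as posted above)
http protocol "https" {
        pass request header "Host" value "redmine.MY.DOMAIN.COM" forward to <redminepk>
        tls keypair "redmine.MY.DOMAIN.COM"

        # Tell Rack/Rails the client connection was TLS so force_ssl is
        # satisfied. Use "set", not "append": it overwrites any value the
        # client sent itself, so only the proxy decides what Rails sees.
        match request header set "X-Forwarded-Proto" value "https"

        # Preserve address headers
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"
        match response header remove "Server"
}
```

After `relayctl reload`, a quick check is `curl -sSI https://redmine.MY.DOMAIN.COM/`: the first response should be the application's 200 (or Redmine's own login redirect), not a 302 whose Location is the same URL you requested. The alternative is to forward the https relay to Puma's ssl_bind listener on port 3000 instead of 3001 (relayd can re-encrypt with `forward with tls to`), in which case Puma sees TLS directly; that avoids relying on a forwarded header but costs a second TLS handshake per request.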