Tag: openssl

Errbit + HTTPS: Setting up Errbit reporter (Airbrake v4 gem) to work with self-signed HTTPS Errbit

Warning: This post is outdated and this fix works only with the old Airbrake version (v4); it does not work with the v5 version of the Airbrake notifier. If you're looking for a solution for Airbrake v5, please refer to this post: Errbit + HTTPS: Setting up Errbit reporter (Airbrake v5 gem) to work with self-signed HTTPS certificate

Having an error catcher like Errbit behind SSL is generally a good idea, especially when Errbit is hosted on a different server than your application (for example, when you manage multiple apps with one Errbit instance). In many cases you will have a self-signed certificate (why would you pay for a cert for an internal tool?). If you try to use it with Airbrake, you will see the following error:

2.1.0 :002 > Airbrake.notify Exception.new('test')
** [Airbrake] Unable to contact the Airbrake server. HTTP Error=SSL_connect 
   returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
** [Airbrake] Environment Info: [Ruby: 2.1.0] [Rails: 4.0.4] [Env: production]
** [Airbrake] Failure: NilClass
** [Airbrake] Environment Info: [Ruby: 2.1.0] [Rails: 4.0.4] [Env: production]
** [Airbrake] Notice details: 
  exception: test
  api_key: key
  backtrace: (irb):2:in `irb_binding'
/lib/ruby/2.1.0/irb/workspace.rb:86:in `eval'
/lib/ruby/2.1.0/irb/workspace.rb:86:in `evaluate'
/lib/ruby/2.1.0/irb/context.rb:380:in `evaluate'
/lib/ruby/2.1.0/irb.rb:492:in `block (2 levels) in eval_input'
/lib/ruby/2.1.0/irb.rb:624:in `signal_status'
/lib/ruby/2.1.0/irb.rb:489:in `block in eval_input'
/lib/ruby/2.1.0/irb/ruby-lex.rb:247:in `block (2 levels) in each_top_level_statement'
/lib/ruby/2.1.0/irb/ruby-lex.rb:233:in `loop'
/lib/ruby/2.1.0/irb/ruby-lex.rb:233:in `block in each_top_level_statement'
/lib/ruby/2.1.0/irb/ruby-lex.rb:232:in `catch'
/lib/ruby/2.1.0/irb/ruby-lex.rb:232:in `each_top_level_statement'
/lib/ruby/2.1.0/irb.rb:488:in `eval_input'
/lib/ruby/2.1.0/irb.rb:397:in `block in start'
/lib/ruby/2.1.0/irb.rb:396:in `catch'
/lib/ruby/2.1.0/irb.rb:396:in `start'
[GEM_ROOT]/gems/railties-4.0.4/lib/rails/commands/console.rb:90:in `start'
[GEM_ROOT]/gems/railties-4.0.4/lib/rails/commands/console.rb:9:in `start'
[GEM_ROOT]/gems/railties-4.0.4/lib/rails/commands.rb:62:in `<top (required)>'
bin/rails:4:in `require'
bin/rails:4:in `<main>'

In order to make it work you need to disable SSL verification for Ruby:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

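Keep in mind that this reassigns a constant in Ruby's OpenSSL module, so it disables certificate verification for every other library in the same process that relies on VERIFY_PEER, not just Airbrake. Those connections are still encrypted, but the server on the other end is no longer authenticated.

The whole Errbit config should look like this: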

Airbrake.configure do |config|
  config.api_key = 'api_key'
  config.host    = 'errbit.domain'
  config.port    = 443
  config.secure  = true
  config.ignore_only = ['ActiveRecord::RecordNotFound']
end if Rails.env.production?

# Process-wide: every TLS client that uses VERIFY_PEER now skips certificate verification
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
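
An alternative that keeps verification on, shown as an added example (not code from the original post or from the Airbrake gem): trust only the Errbit server's self-signed certificate for that one connection instead of redefining VERIFY_PEER for the whole process. The certificates are generated in-process as constructed stand-ins, the helper names are hypothetical, and wiring the client into the Airbrake v4 gem is not shown.

```ruby
require 'openssl'
require 'net/http'

# Constructed stand-in for the server's self-signed certificate. In practice,
# load the real one: OpenSSL::X509::Certificate.new(File.read(path_to_pem)).
def self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # returns the certificate
end

# Trust store holding only the Errbit certificate (no system CAs).
def pinned_store(cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  store
end

# HTTPS client that still verifies the peer, but only against the pinned store.
def pinned_http(host, store, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = store
  http
end

errbit_cert = self_signed_cert('errbit.domain')
other_cert  = self_signed_cert('errbit.domain') # same name, different key
store       = pinned_store(errbit_cert)
http        = pinned_http('errbit.domain', store)

puts "pinned cert accepted: #{store.verify(errbit_cert)}"
puts "other cert accepted:  #{store.verify(other_cert)}"
puts "client verifies peer: #{http.verify_mode == OpenSSL::SSL::VERIFY_PEER}"
```

With VERIFY_NONE both certificates would be accepted; with the pinned store only the certificate you installed on the Errbit server passes.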

Jenkins behind Apache with HTTPS – Proxy pass with SSL

Jenkins is an awesome integration server that can be used for free. However, having it on a non-standard www port, without SSL, might be a problem. Accessing it from a public network might create a security threat. If you've got Apache in front of your server, you can easily provide a secured proxy to Jenkins.

To do so, you need to create a VirtualHost for Apache that contains both the proxy and SSL. It would also be wise to redirect standard HTTP requests.

VirtualHost to redirect from HTTP to HTTPS

So, first let's create our HTTP VirtualHost and redirect it to the HTTPS version:

<VirtualHost *:80>
  ServerName jenkins.my.domain
  ServerAlias www.jenkins.my.domain

  RewriteEngine on
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

SSL keys

To get things started, we will need a key. To generate it, follow the steps below (as root):

sudo su # or any other way to be a root
cd /etc/apache2/
mkdir ssl
cd ssl/
mkdir crt
mkdir key
# -nodes writes the private key unencrypted, so keep key/ readable by root only
openssl req -new -x509 -days 365 -keyout key/jenkins.key -out crt/jenkins.crt -nodes -subj '/O=Jenkins/OU=Jenkins/CN=jenkins.my.domain'

Just remember to replace all the domain references from "jenkins.my.domain" to an appropriate one. After you execute the above commands, you should have an SSL key and an SSL certificate generated.

Installing the necessary Apache mods

To create an SSL proxy pass we need to enable some Apache mods (still as root):

a2enmod proxy
a2enmod proxy_http
a2enmod rewrite
a2enmod ssl

/etc/init.d/apache2 restart

HTTPS Jenkins Virtual Host

And finally, the virtual host for the secured Jenkins proxy pass:

<VirtualHost *:443>
  ServerName jenkins.my.domain
  ServerAlias www.jenkins.my.domain

  SSLEngine On
  # Paths match the files generated by the openssl command above
  SSLCertificateFile    /etc/apache2/ssl/crt/jenkins.crt
  SSLCertificateKeyFile /etc/apache2/ssl/key/jenkins.key

  ProxyRequests     Off
  ProxyPass         /  http://localhost:8080/
  ProxyPassReverse  /  http://localhost:8080/
  ProxyPassReverse  /  http://my.jenkins.host/
  <Proxy http://localhost:8080/*>
    # Apache 2.2 access syntax; on Apache 2.4 use "Require all granted"
    Order allow,deny
    Allow from all
  </Proxy>
  ProxyPreserveHost on
</VirtualHost>

Copyright © 2024 Closer to Code