Rundeck – Nginx as SSL reverse proxy

Posted: December 14, 2018 in RunDeck

In a previous post we installed Rundeck; in this one we'll access Rundeck by typing https://FQDN, without specifying a port number.

rundeck.test.com is specified as the server name in the Rundeck properties. Before we start, nginx needs to be installed.

Install nginx:

yum install nginx

Create a self-signed SSL certificate:

cd /etc/nginx
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/rundeck.key -out /etc/nginx/rundeck.crt

Generating a 2048 bit RSA private key
.....................................+++
.........................................................+++
writing new private key to '/etc/nginx/rundeck.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Zemoon
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:rundeck.test.com
Email Address []:

Make sure the Rundeck FQDN (submitted during SSL certificate creation) is resolvable.

cat /etc/nginx/conf.d/rundeck.conf
server {
    listen 443 ssl;  # the ssl parameter enables TLS on this listener
    server_name rundeck.test.com; # Replace it with your Subdomain

    access_log /var/log/nginx/rundeck.yallalabs.local.access.log;

    ssl_certificate /etc/nginx/rundeck.crt;
    ssl_certificate_key /etc/nginx/rundeck.key;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        #add_header Front-End-Https on;
        # Pass the original host, client address and scheme to Rundeck
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://rundeck.test.com:4440;
        proxy_read_timeout 90;

        # Rewrite redirects issued by the backend so clients stay on https
        proxy_redirect http://rundeck.test.com:4440 https://rundeck.test.com; # Replace it with your Subdomain
    }
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name rundeck.test.com; # Replace it with your Subdomain
    return 301 https://$host$request_uri;
}

cat /etc/rundeck/framework.properties
# framework.properties -
#

# ----------------------------------------------------------------
# Rundeck server connection information
# ----------------------------------------------------------------

framework.server.name = rundeck.test.com
framework.server.hostname = rundeck.test.com
framework.server.port = 4440
framework.server.url = https://rundeck.test.com

# ----------------------------------------------------------------
# Installation locations
# ----------------------------------------------------------------

rdeck.base=/var/lib/rundeck

framework.projects.dir=/var/rundeck/projects
framework.etc.dir=/etc/rundeck
framework.var.dir=/var/lib/rundeck/var
framework.tmp.dir=/var/lib/rundeck/var/tmp
framework.logs.dir=/var/lib/rundeck/logs
framework.libext.dir=/var/lib/rundeck/libext

# ----------------------------------------------------------------
# SSH defaults for node executor and file copier
# ----------------------------------------------------------------

framework.ssh.keypath = /var/lib/rundeck/.ssh/id_rsa
framework.ssh.user = rundeck

# ssh connection timeout after a specified number of milliseconds.
# "0" value means wait forever.
framework.ssh.timeout = 0
# ----------------------------------------------------------------
# Auto generated server UUID: 391d3428-9a67-44d9-9d55-9427b52387c0
# ----------------------------------------------------------------
rundeck.server.uuid = 391d3428-9a67-44d9-9d55-9427b52387c0

cat /etc/rundeck/rundeck-config.properties
#loglevel.default is the default log level for jobs: ERROR,WARN,INFO,VERBOSE,DEBUG
loglevel.default=INFO
rdeck.base=/var/lib/rundeck

#rss.enabled if set to true enables RSS feeds that are public (non-authenticated)
rss.enabled=false
# change hostname here
grails.serverURL=https://rundeck.test.com
dataSource.dbCreate = update
dataSource.url = jdbc:h2:file:/var/lib/rundeck/data/rundeckdb;MVCC=true
rundeck.log4j.config.file = /etc/rundeck/log4j.properties

Restart nginx and rundeckd:

systemctl restart nginx && systemctl restart rundeckd

If all is fine, Rundeck should be accessible from https://rundeck.test.com
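The setup only works when the nginx server_name, framework.server.url, grails.serverURL and the proxied port all agree. The script below is an added example, not part of the original post: it cross-checks the three files and also flags ssl_protocols lines that still offer TLSv1 or TLSv1.1. The function names and the sample files written by write_sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Value of KEY in a Java properties file ("key = value" or "key=value").
prop() {  # args: FILE KEY
  awk -v k="$2" '{ key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key) }
    key == k { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); out = v }
    END { print out }' "$1"
}

# First argument of each "NAME arg ...;" line in an nginx config.
directive() {  # args: FILE NAME
  awk -v d="$2" '$1 == d { v = $2; sub(/;.*/, "", v); print v }' "$1"
}

# Prints one line per problem; exit status is 0 only if everything agrees.
# The ( ) body runs in a subshell, so the helper variables stay local.
check_rundeck_proxy() (  # args: NGINX_CONF FRAMEWORK_PROPS CONFIG_PROPS
  rc=0
  problem() { echo "PROBLEM: $*"; rc=1; }
  fqdn=$(directive "$1" server_name | sort -u)
  port=$(prop "$2" framework.server.port)
  fw_url=$(prop "$2" framework.server.url)
  grails_url=$(prop "$3" grails.serverURL)
  upstream=$(directive "$1" proxy_pass)

  [ "$(printf '%s\n' "$fqdn" | wc -l)" -eq 1 ] || problem "server blocks disagree on server_name"
  [ "$fw_url" = "https://$fqdn" ] || problem "framework.server.url is '$fw_url'"
  [ "$grails_url" = "https://$fqdn" ] || problem "grails.serverURL is '$grails_url'"
  case $upstream in
    http://*:"$port") ;;
    *) problem "proxy_pass '$upstream' does not use framework.server.port '$port'" ;;
  esac
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$1"; then
    problem "ssl_protocols still offers TLSv1 or TLSv1.1"
  fi
  exit "$rc"
)

# Constructed sample files (values mirror the post) so the check runs offline.
write_sample() {  # arg: DIR
  printf '%s\n' 'server {' 'listen 443 ssl;' 'server_name rundeck.test.com;' \
    'ssl_protocols TLSv1.2;' 'location / {' 'proxy_pass http://rundeck.test.com:4440;' \
    '}' '}' 'server {' 'listen 80;' 'server_name rundeck.test.com;' '}' > "$1/rundeck.conf"
  printf '%s\n' 'framework.server.port = 4440' \
    'framework.server.url = https://rundeck.test.com' > "$1/framework.properties"
  printf '%s\n' 'grails.serverURL=https://rundeck.test.com' > "$1/rundeck-config.properties"
}

d=$(mktemp -d) && write_sample "$d" && check_rundeck_proxy "$d/rundeck.conf" \
  "$d/framework.properties" "$d/rundeck-config.properties" && echo "consistent"
```

On a real host, pass /etc/nginx/conf.d/rundeck.conf, /etc/rundeck/framework.properties and /etc/rundeck/rundeck-config.properties to check_rundeck_proxy before restarting the services.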
