RT 3.8.11 with nginx+SSL

Hi RT Community,

I am trying to set up RT 3.8.11 to use nginx and FastCGI and
an encrypted HTTPS connection instead of the unencrypted HTTP
connection. I took a look at the RT-Extension-Nginx-0.02
module but it only works with RT4, so I used it as a template
and manually generated the following configuration files:

fastcgi.include.conf:
fastcgi_pass unix:/etc/nginx/fcgi.sock;
fastcgi_param SCRIPT_NAME "";
fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

rt.server.conf
server {
server_name rt2.rice.edu;
listen 8443;
ssl on;
ssl_certificate /etc/pki/tls/certs/help_rice_edu_all.cer;
ssl_certificate_key /etc/pki/tls/private/help_rice_edu.key;

root         /usr/site/rt/var/mason_data;

access_log /var/log/nginx/nginx.access.log;

gzip             on;
gzip_min_length  500;
gzip_proxied     any;
gzip_types
    text/plain text/css
    application/x-javascript application/javascript
;
gzip_disable     "MSIE [1-6]\.";

location /NoAuth/images/ {
    root /usr/site/rt;
    try_files
        local/html$uri
        #<% join ' ', map "$_\$uri", map File::Spec->abs2rel($_, $RT::BasePath), RT->PluginDirs('html') %>
        local/plugins/RT-Extension-CloneTicket-WithData/html$uri
        local/plugins/RT-IR/html$uri
        local/plugins/RT-Authen-ExternalAuth/html$uri
        local/plugins/RT-Extension-MobileUI/html$uri
        local/plugins/RTx-Calendar/html$uri
        local/plugins/RTx-EmailCompletion/html$uri
        local/plugins/RT-FM/html$uri
        local/plugins/RT-Extension-ToggleSuperUser/html$uri
        local/plugins/RT-Extension-SpawnLinkedTicketInQueue/html$uri
        local/plugins/RT-Extension-SearchResults-XLS/html$uri
        local/plugins/RTx-AssetTracker/html$uri
        local/plugins/RT-Extension-SummaryByUser/html$uri
        local/plugins/RT-Extension-MandatorySubject/html$uri
        #<% join ' ', map "$_\$uri", map File::Spec->abs2rel($_, $RT::BasePath), RT->PluginDirs('html') %>
        share/html$uri
        @main
    ;
    expires 1M;
}
location /NoAuth/css/ {
    root /var/opt/fcgi_storage;
    gzip_comp_level 9;
    expires 1M;
    location ~ squished {
        expires max;
    }
    error_page 404 = @fetch_and_store;
}
location /NoAuth/js/ {
    root /var/opt/fcgi_storage;
    gzip_comp_level 9;
    expires 1M;
    location ~ squished {
        expires max;
    }
    error_page 404 = @fetch_and_store;
}
location /NoAuth/RichText/ {
    root /var/opt/fcgi_storage;
    gzip_comp_level 9;
    error_page 404 = @fetch_and_store;
    expires 1M;
}
location / {
    include /etc/nginx/fcgi.include.conf;
}

location @main {
    include /etc/nginx/fcgi.include.conf;
}
location @fetch_and_store {
    include /etc/nginx/fcgi.include.conf;

    root /var/opt/fcgi_storage;
    fastcgi_store          on;
    fastcgi_store_access   user:rw  group:rw  all:r;
    fastcgi_temp_path      /var/opt/fcgi_temp;
}

}

nginx.conf:
user rt rt;

pid /var/run/nginx.pid;
error_log /var/log/nginx/nginx.error.log debug;

worker_processes 1;
events {
worker_connections 128;
}

http {
include /etc/nginx/mime.types;
include /etc/nginx/rt.server.conf;
}

It all works using normal HTTP on port 8080 without the ssl*
options. When I add the ssl* options, the login screen comes
up correctly, but after I login I get the following error:

400 Bad Request
The plain HTTP request was sent to HTTPS port

and the URL is http://rt2.rice.edu:8443 and not the https
version. If I change the URL manually from http to https
I have logged in. If I try to reply to a ticket, after I click
update, it again goes to the http version of the URL and not
the https version.

Does anyone have any idea about what I am missing?

Regards,
Ken

Stab in the dark: have you changed $WebBaseURL ?
Gerard

On 2012-03-02 15:35, ktm@rice.edu wrote:

[original post quoted in full; omitted here]

Gerard FENELON wrote:

Stab in the dark: have you changed $WebBaseURL ?

Ken @ rice.edu wrote:

and the URL is http://rt2.rice.edu:8443 and not the https
version. If I change the URL manually from http to https
I have logged in. If I try to reply to a ticket, after I click
update, it again goes to the http version of the URL and not
the https version.

Gerard nailed it. :) Normally you shouldn't set WebBaseURL yourself,
but when running SSL on a non-standard (not 443) port, you need to.

For reference, quoting from RT_Config.pm:

=item C<$WebBaseURL>, C<$WebURL>

Usually you don’t want to set these options. The only obvious reason
is if RT is accessible via https protocol on a non standard port, e.g.
'https://rt.example.com:9999'. In all other cases these options are
computed using C<$WebDomain>, C<$WebPort> and C<$WebPath>.

You probably want something like:

Set($WebDomain, 'rt2.rice.edu');
Set($WebPort, 8443);
Set($WebBaseURL, 'https://rt2.rice.edu:8443');

Alternatively, you could be slightly more clever:

Set($WebBaseURL,
    sprintf('https://%s:%d',
        map { RT->Config->Get("Web$_") } qw(Domain Port)));

Stab in the dark: have you changed $WebBaseURL ?
Gerard

Yes, the $WebBaseURL is set to https://rt2.rice.edu.

Cheers,
Ken

Stab in the dark: have you changed $WebBaseURL ?
Gerard

Yes, the $WebBaseURL is set to https://rt2.rice.edu.

Are you reverse proxying to nginx?

You probably want something like:

Set($WebDomain, 'rt2.rice.edu');
Set($WebPort, 8443);
Set($WebBaseURL, 'https://rt2.rice.edu:8443');

Alternatively, you could be slightly more clever:

Set($WebBaseURL,
    sprintf('https://%s:%d',
        map { RT->Config->Get("Web$_") } qw(Domain Port)));

I am trying to get the nginx+fastcgi+SSL on a non-standard port running
at the same time as the currently installed Apache+mod_perl2+SSL on the
standard ports (80, 443). I used the WebBaseURL above and the Apache
instance works but the nginx still has the http problem.

Ken

I am trying to get the nginx+fastcgi+SSL on a non-standard port running
at the same time as the currently installed Apache+mod_perl2+SSL on the
standard ports (80, 443). I used the WebBaseURL above and the Apache
instance works but the nginx still has the http problem.

Just so we’re on the same page, what’s your RT_SiteConfig.pm for the
nginx RT?

Yes, the $WebBaseURL is set to https://rt2.rice.edu.

Are you reverse proxying to nginx?

I do not think so. The only configs are the ones I included in my
first post.

Then that WebBaseURL is wrong for your nginx setup (https without a port
implies 443).

My “clever” WebBaseURL line from my first mail still requires you set
WebDomain and WebPort as in the “non-clever” example config right above it.

Just so we’re on the same page, what’s your RT_SiteConfig.pm for the
nginx RT?

I am using the same one as the Apache+mod_perl2+SSL instance and just
starting the mason_handler.fcgi with nginx.

Ken

Just so we’re on the same page, what’s your RT_SiteConfig.pm for the
nginx RT?

Is there a way to specify an FCGI-specific RT_SiteConfig.pm, to use when
starting the FCGI processes?

Ken

I am using the same one as the Apache+mod_perl2+SSL instance and just
starting the mason_handler.fcgi with nginx.

Er, that’s not going to work sometimes because you’re running on
different ports under nginx. RT will try to use the host and port it’s
being accessed at, but it can’t always get it right. This may help fix
it without using a separate config:

fastcgi_param HTTPS on;

Add that to your other fastcgi_param lines.
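The two fixes discussed in this thread (an explicit $WebBaseURL whose port matches the listener, and `fastcgi_param HTTPS on;` so the FastCGI worker can see that the request was TLS-terminated) both address the same gap: a FastCGI application only learns the scheme through the CGI environment, and nginx does not export HTTPS unless told to, so the app builds http://host:8443 links and redirects, which the ssl listener then rejects with the 400 seen above. The following is an added example, not code from RT or from nginx, that replays that failure offline. It parses a constructed copy of the fastcgi include (trimmed to the parameters that matter), substitutes the values nginx would supply for one request, derives the base URL the way a CGI-convention app does (HTTPS=on means TLS; default ports are omitted), and checks the result against the listener. The precedence rule in `diagnose` (explicit base URL first, otherwise compute from the request) is this example's own model of the advice in the thread, not RT's implementation; all names and sample values are assumptions.

```python
"""Added example: why an RT/FastCGI worker behind nginx emitted http:// links
on an https listener, and what `fastcgi_param HTTPS on;` changes."""
import re
from urllib.parse import urlsplit

# Constructed sample input: the fastcgi include from the original post,
# trimmed to the parameters relevant to URL generation, before and after
# the fix proposed in the thread.
FCGI_INCLUDE_BEFORE = """\
fastcgi_pass unix:/etc/nginx/fcgi.sock;
fastcgi_param SCRIPT_NAME "";
fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param SERVER_PORT $server_port;
"""
FCGI_INCLUDE_AFTER = FCGI_INCLUDE_BEFORE + "fastcgi_param HTTPS on;\n"

# What nginx would substitute for one request to the TLS listener (constructed).
NGINX_VARS = {
    "$fastcgi_script_name": "/Ticket/Display.html",
    "$server_protocol": "HTTP/1.1",
    "$server_name": "rt2.rice.edu",
    "$server_port": "8443",
}

_PARAM_RE = re.compile(r"^fastcgi_param\s+(\S+)\s+(.*)$")


def fastcgi_env(include_text, nginx_vars):
    """Build the CGI-style environment the FastCGI worker receives from the
    fastcgi_param lines of an include file. nginx syntax is approximated:
    '#' starts a comment, ';' ends a directive, values may be double-quoted."""
    env = {}
    for raw in include_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        m = _PARAM_RE.match(line)
        if not m:
            continue  # fastcgi_pass and anything else is not a parameter
        name, value = m.group(1), m.group(2).strip().strip('"')
        for var, val in nginx_vars.items():
            value = value.replace(var, val)
        env[name] = value
    return env


def request_is_https(env):
    """CGI convention (mod_ssl, CGI.pm, RT's mason handler): the request was
    TLS only if the web server exports HTTPS=on. Otherwise: plain HTTP."""
    return env.get("HTTPS", "").lower() in ("on", "1", "yes")


def computed_base_url(env):
    """Base URL an app derives from the request when no explicit WebBaseURL
    is configured. Default ports (80/443) are omitted from the URL."""
    scheme = "https" if request_is_https(env) else "http"
    default_port = 443 if scheme == "https" else 80
    port = int(env.get("SERVER_PORT", default_port))
    host = env["SERVER_NAME"]
    return f"{scheme}://{host}" + ("" if port == default_port else f":{port}")


def implied_port(base_url):
    """Port a configured WebBaseURL implies: https with no explicit port means
    443, which is why 'https://rt2.rice.edu' was wrong for an 8443 listener."""
    parts = urlsplit(base_url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def nginx_rejects_as_plain_http(url, tls_port):
    """True when following this URL sends a plain HTTP request to the ssl
    listener, which nginx answers with '400 Bad Request: The plain HTTP
    request was sent to HTTPS port'."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.port == tls_port


def diagnose(include_text, nginx_vars, tls_port, web_base_url=None):
    """One-line verdict for a fastcgi include plus (optional) WebBaseURL.
    Precedence here is this example's model: an explicit WebBaseURL wins,
    otherwise the URL is computed from the request environment."""
    env = fastcgi_env(include_text, nginx_vars)
    if web_base_url and implied_port(web_base_url) != tls_port:
        return (f"WebBaseURL {web_base_url} implies port "
                f"{implied_port(web_base_url)}, listener is {tls_port}")
    base = web_base_url or computed_base_url(env)
    if nginx_rejects_as_plain_http(base, tls_port):
        return f"links will be {base}: plain HTTP to the TLS port (400)"
    return f"ok: links will be {base}"


if __name__ == "__main__":
    for label, text in (("before", FCGI_INCLUDE_BEFORE), ("after", FCGI_INCLUDE_AFTER)):
        print(label, "->", diagnose(text, NGINX_VARS, 8443))
    print("portless WebBaseURL ->",
          diagnose(FCGI_INCLUDE_AFTER, NGINX_VARS, 8443, "https://rt2.rice.edu"))
```

The same blind spot affects any scheme-dependent decision the application makes, not only link generation, so when nginx terminates TLS for a FastCGI backend, exporting HTTPS (or an equivalent the application reads) belongs in the include alongside SERVER_PORT, regardless of whether the base URL is also pinned in RT_SiteConfig.pm.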

fastcgi_param HTTPS on;

Add that to your other fastcgi_param lines.

That did it! Thank you.

Cheers,
Ken