Re: [rt-users] RT 3.8.11 with nginx+SSL
Stab in the dark: have you changed $WebBaseURL ?

Gerard

On 2012-03-02 15:35, k...@rice.edu wrote:
> Hi RT Community,
>
> I am trying to set up RT 3.8.11 to use nginx and FastCGI and an
> encrypted HTTPS connection instead of the unencrypted HTTP connection.
> I took a look at the RT-Extension-Nginx-0.02 module but it only works
> with RT4, so I used it as a template and manually generated the
> following configuration files:
>
> fastcgi.include.conf:
>
>     fastcgi_pass unix:/etc/nginx/fcgi.sock;
>     fastcgi_param SCRIPT_NAME "";
>     fastcgi_param PATH_INFO $fastcgi_script_name;
>     fastcgi_param QUERY_STRING $query_string;
>     fastcgi_param REQUEST_METHOD $request_method;
>     fastcgi_param CONTENT_TYPE $content_type;
>     fastcgi_param CONTENT_LENGTH $content_length;
>     fastcgi_param REQUEST_URI $request_uri;
>     fastcgi_param SERVER_PROTOCOL $server_protocol;
>     fastcgi_param REMOTE_ADDR $remote_addr;
>     fastcgi_param REMOTE_PORT $remote_port;
>     fastcgi_param SERVER_ADDR $server_addr;
>     fastcgi_param SERVER_PORT $server_port;
>     fastcgi_param SERVER_NAME $server_name;
>
> rt.server.conf
>
>     server {
>         server_name rt2.rice.edu;
>         listen 8443;
>         ssl on;
>         ssl_certificate /etc/pki/tls/certs/help_rice_edu_all.cer;
>         ssl_certificate_key /etc/pki/tls/private/help_rice_edu.key;
>         root /usr/site/rt/var/mason_data;
>         access_log /var/log/nginx/nginx.access.log;
>
>         gzip on;
>         gzip_min_length 500;
>         gzip_proxied any;
>         gzip_types text/plain text/css application/x-javascript application/javascript ;
>         gzip_disable "MSIE [1-6]\.";
>
>         location /NoAuth/images/ {
>             root /usr/site/rt;
>             try_files
>                 local/html$uri
>                 #% join ' ', map $_\$uri, map File::Spec->abs2rel($_, $RT::BasePath), RT->PluginDirs('html') %
>                 local/plugins/RT-Extension-CloneTicket-WithData/html$uri
>                 local/plugins/RT-IR/html$uri
>                 local/plugins/RT-Authen-ExternalAuth/html$uri
>                 local/plugins/RT-Extension-MobileUI/html$uri
>                 local/plugins/RTx-Calendar/html$uri
>                 local/plugins/RTx-EmailCompletion/html$uri
>                 local/plugins/RT-FM/html$uri
>                 local/plugins/RT-Extension-ToggleSuperUser/html$uri
>                 local/plugins/RT-Extension-SpawnLinkedTicketInQueue/html$uri
>                 local/plugins/RT-Extension-SearchResults-XLS/html$uri
>                 local/plugins/RTx-AssetTracker/html$uri
>                 local/plugins/RT-Extension-SummaryByUser/html$uri
>                 local/plugins/RT-Extension-MandatorySubject/html$uri
>                 #% join ' ', map $_\$uri, map File::Spec->abs2rel($_, $RT::BasePath), RT->PluginDirs('html') %
>                 share/html$uri
>                 @main
>                 ;
>             expires 1M;
>         }
>
>         location /NoAuth/css/ {
>             root /var/opt/fcgi_storage;
>             gzip_comp_level 9;
>             expires 1M;
>             location ~ squished {
>                 expires max;
>             }
>             error_page 404 = @fetch_and_store;
>         }
>
>         location /NoAuth/js/ {
>             root /var/opt/fcgi_storage;
>             gzip_comp_level 9;
>             expires 1M;
>             location ~ squished {
>                 expires max;
>             }
>             error_page 404 = @fetch_and_store;
>         }
>
>         location /NoAuth/RichText/ {
>             root /var/opt/fcgi_storage;
>             gzip_comp_level 9;
>             error_page 404 = @fetch_and_store;
>             expires 1M;
>         }
>
>         location / {
>             include /etc/nginx/fcgi.include.conf;
>         }
>
>         location @main {
>             include /etc/nginx/fcgi.include.conf;
>         }
>
>         location @fetch_and_store {
>             include /etc/nginx/fcgi.include.conf;
>             root /var/opt/fcgi_storage;
>             fastcgi_store on;
>             fastcgi_store_access user:rw group:rw all:r;
>             fastcgi_temp_path /var/opt/fcgi_temp;
>         }
>     }
>
> nginx.conf:
>
>     user rt rt;
>     pid /var/run/nginx.pid;
>     error_log /var/log/nginx/nginx.error.log debug;
>     worker_processes 1;
>     events {
>         worker_connections 128;
>     }
>     http {
>         include /etc/nginx/mime.types;
>         include /etc/nginx/rt.server.conf;
>     }
>
> It all works using normal HTTP on port 8080 without the ssl* options.
> When I add the ssl* options, the login screen comes up correctly, but
> after I log in I get the following error:
>
>     400 Bad Request
>     The plain HTTP request was sent to HTTPS port
>
> and the URL is http://rt2.rice.edu:8443 and not the https version. If I
> change the URL manually from http to https I have logged in. If I try
> to reply to a ticket, after I click update, it again goes to the http
> version of the URL and not the https version.
>
> Does anyone have any idea about what I am missing?
>
> Regards,
> Ken

RT Training Sessions (http://bestpractical.com/services/training.html) * Boston March 5 6, 2012
Re: [rt-users] RT 3.8.11 with nginx+SSL
Gerard FENELON wrote:
> Stab in the dark: have you changed $WebBaseURL ?

Ken @ rice.edu wrote:
> and the URL is http://rt2.rice.edu:8443 and not the https version. If I
> change the URL manually from http to https I have logged in. If I try
> to reply to a ticket, after I click update, it again goes to the http
> version of the URL and not the https version.

Gerard nailed it. :) Normally you shouldn't set WebBaseURL yourself,
but when running SSL on a non-standard (not 443) port, you need to.
For reference, quoting from RT_Config.pm:

    =item C<$WebBaseURL>, C<$WebURL>

    Usually you don't want to set these options. The only obvious reason
    is if RT is accessible via https protocol on a non standard port,
    e.g. 'https://rt.example.com:'. In all other cases these options are
    computed using C<$WebDomain>, C<$WebPort> and C<$WebPath>.

You probably want something like:

    Set($WebDomain, 'rt2.rice.edu');
    Set($WebPort, 8443);
    Set($WebBaseURL, 'https://rt2.rice.edu:8443');

Alternatively, you could be slightly more clever:

    Set($WebBaseURL, sprintf('https://%s:%d', map { RT->Config->Get("Web$_") } qw(Domain Port)));
Re: [rt-users] RT 3.8.11 with nginx+SSL
On Fri, Mar 02, 2012 at 03:43:45PM +0100, Gerard FENELON wrote:
> Stab in the dark: have you changed $WebBaseURL ?
>
> Gerard

Yes, the $WebBaseURL is set to https://rt2.rice.edu.

Cheers,
Ken
Re: [rt-users] RT 3.8.11 with nginx+SSL
On 03/02/2012 10:06 AM, k...@rice.edu wrote:
> On Fri, Mar 02, 2012 at 03:43:45PM +0100, Gerard FENELON wrote:
>> Stab in the dark: have you changed $WebBaseURL ?
>>
>> Gerard
>
> Yes, the $WebBaseURL is set to https://rt2.rice.edu.

Are you reverse proxying to nginx?
Re: [rt-users] RT 3.8.11 with nginx+SSL
On Fri, Mar 02, 2012 at 10:00:50AM -0500, Thomas Sibley wrote:
> Gerard FENELON wrote:
>> Stab in the dark: have you changed $WebBaseURL ?
>
> Ken @ rice.edu wrote:
>> and the URL is http://rt2.rice.edu:8443 and not the https version. If
>> I change the URL manually from http to https I have logged in. If I
>> try to reply to a ticket, after I click update, it again goes to the
>> http version of the URL and not the https version.
>
> Gerard nailed it. :) Normally you shouldn't set WebBaseURL yourself,
> but when running SSL on a non-standard (not 443) port, you need to.
> For reference, quoting from RT_Config.pm:
>
>     =item C<$WebBaseURL>, C<$WebURL>
>
>     Usually you don't want to set these options. The only obvious
>     reason is if RT is accessible via https protocol on a non standard
>     port, e.g. 'https://rt.example.com:'. In all other cases these
>     options are computed using C<$WebDomain>, C<$WebPort> and
>     C<$WebPath>.
>
> You probably want something like:
>
>     Set($WebDomain, 'rt2.rice.edu');
>     Set($WebPort, 8443);
>     Set($WebBaseURL, 'https://rt2.rice.edu:8443');
>
> Alternatively, you could be slightly more clever:
>
>     Set($WebBaseURL, sprintf('https://%s:%d', map { RT->Config->Get("Web$_") } qw(Domain Port)));

I am trying to get the nginx+fastcgi+SSL on a non-standard port running
at the same time as the currently installed Apache+mod_perl2+SSL on the
standard ports (80, 443). I used the WebBaseURL above and the Apache
instance works but the nginx still has the http problem.

Ken
Re: [rt-users] RT 3.8.11 with nginx+SSL
On 03/02/2012 10:15 AM, k...@rice.edu wrote:
>> You probably want something like:
>>
>>     Set($WebDomain, 'rt2.rice.edu');
>>     Set($WebPort, 8443);
>>     Set($WebBaseURL, 'https://rt2.rice.edu:8443');
>>
>> Alternatively, you could be slightly more clever:
>>
>>     Set($WebBaseURL, sprintf('https://%s:%d', map { RT->Config->Get("Web$_") } qw(Domain Port)));
>
> I am trying to get the nginx+fastcgi+SSL on a non-standard port running
> at the same time as the currently installed Apache+mod_perl2+SSL on the
> standard ports (80, 443). I used the WebBaseURL above and the Apache
> instance works but the nginx still has the http problem.

Just so we're on the same page, what's your RT_SiteConfig.pm for the
nginx RT?
Re: [rt-users] RT 3.8.11 with nginx+SSL
On 03/02/2012 10:16 AM, k...@rice.edu wrote:
>>> Yes, the $WebBaseURL is set to https://rt2.rice.edu.
>>
>> Are you reverse proxying to nginx?
>
> I do not think so. The only configs are the ones I included in my
> first post.

Then that WebBaseURL is wrong for your nginx setup (https without a
port implies 443).

My clever WebBaseURL line from my first mail still requires you set
WebDomain and WebPort as in the non-clever example config right above
it.
Re: [rt-users] RT 3.8.11 with nginx+SSL
On Fri, Mar 02, 2012 at 10:27:19AM -0500, Thomas Sibley wrote:
> On 03/02/2012 10:15 AM, k...@rice.edu wrote:
>>> You probably want something like:
>>>
>>>     Set($WebDomain, 'rt2.rice.edu');
>>>     Set($WebPort, 8443);
>>>     Set($WebBaseURL, 'https://rt2.rice.edu:8443');
>>>
>>> Alternatively, you could be slightly more clever:
>>>
>>>     Set($WebBaseURL, sprintf('https://%s:%d', map { RT->Config->Get("Web$_") } qw(Domain Port)));
>>
>> I am trying to get the nginx+fastcgi+SSL on a non-standard port
>> running at the same time as the currently installed
>> Apache+mod_perl2+SSL on the standard ports (80, 443). I used the
>> WebBaseURL above and the Apache instance works but the nginx still
>> has the http problem.
>
> Just so we're on the same page, what's your RT_SiteConfig.pm for the
> nginx RT?

I am using the same one as the Apache+mod_perl2+SSL instance and just
starting the mason_handler.fcgi with nginx.

Ken
Re: [rt-users] RT 3.8.11 with nginx+SSL
On Fri, Mar 02, 2012 at 10:27:19AM -0500, Thomas Sibley wrote:
> On 03/02/2012 10:15 AM, k...@rice.edu wrote:
>>> You probably want something like:
>>>
>>>     Set($WebDomain, 'rt2.rice.edu');
>>>     Set($WebPort, 8443);
>>>     Set($WebBaseURL, 'https://rt2.rice.edu:8443');
>>>
>>> Alternatively, you could be slightly more clever:
>>>
>>>     Set($WebBaseURL, sprintf('https://%s:%d', map { RT->Config->Get("Web$_") } qw(Domain Port)));
>>
>> I am trying to get the nginx+fastcgi+SSL on a non-standard port
>> running at the same time as the currently installed
>> Apache+mod_perl2+SSL on the standard ports (80, 443). I used the
>> WebBaseURL above and the Apache instance works but the nginx still
>> has the http problem.
>
> Just so we're on the same page, what's your RT_SiteConfig.pm for the
> nginx RT?

Is there a way to specify a FCGI specific RT_SiteConfig.pm, to use when
starting the FCGI processes?

Ken
Re: [rt-users] RT 3.8.11 with nginx+SSL
On 03/02/2012 10:30 AM, k...@rice.edu wrote:
> I am using the same one as the Apache+mod_perl2+SSL instance and just
> starting the mason_handler.fcgi with nginx.

Er, that's not going to work sometimes because you're running on
different ports under nginx. RT will try to use the host and port it's
being accessed at, but it can't always get it right.

This may help fix it without using a separate config:

    fastcgi_param HTTPS on;

Add that to your other fastcgi_param lines.
Re: [rt-users] RT 3.8.11 with nginx+SSL
On Fri, Mar 02, 2012 at 10:41:42AM -0500, Thomas Sibley wrote:
> On 03/02/2012 10:30 AM, k...@rice.edu wrote:
>> I am using the same one as the Apache+mod_perl2+SSL instance and just
>> starting the mason_handler.fcgi with nginx.
>
> Er, that's not going to work sometimes because you're running on
> different ports under nginx. RT will try to use the host and port it's
> being accessed at, but it can't always get it right.
>
> This may help fix it without using a separate config:
>
>     fastcgi_param HTTPS on;
>
> Add that to your other fastcgi_param lines.

That did it! Thank you.

Cheers,
Ken
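
Why "fastcgi_param HTTPS on;" resolved the redirect, as an added example that is not part of the thread and is not RT's code: a simplified model of how a CGI-style application picks the scheme for the URLs it emits from the FastCGI parameters alone. The function names, the set of accepted HTTPS values and the sample path are assumptions; the parameter values are constructed from the configuration posted in the first message.

```python
# Simplified model (assumption, not RT's implementation): the application
# never sees the TLS session, only the FastCGI parameters nginx passes in.

TRUTHY = ("on", "1", "yes")  # assumed set of values treated as "TLS in use"


def base_url(env):
    """Derive scheme://host[:port] from CGI-style parameters."""
    https = env.get("HTTPS", "").lower() in TRUTHY
    scheme = "https" if https else "http"
    port = int(env["SERVER_PORT"])
    default_port = 443 if https else 80
    suffix = "" if port == default_port else ":%d" % port
    return "%s://%s%s" % (scheme, env["SERVER_NAME"], suffix)


def redirect_target(env, path):
    """URL the application would send in a Location header after a POST."""
    return base_url(env) + path


def emits_plain_http_on_tls_listener(env, listener_is_tls):
    """Check: a TLS listener whose backend would still generate http:// URLs."""
    return listener_is_tls and not base_url(env).startswith("https://")


# Constructed parameters mirroring fastcgi.include.conf as first posted
# (no HTTPS parameter), and the same set after the one-line fix.
BEFORE_FIX = {
    "SERVER_NAME": "rt2.rice.edu",
    "SERVER_PORT": "8443",
    "REQUEST_METHOD": "POST",
}
AFTER_FIX = dict(BEFORE_FIX, HTTPS="on")

if __name__ == "__main__":
    for label, env in (("without HTTPS param", BEFORE_FIX),
                       ("with HTTPS on", AFTER_FIX)):
        print("%-20s redirect=%s  plain-http-on-tls=%s" % (
            label,
            redirect_target(env, "/index.html"),  # sample path, constructed
            emits_plain_http_on_tls_listener(env, listener_is_tls=True),
        ))
```

Without the HTTPS parameter the model yields http://rt2.rice.edu:8443, the URL that produced the 400 error on the TLS port; with it the redirect stays on https.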