How To Configure Zenoss 4.1.1 for HTTPS / SSL

Pre-Requisites

  • Zenoss 4.1.1 (this document applies to no other version of Zenoss)
  • The WebScale zenpack (included with Resource Manager)
  • Optional: A signed SSL certificate from a trusted certificate authority (CA)

Applies To

  • Zenoss 4.1.1 ONLY

Summary

The Nginx load balancer installed with Zenoss can be configured to encrypt connections to and from user browser sessions using Hypertext Transfer Protocol Secure (HTTPS), which consists of the Hypertext Transfer Protocol (HTTP) running on top of the Secure Sockets Layer (SSL).

Follow these instructions to enable HTTPS connections to your Zenoss instance.

Note: These instructions result in a self-signed certificate; modify them as appropriate to use an SSL certificate signed by a certificate authority (CA).

Procedure

  1. Switch to the zenoss user (from root):
    su - zenoss

    Note: Run all of the following commands as the zenoss user.

  2. Begin by creating a directory in which to store certificate and key files:
    mkdir /opt/zenoss/etc/ssl
  3. Change into the new directory:
    cd /opt/zenoss/etc/ssl
  4. Create the server private key:
    openssl genrsa -des3 -out zenoss.key 1024
  5. Create the signing request:
    openssl req -new -key zenoss.key -out zenoss.csr
  6. Remove the pass phrase requirement:
     cp zenoss.key zenoss.key.orig
     openssl rsa -in zenoss.key.orig -out zenoss.key
  7. Sign the certificate:
     openssl x509 -req -days 365 -in zenoss.csr -signkey zenoss.key -out zenoss.crt
  8. Stop zenwebserver:
    zenwebserver stop
  9. Change directory:
    cd $ZENHOME/etc
  10. Copy nginx.conf to a backup:
    cp nginx.conf nginx.conf.non-ssl
  11. Edit $ZENHOME/etc/nginx.conf
    Add the following lines to the top of the file:
     # effective user when nginx is run as root
     user zenoss zenoss;
  12. Within the http{ } section, add the following, which will redirect requests to ports 8080 and 80 to port 443, so existing bookmarks will work:
     server {
         listen 8080;
         rewrite ^(.*) https://$host:443$1 permanent;
         access_log /opt/zenoss/log/nginx/access.log;
     }

     server {
         listen 80;
         rewrite ^(.*) https://$host:443$1 permanent;
         access_log /opt/zenoss/log/nginx/access.log;
     }
  13. Within the existing server{ } section, make the following changes:
    • Change listen 8080 to listen 443
    • Add the following lines:
      ssl on;
      ssl_certificate /opt/zenoss/etc/ssl/zenoss.crt;
      ssl_certificate_key /opt/zenoss/etc/ssl/zenoss.key;
    • At the top of the location / { } section, add:
      rewrite ^(.*)$ /VirtualHostBase/https/$host:443$1 break;
    • Save and close nginx.conf

  14. Copy the edited file:
    cp nginx.conf nginx.conf.ssl
  15. If your Zenoss user is in the sudoers file and you have set a password for the Zenoss user, run the following:
     $ sudo chown root:zenoss $(readlink $ZENHOME/bin/nginx)
     $ sudo chmod 04750 $(readlink $ZENHOME/bin/nginx)

    If not, run the following as root, editing as appropriate if your server has a different path to the Zenoss binaries:

     chown root:zenoss $(readlink /opt/zenoss/bin/nginx)
     chmod 04750 $(readlink /opt/zenoss/bin/nginx)
  16. As the zenoss user, start zenwebserver:
    zenwebserver start
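Before starting zenwebserver again it is worth confirming that every edit from steps 11 through 13 actually landed in nginx.conf. The shell check below is an added example and not part of the Zenoss article: it greps a config file for the directives the procedure adds (comments stripped first), assumes the /opt/zenoss/etc/ssl paths used above, and runs here against a constructed sample fragment rather than a real host.

```shell
# Added example, not from the Zenoss article: confirm that nginx.conf carries
# the HTTPS edits of steps 11-13 before zenwebserver is started again.
check_zenoss_ssl_conf() {
    conf="$1"; missing=0
    # Required directives, one per line: description|extended regex.
    # Comments are stripped first so a commented-out "ssl on;" does not count.
    while IFS='|' read -r desc pattern; do
        if ! sed 's/#.*//' "$conf" | grep -Ewq "$pattern"; then
            echo "MISSING: $desc" >&2
            missing=$((missing + 1))
        fi
    done <<'EOF'
nginx runs as the zenoss user|user[[:space:]]+zenoss[[:space:]]+zenoss;
main server listens on 443|listen[[:space:]]+443;
ssl enabled|ssl[[:space:]]+on;
certificate under /opt/zenoss/etc/ssl|ssl_certificate[[:space:]]+/opt/zenoss/etc/ssl/[^;]+;
key under /opt/zenoss/etc/ssl|ssl_certificate_key[[:space:]]+/opt/zenoss/etc/ssl/[^;]+;
Zope virtual host rewrite uses https/443|/VirtualHostBase/https/\$host:443
port 80 redirect listener|listen[[:space:]]+80;
port 8080 redirect listener|listen[[:space:]]+8080;
permanent redirect to https|rewrite[[:space:]].*https://\$host:443.*permanent;
EOF
    [ "$missing" -eq 0 ]   # exit status 0 only when every directive was found
}

# Constructed nginx.conf fragment with the edits applied (sample input only).
write_sample_ssl_conf() {
    cat > "$1" <<'EOF'
user zenoss zenoss;
http {
    server { listen 8080; rewrite ^(.*) https://$host:443$1 permanent; }
    server { listen 80; rewrite ^(.*) https://$host:443$1 permanent; }
    server {
        listen 443;
        ssl on;
        ssl_certificate /opt/zenoss/etc/ssl/zenoss.crt;
        ssl_certificate_key /opt/zenoss/etc/ssl/zenoss.key;
        location / {
            rewrite ^(.*)$ /VirtualHostBase/https/$host:443$1 break;
        }
    }
}
EOF
}

# Demo against the constructed file; on a real host pass $ZENHOME/etc/nginx.conf.
demo_conf=$(mktemp)
write_sample_ssl_conf "$demo_conf"
check_zenoss_ssl_conf "$demo_conf" && echo "all HTTPS edits present"
rm -f "$demo_conf"
```

This only confirms the directives are present; nginx's own syntax check (nginx -t) still has to be run separately before the restart.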

Note: Depending on browser security settings, users connecting to your Zenoss instance may see warnings stating that the site's identity cannot be verified. Browsers show these warnings when a web server presents a self-signed certificate. They can be eliminated by obtaining a certificate signed by a trusted certificate authority.

Appendix: zenwebserver.conf example

    # effective user when nginx is run as root
    user zenoss zenoss;
    worker_processes 4;
    pid /opt/zenoss/var/nginx.pid;
    # error_log /opt/zenoss/log/nginx/error.log debug;
    error_log /opt/zenoss/log/nginx/error.log notice;
    # error_log /opt/zenoss/log/nginx/error.log info;

    events {
        worker_connections 1024;
    }

    http {
        include /opt/zenoss/etc/mime.types;
        default_type application/octet-stream;
        proxy_cache_path /opt/zenoss/var/nginx-cache levels=1:2 keys_zone=zenoss-cache:8m max_size=1000m inactive=600m;
        proxy_temp_path /opt/zenoss/var/nginx-cache/tmp;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 5;
        tcp_nodelay on;
        gzip on;
        gzip_min_length 1000;
        gzip_proxied any;
        gzip_types text/css text/plain application/atom+xml application/x-javascript;
        gzip_disable "MSIE [1-6]\.(?!.*SV1)";
        include /opt/zenoss/etc/nginx-zope.conf;
        rewrite_log on;

        server {
            listen 443;
            access_log /opt/zenoss/log/nginx/access.log;
            client_body_temp_path /opt/zenoss/var/nginx_temp;
            ssl on;
            ssl_certificate /opt/zenoss/etc/ssl/fielding.cert;
            ssl_certificate_key /opt/zenoss/etc/ssl/fielding.key;

            location / {
                rewrite ^(.*)$ /VirtualHostBase/https/$host:443$1 break;
                proxy_pass http://zopectls;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Url-Scheme $scheme;
            }

            location /nginx_status {
                stub_status on;
                access_log off;
            }

            location ~* \.(jpg|png|gif|jpeg|css|js|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
                proxy_pass http://zopectls;
                expires max;
                proxy_cache zenoss-cache;
                proxy_cache_valid 200 302 60m;
                proxy_cache_valid 404 1m;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Url-Scheme $scheme;
            }
        }

        server {
            listen 8080;
            rewrite ^(.*) https://$host:443$1 permanent;
            access_log /opt/zenoss/log/nginx/access.log;
        }

        server {
            listen 80;
            rewrite ^(.*) https://$host:443$1 permanent;
            access_log /opt/zenoss/log/nginx/access.log;
        }
    }
