Best setup for redmine using ssl

Added by Stephen Womack over 10 years ago

My company will be setting up redmine so external contractors can access the site through the internet. Because of this, I would like to set up redmine using SSL.

After doing some research I found that there are some issues with SSL, FastCGI, and Apache. I have also read that FastCGI is not very secure. I keep reading about mongrel in the forums, and I wonder if this would be a better solution for using SSL with redmine.

Does anyone have any suggestions on what setup I should have when using SSL with redmine?

Also, does anyone know any good how-to guides that would help me? I have googled it, but I have not found very many that help me set up redmine with SSL.

My current setup is:

CentOS 5.4
MySQL 5.1.44
FastCGI
Ruby 1.8.6
Rails 2.3.5
Apache 2.2.3

Replies (7)

RE: Best setup for redmine using ssl - Added by Felix Schäfer over 10 years ago

I'd strongly recommend using passenger if you are using apache. Passenger is a mod_rails of sorts, with good performance, quite easy to configure, and you can do whatever SSL configuration you'd like in Apache, the passenger-served redmine behind it won't care.

RE: Best setup for redmine using ssl - Added by Stephen Womack over 10 years ago

I am trying out passenger right now and really like it.

There seems to be one issue though. When I go to upload a file in redmine I receive an error page. Upon checking my error log I find this bit of code:

Errno::EACCES (Permission denied - /opt/app/redmine-0.9.3/files/100329145028_putty.log):
app/models/attachment.rb:79:in `initialize'
app/models/attachment.rb:79:in `open'
app/models/attachment.rb:79:in `before_save'
app/controllers/application_controller.rb:240:in `attach_files'
app/controllers/application_controller.rb:237:in `each_value'
app/controllers/application_controller.rb:237:in `attach_files'
app/controllers/projects_controller.rb:270:in `add_file'
passenger (2.2.11) lib/phusion_passenger/rack/request_handler.rb:92:in `process_request'
passenger (2.2.11) lib/phusion_passenger/abstract_request_handler.rb:207:in `main_loop'
passenger (2.2.11) lib/phusion_passenger/railz/application_spawner.rb:418:in `start_request_handler'
passenger (2.2.11) lib/phusion_passenger/railz/application_spawner.rb:358:in `handle_spawn_application'
passenger (2.2.11) lib/phusion_passenger/utils.rb:184:in `safe_fork'
passenger (2.2.11) lib/phusion_passenger/railz/application_spawner.rb:354:in `handle_spawn_application'
passenger (2.2.11) lib/phusion_passenger/abstract_server.rb:352:in `__send__'
passenger (2.2.11) lib/phusion_passenger/abstract_server.rb:352:in `main_loop'
passenger (2.2.11) lib/phusion_passenger/abstract_server.rb:196:in `start_synchronously'
passenger (2.2.11) lib/phusion_passenger/abstract_server.rb:163:in `start'
passenger (2.2.11) lib/phusion_passenger/railz/application_spawner.rb:213:in `start'
passenger (2.2.11) lib/phusion_passenger/spawn_manager.rb:262:in `spawn_rails_application'
passenger (2.2.11) lib/phusion_passenger/abstract_server_collection.rb:126:in `lookup_or_add'
passenger (2.2.11) lib/phusion_passenger/spawn_manager.rb:256:in `spawn_rails_application'
passenger (2.2.11) lib/phusion_passenger/abstract_server_collection.rb:80:in `synchronize'
passenger (2.2.11) lib/phusion_passenger/abstract_server_collection.rb:79:in `synchronize'
passenger (2.2.11) lib/phusion_passenger/spawn_manager.rb:255:in `spawn_rails_application'
passenger (2.2.11) lib/phusion_passenger/spawn_manager.rb:154:in `spawn_application'
passenger (2.2.11) lib/phusion_passenger/spawn_manager.rb:287:in `handle_spawn_application'
passenger (2.2.11) lib/phusion_passenger/abstract_server.rb:352:in `__send__'
passenger (2.2.11) lib/phusion_passenger/abstract_server.rb:352:in `main_loop'
passenger (2.2.11) lib/phusion_passenger/abstract_server.rb:196:in `start_synchronously'

When I google the error message I find that it is a permissions issue, but I have not been able to locate the folder that has the permission issue. Can anyone point me in the right direction?

RE: Best setup for redmine using ssl - Added by Felix Schäfer over 10 years ago

The user redmine runs as needs write access to several directories and everything under them: PASSENGER_DIR/files, PASSENGER_DIR/tmp, PASSENGER_DIR/log and PASSENGER_DIR/public/plugin_assets. In your case, the PASSENGER_DIR seems to be /opt/app/redmine-0.9.3. Please be aware that passenger might run redmine as the same user as apache is run under, or some other user depending on configuration (see http://modrails.com/documentation/Users%20guide%20Apache.html#user_switching for more info). Opening a random redmine page and running ps aux | grep -i passenger on the server might give you some more clues.

RE: Best setup for redmine using ssl - Added by Stephen Womack over 10 years ago

Thanks for the help.

I did not realize that passenger runs as nobody by default. After changing the file permissions in my redmine directory using the command:

chown -R nobody:nobody files log tmp public/plugin_assets vendor

I was able to upload word, pdf, and jpg images. I did find that text files and bmp files are no longer able to load. Under fastcgi I was able to upload these files. It gives me the following error in redmine:

1 file(s) could not be saved.

I have looked in the production log and find that the process was completed without any errors in the log. I tried to google this error and only found an article about a person trying to modify their redmine code to save it to a database instead of the file folder.

2 more questions now come up.

1. Is it okay for passenger to run as nobody or is this a big security hole?
2. Does redmine/passenger only allow certain file types and it is not just stating this in the error message?

Thanks again for all the help. I am always nervous about posting on forums; it seems many times it turns into a bash session. I find the redmine help forum always very helpful and knowledgeable.

RE: Best setup for redmine using ssl - Added by Felix Schäfer over 10 years ago

There is no inherent risk in running passenger as nobody and giving access to the folders as you did, but there might be a risk because nobody might be the user other programs default to. I'd suggest either making a new user for redmine and passenger, or making it run as the same user as apache is (mitigated security there too, but it affects "only" the webserver stack).

Regarding the filetypes you can upload: no filtering, so the problem is somewhere else, but I can't tell you where without any better error message than what you have, sorry.
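
Added example, not part of the original thread or of Redmine's own tooling: a shell function that audits the four writable directories listed earlier in the thread, checking that everything under them is owned by the account chosen for Redmine and that nothing is world-writable. The function name, output labels and the `redmine` account in the usage comment are hypothetical; pass the account Passenger actually runs as.

```shell
#!/bin/sh
# Added example: audit the directories Redmine must be able to write to.
# The directory list comes from the thread; the function name is hypothetical.
REDMINE_DIRS="files tmp log public/plugin_assets"

# audit_redmine_dirs ROOT USER
# Prints one finding per line; the exit status is the number of findings.
audit_redmine_dirs() {
    root=$1 user=$2 findings=0
    for rel in $REDMINE_DIRS; do
        dir="$root/$rel"
        if [ ! -d "$dir" ]; then
            echo "MISSING   $dir"
            findings=$((findings + 1))
            continue
        fi
        # Entries (the directory itself included) not owned by the application user.
        n=$(find "$dir" ! -user "$user" -print | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "NOT-OWNED $dir ($n entries not owned by $user)"
            findings=$((findings + 1))
        fi
        # World-writable entries: any local account could alter or replace them.
        n=$(find "$dir" ! -type l -perm -0002 -print | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "WORLD-RW  $dir ($n world-writable entries)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage (hypothetical account name): sh audit.sh /opt/app/redmine-0.9.3 redmine
if [ "$#" -eq 2 ]; then
    audit_redmine_dirs "$1" "$2"
fi
```
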

RE: Best setup for redmine using ssl - Added by Stephen Womack over 10 years ago

After I got SSL set up everything started working properly.

Thank you Felix!

As usual your advice worked :)

RE: Best setup for redmine using ssl - Added by Felix Schäfer over 10 years ago

And as always, I'm glad it works :-) Have fun with redmine.
