Changes between Version 7 and Version 8 of ipmi


Timestamp:
Jun 28, 2019, 11:26:11 AM (3 months ago)
Author:
Jamie McClelland
Comment:

--

  • ipmi

    v7 v8  
    5252== Enable http redirections ==
    5353
    54 On robideau, we have the following nginx configuration to allow web-based proxying:
     54On robideau, we have the following nginx configuration name <server>.conf to allow lets encrypt to find and validate https certificates:
    5555
    5656{{{
    57 #server {
    58 #  listen 80;
    59 #  server_name ipmi.john.mayfirst.org;
    60 #  root /var/www/html;
    61 #  location /.well-known/acme-challenge {
    62 #    try_files $uri $uri/ =404;
    63 #  }
    64 #  location / {
    65 #    return 301 https://$host$request_uri;
    66 #  }
    67 #}
     57server {
     58  listen 80;
     59  server_name ipmi.john.mayfirst.org;
     60  root /var/www/html;
     61  location /.well-known/acme-challenge {
     62    try_files $uri $uri/ =404;
     63  }
     64  location / {
     65    return 301 https://$host$request_uri;
     66  }
     67}
     68}}}
    6869
     70In addition, we have this <server.ssl.conf version to actually proxy to the IPMI server:
     71
     72{{{
    6973server {
    7074  listen 443;
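Review bot: The two new intro sentences (new lines 54 and 70) carry the file names that the later instructions depend on, and both are garbled. "configuration name <server>.conf" should read "named <server>.conf", and "<server.ssl.conf version" is missing its closing ">". Since the port-80 block is now described as serving the Let's Encrypt challenge rather than "web-based proxying", also say in which nginx directory the two files live, so the later instruction to delete a link to the ssl file is unambiguous.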
     
    9599  ssl_dhparam /etc/ssl/dhparam.pem;
    96100
    97   add_header Strict-Transport-Security max-age=63072000;
     101  # Don't use strict transport or it may mess up lets encrypt.
     102  #add_header Strict-Transport-Security max-age=63072000;
    98103  add_header X-Content-Type-Options nosniff;
    99104}
    100105}}}
    101106
    102 The commented out section must be un-commented initially to allow lets encrypt to create a proper initial certificate.
     107The ssl section must be disable initially until lets encrypt can be run to generate the cert.
    103108
    104109Also, you need to create dlparams with:
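Review bot: Commenting out Strict-Transport-Security at new lines 101-102 removes a browser protection from the IPMI proxy on the strength of "it may mess up lets encrypt", with no failure described. HSTS is a response header that browsers act on. The certificate challenge is answered by the port-80 block under /.well-known/acme-challenge, which is served directly and not redirected. Either keep the header enabled or record the concrete problem that was seen, so the next admin knows when it is safe to turn it back on. Minor wording on new line 107: "must be disable" should be "must be disabled", and the unchanged line 109 says "dlparams" where the config uses dhparam.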
     
    109114
    110115And, of course, you need to create a DNS record so that a domain (e.g. `ipmi.john.mayfirst.org`) points to robideau's IP address.
    111 
    112 
    113116
    114117== So-called Serial access ==
     
    144147== Disable web config ==
    145148
    146 Once you have working serial access, be sure to turn off nginx on robideau. We don't need to leave that open to the world. But it's handy to have in case you want to restart the physical server or something goes wrong with console access.
     149Once you have working serial access, be sure to delete the link to the <server>.ssl.conf file in site-enabled so it is no accessible (but keep the <server>.conf file so letsencrypt can do it's job.
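Review bot: New line 149 tells the reader to delete the link to <server>.ssl.conf but not to reload nginx afterwards, and nginx keeps serving the already-loaded 443 proxy until it is reloaded, so the IPMI web interface stays reachable. Add the reload step and a quick check that port 443 no longer answers. The sentence also needs cleanup: "site-enabled" should be "sites-enabled", "so it is no accessible" should be "no longer accessible", "it's job" should be "its job", and the parenthesis is never closed. The old text noted that the web interface is handy for restarting the physical server or when console access fails; it is worth keeping a line on how to re-enable the link for that case.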