[Openstack-security] Enabling SSL/HTTPS for REST API

Bryan D. Payne bdpayne at acm.org
Fri Nov 15 04:51:39 UTC 2013


With the terminator, you would have apache (or whatever terminator you
choose) listen on the user facing interface / port.  And then it can pass
off the connection to the service over localhost or a unix socket or wsgi.

-bryan


On Thu, Nov 14, 2013 at 5:15 PM, Hassan Shaik <hshaik at gmail.com> wrote:

> Also, can the SSL proxy terminator (based on Apache httpd) reside on the
> same controller box? I think httpd won't be able to listen on the same virtual
> host ports. In that case, it should be on a different server. If anyone has
> tried this in their setups, please share the details on how you set this up.
>
> Appreciate your help.
>
> Regards,
> Hassan
>
>
> On Thu, Nov 14, 2013 at 12:35 AM, Hassan Shaik <hshaik at gmail.com> wrote:
>
>> Thanks Bryan & Nathan for your replies.
>>
>> Bryan,
>> 1. Does this mean SSL support is not present for the nova/glance API
>> directly?
>> 2. Also, do we need to make use of an SSL proxy terminator along with
>> enabling SSL in the keystone service (which seems to have SSL functionality
>> implemented for this service)?
>> 3. From the given link, I see the virtual host entries for the 80 (Dashboard)
>> and 8447 (nova compute) ports. We need to add entries for the other endpoint
>> URLs (excluding the keystone service) as well, right?
>>
>>
>>
>> Regards,
>> Hassan
>>
>>
>> On Wed, Nov 13, 2013 at 10:00 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>>
>>> Hassan,
>>>
>>> In a production setting, the preferred way to do this is with an SSL
>>> terminator.  There are some details in the OpenStack Security Guide:
>>>
>>>
>>> http://docs.openstack.org/security-guide/content/ch020_ssl-everywhere.html
>>>
>>> Cheers,
>>> -bryan
>>>
>>>
>>>
>>>
>>> On Wed, Nov 13, 2013 at 5:59 PM, Hassan Shaik <hshaik at gmail.com> wrote:
>>>
>>>> Hello Openstack security experts,
>>>>
>>>> I am trying to enable SSL/HTTPS in the OpenStack REST API for all services
>>>> (nova/glance endpoint URLs). However, I see documentation for enabling SSL
>>>> on the keystone service alone.
>>>>
>>>>
>>>> http://docs.openstack.org/grizzly/openstack-compute/admin/content//keystone-ssl.html
>>>> http://docs.openstack.org/developer/keystone/configuration.html
>>>>
>>>> 1. Am I missing something? Is SSL/HTTPS supported for nova/glance API
>>>> too?
>>>> 2. Also, when I try to enable SSL in the keystone service, all nova/glance
>>>> CLI commands fail to work after the change. And the debug output shows it is
>>>> trying to make use of http even after enabling SSL.
>>>>
>>>> # nova --debug list
>>>>
>>>> REQ: curl -i *http*://openstack-ip:5000/v2.0/tokens -X POST -H
>>>> "Content-Type: application/json" -H "Accept: application/json" -H
>>>> "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin",
>>>> "passwordCredentials": {"username": "admin", "password": "admin_pass"}}}'
>>>>
>>>> Appreciate your help.
>>>>
>>>> Thanks,
>>>> Hassan
>>>>
>
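
Added example, not part of the original thread or of the Security Guide: an Apache httpd terminator on the same controller as the API service, as described in the reply at the top. The address 203.0.113.10, port 8774, the host name and the certificate paths are assumptions; it is shown for the nova API only.

```apache
# Added example. Assumed values: 203.0.113.10 is the controller's
# user-facing address, 8774 is the nova API port, api.example.test is a
# made-up host name and the certificate paths are placeholders.
#
# httpd and the service cannot both bind the same address:port, so the
# service is moved to loopback first. In nova.conf (assumed setting):
#   osapi_compute_listen = 127.0.0.1
# After that, only httpd listens on the user-facing interface.
# Requires mod_ssl, mod_proxy and mod_proxy_http.

Listen 203.0.113.10:8774

<VirtualHost 203.0.113.10:8774>
    ServerName api.example.test

    # TLS ends here; clients never reach the service in clear text.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/PLACEHOLDER-api.crt
    SSLCertificateKeyFile /etc/ssl/private/PLACEHOLDER-api.key

    # Hand the decrypted request to the service over localhost only.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8774/
    ProxyPassReverse / http://127.0.0.1:8774/
</VirtualHost>
```

Each further endpoint gets its own Listen line and VirtualHost in the same way, with its service bound to 127.0.0.1.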