<div dir="ltr">Also, Can the SSL proxy terminator (based on Apache httpd) reside on the same controller box? I think, httpd wont be able to listen on same virtual host ports. In that case, it should be on different server. If someone have tried this in their setups, please share the details on how you set this up.<div>
<br></div><div>Appreciate your help.</div></div><div class="gmail_extra"><br clear="all"><div>Regards,<br>Hassan</div>
<br><br><div class="gmail_quote">On Thu, Nov 14, 2013 at 12:35 AM, Hassan Shaik <span dir="ltr"><<a href="mailto:hshaik@gmail.com" target="_blank">hshaik@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks Bryan & Nathan for your replies.<div><br></div><div>Bryan, </div><div>1. does this mean SSL support is not present for nova/glance API directly? </div><div>2. Also, do we need to make use of SSL proxy terminator along with enabling SSL in keystone service (which seems to have SSL functionality implemented for this service)?</div>
<div>3. From the given link, I see the virtual host entries for 80 (Dashboard) and for 8447 (nova compute) ports. Do we need to add for other end point URL (excluding keystone service) as well, right?</div><div><br></div>
<div><br></div></div><div class="gmail_extra"><br clear="all"><div>Regards,<br>Hassan</div><div><div class="h5">
<br><br><div class="gmail_quote">On Wed, Nov 13, 2013 at 10:00 PM, Bryan D. Payne <span dir="ltr"><<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hassan,<div><br></div><div>In a production setting, the preferred way to do this is with an SSL terminator. There are some details in the OpenStack Security Guide:</div><div><br></div><div><a href="http://docs.openstack.org/security-guide/content/ch020_ssl-everywhere.html" target="_blank">http://docs.openstack.org/security-guide/content/ch020_ssl-everywhere.html</a><br>
</div><div><br></div><div>Cheers,</div><div>-bryan</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>On Wed, Nov 13, 2013 at 5:59 PM, Hassan Shaik <span dir="ltr"><<a href="mailto:hshaik@gmail.com" target="_blank">hshaik@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hello Openstack security experts,<div><br></div><div>I am trying to enable SSL/HTTPS in openstack REST API for all services (nova/glance endpoint URL). However, I see the documentation to enable SSL on keystone service alone.</div>
<div><br></div><div><a href="http://docs.openstack.org/grizzly/openstack-compute/admin/content//keystone-ssl.html" target="_blank">http://docs.openstack.org/grizzly/openstack-compute/admin/content//keystone-ssl.html</a><br>
</div><div><a href="http://docs.openstack.org/developer/keystone/configuration.html" target="_blank">http://docs.openstack.org/developer/keystone/configuration.html</a><br>
</div><div><br></div><div>1. Am I missing something? Is SSL/HTTPS supported for nova/glance API too?</div><div>2. Also, when I try to enable SSL in keystone service, all nova/glance CLI fail to work after the change. And, the debug shows it is trying to make use of http even after enabling SSL.</div>
<div><br></div><div><div># nova --debug list</div><div><br></div><div>REQ: curl -i <b>http</b>://openstack-ip:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin_pass"}}}'</div>
<div><br></div><div>Appreciate your help.</div><div><br></div><div>Thanks,<br>Hassan</div>
</div></div>
<br></div></div><div>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></div></blockquote></div><br></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>