[Openstack] configure SSL on glance, nova and neutron API

Antonio Messina antonio.s.messina at gmail.com
Thu Aug 6 11:38:35 UTC 2015


Hi Yang,

There are different ways of doing this:

1) configure nova/glance/neutron/cinder to "speak" SSL, this should be
covered by the official documentation
2) run nova/glance/neutron/cinder as wsgi application behind apache,
and let apache "speak" SSL
3) run nova/glance/neutron/cinder behind a load-balancer which is also
doing SSL termination.

We chose option 3), but there are a few issues. Specifically, nova,
glance and cinder will always reply with the wrong url schema (http
instead of https), regardless of what you put on the endpoint.

For nova, there is a patch not yet merged in kilo:
https://bugs.launchpad.net/glance/+bug/1384379

For glance and cinder, we solved this by adding a "middleware" in the
wsgi pipeline, responsible for converting "http" to "https" whenever
it's needed.

Some useful links:
https://bugs.launchpad.net/glance/+bug/1384379
https://gist.github.com/invsblduck/55923d81b175ba4168c1
https://github.com/rcbops-cookbooks/openstack-ssl/wiki/OpenStack-SSL-Reverse-Proxy-Findings

.a.


On Thu, Aug 6, 2015 at 12:17 AM, YANG LI <yangli at clemson.edu> wrote:
> Is there documentation on how to configure SSL on glance, nova and neutron API? We did get keystone done, but had a hard time finding documentation on how to do this on other services.
>
> Thanks,
> Yang



-- 
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
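
Added example, not part of the original message and not the middleware the poster deployed: a minimal WSGI middleware of the kind described for option 3, which restores the "https" scheme behind an SSL-terminating load balancer. It assumes the balancer sets `X-Forwarded-Proto` and connects from the constructed address 192.0.2.10; all class and function names are hypothetical.

```python
# Added example: WSGI middleware for a service behind an SSL-terminating proxy.
from wsgiref.util import application_uri, setup_testing_defaults

TRUSTED_PROXIES = {"192.0.2.10"}  # constructed address of the load balancer


class ForwardedSchemeMiddleware:
    """Set wsgi.url_scheme from X-Forwarded-Proto, but only for trusted peers."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
        proto = raw.split(",")[0].strip().lower()
        if environ.get("REMOTE_ADDR") in self.trusted and proto in ("http", "https"):
            # URLs the service builds for its replies now use the outer scheme.
            environ["wsgi.url_scheme"] = proto
        else:
            # Untrusted peer or junk value: drop the header so the
            # application behind us cannot act on a spoofed scheme.
            environ.pop("HTTP_X_FORWARDED_PROTO", None)
        return self.app(environ, start_response)


def version_app(environ, start_response):
    """Stand-in for an API that returns its own URL, as version listings do."""
    body = application_uri(environ).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, remote_addr, forwarded_proto=None):
    """Drive the app with a constructed request and return the body text."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "api.example.org"}
    setup_testing_defaults(environ)  # fills the rest; scheme defaults to http
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    app = ForwardedSchemeMiddleware(version_app)
    print(call(app, "192.0.2.10", "https"))   # request via the load balancer
    print(call(app, "203.0.113.5", "https"))  # direct client spoofing the header
```

The trusted-peer check matters because any client that can reach the service directly could otherwise set the header itself and influence the URLs the service generates.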



