[Openstack] Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
Devendra Gupta
dev29aug at gmail.com
Mon Apr 14 22:30:39 UTC 2014
OK, So If I want something on stable on Havana then I need to go
through the HTTPD/mod_wsgi ? Isn't it.
I also see lots of things around TripleO but don't have much idea.
Things like TripleO, Tuskar
.http://openstack.redhat.com/Deploying_RDO_using_Tuskar_and_TripleO
Though not sure, what all this is doing.
Devendra
On Tue, Apr 15, 2014 at 3:48 AM, Miller, Mark M (EB SW Cloud - R&D -
Corvallis) <mark.m.miller at hp.com> wrote:
> I am just learning myself and it is aimed at Icehouse, not Havana.
>
> http://docs.openstack.org/developer/tripleo-incubator/devtest.html
>
> Mark
>
>
> -----Original Message-----
> From: Devendra Gupta [mailto:dev29aug at gmail.com]
> Sent: Monday, April 14, 2014 3:14 PM
> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Cc: ayoung at redhat.com; openstack at lists.openstack.org
> Subject: Re: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>
> Thanks Mark, TripleO seems good. I just came to know about it from you so doing google around it. Do you see some known/trusted doc to configure it with OpenStack. I am willing to proceed with it on Havana.
>
> - Devendra
>
> On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - R&D -
> Corvallis) <mark.m.miller at hp.com> wrote:
>> Devendra,
>>
>> We are now using an SSL terminator solution instead of attempting to turn SSL on all of the OpenStack services. I have not attempted to turn SSL on Havana nor Icehouse builds, but the Grizzly base was pretty flakey . Right now the TripleO work is using the "stunnel" proxy server in front of all OpenStack services to terminate SSL. You can then proxy the incoming HTTPS request onto the local 127.0.0.1/8 bus which is inaccessible from outside your server. It also isolates the SSL terminator from the OpenStack service processes.
>>
>> Mark
>>
>> -----Original Message-----
>> From: Devendra Gupta [mailto:dev29aug at gmail.com]
>> Sent: Monday, April 14, 2014 2:30 PM
>> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); ayoung at redhat.com
>> Cc: openstack at lists.openstack.org
>> Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>>
>> Hi,
>>
>> I want to enable SSL for all the OpenStack APIs and test it but I couldn't find detailed doc on docs.openstack.org. Does anyone have some notes on how to set this up ?
>>
>> I did good search around it on Google and OpenStack/RDO mailing list, I found lots of different paths but most of them were limited to Keystone only using 'keystone-manage ssl_setup'. I also found following nice blog which have 6 posts for setting up the SSL for all the components using Apache2 and mod_wsgi.
>>
>> http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keyst
>> one/
>>
>> I want to go through this doc to do a complete setup but before that I wanted to take few inputs about my environment:
>>
>> 1. I have OpenStack RDO Havana running on Single CentOS 6 VM. Is it fine to try the steps on OpenStack RDO/Havana setup ? Or I need to have OpenStack setup on Ubuntu/Grizzly ?
>>
>> 2. Since all the OpenStack components are running on the same host, I
>> guess I need to add VHost entries for all the APIs (mentioned in all 6
>> docs) in the /etc/httpd/conf/http.conf. Please help me if someone have a sample file VHost file with sites created for some/all components.
>>
>> 3. Can I have single set of self signed certificate path for all the Virtual Host entries as all APIs are running on the single VM.
>> SSLCertificateFile /location/of/server.pem
>> SSLCertificateKeyFile /location/of/server.key
>>
>> Another thing, the ketstone configuration part in this blog is having reference to the github page (http://goo.gl/ZIhcn2) for configuring Keystone with SSL but I find that doc little difficult to understand as there is no details of configuring virtual hosts so can I skip the github doc and proceed with the same blog.
>>
>> Regards,
>> Devendra Gupta
More information about the Openstack
mailing list