[Openstack] Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
Devendra Gupta
dev29aug at gmail.com
Tue Apr 15 15:47:09 UTC 2014
Missed include list so adding.
On Apr 15, 2014 9:41 AM, "Devendra Gupta" <dev29aug at gmail.com> wrote:
> Hi Mark,
>
> Thanks for your inputs around "Stunnel", I'll try it later as it looks
> very new to me and little unknown/complex. But first I wanted to try HTTPD
> with mod_wsgi as I don't have much security concern in my test environment
> so could you please guide me around those three points which I mentioned in
> the first mail. I could see in mailing list archive that you tried that
> approach so I think your guidance would be helpful.
>
> Regards,
> Devendra
> On Apr 15, 2014 4:18 AM, "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <
> mark.m.miller at hp.com> wrote:
>
>> Look up "stunnel". The HTTPD and mod_wsgi wasn't really stable and
>> provided a security risk in that breaking into Apache granted you access to
>> every OpenStack service started by Apache.
>>
>> -----Original Message-----
>> From: Devendra Gupta [mailto:dev29aug at gmail.com]
>> Sent: Monday, April 14, 2014 3:31 PM
>> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Cc: ayoung at redhat.com; openstack at lists.openstack.org
>> Subject: Re: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>>
>> OK, So If I want something on stable on Havana then I need to go through
>> the HTTPD/mod_wsgi ? Isn't it.
>>
>> I also see lots of things around TripleO but don't have much idea.
>> Things like TripleO, Tuskar
>> .http://openstack.redhat.com/Deploying_RDO_using_Tuskar_and_TripleO
>>
>> Though not sure, what all this is doing.
>>
>> Devendra
>>
>> On Tue, Apr 15, 2014 at 3:48 AM, Miller, Mark M (EB SW Cloud - R&D -
>> Corvallis) <mark.m.miller at hp.com> wrote:
>> > I am just learning myself and it is aimed at Icehouse, not Havana.
>> >
>> > http://docs.openstack.org/developer/tripleo-incubator/devtest.html
>> >
>> > Mark
>> >
>> >
>> > -----Original Message-----
>> > From: Devendra Gupta [mailto:dev29aug at gmail.com]
>> > Sent: Monday, April 14, 2014 3:14 PM
>> > To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> > Cc: ayoung at redhat.com; openstack at lists.openstack.org
>> > Subject: Re: Enabling SSL For The OpenStack API using HTTPD and
>> > mod_wsgi
>> >
>> > Thanks Mark, TripleO seems good. I just came to know about it from you
>> so doing google around it. Do you see some known/trusted doc to configure
>> it with OpenStack. I am willing to proceed with it on Havana.
>> >
>> > - Devendra
>> >
>> > On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - R&D -
>> > Corvallis) <mark.m.miller at hp.com> wrote:
>> >> Devendra,
>> >>
>> >> We are now using an SSL terminator solution instead of attempting to
>> turn SSL on all of the OpenStack services. I have not attempted to turn SSL
>> on Havana nor Icehouse builds, but the Grizzly base was pretty flakey .
>> Right now the TripleO work is using the "stunnel" proxy server in front of
>> all OpenStack services to terminate SSL. You can then proxy the incoming
>> HTTPS request onto the local 127.0.0.1/8 bus which is inaccessible from
>> outside your server. It also isolates the SSL terminator from the OpenStack
>> service processes.
>> >>
>> >> Mark
>> >>
>> >> -----Original Message-----
>> >> From: Devendra Gupta [mailto:dev29aug at gmail.com]
>> >> Sent: Monday, April 14, 2014 2:30 PM
>> >> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); ayoung at redhat.com
>> >> Cc: openstack at lists.openstack.org
>> >> Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>> >>
>> >> Hi,
>> >>
>> >> I want to enable SSL for all the OpenStack APIs and test it but I
>> couldn't find detailed doc on docs.openstack.org. Does anyone have some
>> notes on how to set this up ?
>> >>
>> >> I did good search around it on Google and OpenStack/RDO mailing list,
>> I found lots of different paths but most of them were limited to Keystone
>> only using 'keystone-manage ssl_setup'. I also found following nice blog
>> which have 6 posts for setting up the SSL for all the components using
>> Apache2 and mod_wsgi.
>> >>
>> >> http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keys
>> >> t
>> >> one/
>> >>
>> >> I want to go through this doc to do a complete setup but before that I
>> wanted to take few inputs about my environment:
>> >>
>> >> 1. I have OpenStack RDO Havana running on Single CentOS 6 VM. Is it
>> fine to try the steps on OpenStack RDO/Havana setup ? Or I need to have
>> OpenStack setup on Ubuntu/Grizzly ?
>> >>
>> >> 2. Since all the OpenStack components are running on the same host, I
>> >> guess I need to add VHost entries for all the APIs (mentioned in all
>> >> 6
>> >> docs) in the /etc/httpd/conf/http.conf. Please help me if someone have
>> a sample file VHost file with sites created for some/all components.
>> >>
>> >> 3. Can I have single set of self signed certificate path for all the
>> Virtual Host entries as all APIs are running on the single VM.
>> >> SSLCertificateFile /location/of/server.pem
>> >> SSLCertificateKeyFile /location/of/server.key
>> >>
>> >> Another thing, the ketstone configuration part in this blog is having
>> reference to the github page (http://goo.gl/ZIhcn2) for configuring
>> Keystone with SSL but I find that doc little difficult to understand as
>> there is no details of configuring virtual hosts so can I skip the github
>> doc and proceed with the same blog.
>> >>
>> >> Regards,
>> >> Devendra Gupta
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140415/58e63fac/attachment.html>
More information about the Openstack
mailing list