[Openstack] Enabling SSL For The OpenStack API using HTTPD and mod_wsgi

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Tue Apr 15 16:11:33 UTC 2014


Devendra,

Here is a set of instructions for the Icehouse Keystone HTTPD install using SSL. I did not get any further before giving up. What you are going to find is that some services that use HTTPD as a default have good support for it (i.e. Keystone and Horizon). For other services that don't use it as a default you have to try to figure out the WSGI connection code yourself and hope that the internal drivers work with that configuration. In addition, the WSGI interfaces appear to change with every new release of OpenStack. For example, the Keystone WSGI connection code that worked with Grizzly is different from the code that works with Icehouse.

Mark

Icehouse Notes:


NOTE: The Apache2 WSGI configuration scripts below replace the "/etc/init.d/keystone" startup script

Create/configure file "/etc/apache2/sites-available/keystone.conf" to match your keystone installation and server.

WSGIDaemonProcess keystone user=keystone group=nogroup processes=6

Listen 0.0.0.0:5000
<VirtualHost _default_:5000>
    LogLevel debug
    ErrorLog /var/log/keystone/keystone.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem

    SSLProtocol all -SSLv2
    SSLVerifyClient none

    WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main
    WSGIProcessGroup keystone
    SetEnv nokeepalive ssl-unclean-shutdown
</VirtualHost>

Listen 0.0.0.0:35357
<VirtualHost _default_:35357>
    LogLevel debug
    ErrorLog /var/log/keystone/keystone.log
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    SSLEngine on
    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem

    SSLProtocol all -SSLv2
    SSLVerifyClient none

    WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/admin
    WSGIProcessGroup keystone
    SetEnv nokeepalive ssl-unclean-shutdown
</VirtualHost>



Note: By changing the SSLEngine variable in this file you can turn on and off the Apache2-SSL frontend to Keystone.


Now link keystone sites-enabled to keystone sites-available

sudo ln -s /etc/apache2/sites-available/keystone.conf /etc/apache2/sites-enabled/keystone.conf

Create directory "/usr/lib/cgi-bin/keystone"

sudo mkdir /usr/lib/cgi-bin
sudo mkdir /usr/lib/cgi-bin/keystone



Create file "/usr/lib/cgi-bin/keystone/admin".

import logging
import os

from paste import deploy

from keystone.openstack.common import gettextutils

from keystone.common import dependency
from keystone.common import environment
from keystone.common import sql
from keystone import config
from keystone.openstack.common import log
from keystone import service

# NOTE(blk-u):
# gettextutils.install() must run to set _ before importing any modules that
# contain static translated strings.
gettextutils.install('keystone', lazy=True)

CONF = config.CONF

# Read keystone.conf, set up the SQL backend and logging defaults.
config.configure()
sql.initialize()
config.set_default_for_default_log_levels()

CONF(project='keystone')
config.setup_logging()

environment.use_stdlib()
#name = os.path.basename(__file__)
# Paste Deploy pipeline to load from keystone-paste.ini; 'admin' is the one
# served on port 35357 by the vhost above.
name = "admin"

if CONF.debug:
    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)

drivers = service.load_backends()

# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
# The following is a reference to Python Paste Deploy documentation
# http://pythonpaste.org/deploy/
application = deploy.loadapp('config:%s' % config.find_paste_config(),
                             name=name)

dependency.resolve_future_dependencies()



Also create file "/usr/lib/cgi-bin/keystone/main".

import logging
import os

from paste import deploy

from keystone.openstack.common import gettextutils

from keystone.common import dependency
from keystone.common import environment
from keystone.common import sql
from keystone import config
from keystone.openstack.common import log
from keystone import service

# NOTE(blk-u):
# gettextutils.install() must run to set _ before importing any modules that
# contain static translated strings.
gettextutils.install('keystone', lazy=True)

CONF = config.CONF

# Read keystone.conf, set up the SQL backend and logging defaults.
config.configure()
sql.initialize()
config.set_default_for_default_log_levels()

CONF(project='keystone')
config.setup_logging()

environment.use_stdlib()
#name = os.path.basename(__file__)
# Paste Deploy pipeline to load from keystone-paste.ini; 'main' is the public
# pipeline served on port 5000 by the vhost above.
name = "main"

if CONF.debug:
    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)

drivers = service.load_backends()

# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
# The following is a reference to Python Paste Deploy documentation
# http://pythonpaste.org/deploy/
application = deploy.loadapp('config:%s' % config.find_paste_config(),
                             name=name)

dependency.resolve_future_dependencies()



If the keystone service is running, shut it down because the Apache2 service will now start it up with as many instances of keystone as are specified on the first line of file "/etc/apache2/sites-available/keystone.conf".

sudo service keystone stop
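
An added check for a keystone.conf like the one above (example code, not from this message and not part of Keystone): it parses the VirtualHost blocks and reports what a reviewer would want fixed before exposing the listeners, in particular that "SSLProtocol all -SSLv2" still leaves SSLv3 and TLS 1.0/1.1 enabled and that "LogLevel debug" is a bring-up setting. The sample config is constructed to mirror the one above, with SSLEngine turned off on the admin vhost to show that case; ALL_VERSIONS assumes the httpd 2.4 meaning of "all".

```python
import re
from typing import Dict, List, Set

# Constructed sample: the thread's public vhost, plus an admin vhost with SSL off.
SAMPLE_CONF = """
<VirtualHost _default_:5000>
    LogLevel debug
    SSLEngine on
    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
    SSLProtocol all -SSLv2
    WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main
</VirtualHost>
<VirtualHost _default_:35357>
    SSLEngine off
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
ALL_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # what httpd 2.4 "all" means
WEAK_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # flagged when still enabled

def parse_vhosts(conf: str) -> Dict[str, Dict[str, str]]:
    """Map each VirtualHost address to its {directive: value} pairs."""
    vhosts: Dict[str, Dict[str, str]] = {}
    for addr, body in VHOST_RE.findall(conf):
        pairs = (ln.strip().partition(" ") for ln in body.splitlines() if ln.strip())
        vhosts[addr.strip()] = {k: v.strip() for k, _, v in pairs}
    return vhosts

def enabled_protocols(value: str) -> Set[str]:
    """Expand an SSLProtocol value such as 'all -SSLv2' or '-all +TLSv1.2' in order."""
    enabled: Set[str] = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = ALL_VERSIONS if name.lower() == "all" else {name}
        enabled = enabled - versions if sign == "-" else enabled | versions
    return enabled

def audit_vhost(d: Dict[str, str]) -> List[str]:
    """Findings for one vhost; an empty list means nothing to flag."""
    if d.get("SSLEngine", "off").lower() != "on":
        return ["SSLEngine off: tokens and credentials travel in cleartext"]
    findings: List[str] = []
    weak = [v for v in WEAK_VERSIONS if v in enabled_protocols(d.get("SSLProtocol", "all"))]
    if weak:
        findings.append("SSLProtocol still enables: " + ", ".join(weak))
    if d.get("LogLevel", "warn").lower() == "debug":
        findings.append("LogLevel debug: a bring-up setting, not for production")
    return findings
```

Run it over the real file with parse_vhosts(open("/etc/apache2/sites-available/keystone.conf").read()) and feed each vhost to audit_vhost.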



From: Devendra Gupta [mailto:dev29aug at gmail.com]
Sent: Tuesday, April 15, 2014 8:47 AM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); openstack at lists.openstack.org
Subject: RE: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi


Missed include list so adding.
On Apr 15, 2014 9:41 AM, "Devendra Gupta" <dev29aug at gmail.com> wrote:

Hi Mark,

Thanks for your inputs around "Stunnel", I'll try it later as it looks very new to me and little unknown/complex. But first I wanted to try HTTPD with mod_wsgi as I don't have much security concern in my test environment so could you please guide me around those three points which I mentioned in the first mail. I could see in mailing list archive that you tried that approach so I think your guidance would be helpful.

Regards,
Devendra
On Apr 15, 2014 4:18 AM, "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <mark.m.miller at hp.com> wrote:
Look up "stunnel". The HTTPD and mod_wsgi wasn't really stable and provided a security risk in that breaking into Apache granted you access to every OpenStack service started by Apache.

-----Original Message-----
From: Devendra Gupta [mailto:dev29aug at gmail.com]
Sent: Monday, April 14, 2014 3:31 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Cc: ayoung at redhat.com; openstack at lists.openstack.org
Subject: Re: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi

OK, so if I want something stable on Havana then I need to go through HTTPD/mod_wsgi? Isn't it?

I also see lots of things around TripleO but don't have much idea.
Things like TripleO, Tuskar.
http://openstack.redhat.com/Deploying_RDO_using_Tuskar_and_TripleO

Though not sure, what all this is doing.

Devendra

On Tue, Apr 15, 2014 at 3:48 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.miller at hp.com> wrote:
> I am just learning myself and it is aimed at Icehouse, not Havana.
>
> http://docs.openstack.org/developer/tripleo-incubator/devtest.html
>
> Mark
>
>
> -----Original Message-----
> From: Devendra Gupta [mailto:dev29aug at gmail.com]
> Sent: Monday, April 14, 2014 3:14 PM
> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> Cc: ayoung at redhat.com; openstack at lists.openstack.org
> Subject: Re: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>
> Thanks Mark, TripleO seems good. I just came to know about it from you, so I am googling around it. Do you see some known/trusted doc to configure it with OpenStack? I am willing to proceed with it on Havana.
>
> - Devendra
>
> On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.miller at hp.com> wrote:
>> Devendra,
>>
>> We are now using an SSL terminator solution instead of attempting to turn SSL on for all of the OpenStack services. I have not attempted to turn SSL on for Havana or Icehouse builds, but the Grizzly base was pretty flaky. Right now the TripleO work is using the "stunnel" proxy server in front of all OpenStack services to terminate SSL. You can then proxy the incoming HTTPS request onto the local 127.0.0.1/8 bus, which is inaccessible from outside your server. It also isolates the SSL terminator from the OpenStack service processes.
>>
>> Mark
>>
>> -----Original Message-----
>> From: Devendra Gupta [mailto:dev29aug at gmail.com]
>> Sent: Monday, April 14, 2014 2:30 PM
>> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); ayoung at redhat.com
>> Cc: openstack at lists.openstack.org
>> Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>>
>> Hi,
>>
>> I want to enable SSL for all the OpenStack APIs and test it, but I couldn't find a detailed doc on docs.openstack.org. Does anyone have some notes on how to set this up?
>>
>> I did a good search around it on Google and the OpenStack/RDO mailing list. I found lots of different paths, but most of them were limited to Keystone only, using 'keystone-manage ssl_setup'. I also found the following nice blog, which has 6 posts on setting up SSL for all the components using Apache2 and mod_wsgi.
>>
>> http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keystone/
>>
>> I want to go through this doc to do a complete setup, but before that I wanted to get a few inputs about my environment:
>>
>> 1. I have OpenStack RDO Havana running on a single CentOS 6 VM. Is it fine to try the steps on an OpenStack RDO/Havana setup? Or do I need to have OpenStack set up on Ubuntu/Grizzly?
>>
>> 2. Since all the OpenStack components are running on the same host, I guess I need to add VHost entries for all the APIs (mentioned in all 6 docs) in /etc/httpd/conf/http.conf. Please help me if someone has a sample VHost file with sites created for some/all components.
>>
>> 3. Can I have a single set of self-signed certificate paths for all the Virtual Host entries, as all APIs are running on the single VM?
>>     SSLCertificateFile /location/of/server.pem
>>     SSLCertificateKeyFile /location/of/server.key
>>
>> Another thing, the keystone configuration part in this blog has a reference to the github page (http://goo.gl/ZIhcn2) for configuring Keystone with SSL, but I find that doc a little difficult to understand as there are no details on configuring virtual hosts, so can I skip the github doc and proceed with the same blog?
>>
>> Regards,
>> Devendra Gupta