[Openstack] Enabling SSL For The OpenStack API using HTTPD and mod_wsgi

Rob Crittenden rcritten at redhat.com
Wed Apr 16 18:02:21 UTC 2014


Devendra Gupta wrote:
> OK, So If I want something on stable on Havana then I need to go
> through the HTTPD/mod_wsgi ? Isn't it.
>
> I also see lots of things around TripleO but don't have much idea.
> Things like TripleO, Tuskar
> .http://openstack.redhat.com/Deploying_RDO_using_Tuskar_and_TripleO
>
> Though not sure, what all this is doing.

You may be able to get away with the Eventlet server. From my testing so 
far SSL works ok there, but others have expressed great concerns over 
performance so they tend to stick an SSL terminator in front instead.

As you do this, be aware that a lot of the servers act as clients as 
well so you'll need to dig into the configuration files and tweak a lot 
of things as you go. The order I did was keystone, nova, cinder, glance, 
heat, in the context of devstack.

Take good notes :-)

rob

>
> Devendra
>
> On Tue, Apr 15, 2014 at 3:48 AM, Miller, Mark M (EB SW Cloud - R&D -
> Corvallis) <mark.m.miller at hp.com> wrote:
>> I am just learning myself and it is aimed at Icehouse, not Havana.
>>
>> http://docs.openstack.org/developer/tripleo-incubator/devtest.html
>>
>> Mark
>>
>>
>> -----Original Message-----
>> From: Devendra Gupta [mailto:dev29aug at gmail.com]
>> Sent: Monday, April 14, 2014 3:14 PM
>> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Cc: ayoung at redhat.com; openstack at lists.openstack.org
>> Subject: Re: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>>
>> Thanks Mark, TripleO seems good. I just came to know about it from you so doing google around it. Do you see some known/trusted doc to configure it with OpenStack. I am willing to proceed with it on Havana.
>>
>> - Devendra
>>
>> On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - R&D -
>> Corvallis) <mark.m.miller at hp.com> wrote:
>>> Devendra,
>>>
>>> We are now using an SSL terminator solution instead of attempting to turn SSL on all of the OpenStack services. I have not attempted to turn SSL on Havana nor Icehouse builds, but the Grizzly base was pretty flakey . Right now the TripleO work is using the "stunnel" proxy server in front of all OpenStack services to terminate SSL. You can then proxy the incoming HTTPS request onto the local 127.0.0.1/8 bus which is inaccessible from outside your server. It also isolates the SSL terminator from the OpenStack service processes.
>>>
>>> Mark
>>>
>>> -----Original Message-----
>>> From: Devendra Gupta [mailto:dev29aug at gmail.com]
>>> Sent: Monday, April 14, 2014 2:30 PM
>>> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); ayoung at redhat.com
>>> Cc: openstack at lists.openstack.org
>>> Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>>>
>>> Hi,
>>>
>>> I want to enable SSL for all the OpenStack APIs and test it but I couldn't find detailed doc on docs.openstack.org. Does anyone have some notes on how to set this up ?
>>>
>>> I did good search around it on Google and OpenStack/RDO mailing list, I found lots of different paths but most of them were limited to Keystone only using 'keystone-manage ssl_setup'. I also found following nice blog which have 6 posts for setting up the SSL for all the components using Apache2 and mod_wsgi.
>>>
>>> http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keyst
>>> one/
>>>
>>> I want to go through this doc to do a complete setup but before that I wanted to take few inputs about my environment:
>>>
>>> 1. I have OpenStack RDO Havana running on Single CentOS 6 VM. Is it fine to try the steps on OpenStack RDO/Havana setup ? Or I need to have OpenStack setup on Ubuntu/Grizzly ?
>>>
>>> 2. Since all the OpenStack components are running on the same host, I
>>> guess I need to add VHost entries for all the APIs (mentioned in all 6
>>> docs) in the /etc/httpd/conf/http.conf. Please help me if someone have a sample file VHost file with sites created for some/all components.
>>>
>>> 3. Can I have single set of  self signed certificate path for all the Virtual Host entries as all APIs are running on the single VM.
>>>      SSLCertificateFile /location/of/server.pem
>>>      SSLCertificateKeyFile /location/of/server.key
>>>
>>> Another thing, the ketstone configuration part in this blog is having reference to the github page (http://goo.gl/ZIhcn2) for configuring Keystone with SSL but I find that doc little difficult to understand as there is no details of configuring virtual hosts so can I skip the github doc and proceed with the same blog.
>>>
>>> Regards,
>>> Devendra Gupta
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>





More information about the Openstack mailing list