[Openstack] SSL Configuration
Rob Crittenden
rcritten at redhat.com
Tue Dec 2 15:31:30 UTC 2014
Georgios Dimitrakakis wrote:
> @Robert: I don't have a load-balancer for this deployment. Just
> controller, cinder and compute nodes.
>
>
>
> What I would like to do is to secure the public endpoints for Keystone,
> Glance, Nova, Cinder with SSL and the EC2 API.
>
> That would be sufficient for the moment.
>
> Is it OK if I just change the respective *.conf files or should I do
> something more? Should the changes at the *.conf files be propagated on
> all nodes?
It is a bit more complicated than that.
You can either secure things natively or use a TLS proxy (hardware or
something like haproxy or stud). Native SSL is generally frowned upon
since the assumption is that performance will be terrible due to the
python GIL.
What you do with haproxy or stud is to modify the port that the services
normally listen on (in devstack we simply add 1 to each of the ports)
and configure the proxy to listen on the "standard" ports for each service.
You also need secure endpoints defined in keystone for everything. If
you've got an existing installation you'll need to try to convert it.
I've been toying with SSL in devstack and documented some experiments I
did including converting Keystone to use native SSL,
http://blog-rcritten.rhcloud.com/?p=5 and subsequently converting nova,
glance and cinder in the same install http://blog-rcritten.rhcloud.com/?p=26
This is for native SSL, which as I said is generally frowned up, but I
was just toying after all. The process should be similar for a proxy.
rob
>
>
> All the best,
>
> George
>
>
>
> On Tue, 2 Dec 2014 17:49:24 +0330, Muhammed Salehi wrote:
>> Hi.
>> Do you want to serve https instead http ? Or you want to encrypt all
>> of the communications between these components?
>> For the first problem the solution is : Search about how to serve and
>> https with apache or passenger.
>>
>> On Tue, Dec 2, 2014 at 5:22 PM, Georgios Dimitrakakis wrote:
>>
>>> Hi!
>>>
>>> Can someone point me to the right direction on how to secure
>>> publicly available services (e.g. nova,keystone,glance) with an SSL
>>> certificate?
>>>
>>> Best regards,
>>>
>>> George
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [1]
>>> Post to : openstack at lists.openstack.org [2]
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [3]
>>
>> --
>>
>> -----BEGIN PGP PUBLIC KEY BLOCK-----
>> Version: GnuPG v1
>>
>> mQENBFRX8IoBCADCn76BbNN5m/GwP1rWaOvZMYfdm4Tv9oJehK7zAAzrHPZOaV/i
>> kdxG6LGadCGh/uTWoos441A8MKN/GufruEz1jvR+rgamD0oiTdRHTXz3Wkzcd62y
>> +U9pNLmYZyLUM1ebXXoxgmdNMGHvYLbdTIFgmxfIthKzRx9vd5WQGnsg/gFLTcdY
>> cWd5/THfkImJUHmjLAOepcewQcODijTp27xMwK354SG0BwbWroGAj5AVRqXqD6Qg
>> vO5zIgfMUsoOTMVF5WhAAf1xAjjGjEDi9EqeV1EVyO83s54gfAH/pWYV0K0RZvRw
>> h96wxZVVmCq9Ys8aU8D+hOjEvkjHZPAd3uNXABEBAAG0NFNleXllZCBNdWhhbW1l
>> ZCBTYWRlZ2ggU2FsZWhpIDxzYWxlaGkxOTk0QGdtYWlsLmNvbT6JAT4EEwECACgF
>> AlRX8IoCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEKs5CKNB
>> Z6zv/JQIALd5MnRhvAatGl/HcTYrm/S2Vsp3LgvC6R/w2uNiTm9tfSf596+2flF7
>> xgWUdROZ5O7s188oWiZRNb88XjdMMJtl0KpNpxLbYRyNPZL0klAps46Wlmy3fr8m
>> 7RdovLSy2QtmFtEAsXfYyXmLGB4PeexqYyfcXYhfP1W4kyTScBRUZ4SuFWDhBvvZ
>> 8vHHhWjiPVFvgi1cX3rwqtzp4eYFTHeH8QhKDeDk3760XVMk+jl+kvzqUzwh5V6+
>> SJs63YoiTSXyk37844NOGvYDHsupDO0R4O+YBwcZLxah/nqfTodfAnsmOA6W6oOy
>> lnVOH4IwrfcoVyjjqIlLWGws7BkPN6+5AQ0EVFfwigEIALLGTAxtT7lLuywmNTaq
>> hqpUtYsOWx7Cxjj1tVfG3bN/PbW+nKFvfyJkURYVyjn4z7GHLVCrYIr9ixhBRFcz
>> zmHuMkxMEr5u/m+H8CSsZ02V81v6+1uM2NvPxCYCUqDxEbcPrs8XrmPZGINY2Fya
>> XLpljTh06s1vdBAk32Wxy2Vz6Ii6pQD5WDgrdgDOgpTTlPdIxg9eq6yZi+GMJj/4
>> 28Rt6HJhGaqGXN0bCPQ78tQygcY4EDQwpkToWxLCizsj1+9XFwwjnOQON/FNsAT7
>> g+XsVQJKfGmRe2QuRJ9oqSK6pi16O7VXg6bAw1dLsEmNoSto1ofy7DVTqqSlEG2o
>> N0MAEQEAAYkBJQQYAQIADwUCVFfwigIbDAUJAeEzgAAKCRCrOQijQWes7xemB/92
>> 1PRHt24/hfCKR86aCnZk8bzNP+HDeewHXmFLEk9Hk7k2kuo6zVLjPnMA4M9rgOwh
>> W5EYhyVpNWKnzzhMwyCGz0J7doK2HYRXJKez1RErLW4GPLzM+4sfY5pWBAjDY62e
>> 1Tz1ay+fS3CLh4zCCZYqraHKa6PJYYp9Bz3NRj3xkFtkcLspNq4DkiEBPJVLIPko
>> OkVOpBuNpj1YDSZZXwM8HzDMvJc1qgAVxWk56BjePrx8SHfDah1UQqZst4dWeepJ
>> 0E2xj4H+WMrIW/3btSTVdlr4zPFwGQ9qE2CcbDJJhH68U9eve3njEPDFiu1TS/f5
>> Tt1scwgVintCWdVX9BS2
>> =cxjk
>> -----END PGP PUBLIC KEY BLOCK-----
>>
>>
>> Links:
>> ------
>> [1] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> [2] mailto:openstack at lists.openstack.org
>> [3] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> [4] mailto:giorgis at acmac.uoc.gr
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
More information about the Openstack
mailing list