On Thu, Mar 27, 2014 at 10:58 AM, Maksim Mazur <[email protected]> wrote:
> As I see, Fuel 4.1 configures Apache on the controller to listen on *:443, but
> there is only the default page.
>
> Could you please explain to me why we have such a configuration?

As far as I understand, the primary reason not to enable SSL for OpenStack out of the box is cert management. We don't want to deploy with self-signed certificates that would provide a false sense of security, and we don't have a proper cert management infrastructure integrated in Fuel.

> I would like to use https for securing horizon - can I safely disable ssl in
> apache?

Yes. To do it properly via Fuel, you'll need to make sure that the Apache configuration templates in horizon/templates/*.conf.erb consistently follow the $use_ssl variable from the horizon Puppet class (the current code pre-dates Ubuntu support and seems to be RedHat/CentOS specific), fix osnailyfacter::cluster_* to consistently pass that variable to horizon based on horizon_use_ssl from fuel_settings (at the moment it is only used on cluster_ha), and make sure that variable is actually present in astute.yaml (at the moment it isn't).

> I already have a patch for fuel 4.0 which enables SSL with external nginx, not
> changing the apache config.
>
> Do we need such functionality in 4.1.1?

Having this as an option would be nice, but I would be very careful about letting users deploy with autogenerated self-signed certificates and believing they're any more secure than without SSL. Does your patch allow using valid pre-defined certificates?

--
Dmitry Borodaenko

