Devendra Gupta wrote:
OK, so if I want something stable on Havana then I need to go
through the HTTPD/mod_wsgi? Isn't it?
I also see lots of things around TripleO but don't have much idea.
Things like TripleO, Tuskar.
http://openstack.redhat.com/Deploying_RDO_using_Tuskar_and_TripleO
Though not sure, what all this is doing.
You may be able to get away with the Eventlet server. From my testing so
far SSL works ok there, but others have expressed great concerns over
performance so they tend to stick an SSL terminator in front instead.
As you do this, be aware that a lot of the servers act as clients as
well so you'll need to dig into the configuration files and tweak a lot
of things as you go. The order I did was keystone, nova, cinder, glance,
heat, in the context of devstack.
Take good notes :-)
rob
Devendra
On Tue, Apr 15, 2014 at 3:48 AM, Miller, Mark M (EB SW Cloud - R&D -
Corvallis) <[email protected]> wrote:
I am just learning myself and it is aimed at Icehouse, not Havana.
http://docs.openstack.org/developer/tripleo-incubator/devtest.html
Mark
-----Original Message-----
From: Devendra Gupta [mailto:[email protected]]
Sent: Monday, April 14, 2014 3:14 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Cc: [email protected]; [email protected]
Subject: Re: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
Thanks Mark, TripleO seems good. I just came to know about it from you so I am
googling around it. Do you see some known/trusted doc to configure it with
OpenStack? I am willing to proceed with it on Havana.
- Devendra
On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - R&D -
Corvallis) <[email protected]> wrote:
Devendra,
We are now using an SSL terminator solution instead of attempting to turn SSL on all of
the OpenStack services. I have not attempted to turn SSL on Havana nor Icehouse builds,
but the Grizzly base was pretty flaky. Right now the TripleO work is using the
"stunnel" proxy server in front of all OpenStack services to terminate SSL. You
can then proxy the incoming HTTPS request onto the local 127.0.0.1/8 bus which is
inaccessible from outside your server. It also isolates the SSL terminator from the
OpenStack service processes.
Mark
-----Original Message-----
From: Devendra Gupta [mailto:[email protected]]
Sent: Monday, April 14, 2014 2:30 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); [email protected]
Cc: [email protected]
Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
Hi,
I want to enable SSL for all the OpenStack APIs and test it but I couldn't find
detailed doc on docs.openstack.org. Does anyone have some notes on how to set
this up ?
I did a good search around it on Google and the OpenStack/RDO mailing lists. I found
lots of different paths but most of them were limited to Keystone only using
'keystone-manage ssl_setup'. I also found the following nice blog which has 6
posts for setting up SSL for all the components using Apache2 and mod_wsgi.
http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keystone/
I want to go through this doc to do a complete setup but before that I wanted
to take a few inputs about my environment:
1. I have OpenStack RDO Havana running on a single CentOS 6 VM. Is it fine to try
the steps on an OpenStack RDO/Havana setup? Or do I need to have OpenStack set up on
Ubuntu/Grizzly?
2. Since all the OpenStack components are running on the same host, I
guess I need to add VHost entries for all the APIs (mentioned in all 6
docs) in the /etc/httpd/conf/http.conf. Please help me if someone has a sample
VHost file with sites created for some/all components.
3. Can I have a single set of self-signed certificate paths for all the Virtual
Host entries, as all APIs are running on the single VM?
SSLCertificateFile /location/of/server.pem
SSLCertificateKeyFile /location/of/server.key
Another thing, the Keystone configuration part in this blog has a reference
to the github page (http://goo.gl/ZIhcn2) for configuring Keystone with SSL but
I find that doc a little difficult to understand as there are no details of
configuring virtual hosts, so can I skip the github doc and proceed with the
same blog?
Regards,
Devendra Gupta
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
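The SSL-terminator layout Mark describes in this thread (stunnel in front, services reachable only on loopback), sketched as a stunnel configuration. This is an added example, not a configuration posted in the thread or taken from TripleO; the external address 192.0.2.10 and the API ports (the services' usual defaults) are assumptions, and the certificate paths are the placeholders from the original question.

```ini
; Added example (not from the thread): stunnel terminating SSL in front of
; OpenStack APIs that listen only on loopback.
; Assumptions: 192.0.2.10 is a placeholder for the host's external address;
; the ports are the services' usual defaults; each service has been
; reconfigured to bind to 127.0.0.1 so it cannot be reached directly.

; Defaults inherited by every service section below.
; One certificate/key pair is shared by all APIs on the single host.
cert = /location/of/server.pem
key = /location/of/server.key
; Refuse the obsolete protocol versions.
options = NO_SSLv2
options = NO_SSLv3

[keystone-public]
accept = 192.0.2.10:5000
connect = 127.0.0.1:5000

[keystone-admin]
accept = 192.0.2.10:35357
connect = 127.0.0.1:35357

[nova-api]
accept = 192.0.2.10:8774
connect = 127.0.0.1:8774

[cinder-api]
accept = 192.0.2.10:8776
connect = 127.0.0.1:8776

[glance-api]
accept = 192.0.2.10:9292
connect = 127.0.0.1:9292

[heat-api]
accept = 192.0.2.10:8004
connect = 127.0.0.1:8004
```

Because many of the services also act as clients of each other, as Rob points out, their own configuration files must be updated to use the https addresses and to trust the certificate.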