Re: [Openstack] Reverse proxy component

2016-10-19 Thread Jose Manuel Ferrer Mosteiro 

You are right. This is the schema:
 
+--+
 |   
   |
 |OPENSTACK  
   |
+--+  +---+  |   
   |
|  |  |   |  |  +-+  
   |
| internet +->+ reverse_proxy +>| floating_ip |  
   |
|  |  |   |  |  +---+-+  
   |
+--+  +---+  |  |
   |
 |  |
   |
 |  v
   |
 |  +---+
   |
 |  |lb_vip |
   |
 |  ++--+
   |
 |   |   
   |
 |   |   
   |
 |   v   
   |
 |  ++   
   |
 |  |servers |   
   |
 |  ||-+ 
   |
 |  ++ | 
   |
 ||| 
   |
 |++ 
   |
 
+--+


A lot of enterprises use only a ip address to expose al the websites so 
they use a reverse proxy as "router" using "virtualhosts".


lbaas works inside openstack very well. I want more or less the same 
outside openstack.


With Designate and Heat I can create a register with the floating ip of 
the balanced service vip:


  webpage_record:
type: OS::Designate::Record
properties:
  name: webpage.example.com.
  type: A
  domain: example.com.
  data: { get_attr: [webpage_lb_vip_floating_ip, 
floating_ip_address] }


I want to add a route in the reverse_proxy so I want something like:

  webpage_reverse_proxy:
type: OS::ReverseProxy::VirtualHost
properties:
  external_name: webpage.example.com.
  internal_name: webpage.example.com.
  external_protocol: HTTPS
  internal_protocol: HTTP


Is there any way to do this?

Thank you,

Jose Manuel



El 2016-10-19 10:50, Federico M. Facca escribió:


Let me add a bit,
By default lbaas manage ha proxy instances in your openstack, but it's 
just a matter of creating a proper driver if not existing, to manage a 
physical lb or an external service providing that. But an external 
service to your network will need anyhow a public ip on your VMs. So it 
will be hard to not have external visibility and use, for example 
amazon lb.


Federico

Fede's mobile edition

DR. FEDERICO MICHELE FACCA
_Head of Martel Lab_

MARTEL INNOVATE
Dorfstrasse 73 - 3073 Gümligen [1] (Switzerland)
0041 78 807 58 38 [2]
0041 31 994 25 25 [3]
martel-innovate.com [4]

Il giorno 19 ott 2016, alle ore 10:40, Jose Manuel Ferrer Mosteiro 
 ha scritto:


Hi,

Yes, I can, but I want something with an api, integrated with keystone, 
... an openstack component.


Designate manages external DNS servers. I mean the same for managing 
external reverse proxy servers.


Jose Manuel

El 2016-10-19 08:21, Federico M. Facca escribió:
Hi,
You can use a load balancer for that, no?

Federico

Fede's mobile edition

DR. FEDERICO MICHELE FACCA
_Head of Martel Lab_

MARTEL INNOVATE
Dorfstrasse 73 - 3073 Gümligen [1] (Switzerland)
0041 78 807 58 38 [2]
0041 31 994 25 25 [3]
martel-innovate.com [4]

Il giorno 19 ott 2016, alle ore 07:49, Jose Manuel Ferrer Mosteiro 
 ha scritto:


Hi

I wonder if there is some kind of reverse proxy module for OpenStack.

In some cases the OpenStack deployment is in an internal network 
without external visibility. When I want to expose a server to outside 
I use a nginx or an apache with this configuration:


+++

ProxyPass / http://webpage/ [5]
ProxyPassReverse / http://webpage/ [5]

+++

It is more or less the same functionality that we would make with a F5, 
ceryx or the OpenShift router.


Is there any "reverse proxy" component for OpenStack?

I cannot find it.

Thank you,

Jose Manuel
___
Mailing list: 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [6]

Post to :

Re: [Openstack] Reverse proxy component

2016-10-19 Thread Federico M. Facca 
Let me add a bit, 
By default lbaas manage ha proxy instances in your openstack, but it's just a 
matter of creating a proper driver if not existing, to manage a physical lb or 
an external service providing that. But an external service to your network 
will need anyhow a public ip on your VMs. So it will be hard to not have 
external visibility and use, for example amazon lb. 

Federico

Fede's mobile edition
Dr. Federico Michele Facca
Head of Martel Lab

Martel Innovate
Dorfstrasse 73 - 3073 Gümligen (Switzerland)
0041 78 807 58 38
0041 31 994 25 25
martel-innovate.com


> Il giorno 19 ott 2016, alle ore 10:40, Jose Manuel Ferrer Mosteiro 
>  ha scritto:
> 
> Hi,
> 
> Yes, I can, but I want something with an api, integrated with keystone, ... 
> an openstack component.
> 
> Designate manages external DNS servers. I mean the same for managing external 
> reverse proxy servers.
> 
> Jose Manuel
> 
>  
>  
> 
> El 2016-10-19 08:21, Federico M. Facca escribió:
> 
>> Hi,
>> You can use a load balancer for that, no?
>>  
>> Federico 
>> 
>> Fede's mobile edition
>> Dr. Federico Michele Facca
>> Head of Martel Lab
>> 
>> Martel Innovate
>> Dorfstrasse 73 - 3073 Gümligen (Switzerland)
>> 0041 78 807 58 38
>> 0041 31 994 25 25
>> martel-innovate.com
>> 
>> 
>>> Il giorno 19 ott 2016, alle ore 07:49, Jose Manuel Ferrer Mosteiro 
>>>  ha scritto:
>>> 
>>> Hi
>>> 
>>>  
>>> 
>>>  
>>> I wonder if there is some kind of reverse proxy module for OpenStack.
>>> 
>>> In some cases the OpenStack deployment is in an internal network without 
>>> external visibility. When I want to expose a server to outside I use a 
>>> nginx or an apache with this configuration:
>>> 
>>> +++
>>> 
>>> ProxyPass / http://webpage/
>>> ProxyPassReverse / http://webpage/
>>> 
>>> +++
>>> 
>>>  
>>> It is more or less the same functionality that we would make with a F5, 
>>> ceryx or the OpenShift router.
>>> 
>>> Is there any "reverse proxy" component for OpenStack?
>>> 
>>> I cannot find it.
>>> 
>>>  
>>> 
>>> Thank you,
>>> 
>>> Jose Manuel
>>> 
>>> ___
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to : openstack@lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Re: [Openstack] Reverse proxy component

2016-10-19 Thread Federico M. Facca 
Exactly, lbaas is part of neutron.

Cheers,
Federico

Fede's mobile edition
Dr. Federico Michele Facca
Head of Martel Lab

Martel Innovate
Dorfstrasse 73 - 3073 Gümligen (Switzerland)
0041 78 807 58 38
0041 31 994 25 25
martel-innovate.com


> Il giorno 19 ott 2016, alle ore 10:40, Jose Manuel Ferrer Mosteiro 
>  ha scritto:
> 
> Hi,
> 
> Yes, I can, but I want something with an api, integrated with keystone, ... 
> an openstack component.
> 
> Designate manages external DNS servers. I mean the same for managing external 
> reverse proxy servers.
> 
> Jose Manuel
> 
>  
>  
> 
> El 2016-10-19 08:21, Federico M. Facca escribió:
> 
>> Hi,
>> You can use a load balancer for that, no?
>>  
>> Federico 
>> 
>> Fede's mobile edition
>> Dr. Federico Michele Facca
>> Head of Martel Lab
>> 
>> Martel Innovate
>> Dorfstrasse 73 - 3073 Gümligen (Switzerland)
>> 0041 78 807 58 38
>> 0041 31 994 25 25
>> martel-innovate.com
>> 
>> 
>>> Il giorno 19 ott 2016, alle ore 07:49, Jose Manuel Ferrer Mosteiro 
>>>  ha scritto:
>>> 
>>> Hi
>>> 
>>>  
>>> 
>>>  
>>> I wonder if there is some kind of reverse proxy module for OpenStack.
>>> 
>>> In some cases the OpenStack deployment is in an internal network without 
>>> external visibility. When I want to expose a server to outside I use a 
>>> nginx or an apache with this configuration:
>>> 
>>> +++
>>> 
>>> ProxyPass / http://webpage/
>>> ProxyPassReverse / http://webpage/
>>> 
>>> +++
>>> 
>>>  
>>> It is more or less the same functionality that we would make with a F5, 
>>> ceryx or the OpenShift router.
>>> 
>>> Is there any "reverse proxy" component for OpenStack?
>>> 
>>> I cannot find it.
>>> 
>>>  
>>> 
>>> Thank you,
>>> 
>>> Jose Manuel
>>> 
>>> ___
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to : openstack@lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Re: [Openstack] Reverse proxy component

2016-10-19 Thread Jose Manuel Ferrer Mosteiro 
 

Hi, 

Yes, I can, but I want something with an api, integrated with keystone,
... an openstack component. 

Designate manages external DNS servers. I mean the same for managing
external reverse proxy servers. 

Jose Manuel 

El 2016-10-19 08:21, Federico M. Facca escribió: 

> Hi, 
> You can use a load balancer for that, no? 
> 
> Federico 
> 
> Fede's mobile edition 
> 
> DR. FEDERICO MICHELE FACCA
> _Head of Martel Lab_ 
> 
> MARTEL INNOVATE
> Dorfstrasse 73 - 3073 Gümligen [3] (Switzerland)
> 0041 78 807 58 38 [4]
> 0041 31 994 25 25 [5]
> martel-innovate.com [6] 
> 
> Il giorno 19 ott 2016, alle ore 07:49, Jose Manuel Ferrer Mosteiro 
>  ha scritto:
> 
>> Hi 
>> 
>> I wonder if there is some kind of reverse proxy module for OpenStack. 
>> 
>> In some cases the OpenStack deployment is in an internal network without 
>> external visibility. When I want to expose a server to outside I use a nginx 
>> or an apache with this configuration: 
>> 
>> +++ 
>> 
>> ProxyPass / http://webpage/ [1]
>> ProxyPassReverse / http://webpage/ [1] 
>> 
>> +++ 
>> 
>> It is more or less the same functionality that we would make with a F5, 
>> ceryx or the OpenShift router. 
>> 
>> Is there any "reverse proxy" component for OpenStack? 
>> 
>> I cannot find it. 
>> 
>> Thank you, 
>> 
>> Jose Manuel
> 
>> ___
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack 
>> [2]
>> Post to : openstack@lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack 
>> [2]
 

Links:
--
[1] http://webpage/
[2] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
[3] x-apple-data-detectors://1/0
[4] tel:0041%2078%20807%2058%2038
[5] tel:0041%2031%20994%2025%2025
[6] http://martel-innovate.com/
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Re: [Openstack] Reverse proxy component

2016-10-19 Thread Uwe Sauter 
Hi Jose,

slightly off topic but this is the configuration I have in production where 
Nginx is used as remote.

Replace everything within <>. "YOUR OPENSTACK IP/HOSTNAME" means the IP that 
your Openstack installation thinks is external, while
"YOUR DOMAIN(s)" means what the revproxy should listen to.

You also have to create at least the file 
/usr/share/nginx/html/OPENSTACK/index.html which acts as the landing page if 
someone
only enters your domain as URL.

Regards,

Uwe


--- Begin /etc/nginx/openstack 
ssl_certificate/etc/nginx/certs/;
ssl_certificate_key/etc/nginx/certs/;
ssl_dhparam/etc/nginx/certs/;
ssl_protocols  TLSv1.2 TLSv1.1;
ssl_ciphers
AES256+EECDH:AES128+EECDH:!aNULL:!eNULL:!ECDSA:!SHA:!DSS;
ssl_prefer_server_ciphers  on;
ssl_session_cache  shared:SSL:10m;
ssl_session_timeout10m;

# HTTP # http is only used to present an index where your customers are 
redirected to the dashboard
server {
  server_name ;
  listen  *:80;
  root/usr/share/nginx/html/OPENSTACK;

  location / {
index index.html;
  }

  location ~ ^/dashboard {
return302 https://$host$request_uri;
  }

  location ~ ^/console {
return302 https://$host:6080$request_uri;
  }

  location ~ ^/websockify {
return302 https://$host:6080$request_uri;
  }
}

# HTTPS server #
server {
  server_name;
  listen *:443;
  sslon;
  root/usr/share/nginx/html/OPENSTACK;

  location / {
index index.html;
  }

 OpenStack ##
  location ~ ^/dashboard {
sub_filter   'http://'
'https://$host';
sub_filter   'http://$host''https://$host';
sub_filter_last_modified on;
sub_filter_once  off;
sub_filter_types *;
proxy_pass   http://;
proxy_request_buffering  off;
proxy_set_header Host $host;
proxy_set_header Origin   http://$host;
proxy_set_header Accept-Encoding  "";
proxy_set_header X-Real-IP$remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server   $host;
proxy_set_header X-Forwarded-Proto$scheme;
proxy_set_header X-Forwarded-For  
$proxy_add_x_forwarded_for;
proxy_connect_timeout90;
proxy_send_timeout   90;
proxy_read_timeout   90;
  }
# End OpenStack ##
}

 OpenStack ##
  location / {
proxy_pass   http://:6080;
proxy_request_buffering  off;
proxy_http_version   1.1;
proxy_set_header Upgrade  $http_upgrade;
proxy_set_header Connection   "upgrade";
proxy_set_header Host $host;
proxy_set_header Origin   http://$host;
proxy_set_header X-Real-IP$remote_addr; # The IP 
address of the client.
proxy_set_header X-Forwarded-Host $host; # The original 
host requested by the client in the Host HTTP request
header.
proxy_set_header X-Forwarded-Server   $host; # The hostname of 
the proxy server.
proxy_set_header X-Forwarded-Proto$scheme;
proxy_set_header X-Forwarded-For  
$proxy_add_x_forwarded_for; # The IP address of the client and all proxies
in between..
  }
### End OpenStack #
}
--- End /etc/nginx/openstack --


Am 19.10.2016 um 07:49 schrieb Jose Manuel Ferrer Mosteiro:
> Hi
> 
>  
> 
>  
> 
> I wonder if there is some kind of reverse proxy module for OpenStack.
> 
> In some cases the OpenStack deployment is in an internal network without 
> external visibility. When I want to expose a server to
> outside I use a nginx or an apache with this configuration:
> 
> +++
> 
> ProxyPass / http://webpage/
> ProxyPassReverse / http://webpage/
> 
> +++
> 
>  
> 
> It is more or less the same functionality that we would make with a F5, ceryx 
> or the OpenShift router.
> 
> Is there any "reverse proxy" component for OpenStack?
> 
> I cannot find it.
> 
>  
> 
> Thank you,
> 
> Jose Manuel
> 
> 
> 
> ___
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 


___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :