I tried to use haproxy but without success; I cannot redirect port 443 to port 8080! Do you have an example of a haproxy conf?
Regards,
Olivier

On 24/02/2020 at 15:22, Andrija Panic wrote:
> Great - it's like anything in it, restart and it works better... :)
>
> Our blog, says like this:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/ (find
> it in the middle)
>
> But in production, one would usually use a reverse proxy like HaProxy
> and do SSL termination on this one.
>
> cheers
>
> On Mon, 24 Feb 2020 at 19:17, Olivier Guin <[email protected]> wrote:
>
> 1) consoleproxy.sslEnabled = false, restart mgmt, destroy CPVM
>    ONLY all OK! (UI using HTTP)
> 2) consoleproxy.sslEnabled = true, restart mgmt, destroy CPVM
>    ONLY all OK! (UI using HTTP)
>
> consoleproxy.sslEnabled    Enable SSL for console proxy    true
> consoleproxy.url.domain    Console proxy url domain        *.wayscom.net
>
> It's OK now! ... but I don't know why :-)
> It seems to me that I had already done that
>
> Anyway thank you for your time Andrija
>
> Do you know how to switch the UI to https?
>
> Regards,
> Olivier
>
> On 24/02/2020 at 13:08, Andrija Panic wrote:
>> login inside that linux box (CPVM) and see what's the apache
>> configuration (ssl or not, netstat / listening on 443 or not...etc)
>> always easy to destroy CPVM (after mgmt server was restarted) and
>> see if it fixes the issue
>>
>> For the start, set consoleproxy.sslEnabled=false, restart mgmt,
>> destroy CPVM and see if plain HTTP works (make sure to use UI
>> using HTTP also, otherwise you can't load non-SSL iframe) - to
>> see if you are able to run CPVM fine in general.
>>
>> On Mon, 24 Feb 2020 at 16:54, Olivier Guin <[email protected]> wrote:
>>
>> Indeed,
>>
>> I can't connect to :443!
>>
>> But I don't have any firewall!
>>
>> telnet 200.13.142.188 443 (or 200-13-142-188.wayscom.net)
>> Trying 200.13.142.188...
>> telnet: connect to address 200.13.142.188: Connection refused
>>
>> conf ? of cpvm ?
>>
>> Regards,
>>
>> Olivier
>>
>> On 24/02/2020 at 12:40, Andrija Panic wrote:
>>> i.e. telnet 200-13-142-188.wayscom.net 443
>>> Connecting To 200-13-142-188.wayscom.net...
>>>
>>> I can't connect to port 443 on this IP (from internet)
>>>
>>> On Mon, 24 Feb 2020 at 16:38, Andrija Panic <[email protected]> wrote:
>>>
>>> frame src=
>>> "https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxx-Y76j1
>>>
>>> This looks fine ^^^ - it tries to load SSL URL
>>>
>>> what *exact* problem are you getting?
>>>
>>> On Mon, 24 Feb 2020 at 16:31, Olivier Guin <[email protected]> wrote:
>>>
>>> Yes,
>>>
>>> consoleproxy.url.domain = *.wayscom.net
>>> consoleproxy.sslEnabled=true
>>> secstorage.ssl.cert.domain= *.wayscom.net
>>> secstorage.encrypt.copy=true
>>>
>>> For consoleproxy.url.domain:
>>>
>>> = *.wayscom.net => 200-13-142-188.wayscom.net from manager
>>>   ping OK, from internet ping OK
>>> = console.wayscom.net => 200.13.142.188 from manager ping OK,
>>>   from internet ping OK
>>>
>>> 2020-02-24 12:27:06,973 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) Port info
>>> consoleurl=https://172.16.11.11/console?uuid=xxxxxxxxxxxx&sessionref=OpaqueRef:xxxxxxxxxx
>>> 2020-02-24 12:27:06,973 INFO [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) Parse host info returned from executing GetVNCPortCommand. host info:
>>> consoleurl=https://172.16.11.11/console?uuid=xxxxxxxxxxxxxxxxxxxxx&sessionref=OpaqueRef:xxxxxxxxx
>>> 2020-02-24 12:27:06,977 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) Compose console url:
>>> https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxxxxxxxxx-Y76j1g
>>> 2020-02-24 12:27:06,977 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) the console url is ::
>>> <html><title>v-202-VM</title><frameset><frame src="https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxx-Y76j1g"></frame></frameset></html>
>>>
>>> Error connection!
>>>
>>> Regards,
>>> Olivier
>>>
>>> On 24/02/2020 at 12:04, Andrija Panic wrote:
>>>> consoleproxy.sslEnabled=true is set in global config ?
>>>> (a new thing in 4.11 that is not there in pre-4.11
>>>> releases and people sometimes miss this one)
>>>>
>>>> Regards,
>>>> Andrija
>>>>
>>>> On Mon, 24 Feb 2020 at 15:24, Olivier Guin <[email protected]> wrote:
>>>>
>>>> Hello,
>>>> I am trying to set up ssl on systemvm.
>>>> I was able to migrate without problem from
>>>> version 4.10 to version 4.13 but since
>>>> impossible to set up the ssl correctly on my
>>>> ssvm / cpvm?
>>>> I follow the documentation
>>>> (http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html)
>>>> as well as
>>>> (https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/).
>>>> GUI process: cloudstack indicates that the
>>>> certificate is OK, the cpvm and ssvm restarts
>>>> correctly but still without ssl?
>>>> How to check where it doesn't work?
>>>> What would be the points to check?
>>>> A priori things have changed since 4.11!
>>>>
>>>> Best regards
>>>>
>>>> Olivier Guin
>>>>
>>>> Olivier GUIN
>>>> TL. 0594 31 02 44
>>>> ARIAS Informatique
>>>> 513 ZI Collery 5
>>>> 97300 CAYENNE
>>>> www.ariasnet.com
>>>>
>>>> This message and any attachments (the "message") is intended
>>>> solely for the intended addressees and is confidential.
>>>> If you receive this message in error, or are not the intended
>>>> recipient(s), please delete it and any copies from your systems
>>>> and immediately notify the sender. Any unauthorized view, use
>>>> that does not comply with its purpose, dissemination or
>>>> disclosure, either whole or partial, is prohibited. Since the
>>>> internet cannot guarantee the integrity of this message which
>>>> may not be reliable, ARIAS Informatique shall not be liable for
>>>> the message if modified, changed or falsified.
>>>> Do not print this message unless it is necessary, consider the
>>>> environment.
> --
> Andrija Panić

Olivier GUIN
Direction 05 94 31 02 44
Mobile: 0594 31 02 44
513 ZI Collery 5
97300 CAYENNE
www.ariasnet.com
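The setup suggested in the thread (a reverse proxy doing SSL termination in front of the management UI) can look like the following HAProxy configuration. This is an added example, not part of the original thread and not CloudStack's or ShapeBlue's own configuration; the certificate path, the backend address 127.0.0.1 and the section names are assumptions.

```haproxy
# Added example: TLS termination for the CloudStack management UI.
# Assumptions (not from the thread): HAProxy 1.8+ running on the management
# server itself, UI reachable over plain HTTP on 127.0.0.1:8080, and a PEM
# bundle (certificate + chain + private key) at the placeholder path below.

global
    log /dev/log local0
    # Refuse protocol versions older than TLS 1.2 on every "bind ... ssl" line.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 80 only redirects, so no session cookie travels in clear text.
frontend cloudstack_ui_http
    bind :80
    http-request redirect scheme https code 301

# Port 443: TLS ends here; requests are passed on as plain HTTP.
frontend cloudstack_ui_https
    bind :443 ssl crt /etc/haproxy/certs/cloudstack-ui.pem
    # Tell browsers to keep using HTTPS for this host.
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend cloudstack_mgmt

backend cloudstack_mgmt
    # Pass the original client address and scheme to the management server.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # "check" marks the server down when port 8080 stops accepting connections.
    server mgmt1 127.0.0.1:8080 check
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file for errors before a reload. Once the proxy is in place, port 8080 should no longer be reachable from outside the host, otherwise the UI stays available over plain HTTP alongside the HTTPS front end.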
