I don't, some community users have for sure, and here is a LMGTFY :)
https://wiki.deimos.fr/HAProxy:_load_balance_your_traffic#Offloading_SSL
(haven't tested this exact setup - but you will get the idea) - you can always play
with simple yum install httpd on CentOS as the backend http server, and the
SSL offloading on Haproxy, then switch backend to ACS.

Cheers

On Mon, 24 Feb 2020 at 19:52, Olivier Guin
<[email protected]> wrote:

> I tried to use haproxy but without success, I cannot redirect port 443 to
> port 8080 !
> Do you have an example of a haproxy conf ?
>
> Regards,
>
> Olivier
>
>
> On 24/02/2020 at 15:22, Andrija Panic wrote:
>
> Great - it's like anything in it, restart and it works better... :)
>
> Our blog, says like this:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/ (find
> it in the middle)
>
> But in production, one would usually use a reverse proxy like HaProxy and
> do SSL termination on this one.
>
> cheers
>
> On Mon, 24 Feb 2020 at 19:17, Olivier Guin
> <[email protected]> wrote:
>
>> 1) consoleproxy.sslEnabled = false , restart mgmt, destroy CPVM ONLY all
>> OK !  (UI using HTTP)
>> 2) consoleproxy.sslEnabled = true , restart mgmt, destroy CPVM ONLY all
>> OK ! (UI using HTTP)
>> consoleproxy.sslEnabled Enable SSL for console proxy true
>>
>> consoleproxy.url.domain Console proxy url domain *.wayscom.net
>>
>>
>> It's Ok now ! ... but I don't know why :-)
>> It seems to me that I had already done that
>>
>> Anyway thank you for your time Andrija
>>
>> Do you know how to switch the UI to https?
>> Regards,
>> Olivier
>>
>> On 24/02/2020 at 13:08, Andrija Panic wrote:
>>
>> login inside that linux box (CPVM) and see what's the apache
>> configuration (ssl or not, netstat / listening on 443 or not...etc)
>> always easy to destroy CPVM (after mgmt server was restarted) and see if
>> it fixes the issue
>>
>> For the start, set consoleproxy.sslEnabled=false, restart mgmt, destroy
>> CPVM and see if plain HTTP works (make sure to use UI using HTTP also,
>> otherwise you can't load non-SSL iframe) - to see if you are able to run
>> CPVM fine in general.
>>
>> On Mon, 24 Feb 2020 at 16:54, Olivier Guin
>> <[email protected]> wrote:
>>
>>> Indeed,
>>>
>>> I can't connect to :443 !
>>>
>>> But I don't have any firewall !
>>>
>>> telnet 200.13.142.188 443  ( or 200-13-142-188.wayscom.net)
>>> Trying 200.13.142.188...
>>> telnet: connect to address 200.13.142.188: Connection refused
>>>
>>> conf ? of cpvm ?
>>>
>>> Regards,
>>>
>>> Olivier
>>> On 24/02/2020 at 12:40, Andrija Panic wrote:
>>>
>>> i.e. telnet 200-13-142-188.wayscom.net 443
>>> Connecting To 200-13-142-188.wayscom.net...
>>>
>>> I can't connect to port 443 on this IP (from internet)
>>>
>>>
>>> On Mon, 24 Feb 2020 at 16:38, Andrija Panic < [email protected]>
>>> wrote:
>>>
>>>> frame src="https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxx-Y76j1g"
>>>>
>>>> This looks fine ^^^ -  it tries to load SSL URL
>>>>
>>>> what *exact* problem are you getting?
>>>>
>>>> On Mon, 24 Feb 2020 at 16:31, Olivier Guin
>>>> <[email protected]> wrote:
>>>>
>>>>> Yes,
>>>>>
>>>>> consoleproxy.url.domain = *.wayscom.net
>>>>> consoleproxy.sslEnabled=true
>>>>> secstorage.ssl.cert.domain= *.wayscom.net
>>>>> secstorage.encrypt.copy=true
>>>>>
>>>>> For consoleproxy.url.domain :
>>>>>
>>>>> = *.wayscom.net   => 200-13-142-188.wayscom.net   from manager ping
>>>>> OK, from internet ping OK
>>>>> = console.wayscom.net  => 200.13.142.188  from manager ping OK, from
>>>>> internet ping OK
>>>>>
>>>>> 2020-02-24 12:27:06,973 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) Port info consoleurl=https://172.16.11.11/console?uuid=xxxxxxxxxxxx&sessionref=OpaqueRef:xxxxxxxxxx
>>>>> 2020-02-24 12:27:06,973 INFO  [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) Parse host info returned from executing GetVNCPortCommand. host info: consoleurl=https://172.16.11.11/console?uuid=xxxxxxxxxxxxxxxxxxxxx&sessionref=OpaqueRef:xxxxxxxxx
>>>>> 2020-02-24 12:27:06,977 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) Compose console url: https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxxxxxxxxx-Y76j1g
>>>>> 2020-02-24 12:27:06,977 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1875308878-17:null) (logid:) the console url is :: <html><title>v-202-VM</title><frameset><frame src="https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxx-Y76j1g"></frame></frameset></html>
>>>>>
>>>>> Error connection !
>>>>>
>>>>> Regards,
>>>>> Olivier
>>>>>
>>>>>
>>>>> On 24/02/2020 at 12:04, Andrija Panic wrote:
>>>>>
>>>>> consoleproxy.sslEnabled=true is set in global config ?
>>>>> (a new thing in 4.11 that is not there in pre-4.11 releases and people
>>>>> sometimes miss this one)
>>>>>
>>>>> Regards,
>>>>> Andrija
>>>>>
>>>>>
>>>>> On Mon, 24 Feb 2020 at 15:24, Olivier Guin
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>> I am trying to set up ssl on systemvm.
>>>>>> I was able to migrate without problem from version 4.10 to version
>>>>>> 4.13 but since impossible to set up the ssl correctly on my ssvm / cpvm?
>>>>>> I follow the documentation (
>>>>>> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html)
>>>>>> as well as (https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/).
>>>>>> GUI process: cloudstack indicates that the certificate is OK, the
>>>>>> cpvm and ssvm restarts correctly but still without ssl?
>>>>>> How to check where it doesn't work ?
>>>>>> What would be the points to check ?
>>>>>> A priori things have changed since 4.11 !
>>>>>> Best regards
>>>>>>
>>>>>> Olivier Guin
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Olivier GUIN*
>>>>>>
>>>>>>
>>>>>>
>>>>>> TL. 0594 31 02 44
>>>>>> [image: ARIAS Informatique]
>>>>>>
>>>>>> 513 ZI Collery 5
>>>>>> *97300 CAYENNE*
>>>>>> *www.ariasnet.com* <http://www.ariasnet.com/>
>>>>>>
>>>>>> This message and any attachments (the "message") is intended solely
>>>>>> for the intended addressees and is  confidential.
>>>>>> If you receive this message in error,or are not the intended
>>>>>> recipient(s), please delete it and any copies from your systems and
>>>>>> immediately notify the sender. Any unauthorized view, use that does not
>>>>>> comply with its purpose,
>>>>>> dissemination or disclosure, either whole or partial, is prohibited.
>>>>>> Since the internet cannot guarantee the integrity of this message which
>>>>>> may not be reliable, ARIAS Informatique shall not be liable for the
>>>>>> message if modified, changed or falsified.
>>>>>> Do not print this message unless it is necessary, consider the
>>>>>> environment.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Andrija Panić
>>>>
>>>>
>>>> --
>>>>
>>>> Andrija Panić
>>>>
>>>
>>>
>>> --
>>>
>>> Andrija Panić
>>
>>
>> --
>>
>> Andrija Panić
>
>
> --
>
> Andrija Panić


-- 

Andrija Panić
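
An added example, not part of the original thread and not a configuration any participant posted or tested: a minimal HAProxy setup of the kind discussed above, terminating TLS on port 443 and forwarding plain HTTP to the management server on port 8080. The certificate path, the backend address and the section names are assumptions.

```haproxy
global
    # Refuse legacy protocol versions on every TLS listener.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    option forwardfor              # pass the client IP in X-Forwarded-For
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Plain HTTP listener: its only job is to send browsers to HTTPS.
frontend cloudstack_http
    bind *:80
    http-request redirect scheme https code 301

# TLS is terminated here. The PEM file holds certificate, chain and key.
frontend cloudstack_https
    bind *:443 ssl crt /etc/haproxy/certs/cloudstack.pem    # assumed path
    http-request set-header X-Forwarded-Proto https
    default_backend cloudstack_mgmt

# Management server UI, reached over plain HTTP on port 8080.
backend cloudstack_mgmt
    server mgmt1 192.0.2.10:8080 check                      # assumed address
```

`haproxy -c -f <file>` checks the file for syntax errors before a reload. Once the UI is served over HTTPS this way, the console proxy has to serve HTTPS too (consoleproxy.sslEnabled=true), for the iframe reason given earlier in the thread.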
