GitHub user bradh352 added a comment to the discussion: Nginx or Apache as a 
reverse proxy in front of CloudStack (including VNC console support)

I just wanted to follow up here that I finally implemented the reverse proxy in 
front of ssvm and consoleproxy without needing to know the exact IP addresses 
beforehand.  I'm using nginx running on the cloudstack mgmt nodes to 
accomplish this.

A few things to note:
1. You must know the IP subnet for the public IPs that the console proxy and 
ssvm pull from, otherwise you might try to proxy addresses from your internal 
network that your hypervisor can access, which would be bad.
2. You must tell cloudstack mgmt to listen on a different port than 8080 (I 
used 8123) as nginx needs to bind to port 8080 for the consoleproxy to work, as 
it is a hardcoded port. (configured in 
`/etc/cloudstack/management/server.properties`: `http.port=8123`)
3. You must use different base domains for ssvm and consoleproxy and program 
them into the config settings of `secstorage.ssl.cert.domain` and 
`consoleproxy.url.domain`, respectively.
    - Confusingly, you MUST prefix the domain with `*.` when programming them, 
otherwise it will not use the `xxx-xxx-xxx-xxx` prefix.
4. You must use a wildcard DNS record for the above domains to point to the 
same IP address.
5. You need to have TLS certs that support wildcard DNS.  I use certbot with 
the DNS-01 challenge.

Now, this isn't perfect.  I wish you could dedicate a range to ssvm and 
consoleproxy in cloudstack for the public ips to use and guarantee nothing else 
would be in there.  Perhaps you use a firewall in front of cloudstack to 
control access to those public ips ... well, this could be used to bypass that.

So, on to the implementation... I use ansible to deploy, so the generation 
heavily relies on jinja2, including a regex generator for the subnet 
calculation:
* https://github.com/bradh352/ansible-role-service-cloudstack/blob/main/templates/macros/regex_gen.j2
* https://github.com/bradh352/ansible-role-service-cloudstack/blob/main/templates/nginx-cloudstack.j2

So basically, if you have a subnet of 10.10.16.0/20 and an ssvm hostname of 
`ssvm.cs.example.com`, it would generate a regex like:
```
server_name "~^(?<ip_octet1>(10))-(?<ip_octet2>(10))-(?<ip_octet3>(1[6-9]|2\d|3[0-1]))-(?<ip_octet4>(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]))\.ssvm\.cs\.example\.com$";
```

Feel free to browse around https://github.com/bradh352/ansible-scripts that has 
my full ansible playbooks for deploying cloudstack, ceph, certbot, keepalived, 
mariadb, and cloudstack.

GitHub link: 
https://github.com/apache/cloudstack/discussions/11562#discussioncomment-15014257
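The subnet-to-regex step the comment above describes, as an added example in Python (this is not the author's jinja2 template and not CloudStack project code). It follows the same idea: the octets covered by the prefix are fixed, the split octet becomes a numeric range, and the remaining octets accept 0-255, so a `server_name` regex only admits `a-b-c-d.<domain>` hostnames whose address lies inside the public CIDR. The subnet `10.10.16.0/20` and the domain `ssvm.cs.example.com` are taken from the comment; every hostname checked below is constructed for the example. nginx evaluates the pattern with PCRE, whose `(?<name>...)` groups Python's `re` does not accept, so the local check rewrites them to `(?P<name>...)` before matching.

```python
"""Generate an nginx server_name regex that only admits dashed-IP hostnames
inside one IPv4 CIDR, and check candidate hostnames against it locally.

Added example; not the author's jinja2 macro or CloudStack code.
Domain and sample hostnames are illustrative.
"""
import ipaddress
import re


def _group(pattern: str) -> str:
    """Wrap an alternation in a non-capturing group so a prefix applies to all branches."""
    return f"(?:{pattern})" if "|" in pattern else pattern


def _digits(lo: int, hi: int, width: int) -> str:
    """Regex for the zero-padded `width`-digit forms of every integer in [lo, hi]."""
    if width == 1:
        return str(lo) if lo == hi else f"[{lo}-{hi}]"
    base = 10 ** (width - 1)
    lo_head, lo_tail = divmod(lo, base)
    hi_head, hi_tail = divmod(hi, base)
    if lo_head == hi_head:                      # same leading digit: recurse on the tail
        return f"{lo_head}{_group(_digits(lo_tail, hi_tail, width - 1))}"
    parts = []
    if lo_tail != 0:                            # ragged low end, e.g. 16..19
        parts.append(f"{lo_head}{_group(_digits(lo_tail, base - 1, width - 1))}")
        lo_head += 1
    hi_part = None
    if hi_tail != base - 1:                     # ragged high end, e.g. 30..31
        hi_part = f"{hi_head}{_group(_digits(0, hi_tail, width - 1))}"
        hi_head -= 1
    if lo_head <= hi_head:                      # whole decades in between, e.g. 20..29
        head = str(lo_head) if lo_head == hi_head else f"[{lo_head}-{hi_head}]"
        parts.append(head + r"\d" * (width - 1))
    if hi_part:
        parts.append(hi_part)
    return "|".join(parts)


def range_regex(lo: int, hi: int) -> str:
    """Alternation matching exactly the decimal integers lo..hi (no leading zeros)."""
    if not 0 <= lo <= hi:
        raise ValueError("need 0 <= lo <= hi")
    parts = []
    while lo <= hi:
        width = len(str(lo))
        top = min(hi, 10 ** width - 1)          # largest value with this many digits
        parts.append(_digits(lo, top, width))
        lo = top + 1
    return "|".join(parts)


def octet_regexes(cidr: str) -> list[str]:
    """One regex per octet. A CIDR block is the product of per-octet ranges
    (fixed octets, one contiguous range, then 0-255), so matching octets
    independently matches exactly the block and nothing outside it."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: reject host bits set
    if net.version != 4:
        raise ValueError("IPv4 only")
    return [range_regex(lo, hi) for lo, hi in
            zip(net.network_address.packed, net.broadcast_address.packed)]


def nginx_server_name(cidr: str, base_domain: str) -> str:
    """Build the nginx `server_name "~..."` value for `<a>-<b>-<c>-<d>.<base_domain>`."""
    groups = "-".join(f"(?<ip_octet{i}>({r}))"
                      for i, r in enumerate(octet_regexes(cidr), 1))
    return f"~^{groups}\\.{re.escape(base_domain)}$"


def hostname_in_subnet(cidr: str, base_domain: str, hostname: str) -> bool:
    """Check a hostname the way nginx would, after PCRE -> Python named-group syntax."""
    pattern = nginx_server_name(cidr, base_domain)[1:].replace("(?<", "(?P<")
    return re.fullmatch(pattern, hostname, flags=re.ASCII) is not None


def octet_regex_is_exact(lo: int, hi: int) -> bool:
    """Brute-force check: range_regex(lo, hi) accepts exactly lo..hi among 0..255."""
    pat = re.compile(f"(?:{range_regex(lo, hi)})", re.ASCII)
    return all((pat.fullmatch(str(n)) is not None) == (lo <= n <= hi) for n in range(256))


if __name__ == "__main__":
    cidr, domain = "10.10.16.0/20", "ssvm.cs.example.com"
    print(f'server_name "{nginx_server_name(cidr, domain)}";')
    for host in ("10-10-16-1.ssvm.cs.example.com",      # inside the /20
                 "10-10-32-1.ssvm.cs.example.com",      # just past the /20
                 "192-168-1-1.ssvm.cs.example.com"):    # internal range, must be refused
        print(host, hostname_in_subnet(cidr, domain, host))
```

The per-octet product only equals the address block because the input is a CIDR; `strict=True` refuses a prefix with host bits set, which is the case where independent octet ranges would over-match. Leading-zero octets such as `010` are also rejected, so a hostname cannot be dressed up to slip past the range check.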
