On 3 February 2012 11:30, Ulrich Schwickerath <[email protected]> wrote:
> Hi, Daniel,
>
> thanks a lot for the help on this. The problem with the ssl proxy was that I
> was missing an extra / at the end of the ssl_server directive. So one needs
>
> :ssl_server: https://cloud.opennebula.org/
>
> rather than
>
> :ssl_server: https://cloud.opennebula.org
>
> else I get authentication errors. However, this is not the end of the story
> I'm afraid. With this patch in place I can query the system, but it's very
> very slow. My most important user has some 500 VMs in the system, and a
> euca-describe-instances times out or gives expat parse errors. If I query
> the system locally it works fine and is very responsive. This problem is
> new in 3.2.1, I didn't have this in 3.0 which I was using before. I already
> checked that I have all rubygems installed which are needed.

Are you using the same client in both sides? Maybe it is an environment problem (EC2_URL)

>
> Any idea?
>
> Thanks!
> Ulrich
>
>
> On 02/02/2012 11:40 PM, Daniel Molina wrote:
>>
>> Hi Ulrich,
>>
>> We have added a new patch in order to support custom paths and ports
>> when setting up an SSL proxy on top of the econe-server. You can see
>> this patch in the following link:
>>
>> http://dev.opennebula.org/issues/985
>>
>> This patch has been included in the last release (3.2.1). I recommend
>> you to upgrade to this version. Also the performance should be
>> improved since we have included a new authentication cache.
>>
>> Currently the econe-server is running in our public cloud with an SSL
>> proxy, using the following configuration:
>>
>> $ cat econe.conf
>> # Host and port where econe server will run
>> :server: localhost
>> :port: 7141
>>
>> # SSL proxy that serves the API (set if is being used)
>> :ssl_server: https://cloud.opennebula.org/econe
>>
>> # Authentication driver for incomming requests
>> # ec2, default Acess key and Secret key scheme
>> # x509, for x509 certificates based authentication
>> :auth: ec2
>>
>> # Authentication driver to communicate with OpenNebula core
>> # cipher, for symmetric cipher encryption of tokens
>> # x509, for x509 certificate encryption of tokens
>> :core_auth: cipher
>>
>> $ cat apache2.conf
>> <VirtualHost *:443>
>>     servername cloud.opennebula.org
>>     SSLEngine on
>>     ProxyPass /econe http://localhost:7141/
>>     ProxyPassReverse /econe http://localhost:7141/
>> </VirtualHost>
>>
>> If you use a path different from '/' the client must support this
>> feature, otherwise the authentication will fail. The econe tools
>> included in the 3.2.1 release support custom paths.
>>
>> Also if you want the proxy to listen in a different port from the
>> default (443) you can specify it in the ssl_parameter:
>> :ssl_server: https://cloud.opennebula.org:8082/
>>
>> Hope this helps
>>
>> On 2 February 2012 22:45, Ulrich Schwickerath
>> <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> did anybody try to set up the ONE 3.2 econe-server with an SSL proxy? The
>>> instructions on the web on this seem to be a bit out of date.
>>> I had it working fine with 3.0 but with 3.2 I get authentication errors
>>> (the ssl proxy setup is unchanged since 3.0). Direct access via http works
>>> (although slower than before).
>>>
>>> Cheers,
>>> Ulrich
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
>
> --
> --------------------------------------
> Dr. Ulrich Schwickerath
> CERN IT/PES-PS
> 1211 Geneva 23
> e-mail: [email protected]
> phone: +41 22 767 9576
> mobile: +41 76 487 5602
>

--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula
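
Added example, not part of the thread and not OpenNebula's code: a Ruby sketch of why the trailing slash, path and port in `:ssl_server:` decide whether EC2 authentication succeeds. It assumes the server rebuilds the AWS Signature Version 2 string-to-sign from the host, port and path of `:ssl_server:` while the client signs the URL it actually calls; `SECRET`, `PARAMS` and `accepted?` are hypothetical names, and the key and parameters are constructed.

```ruby
require 'openssl'
require 'uri'

SECRET = 'constructed-secret-key'            # constructed sample value
PARAMS = {                                   # constructed DescribeInstances query
  'Action'           => 'DescribeInstances',
  'AWSAccessKeyId'   => 'AKIDCONSTRUCTED',
  'SignatureMethod'  => 'HmacSHA256',
  'SignatureVersion' => '2',
  'Timestamp'        => '2012-02-03T11:30:00Z'
}.freeze

# RFC 3986 percent-encoding, as Signature Version 2 requires.
def sigv2_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-_.~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# SigV2 string-to-sign: verb, host (with any non-default port), path, sorted query.
def string_to_sign(verb, endpoint, params)
  uri  = URI.parse(endpoint)
  host = uri.host.downcase
  host += ":#{uri.port}" unless uri.port == uri.default_port
  query = params.sort.map { |k, v| "#{sigv2_escape(k)}=#{sigv2_escape(v)}" }.join('&')
  [verb, host, uri.path, query].join("\n")
end

def sign(secret, verb, endpoint, params)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret,
                             string_to_sign(verb, endpoint, params))
  [mac].pack('m0')                           # strict Base64, no newlines
end

# Assumed server-side check: recompute from ssl_server, compare in constant time.
def accepted?(ssl_server, client_url, secret = SECRET, params = PARAMS)
  OpenSSL.secure_compare(sign(secret, 'GET', ssl_server, params),
                         sign(secret, 'GET', client_url, params))
end

if __FILE__ == $PROGRAM_NAME
  client = 'https://cloud.opennebula.org/'   # the client signs path "/"
  ['https://cloud.opennebula.org/', 'https://cloud.opennebula.org',
   'https://cloud.opennebula.org:8082/'].each do |cfg|
    puts format('%-38s %s', cfg, accepted?(cfg, client) ? 'match' : 'signature mismatch')
  end
end
```

Without the trailing slash the parsed path is the empty string rather than `/`, so the two HMAC inputs differ by one byte and the request is rejected even though the secret key is correct.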
