console proxy ssl offloading

[me...@swen.io]

Hello everyone,

 

first of all a happy new year to all of you! :-)

 

I am doing some kind of PoC and want to use a load balancer in front of the
console proxy and the secondary storage vm to offload ssl connections. I do
not get it to work.

 

I am using a load balancer on a public IP where "console.domain.tld" (of
cause I am using a working tld!) is referring to via DNS record. I
configured the domain in CS via consoleproxy.url.domain.

A working certificate is installed on the load balancer and offloading is
active. This means the lb is taking care of port 443 and the encryption and
forwarding the traffic to port 80 on the console proxy public IP not
encrypted.

I do get the page of the console proxy, but on this page the noVNC is not
loading and the connection failed to the console itself.

 

Is my setup even possible? Thx for any idea and help!

 

Cu Swen 

AW: console proxy ssl offloading

[me...@swen.io]

Thx Wie and Nux for your replies. I solved the problem and achieved ssl
offloading.

Here is what we did:
1. (optional) Add a new internal IP range as a public ip range to your zone
and activate SystemVM usage only! We did this because of the offloading the
console proxy and ssvm do not need public Ips. Or did we missed something?
2. Edit global setting consoleproxy.url.domain and add FQDN. Edit global
setting secstorage.ssl.cert.domain and add FQDN. Edit global setting
secstorage.encrypt.copy to true (So created download links will use https
instead of http) 3. Destroy consoleproxy and ssvm so both will be recreated
with new Ips and new settings. If you do not perform step 1 you do not need
to recreate consoleproxy, only ssvm needs to be recreated so new global
settings will work.
4. Create FQDNs to your DNS service and point them to Ips outside of CS
which will be used by your load balancer.
5. Configure your load balancer and add certificates for FQDNs. Activate SSL
offloading to the traffic from load balancer to consoleproxy and ssvm is not
being encrypted. This is no security risk in my point of view, because we
are talking about internal traffic when you did step 1!

To configure the load balancer was kind of difficult, because the
documentation is not really good or I was unable to find the needed info.
lb-ip1:443 (add certificate) -> consoleproxy:80
lb-ip1:8080 (add certificate) -> consoleproxy:8080
lb-ip2:443 (add certificate) -> ssvm:80

The benefit of this is that you do not need to add any certificate to CS
itself and you can control everything related to it via you load balancer.
Even you are using only one target (consoleproxy and ssvm). Of cause you can
also do the same with the UI. Which would look like this:
lb-ip3:80 -> redirect to https
lb-ip3:443 (add certificate) -> managementserver:8080

I would like to add more information to the documentation and explain this
setup.
The docu is already talking about "Set up SSL certificate for specific FQDN
and configure load-balancer". I would add more information to this point and
add ssl offloading to it. What do you thing?
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a
-ssl-certificate-for-the-console-proxy

cu Swen

-----Ursprüngliche Nachricht-----
Von: Nux <nu...@li.nux.ro> 
Gesendet: Dienstag, 3. Januar 2023 14:44
An: users@cloudstack.apache.org
Cc: me@swen.io
Betreff: Re: console proxy ssl offloading

See if you can get any inspiration from this guy:
https://leo.leung.xyz/wiki/CloudStack#Traefik (that's just the proxying
subsection, but best read the whole SSL thing).

---
Nux
www.nux.ro

On 2023-01-02 21:16, me@swen.io wrote:
> Hello everyone,
> 
> 
> 
> first of all a happy new year to all of you! :-)
> 
> 
> 
> I am doing some kind of PoC and want to use a load balancer in front 
> of the console proxy and the secondary storage vm to offload ssl 
> connections.
> I do
> not get it to work.
> 
> 
> 
> I am using a load balancer on a public IP where "console.domain.tld" 
> (of
> cause I am using a working tld!) is referring to via DNS record. I 
> configured the domain in CS via consoleproxy.url.domain.
> 
> A working certificate is installed on the load balancer and offloading 
> is active. This means the lb is taking care of port 443 and the 
> encryption and forwarding the traffic to port 80 on the console proxy 
> public IP not encrypted.
> 
> I do get the page of the console proxy, but on this page the noVNC is 
> not loading and the connection failed to the console itself.
> 
> 
> 
> Is my setup even possible? Thx for any idea and help!
> 
> 
> 
> Cu Swen

Re: console proxy ssl offloading

[Nux <nu...@li.nux.ro>]

See if you can get any inspiration from this guy:
https://leo.leung.xyz/wiki/CloudStack#Traefik (that's just the proxying 
subsection, but best read the whole SSL thing).

---
Nux
www.nux.ro

On 2023-01-02 21:16, me@swen.io wrote:
> Hello everyone,
> 
> 
> 
> first of all a happy new year to all of you! :-)
> 
> 
> 
> I am doing some kind of PoC and want to use a load balancer in front of 
> the
> console proxy and the secondary storage vm to offload ssl connections. 
> I do
> not get it to work.
> 
> 
> 
> I am using a load balancer on a public IP where "console.domain.tld" 
> (of
> cause I am using a working tld!) is referring to via DNS record. I
> configured the domain in CS via consoleproxy.url.domain.
> 
> A working certificate is installed on the load balancer and offloading 
> is
> active. This means the lb is taking care of port 443 and the encryption 
> and
> forwarding the traffic to port 80 on the console proxy public IP not
> encrypted.
> 
> I do get the page of the console proxy, but on this page the noVNC is 
> not
> loading and the connection failed to the console itself.
> 
> 
> 
> Is my setup even possible? Thx for any idea and help!
> 
> 
> 
> Cu Swen

Re: console proxy ssl offloading

[Wei ZHOU <us...@gmail.com>]

Hi,

Have you uploaded the SSL certificate in cloudstack ?
You can refer to
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Wei

On Mon, 2 Jan 2023 at 22:18, <me...@swen.io> wrote:

> Hello everyone,
>
>
>
> first of all a happy new year to all of you! :-)
>
>
>
> I am doing some kind of PoC and want to use a load balancer in front of the
> console proxy and the secondary storage vm to offload ssl connections. I do
> not get it to work.
>
>
>
> I am using a load balancer on a public IP where "console.domain.tld" (of
> cause I am using a working tld!) is referring to via DNS record. I
> configured the domain in CS via consoleproxy.url.domain.
>
> A working certificate is installed on the load balancer and offloading is
> active. This means the lb is taking care of port 443 and the encryption and
> forwarding the traffic to port 80 on the console proxy public IP not
> encrypted.
>
> I do get the page of the console proxy, but on this page the noVNC is not
> loading and the connection failed to the console itself.
>
>
>
> Is my setup even possible? Thx for any idea and help!
>
>
>
> Cu Swen
>
>