Posted to users@cloudstack.apache.org by Netlynker <ne...@gmail.com> on 2018/09/18 03:57:03 UTC
How to configure TLS on ACS 4.11.1 Web UI
Hi,
The document for 4.11.1 is not updated and it is still referring to the tomcat ssl config.
Where can I find information to configure TLS/SSL on ACS 4.11.1 Web UI?
Thanks in advance,
Netlynker
Re: How to configure TLS on ACS 4.11.1 Web UI
Posted by Netlynker <ne...@gmail.com>.
Hi,
Yes, I know I can use a proxy or LB for SSL offload, but I need to do end-to-end TLS. That is why I need to terminate TLS on the ACS server.
Thanks for your suggestion anyway.
Regards,
On Tue, 18 Sep 2018 at 1:36 PM, Skale Franz <fr...@citycom-austria.com>
wrote:
AW: How to configure TLS on ACS 4.11.1 Web UI
Posted by Skale Franz <fr...@citycom-austria.com>.
Why not use nginx as a reverse proxy?
To start with, check my example config (replace the IP and hostname, and of course generate a dhparam file and use a valid certificate).
It will produce an A+ on the ssllabs test and is downwards compatible with old browsers!
server {
    listen 10.1.1.1:80;
    server_name cloudstack.example.com;
    ## redirect http to https ##
    rewrite ^ https://$server_name/client/ permanent;
}

server {
    listen 10.1.1.1:443;
    server_name cloudstack.example.com;
    rewrite ^/$ https://cloudstack.example.com/client/ permanent;

    ### ssl config - customize as per your cert files ###
    ssl on;    # deprecated since nginx 1.15.0; current releases expect "listen 10.1.1.1:443 ssl;" instead
    ssl_certificate /etc/ssl/certs/cloudstack.example.com.pem;
    ssl_certificate_key /etc/ssl/private/cloudstack.example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLSv1/TLSv1.1 kept only for the old-browser compatibility mentioned above; both are deprecated (RFC 8996)
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ## Reverse Proxy
    location / {
        add_header Front-End-Https on;
        add_header Cache-Control "public, must-revalidate";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options "DENY";
        proxy_pass http://127.0.0.1:8080;    # CloudStack management server, plain HTTP on loopback only
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Best regards
Franz Skale
Rechenzentrum-Services
Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria
T: +43(316)887-6264
M: +43(664)88275444
E: franz.skale@citycom-austria.com
www.citycom-austria.com
FN 165640p, Landes- als Firmenbuchgericht Graz
UID-Nr.: ATU 61241999
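The TLS-relevant directives in a proxy config like Franz's can be checked mechanically before it goes live. The Python linter below is an added example, not code from this thread or from nginx: it parses a constructed, trimmed copy of the posted 443 server block and flags legacy TLS versions, the deprecated "ssl on" form, a missing Strict-Transport-Security header and a missing X-Forwarded-Proto header (the function names, the sample text and the finding wording are my own).

```python
import re
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
POSTED_CONF = """
# constructed sample: the posted 443 server block, trimmed to its TLS-relevant lines
server {
    listen 10.1.1.1:443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_pass http://127.0.0.1:8080;  # CloudStack management server, plain HTTP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""
def parse(text):
    """Minimal nginx config parser: returns a list of (directive, args, children) nodes."""
    stack, args = [[]], []  # stack[-1] is the block currently being filled
    for tok in TOKEN.findall(re.sub(r'#[^\n]*', '', text)):  # comments stripped first
        if tok in ';{':
            node = (args[0], args[1:], [])
            stack[-1].append(node)
            args = []
            if tok == '{':
                stack.append(node[2])  # descend into the new block
        elif tok == '}':
            stack.pop()
        else:
            args.append(tok.strip('"\''))
    return stack[0]
def directives(nodes, name):
    """Yield the args of every directive called `name`, descending into nested blocks."""
    for n, a, kids in nodes:
        if n == name:
            yield a
        yield from directives(kids, name)
def lint(text):
    """Findings a defender would raise on this proxy config; an empty list means clean."""
    tree, out = parse(text), []
    for a in directives(tree, 'ssl_protocols'):
        legacy = sorted(set(a) & {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'})
        if legacy:
            out.append('ssl_protocols enables legacy versions: ' + ' '.join(legacy))
    if list(directives(tree, 'ssl')):
        out.append("'ssl on' is deprecated; use 'listen ... ssl' instead")
    if 'strict-transport-security' not in {a[0].lower() for a in directives(tree, 'add_header')}:
        out.append('no Strict-Transport-Security header is set')
    if 'X-Forwarded-Proto' not in {a[0] for a in directives(tree, 'proxy_set_header')}:
        out.append('backend is not told the scheme; add proxy_set_header X-Forwarded-Proto $scheme')
    return out
```

Run lint() over your real server block; the parser handles quoted values with embedded semicolons, such as the HSTS header, and nested location blocks.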
Re: How to configure TLS on ACS 4.11.1 Web UI
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Netlynker,
You're right, we have to fix the docs, as we've moved to using embedded Jetty as our webserver. The configuration can be found in /etc/cloudstack/management/server.properties:
https://github.com/apache/cloudstack/blob/master/client/conf/server.properties.in#L35
You just need to create a JKS file that has your HTTPS certificates under an alias and configure the path and passphrase in the server.properties file, where you can also enable HTTPS and specify a port (8443, 443, etc.).
- Rohit
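Rohit's steps can be scripted and checked. The Python below is an added example, not CloudStack's own code: it rewrites the HTTPS keys in a constructed server.properties fragment while preserving comments and order, and inspects the configured keystore's magic bytes so that a PEM file accidentally named in https.keystore is caught before the management server is restarted. The property names (https.enable, https.port, https.keystore, https.keystore.password) are assumed from server.properties.in; verify them against your installed copy.

```python
"""Enable HTTPS in the Jetty server.properties and sanity-check the keystore file.
Property names are assumed from server.properties.in, not taken from a running system."""
import re

# Constructed sample of the relevant part of /etc/cloudstack/management/server.properties
SAMPLE_PROPS = """# Jetty HTTP/HTTPS settings (constructed sample)
http.enable=true
http.port=8080
https.enable=false
https.port=8443
https.keystore=
https.keystore.password=
"""

def set_props(text, updates):
    """Rewrite key=value (or key:value) lines of a Java .properties text in place,
    keeping comments and ordering; keys that are absent are appended at the end."""
    pending, out = dict(updates), []
    for line in text.splitlines():
        m = re.match(r'\s*([^#!=:\s]+)\s*[=:]', line)
        if m and m.group(1) in pending:
            out.append(f'{m.group(1)}={pending.pop(m.group(1))}')
        else:
            out.append(line)
    out += [f'{k}={v}' for k, v in pending.items()]
    return '\n'.join(out) + '\n'

def enable_https(text, keystore, password, port=8443):
    """Turn on HTTPS with the given JKS path, passphrase and port (assumed key names)."""
    return set_props(text, {'https.enable': 'true', 'https.port': str(port),
                            'https.keystore': keystore, 'https.keystore.password': password})

JKS_MAGIC = b'\xfe\xed\xfe\xed'      # first four bytes of every JKS keystore
JCEKS_MAGIC = b'\xce\xce\xce\xce'    # JCEKS variant, not what the instructions ask for

def keystore_kind(head):
    """Classify a keystore by its leading bytes: 'jks', 'jceks', 'pkcs12', 'pem' or 'unknown'."""
    if head.startswith(JKS_MAGIC):
        return 'jks'
    if head.startswith(JCEKS_MAGIC):
        return 'jceks'
    if head.startswith(b'\x30'):     # DER SEQUENCE: PKCS#12 bundles start this way
        return 'pkcs12'
    if head.startswith(b'-----'):    # PEM armour: wrong format for https.keystore
        return 'pem'
    return 'unknown'

def check_keystore(path):
    """Read the first bytes of the file named in https.keystore and classify it."""
    with open(path, 'rb') as f:
        return keystore_kind(f.read(8))
```

Feed the file named in https.keystore to check_keystore() before restarting cloudstack-management; anything other than 'jks' means the keytool step from Rohit's instructions is still missing.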