Posted to users@cloudstack.apache.org by Netlynker <ne...@gmail.com> on 2018/09/18 03:57:03 UTC

How to configure TLS on ACS 4.11.1 Web UI

Hi,
The document for 4.11.1 is not updated and it is still referring to tomcat
ssl config.

Where can I find information to configure TLS/SSL on ACS 4.11.1 Web UI?

Thanks in advance,
Netlynker

Re: How to configure TLS on ACS 4.11.1 Web UI

Posted by Netlynker <ne...@gmail.com>.
Hi,

Yes, I know I can use proxy or lb to ssl offload but I need to do
end-to-end with TLS. That is why I need to terminate TLS on ACS server.

Thanks for your suggestion anyway.

Regards,

On Tue, 18 Sep 2018 at 1:36 PM, Skale Franz <fr...@citycom-austria.com>
wrote:

> Why not use nginx as a reverse proxy?
> To start with, check my example config (replace ip, hostname and of course
> generate a dhparam file and use a valid certificate).
> Will produce an A+ on ssllabs test and downwards compatible with old
> browsers!
>
> server {
>     listen      10.1.1.1:80;
>     server_name cloudstack.example.com;
>     ## redirect http to https ##
>     rewrite ^ https://$server_name/client/ permanent;
> }
>
> server {
>     # "ssl on;" is deprecated in nginx; the ssl parameter on listen replaces it
>     listen      10.1.1.1:443 ssl;
>     server_name cloudstack.example.com;
>
>     rewrite ^/$ https://cloudstack.example.com/client/ permanent;
>
>     ### ssl config - customize as per your cert files ###
>     ssl_certificate      /etc/ssl/certs/cloudstack.example.com.pem;
>     ssl_certificate_key  /etc/ssl/private/cloudstack.example.com.key;
>     # TLSv1 and TLSv1.1 are kept only for the old-browser compatibility wanted
>     # here; drop them where that is not needed
>     ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
>     ssl_ciphers          'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
>     ssl_prefer_server_ciphers on;
>     ssl_dhparam          /etc/ssl/certs/dhparam.pem;
>     keepalive_timeout    70;
>     ssl_session_cache    shared:SSL:10m;
>     ssl_session_timeout  10m;
>
>     ## Reverse Proxy
>     location / {
>         add_header Cache-Control "public, must-revalidate";
>         add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
>         add_header X-Frame-Options "DENY";
>         proxy_pass http://127.0.0.1:8080;
>         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
>         proxy_set_header Host              $host;
>         proxy_set_header X-Real-IP         $remote_addr;
>         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
>         # add_header would send "Front-End-Https: on" to the browser, not to the
>         # backend; proxy_set_header is what tells the upstream the client used https
>         proxy_set_header X-Forwarded-Proto https;
>     }
> }
>
> Best regards
> Franz Skale
>
> Rechenzentrum-Services
>
>
> Citycom Telekommunikation GmbH
> Gadollaplatz 1
> 8010 Graz | Austria
>
> T: +43(316)887-6264
> M: +43(664)88275444
> E: franz.skale@citycom-austria.com
> www.citycom-austria.com
>
> FN 165640p, Landes- als Firmenbuchgericht Graz
> UID-Nr.: ATU 61241999
>
>
>
> ________________________________________
> From: Netlynker <ne...@gmail.com>
> Sent: Tuesday, 18 September 2018 05:57
> To: users@cloudstack.apache.org
> Subject: How to configure TLS on ACS 4.11.1 Web UI
>
> Hi,
> The document for 4.11.1 is not updated and it is still referring to tomcat
> ssl config.
>
> Where can I find information to configure TLS/SSL on ACS 4.11.1 Web UI?
>
> Thanks in advance,
> Netlynker
>

Re: How to configure TLS on ACS 4.11.1 Web UI

Posted by Skale Franz <fr...@citycom-austria.com>.
Why not use nginx as a reverse proxy?
To start with, check my example config (replace ip, hostname and of course generate a dhparam file and use a valid certificate).
Will produce an A+ on ssllabs test and downwards compatible with old browsers!

server {
    listen      10.1.1.1:80;
    server_name cloudstack.example.com;
    ## redirect http to https ##
    rewrite ^ https://$server_name/client/ permanent;
}

server {
    # "ssl on;" is deprecated in nginx; the ssl parameter on listen replaces it
    listen      10.1.1.1:443 ssl;
    server_name cloudstack.example.com;

    rewrite ^/$ https://cloudstack.example.com/client/ permanent;

    ### ssl config - customize as per your cert files ###
    ssl_certificate      /etc/ssl/certs/cloudstack.example.com.pem;
    ssl_certificate_key  /etc/ssl/private/cloudstack.example.com.key;
    # TLSv1 and TLSv1.1 are kept only for the old-browser compatibility wanted
    # here; drop them where that is not needed
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers          'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam          /etc/ssl/certs/dhparam.pem;
    keepalive_timeout    70;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    ## Reverse Proxy
    location / {
        add_header Cache-Control "public, must-revalidate";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options "DENY";
        proxy_pass http://127.0.0.1:8080;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # add_header would send "Front-End-Https: on" to the browser, not to the
        # backend; proxy_set_header is what tells the upstream the client used https
        proxy_set_header X-Forwarded-Proto https;
    }
}

Best regards
Franz Skale

Rechenzentrum-Services


Citycom Telekommunikation GmbH
Gadollaplatz 1
8010 Graz | Austria

T: +43(316)887-6264
M: +43(664)88275444
E: franz.skale@citycom-austria.com
www.citycom-austria.com

FN 165640p, Landes- als Firmenbuchgericht Graz
UID-Nr.: ATU 61241999



________________________________________
From: Netlynker <ne...@gmail.com>
Sent: Tuesday, 18 September 2018 05:57
To: users@cloudstack.apache.org
Subject: How to configure TLS on ACS 4.11.1 Web UI

Hi,
The document for 4.11.1 is not updated and it is still referring to tomcat
ssl config.

Where can I find information to configure TLS/SSL on ACS 4.11.1 Web UI?

Thanks in advance,
Netlynker

Re: How to configure TLS on ACS 4.11.1 Web UI

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Netlynker,


You're right, we have to fix the docs, as we've moved to using embedded Jetty as our web server. The configuration can be found in /etc/cloudstack/management/server.properties:

https://github.com/apache/cloudstack/blob/master/client/conf/server.properties.in#L35


You just need to create a JKS file that has your HTTPS certificates under an alias, and configure the path and passphrase in the server.properties file, where you can also enable HTTPS and specify a port (8443, 443, etc.).


- Rohit




________________________________
From: Netlynker <ne...@gmail.com>
Sent: Tuesday, September 18, 2018 9:27:03 AM
To: users@cloudstack.apache.org
Subject: How to configure TLS on ACS 4.11.1 Web UI

Hi,
The document for 4.11.1 is not updated and it is still referring to tomcat
ssl config.

Where can I find information to configure TLS/SSL on ACS 4.11.1 Web UI?

Thanks in advance,
Netlynker

rohit.yadav@shapeblue.com
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DP, UK
@shapeblue
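As an added example (not code from the thread or from the CloudStack project), a POSIX shell script for the two steps Rohit describes: building the JKS from PEM files under one alias, and switching on HTTPS in server.properties. It assumes the https.* key names are the ones in the linked server.properties.in; the alias and all paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the CloudStack project.
# Builds the JKS keystore the embedded Jetty reads and turns on https in
# server.properties. Assumptions: the https.* key names are those in the linked
# server.properties.in; the alias "cloudstack" and all paths are placeholders.
set -eu

# Convert a PEM certificate + private key (+ CA chain) into a JKS under one alias.
# keytool imports PKCS#12, so that is the intermediate format; it is removed after.
pem_to_jks() {  # cert.pem key.pem chain.pem alias out.jks passphrase
    p12="$(mktemp)"
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$4" \
        -out "$p12" -passout "pass:$6"
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$6" -destkeystore "$5" -deststoretype JKS \
        -deststorepass "$6" -noprompt
    rm -f "$p12"
    chmod 600 "$5"
    # Confirm the alias really landed in the keystore before pointing Jetty at it.
    keytool -list -keystore "$5" -storepass "$6" -alias "$4" >/dev/null
}

# Set the four https.* keys in server.properties (a .bak copy is kept). Existing
# values are replaced in place; keys that are missing are appended at the end.
set_https_properties() {  # server.properties keystore.jks passphrase port
    props="$1"; ks="$2"; pw="$3"; port="$4"
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ -r "$ks" ] || { echo "keystore not readable: $ks" >&2; return 1; }
    cp "$props" "$props.bak"
    tmp="$(mktemp)"
    awk -v ks="$ks" -v pw="$pw" -v port="$port" '
        BEGIN {
            want["https.enable"] = "true";  want["https.port"] = port
            want["https.keystore"] = ks;    want["https.keystore.password"] = pw
        }
        /^[[:space:]]*[#!]/ { print; next }          # comments pass through untouched
        {
            split($0, kv, "="); k = kv[1]; gsub(/[[:space:]]/, "", k)
            if (k in want) { print k "=" want[k]; seen[k] = 1; next }
            print
        }
        END { for (k in want) if (!(k in seen)) print k "=" want[k] }
    ' "$props" > "$tmp"
    mv "$tmp" "$props"
    # The passphrase now sits in clear text in this file: keep it owner-readable only.
    chmod 600 "$props"
}
```

Run pem_to_jks first, then set_https_properties, then restart the management service; the passphrase ends up in clear text in server.properties, which is why the script tightens that file's mode.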