Openstack SSL Memo

发布时间:2014-10-22 12:06:56编辑 分享查询网我要评论
本篇文章主要介绍了"Openstack SSL Memo",主要涉及到Openstack SSL Memo方面的内容,对于Openstack SSL Memo感兴趣的同学可以参考一下。

We need enable SSL in openstack, in production environment we use ACE for Load balance, in Dev environment, we use haproxy to simulate ACE. Openstack can support SSL, But we do not want enable them in openstack, we enable SSL in ACE/Haproxy. Use Horizon for example: Environment: User ---- https(443) ---> ACE(Production Env) / Haproxy(Dev Env) ---- http(8088) ----> Horizon Steps: 1. Compile & Install haproxy Only haproxy version >=1.5 can support SSL. We use haproxy 1.5 here. yum grouplist -v "development" | grep tools yum install @development yum install openssl-devel wget [] tar zxf haproxy-1.5-dev19.tar.gz cd haproxy-1.5-dev19 make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz make PREFIX=/usr/local/haproxy install install -d /usr/local/haproxy/sbin install haproxy /usr/local/haproxy/sbin install haproxy-systemd-wrapper /usr/local/haproxy/sbin install -d /usr/local/haproxy/share/man/man1 install -m 644 doc/haproxy.1 /usr/local/haproxy/share/man/man1 install -d /usr/local/haproxy/doc/haproxy for x in configuration architecture haproxy-en haproxy-fr; do \ install -m 644 doc/$x.txt /usr/local/haproxy/doc/haproxy ; \ done 2. Generate SSL : openssl genrsa -out privkey.pem 2048 openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 cat cacert.pem privkey.pem > my.pem 3. Config haproxy: global log local0 maxconn 4000 daemon user root group root defaults log global mode http option httplog option dontlognull retries 3 option redispatch maxconn 2000 contimeout 5000 clitimeout 50000 srvtimeout 50000 option http-server-close option redispatch frontend horizon_frontend bind ssl crt /home/matt/try/my.pem mode http option httpclose option forwardfor reqadd X-Forwarded-Protocol:\ https default_backend horizon_server backend horizon_server mode http balance roundrobin cookie SERVERID insert indirect nocache server horizon check cookie horizon 4. When Django Version >=1.4, add the following config in /etc/openstack-dashboard/local_settings: SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https') Refer URL:



关键词: Openstack SSL Memo