Missed include list so adding.

On Apr 15, 2014 9:41 AM, "Devendra Gupta" <dev29...@gmail.com> wrote:
> Hi Mark,
>
> Thanks for your inputs around "Stunnel", I'll try it later as it looks
> very new to me and little unknown/complex. But first I wanted to try HTTPD
> with mod_wsgi as I don't have much security concern in my test environment
> so could you please guide me around those three points which I mentioned in
> the first mail. I could see in mailing list archive that you tried that
> approach so I think your guidance would be helpful.
>
> Regards,
> Devendra
>
> On Apr 15, 2014 4:18 AM, "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <
> mark.m.mil...@hp.com> wrote:
>
>> Look up "stunnel". The HTTPD and mod_wsgi wasn't really stable and
>> provided a security risk in that breaking into Apache granted you access to
>> every OpenStack service started by Apache.
>>
>> -----Original Message-----
>> From: Devendra Gupta [mailto:dev29...@gmail.com]
>> Sent: Monday, April 14, 2014 3:31 PM
>> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> Cc: ayo...@redhat.com; openstack@lists.openstack.org
>> Subject: Re: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>>
>> OK, So If I want something on stable on Havana then I need to go through
>> the HTTPD/mod_wsgi ? Isn't it.
>>
>> I also see lots of things around TripleO but don't have much idea.
>> Things like TripleO, Tuskar.
>> http://openstack.redhat.com/Deploying_RDO_using_Tuskar_and_TripleO
>>
>> Though not sure, what all this is doing.
>>
>> Devendra
>>
>> On Tue, Apr 15, 2014 at 3:48 AM, Miller, Mark M (EB SW Cloud - R&D -
>> Corvallis) <mark.m.mil...@hp.com> wrote:
>> > I am just learning myself and it is aimed at Icehouse, not Havana.
>> >
>> > http://docs.openstack.org/developer/tripleo-incubator/devtest.html
>> >
>> > Mark
>> >
>> >
>> > -----Original Message-----
>> > From: Devendra Gupta [mailto:dev29...@gmail.com]
>> > Sent: Monday, April 14, 2014 3:14 PM
>> > To: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
>> > Cc: ayo...@redhat.com; openstack@lists.openstack.org
>> > Subject: Re: Enabling SSL For The OpenStack API using HTTPD and
>> > mod_wsgi
>> >
>> > Thanks Mark, TripleO seems good. I just came to know about it from you
>> > so doing google around it. Do you see some known/trusted doc to configure
>> > it with OpenStack. I am willing to proceed with it on Havana.
>> >
>> > - Devendra
>> >
>> > On Tue, Apr 15, 2014 at 3:26 AM, Miller, Mark M (EB SW Cloud - R&D -
>> > Corvallis) <mark.m.mil...@hp.com> wrote:
>> >> Devendra,
>> >>
>> >> We are now using an SSL terminator solution instead of attempting to
>> >> turn SSL on all of the OpenStack services. I have not attempted to turn SSL
>> >> on Havana nor Icehouse builds, but the Grizzly base was pretty flakey.
>> >> Right now the TripleO work is using the "stunnel" proxy server in front of
>> >> all OpenStack services to terminate SSL. You can then proxy the incoming
>> >> HTTPS request onto the local 127.0.0.1/8 bus which is inaccessible from
>> >> outside your server. It also isolates the SSL terminator from the OpenStack
>> >> service processes.
>> >>
>> >> Mark
>> >>
>> >> -----Original Message-----
>> >> From: Devendra Gupta [mailto:dev29...@gmail.com]
>> >> Sent: Monday, April 14, 2014 2:30 PM
>> >> To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); ayo...@redhat.com
>> >> Cc: openstack@lists.openstack.org
>> >> Subject: Enabling SSL For The OpenStack API using HTTPD and mod_wsgi
>> >>
>> >> Hi,
>> >>
>> >> I want to enable SSL for all the OpenStack APIs and test it but I
>> >> couldn't find detailed doc on docs.openstack.org. Does anyone have some
>> >> notes on how to set this up ?
>> >>
>> >> I did good search around it on Google and OpenStack/RDO mailing list,
>> >> I found lots of different paths but most of them were limited to Keystone
>> >> only using 'keystone-manage ssl_setup'. I also found following nice blog
>> >> which have 6 posts for setting up the SSL for all the components using
>> >> Apache2 and mod_wsgi.
>> >>
>> >> http://andymc-stack.co.uk/2013/06/apache2-mod_wsgi-openstack-pt1-keystone/
>> >>
>> >> I want to go through this doc to do a complete setup but before that I
>> >> wanted to take few inputs about my environment:
>> >>
>> >> 1. I have OpenStack RDO Havana running on Single CentOS 6 VM. Is it
>> >> fine to try the steps on OpenStack RDO/Havana setup ? Or I need to have
>> >> OpenStack setup on Ubuntu/Grizzly ?
>> >>
>> >> 2. Since all the OpenStack components are running on the same host, I
>> >> guess I need to add VHost entries for all the APIs (mentioned in all
>> >> 6 docs) in the /etc/httpd/conf/http.conf. Please help me if someone have
>> >> a sample file VHost file with sites created for some/all components.
>> >>
>> >> 3. Can I have single set of self signed certificate path for all the
>> >> Virtual Host entries as all APIs are running on the single VM.
>> >> SSLCertificateFile /location/of/server.pem
>> >> SSLCertificateKeyFile /location/of/server.key
>> >>
>> >> Another thing, the keystone configuration part in this blog is having
>> >> reference to the github page (http://goo.gl/ZIhcn2) for configuring
>> >> Keystone with SSL but I find that doc little difficult to understand as
>> >> there is no details of configuring virtual hosts so can I skip the github
>> >> doc and proceed with the same blog.
>> >>
>> >> Regards,
>> >> Devendra Gupta
>> >
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
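
The layout described in the thread (stunnel terminating SSL and forwarding to OpenStack services on 127.0.0.1) can be checked mechanically. The following is an added example, not part of the original messages and not TripleO's code: it parses a constructed stunnel.conf and reports any service whose backend is not on loopback. The service names, the 192.0.2.10 address and the misconfigured glance-api entry are assumptions made up for illustration.

```python
import ipaddress

# Constructed stunnel.conf: service names and 192.0.2.10 are placeholders,
# and the glance-api entry is deliberately wrong to show a finding.
SAMPLE_CONF = """\
cert = /location/of/server.pem
key = /location/of/server.key
[keystone-public]
accept = 192.0.2.10:5000
connect = 127.0.0.1:5000
[keystone-admin]
accept = 192.0.2.10:35357
connect = 127.0.0.1:35357
[glance-api]
accept = 192.0.2.10:9292
connect = 192.0.2.10:9292
"""

def parse_stunnel_conf(text):
    """Return {section: {option: value}}; global options are stored under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def host_is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1."""
    if host in ("", "localhost"):            # stunnel: a bare port means localhost
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False                         # other hostnames cannot be confirmed

def audit(text):
    """Return (service, connect target) for every backend reachable off-host."""
    findings = []
    for name, opts in parse_stunnel_conf(text).items():
        backend = opts.get("connect", "").rpartition(":")[0]
        if name and not host_is_loopback(backend):
            findings.append((name, opts["connect"]))
    return findings
```

The check covers only the proxy side; each OpenStack service must itself be bound to 127.0.0.1 for the plaintext port to stay unreachable from outside the server.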