[GitHub] [cloudstack-documentation] DaanHoogland commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377137990

   @blueorangutan docbuild


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [cloudstack-documentation] blueorangutan commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


blueorangutan commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377139611

   @DaanHoogland a Jenkins job has been kicked to build the document. I'll keep 
you posted as I make progress.





[GitHub] [cloudstack-documentation] blueorangutan commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


blueorangutan commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377140817

   QA-Doc build preview: https://qa.cloudstack.cloud/builds/docs-build/pr/299. 
(QA-JID 27)





[GitHub] [cloudstack-documentation] DaanHoogland merged pull request #298: fix typo

2023-01-10 Thread GitBox


DaanHoogland merged PR #298:
URL: https://github.com/apache/cloudstack-documentation/pull/298





[GitHub] [cloudstack-documentation] DaanHoogland commented on a diff in pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on code in PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#discussion_r1065704106


##
source/adminguide/systemvm.rst:
##
@@ -372,17 +372,44 @@ are still in default PEM format (no URL encoding needed 
here).
 After editing the database, please restart management server, and destroy SSVM 
and CPVM after that,
 so the new SSVM and CPVM with new certificates are created.
 
-Load-balancing Console Proxies
+Load-balancing Console Proxies / Secondary Storage VMs
 ~~
 An alternative to using dynamic DNS or creating a range of DNS entries
 as described in the last section would be to create a SSL certificate
 for a specific domain name, configure CloudStack to use that particular
 FQDN, and then configure a load balancer to load balance the console
-proxy's IP address behind the FQDN. As the functionality for this is
+proxy's IP address behind the FQDN. When using a load balancer it is
+also possible to perform SSL-Offloading, so no certificate needs to be
+configured on CloudStack itself. As the functionality for this is
 still new, please see
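
Review bot: the title on the `+` line now covers Secondary Storage VMs, but the paragraph under it still only says "load balance the console proxy's IP address behind the FQDN". Name the SSVM in that sentence as well, or state that the same FQDN and load balancer setup applies to it, so the body matches the heading.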

Review Comment:
   I don't think this is new anymore:
   ```suggestion
   proxy's IP address behind the FQDN. When using a load balancer it is
   also possible to perform SSL-Offloading, so no certificate needs to be
   configured on CloudStack itself. For further information please see
   ```



##
source/adminguide/systemvm.rst:
##
@@ -372,17 +372,44 @@ are still in default PEM format (no URL encoding needed 
here).
 After editing the database, please restart management server, and destroy SSVM 
and CPVM after that,
 so the new SSVM and CPVM with new certificates are created.
 
-Load-balancing Console Proxies
+Load-balancing Console Proxies / Secondary Storage VMs
 ~~
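
Review bot: the `+` title line is longer than the one it replaces, but the `~~` underline below it is an unchanged context line. reStructuredText needs a section underline at least as long as its title, so the underline has to be extended in the same change or the docs build will warn about a short title underline.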

Review Comment:
   ```suggestion
   Load-balancing Console Proxies / Secondary Storage VMs
   ~~
   ```



##
source/adminguide/systemvm.rst:
##
@@ -372,17 +372,44 @@ are still in default PEM format (no URL encoding needed 
here).
 After editing the database, please restart management server, and destroy SSVM 
and CPVM after that,
 so the new SSVM and CPVM with new certificates are created.
 
-Load-balancing Console Proxies
+Load-balancing Console Proxies / Secondary Storage VMs
 ~~
 An alternative to using dynamic DNS or creating a range of DNS entries
 as described in the last section would be to create a SSL certificate
 for a specific domain name, configure CloudStack to use that particular
 FQDN, and then configure a load balancer to load balance the console
-proxy's IP address behind the FQDN. As the functionality for this is
+proxy's IP address behind the FQDN. When using a load balancer it is
+also possible to perform SSL-Offloading, so no certificate needs to be
+configured on CloudStack itself. As the functionality for this is
 still new, please see
 https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
 for more details.
 
+These ports needed to be configured for load-balancing:
+- 443 to 443 (to CPVM)
+- 8080 to 8080 (to CPVM)
+- 443 to 443 (to SSVM)
+
+SSL-Offloading with Load-balancing for Console Proxies / Secondary Storage VMs
+~~
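
Review bot: the port list after "These ports needed to be configured for load-balancing:" starts on the very next line, with no blank line before the first `-` item, so reStructuredText will fold the items into the paragraph instead of rendering a bullet list. Add an empty line between the introducing sentence and the list; "needed" should also read "need".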

Review Comment:
   ```suggestion
   SSL-Offloading with Load-balancing for Console Proxies / Secondary Storage 
VMs
   
~~
   ```



##
source/adminguide/systemvm.rst:
##
@@ -258,7 +258,7 @@ communication with SSL:
 
 -  Set up a SSL wild-card certificate and domain name resolution
 
--  Set up SSL certificate for specific FQDN and configure load-balancer
+-  Set up SSL certificate for specific FQDN and configure load-balancer (with 
ssl offloading optional)
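
Review bot: on the `+` bullet, "SSL certificate" and "ssl offloading" use different casing within the same line, and the parenthetical "(with ssl offloading optional)" reads awkwardly. Use one spelling of the term throughout the page and fold the option into the sentence, for example "configure a load-balancer, optionally with SSL offloading".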

Review Comment:
   ```suggestion
   -  Set up SSL certificate for specific FQDN and configure a load-balancer 
with optional ssl offloading.
   ```






[GitHub] [cloudstack-documentation] sbrueseke commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


sbrueseke commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377179534

   @DaanHoogland thx Daan! I did some layout fixing so the port reference will 
be shown in a list. Hope it made it to the pull request.





[GitHub] [cloudstack-documentation] DaanHoogland commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377192369

   @blueorangutan docbuild





[GitHub] [cloudstack-documentation] blueorangutan commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


blueorangutan commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377192805

   @DaanHoogland a Jenkins job has been kicked to build the document. I'll keep 
you posted as I make progress.





[GitHub] [cloudstack-documentation] blueorangutan commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


blueorangutan commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377193362

   QA-Doc build preview: https://qa.cloudstack.cloud/builds/docs-build/pr/299. 
(QA-JID 28)





[GitHub] [cloudstack-documentation] DaanHoogland commented on a diff in pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on code in PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#discussion_r1065735341


##
source/adminguide/systemvm.rst:
##
@@ -372,17 +372,43 @@ are still in default PEM format (no URL encoding needed 
here).
 After editing the database, please restart management server, and destroy SSVM 
and CPVM after that,
 so the new SSVM and CPVM with new certificates are created.
 
-Load-balancing Console Proxies
-~~
+Load-balancing Console Proxies / Secondary Storage VMs
+~~
 An alternative to using dynamic DNS or creating a range of DNS entries
 as described in the last section would be to create a SSL certificate
 for a specific domain name, configure CloudStack to use that particular
 FQDN, and then configure a load balancer to load balance the console
-proxy's IP address behind the FQDN. As the functionality for this is
-still new, please see
+proxy's IP address behind the FQDN. When using a load balancer it is
+also possible to perform SSL-Offloading, so no certificate needs to be
+configured on CloudStack itself. For further information please see
 https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
 for more details.
 
+These ports needed to be configured for load-balancing:
+-  443 to 443 (to CPVM)
+-  8080 to 8080 (to CPVM)
+-  443 to 443 (to SSVM)
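
Review bot: the new `+` line "For further information please see" runs into the unchanged context line "for more details.", so the rendered sentence says "For further information please see ... for more details." Drop one of the two phrases, either by ending the `+` line with "Please see" or by removing the trailing "for more details."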

Review Comment:
   ```suggestion
   These ports needed to be configured for load-balancing:
   
   - 443 to 443 (to CPVM)
   - 8080 to 8080 (to CPVM)
   - 443 to 443 (to SSVM)
   ```






[GitHub] [cloudstack-documentation] DaanHoogland commented on a diff in pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on code in PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#discussion_r1065736042


##
source/adminguide/systemvm.rst:
##
@@ -372,17 +372,43 @@ are still in default PEM format (no URL encoding needed 
here).
 After editing the database, please restart management server, and destroy SSVM 
and CPVM after that,
 so the new SSVM and CPVM with new certificates are created.
 
-Load-balancing Console Proxies
-~~
+Load-balancing Console Proxies / Secondary Storage VMs
+~~
 An alternative to using dynamic DNS or creating a range of DNS entries
 as described in the last section would be to create a SSL certificate
 for a specific domain name, configure CloudStack to use that particular
 FQDN, and then configure a load balancer to load balance the console
-proxy's IP address behind the FQDN. As the functionality for this is
-still new, please see
+proxy's IP address behind the FQDN. When using a load balancer it is
+also possible to perform SSL-Offloading, so no certificate needs to be
+configured on CloudStack itself. For further information please see
 https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
 for more details.
 
+These ports needed to be configured for load-balancing:
+-  443 to 443 (to CPVM)
+-  8080 to 8080 (to CPVM)
+-  443 to 443 (to SSVM)
+
+SSL-Offloading with Load-balancing for Console Proxies / Secondary Storage VMs
+~~
+To implement SSL-Offloading you need 2 public IP addresses (one for Console 
Proxy and one for Secondary Storage VM) which
+each of them resolve to a different FQDN and terminate at the load balancer. 
Also 3 global settings need to be edited.
+- The setting ‘consoleproxy.url.domain’ to the FQDN used by the certificate 
(For example: cpvm.company.com)
+- The setting ‘secstorage.ssl.cert.domain’ to the FQDN used by the cerrificate 
(For example: ssvm.company.com)
+- The setting ‘secstorage.encrypt.copy’ to true
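
Review bot: the `secstorage.ssl.cert.domain` bullet has a typo, "cerrificate" should be "certificate". The three setting names are also wrapped in typographic quotes (‘…’); marking them up as inline literals would keep them copyable and consistent with how configuration keys are normally shown in reStructuredText. The opening sentence "which each of them resolve to a different FQDN" should be reworded as well, for example "each of which resolves to a different FQDN".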

Review Comment:
   ```suggestion
   each of them resolve to a different FQDN and terminate at the load balancer. 
Also 3 global settings need to be edited.
   
   - The setting ‘consoleproxy.url.domain’ to the FQDN used by the certificate 
(For example: cpvm.company.com)
   - The setting ‘secstorage.ssl.cert.domain’ to the FQDN used by the 
cerrificate (For example: ssvm.company.com)
   - The setting ‘secstorage.encrypt.copy’ to true
   ```






[GitHub] [cloudstack-documentation] DaanHoogland commented on a diff in pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on code in PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#discussion_r1065736778


##
source/adminguide/systemvm.rst:
##
@@ -372,17 +372,43 @@ are still in default PEM format (no URL encoding needed 
here).
 After editing the database, please restart management server, and destroy SSVM 
and CPVM after that,
 so the new SSVM and CPVM with new certificates are created.
 
-Load-balancing Console Proxies
-~~
+Load-balancing Console Proxies / Secondary Storage VMs
+~~
 An alternative to using dynamic DNS or creating a range of DNS entries
 as described in the last section would be to create a SSL certificate
 for a specific domain name, configure CloudStack to use that particular
 FQDN, and then configure a load balancer to load balance the console
-proxy's IP address behind the FQDN. As the functionality for this is
-still new, please see
+proxy's IP address behind the FQDN. When using a load balancer it is
+also possible to perform SSL-Offloading, so no certificate needs to be
+configured on CloudStack itself. For further information please see
 https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
 for more details.
 
+These ports needed to be configured for load-balancing:
+-  443 to 443 (to CPVM)
+-  8080 to 8080 (to CPVM)
+-  443 to 443 (to SSVM)
+
+SSL-Offloading with Load-balancing for Console Proxies / Secondary Storage VMs
+~~
+To implement SSL-Offloading you need 2 public IP addresses (one for Console 
Proxy and one for Secondary Storage VM) which
+each of them resolve to a different FQDN and terminate at the load balancer. 
Also 3 global settings need to be edited.
+- The setting ‘consoleproxy.url.domain’ to the FQDN used by the certificate 
(For example: cpvm.company.com)
+- The setting ‘secstorage.ssl.cert.domain’ to the FQDN used by the cerrificate 
(For example: ssvm.company.com)
+- The setting ‘secstorage.encrypt.copy’ to true
+
+.. warning::
+   For sake of security you should block direct public access to the IP of 
Console Proxy and Secondary Storage VM. It is also
+   possible to add a fake public IP range to CloudStack which uses internal IP 
addresses for SystemVM use only. Please
+   be aware that the load balancer needs access to the used IP addresses to 
forward traffic.
+
+After edited global settings mentioned above you need to recreate both System 
VMs by destroying them. CloudStack will recreate
+them with the new settings automatically.
+
+When using SSL-Offloading you need to configure following ports on the load 
balancer after adding the correct certificate to the public IP of each FQDN:
+-  lb-publicip1:443 to CPVM:80
+-  lb-publicip1:8080 to CPVM:8080
+-  lb-publicip2:443 to SSVM:80
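
Review bot: in the port list at the end of the hunk, 443 on the load balancer is forwarded to port 80 on the CPVM and on the SSVM, so with offloading the hop behind the load balancer is no longer protected by TLS, while the warning above only says direct public access "should" be blocked. State in the warning that traffic between the load balancer and the System VMs is unencrypted in this setup and must stay on a trusted network, and clarify whether lb-publicip1:8080 is also terminated with the certificate, since it maps to CPVM:8080 rather than to 80.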

Review Comment:
   ```suggestion
   When using SSL-Offloading you need to configure following ports on the load 
balancer after adding the correct certificate to the public IP of each FQDN:
   
   - lb-publicip1:443 to CPVM:80
   - lb-publicip1:8080 to CPVM:8080
   - lb-publicip2:443 to SSVM:80
   ```






[GitHub] [cloudstack-documentation] DaanHoogland commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377203936

   @sbrueseke if you go to files you can add all suggestions that you want in 
one commit. I _think_ my latest suggestions will solve your list issue.





[GitHub] [cloudstack-documentation] DaanHoogland commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377299446

   @blueorangutan docbuild





[GitHub] [cloudstack-documentation] blueorangutan commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


blueorangutan commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377300733

   @DaanHoogland a Jenkins job has been kicked to build the document. I'll keep 
you posted as I make progress.





[GitHub] [cloudstack-documentation] blueorangutan commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


blueorangutan commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377301411

   QA-Doc build preview: https://qa.cloudstack.cloud/builds/docs-build/pr/299. 
(QA-JID 29)





[GitHub] [cloudstack-documentation] sbrueseke commented on pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


sbrueseke commented on PR #299:
URL: 
https://github.com/apache/cloudstack-documentation/pull/299#issuecomment-1377348842

   LGTM





[GitHub] [cloudstack-documentation] DaanHoogland merged pull request #299: Add documentation regarding SystemVMs load-balancing and SSL-Offloading

2023-01-10 Thread GitBox


DaanHoogland merged PR #299:
URL: https://github.com/apache/cloudstack-documentation/pull/299

