I got a job to hide OpenStack behind a reverse proxy and make the default ports completely invisible to users.
Right now I am afraid OpenStack has some problems behind a unified API gateway, so I have to modify the response body when the version controller is accessed by the end user. (Sadly, the version controller should not be used, because from my point of view it conflicts with the endpoints returned.)
# nginx config
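server {
    # Public TLS front door for the OpenStack APIs. The backend 10.200.0.20 and its
    # native ports are only reachable through the /<service>/ prefixes below; the
    # sub_filter rules rewrite self-referencing URLs in JSON bodies so clients never
    # see the un-prefixed version-controller paths.
    listen 10.100.0.131:443 ssl;
    listen 10.100.0.133:443 ssl;
    server_name openapi.cn-north-3.inspurcloud.cn;

    # `ssi on;` was removed: the SSI filter has no purpose on a JSON API proxy and
    # looks like a typo for `ssl on;` (now expressed via the `ssl` listen parameter).
    ssl_certificate     /root/proxy.crt;
    ssl_certificate_key /root/proxy.key;
    # TLS 1.0/1.1 and the 3DES (DES-CBC3) suites were dropped; the clients of this
    # endpoint are API consumers, not legacy browsers. Add TLSv1.3 once the
    # nginx/OpenSSL build on this host supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # secp521r1 on its own is not offered by most mainstream clients, which quietly
    # pushed them off every ECDHE suite onto DHE/plain-RSA. A colon-separated list
    # needs OpenSSL 1.0.2+; on an older build use the single curve `prime256v1`.
    ssl_ecdh_curve prime256v1:secp384r1;
    ssl_dhparam /etc/ssl/dhparams.pem;
    # Defined once: the directive appeared three times, which `nginx -t` rejects as
    # a duplicate.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Stapling verification also needs the issuer chain (ssl_trusted_certificate)
    # and a `resolver` to reach the OCSP responder; without them nginx only logs a
    # warning at startup and never staples.
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate <PATH_TO_ISSUER_CHAIN_PEM>;  # TODO: set before relying on stapling
    # resolver <DNS_RESOLVER_IP>;

    underscores_in_headers on;

    # No filesystem `root /;` any more. Combined with the absence of a catch-all
    # location it let any path that did not match a /<service>/ prefix be served
    # straight from the proxy host's filesystem. Unknown paths now get 404.
    location / {
        return 404;
    }

    # Forwarding headers shared by every service location. Previously each
    # location listed X-Real-IP and X-Forwarded-For twice, so upstream received
    # them doubled. proxy_set_header is inherited by the locations only because
    # none of them defines a proxy_set_header of its own — keep it that way.
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-Host   $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Port   $server_port;
    # sub_filter can only rewrite uncompressed bodies: ask upstream for identity
    # encoding, otherwise a gzip-capable client gets an unmodified compressed body.
    proxy_set_header Accept-Encoding    "";

    # `proxy_redirect off;` was removed from every location. With it, a Location
    # header from upstream carried the backend's https://10.200.0.20:<port>
    # address straight through to the client — exactly what this proxy is meant to
    # hide. The built-in default rewrites it to the matching /<service>/ prefix.

    # Inherited by every location; only the per-service `sub_filter` patterns differ.
    sub_filter_once off;
    sub_filter_types application/json;

    location /keystone/ {
        proxy_pass https://10.200.0.20:5000/;
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v3/' 'openapi.cn-north-3.inspurcloud.cn/keystone/v3/';
    }

    location /nova/ {
        proxy_pass https://10.200.0.20:8774/;
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v2/'   'openapi.cn-north-3.inspurcloud.cn/nova/v2/';
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v2.1/' 'openapi.cn-north-3.inspurcloud.cn/nova/v2.1/';
    }

    location /neutron/ {
        proxy_pass https://10.200.0.20:9696/;
        # The original replacement pointed at /keystone/neutron/v2.0/, a prefix no
        # location serves (it would have been routed to keystone). Every other
        # service maps to its own prefix, so this is assumed to be a copy-paste slip.
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v2.0/' 'openapi.cn-north-3.inspurcloud.cn/neutron/v2.0/';
    }

    location /glance/ {
        # Image uploads are large and slow, hence the raised body limit and timeouts.
        # NOTE(review): a 200m in-memory body buffer is allocated per in-flight
        # upload; on newer nginx builds `proxy_request_buffering off;` would stream
        # the body to glance instead — confirm the build before changing it.
        client_max_body_size 30000m;
        client_body_buffer_size 200m;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        proxy_pass https://10.200.0.20:9292/;
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v2/' 'openapi.cn-north-3.inspurcloud.cn/glance/v2/';
    }

    location /cinder/ {
        proxy_pass https://10.200.0.20:8776/;
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v1/' 'openapi.cn-north-3.inspurcloud.cn/cinder/v1/';
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v2/' 'openapi.cn-north-3.inspurcloud.cn/cinder/v2/';
        sub_filter 'openapi.cn-north-3.inspurcloud.cn/v3/' 'openapi.cn-north-3.inspurcloud.cn/cinder/v3/';
    }
}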
Nginx will respond to a request even if there is a hostname mismatch. This is problematic for us, because it opens a backdoor to our backend. So I wrote a default configuration which redirects direct IP access to our domain name.
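# Catch-all for requests whose Host header does not match the public name.
# nginx selects the server block by listen address:port before it looks at
# server_name, and an exact address beats the 0.0.0.0 wildcard — so a wildcard
# 0.0.0.0:443 block never saw connections to 10.100.0.131/.133 and the API block
# answered them regardless of hostname. The default server therefore has to sit
# on the very same address:port pairs, marked default_server, and it must speak
# TLS itself (clients connecting to :443 otherwise get a plaintext reply).
server {
    listen 10.100.0.131:443 ssl default_server;
    listen 10.100.0.133:443 ssl default_server;
    # `_` is the conventional never-matching name; the two `x.x.x.x` placeholders
    # were duplicates of each other and matched nothing useful.
    server_name _;

    # A redirecting TLS server still needs a certificate to complete the handshake.
    ssl_certificate     /root/proxy.crt;
    ssl_certificate_key /root/proxy.key;
    ssl_protocols TLSv1.2;

    # Host is fixed, only the path is carried over, so this is not an open redirect.
    return 302 https://openapi.cn-north-3.inspurcloud.cn$request_uri;
}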