-
-
Save psav/afde3885098cd175c5f9 to your computer and use it in GitHub Desktop.
Setting up HAProxy for OpenStack SSL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Install HA Proxy package | |
| #> yum install haproxy | |
| 2. Generate the self-signed cert | |
| #> mkdir -p /etc/pki/haproxy | |
| #> umask 077 && openssl genrsa -out /etc/pki/haproxy/haproxy.key 1024 | |
| #> umask 022 && openssl req -key /etc/pki/haproxy/haproxy.key \ | |
| -out /etc/pki/haproxy/haproxy.crt \ | |
| -subj "/CN=qeblade25.rhq.lab.eng.bos.redhat.com/" \ | |
| -new -x509 -days 365 -extensions usr_cert | |
| #> cat /etc/pki/haproxy/haproxy.crt /etc/pki/haproxy/haproxy.key > /etc/pki/haproxy/haproxy.pem | |
| 3. Setup HA Proxy (configures proxies for keystone and nova) | |
| Note: the ports used here are for example only ... afaik, there's no "default" keystone ssl port | |
| #> cat /etc/haproxy/haproxy.cfg | |
| #--------------------------------------------------------------------- | |
| # Example configuration for a possible web application. See the | |
| # full configuration options online. | |
| # | |
| # http://haproxy.1wt.eu/download/1.4/doc/configuration.txt | |
| # | |
| #--------------------------------------------------------------------- | |
| #--------------------------------------------------------------------- | |
| # Global settings | |
| #--------------------------------------------------------------------- | |
| global | |
| # to have these messages end up in /var/log/haproxy.log you will | |
| # need to: | |
| # | |
| # 1) configure syslog to accept network log events. This is done | |
| # by adding the '-r' option to the SYSLOGD_OPTIONS in | |
| # /etc/sysconfig/syslog | |
| # | |
| # 2) configure local2 events to go to the /var/log/haproxy.log | |
| # file. A line like the following can be added to | |
| # /etc/sysconfig/syslog | |
| # | |
| # local2.* /var/log/haproxy.log | |
| # | |
| daemon | |
| maxconn 1000 | |
| user haproxy | |
| group haproxy | |
| log 127.0.0.1:514 local0 | |
| tune.ssl.default-dh-param 2048 | |
| #--------------------------------------------------------------------- | |
| # common defaults that all the 'listen' and 'backend' sections will | |
| # use if not designated in their block | |
| #--------------------------------------------------------------------- | |
| defaults | |
| log global | |
| option dontlognull | |
| timeout connect 3s | |
| timeout client 10s | |
| timeout server 10s | |
| #--------------------------------------------------------------------- | |
| # front-end for keystone-proxy with ssl termination | |
| #--------------------------------------------------------------------- | |
| frontend keystone-proxy *:5443 | |
| mode http | |
| bind 10.16.4.46:5443 ssl crt /etc/pki/haproxy/haproxy.pem | |
| default_backend keystone-app | |
| #--------------------------------------------------------------------- | |
| # back-end for keystone-app | |
| #--------------------------------------------------------------------- | |
| backend keystone-app | |
| mode http | |
| server keystone 10.16.4.46:5000 check | |
| #--------------------------------------------------------------------- | |
| # front-end for nova-proxy with ssl termination | |
| #--------------------------------------------------------------------- | |
| frontend nova-proxy *:8474 | |
| mode http | |
| bind 10.16.4.46:8474 ssl crt /etc/pki/haproxy/haproxy.pem | |
| default_backend nova-app | |
| #--------------------------------------------------------------------- | |
| # back-end for nova-app | |
| #--------------------------------------------------------------------- | |
| backend nova-app | |
| mode http | |
| server nova 10.16.4.46:8774 check | |
| 4. Setup firewall rules (allow access to SSL ports for keystone and nova) | |
| Note: the ports used here are for example only ... afaik, there's no "default" keystone ssl port | |
| #> iptables -I INPUT 5 -p tcp --dport 5443 -j ACCEPT | |
| #> iptables -I INPUT 5 -p tcp --dport 8474 -j ACCEPT | |
| 5. Update the nova service endpoint so keystone indicates the correct (proxied) endpoint | |
| The only way I've seen to do this is directly in the mysql database. You can drop and re-add endpoints, but you cannot update them, from what I can tell from the keystone CLI/API. | |
| 6. Start haproxy | |
| #> service haproxy start | |
| Troubleshooting | |
| If the haproxy service fails to start, review the error messages. It's possible that this bug is standing in the way https://bugzilla.redhat.com/show_bug.cgi?id=1131188. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment