2015-03-05 11:11:39

How to enable SSL for Neutron and other OpenStack services

Some OpenStack services can provide SSL natively. There is a great write-up on how to enable SSL for Keystone.

However, some services either do not provide native SSL or have a bug (e.g. Neutron in Icehouse) that prevents you from enabling SSL. But there is a way to enable SSL on those services using haproxy.

First, move Neutron to a different port. Make sure that /etc/neutron/neutron.conf contains:

[DEFAULT]
use_ssl = False
bind_port = 8696

Then install haproxy:

yum install haproxy

And make sure /etc/haproxy/haproxy.cfg contains:

frontend neutron
    bind 0.0.0.0:9696 ssl crt /etc/haproxy/fed-cloud09.combined
    default_backend neutron

backend neutron
    server neutron 127.0.0.1:8696 check

Where the file /etc/haproxy/fed-cloud09.combined contains both the certificate and the private key, concatenated:

cat /etc/pki/tls/certs/fed-cloud09-keystone.pem /etc/pki/tls/private/fed-cloud09.key > /etc/haproxy/fed-cloud09.combined

Then secure that file, since it contains the private key:

chown haproxy /etc/haproxy/fed-cloud09.combined
chmod 640 /etc/haproxy/fed-cloud09.combined

And restart and enable the services:

openstack-service restart
chkconfig haproxy on
service haproxy start
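The whole procedure above, as an added shell example that is not part of the original post: it builds the combined certificate file with a restrictive umask (so the private key is never world-readable, not even briefly), checks the result, and renders the haproxy frontend/backend pair for a service. The paths, the `WORK` directory and the PEM contents are constructed placeholders (not real certificates or keys); `chown haproxy` and the real paths under /etc are left to the reader because they need root.

```sh
#!/bin/sh
# Added example: stage the files in a scratch directory instead of /etc
# so it can be run without root. Replace with the real paths in use.
WORK="${WORK:-$(mktemp -d)}"
CERT="$WORK/fed-cloud09-keystone.pem"    # placeholder for /etc/pki/tls/certs/...
KEY="$WORK/fed-cloud09.key"              # placeholder for /etc/pki/tls/private/...
COMBINED="$WORK/fed-cloud09.combined"    # placeholder for /etc/haproxy/...

# Constructed placeholder PEM bodies; these are not a real certificate or key.
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CERT\n-----END CERTIFICATE-----\n' > "$CERT"
printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n' > "$KEY"

# Build the file haproxy's "crt" option expects: certificate first, then key.
# umask 077 inside a subshell means the file is created owner-only, so the
# key is never readable by other users even for the instant before chmod.
build_combined() {
    cert="$1"; key="$2"; out="$3"
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 1
    # 640: owner read/write, group read (the haproxy group), nothing for others.
    chmod 640 "$out"
}

# Octal permission bits of a file (GNU stat syntax, as on RHEL/CentOS/Fedora).
file_mode() { stat -c '%a' "$1"; }

# Sanity-check the combined file: both PEM blocks present, mode exactly 640.
check_combined() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    grep -q 'PRIVATE KEY' "$f" || return 1
    [ "$(file_mode "$f")" = "640" ] || return 1
}

# Render the haproxy.cfg fragment for one service: TLS on the public port,
# plaintext forwarded to the service bound on localhost only.
render_haproxy_cfg() {
    name="$1"; public_port="$2"; local_port="$3"; crt="$4"
    printf 'frontend %s\n    bind 0.0.0.0:%s ssl crt %s\n    default_backend %s\n\nbackend %s\n    server %s 127.0.0.1:%s check\n' \
        "$name" "$public_port" "$crt" "$name" "$name" "$name" "$local_port"
}

build_combined "$CERT" "$KEY" "$COMBINED"
check_combined "$COMBINED" && echo "combined file ok: $COMBINED ($(file_mode "$COMBINED"))"
render_haproxy_cfg neutron 9696 8696 "$COMBINED"
```

The fragment printed for `neutron 9696 8696` is the same frontend/backend pair shown above; calling `render_haproxy_cfg` once per service is how the "certificates in one place" benefit turns into a single haproxy.cfg. After pointing the `crt` at the real combined file and starting haproxy, `openssl s_client -connect <host>:9696` (host is yours to fill in) should show the handshake succeeding on the public port while nothing listens on 8696 outside 127.0.0.1.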

And you are done.

The benefit of this approach is that you can manage your SSL certificates in one place.

Kudos goes to Lars Kellogg-Stedman for showing me this thing.


Posted by Miroslav Suchý | Permanent link