fuel-dev team mailing list archive
Message #00717
Re: fuel 4.1: horizon is listen on SSL port 443
On Thu, Mar 27, 2014 at 10:58 AM, Maksim Mazur <mmaxur@xxxxxxxxxxxx> wrote:
> As I see, fuel 4.1 configures apache on the controller to listen on *:443 but
> there is only a default page.
>
> Could you please explain why we have such a configuration?

As far as I understand, the primary reason not to enable SSL for
OpenStack out of the box is cert management. We don't want to deploy
with self-signed certificates that would provide a false sense of
security, and we don't have a proper cert management infrastructure
integrated in Fuel.

> I would like to use https for securing horizon - can I safely disable ssl in
> apache?

Yes. To do it properly via Fuel, you'll need to make sure that the Apache
configuration templates in horizon/templates/*.conf.erb consistently
follow the $use_ssl variable from the horizon Puppet class (the current code
pre-dates Ubuntu support and seems to be RedHat/CentOS-specific), fix
osnailyfacter::cluster_* to consistently pass that variable to horizon
based on horizon_use_ssl from fuel_settings (at the moment it is only
used on cluster_ha), and make sure that variable is actually present
in astute.yaml (at the moment it isn't).

> I already have patch for fuel 4.0 which enables SSL with external nginx, not
> changing apache config.
>
> Do we need such functionality in 4.1.1?

Having this as an option would be nice, but I would be very careful
about letting users deploy with autogenerated self-signed certificates
and believing they're any more secure than without SSL. Does your
patch allow using valid pre-defined certificates?

--
Dmitry Borodaenko
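
A way to check a rendered Apache configuration for the mismatch discussed in this thread (a listener on 443 that does not match the intended SSL setting for Horizon), as an added example that is not part of the original message or of Fuel's code. The sample configuration, the finding names and the `audit` helper are constructed for illustration; `use_ssl` stands for the value of horizon_use_ssl.

```python
import re

# Constructed sample (not taken from a Fuel deployment): Apache listens on
# 443 but only the port-80 virtual host is defined.
SAMPLE_CONF = """\
Listen 80
Listen *:443
# SSLEngine on
<VirtualHost *:80>
    ServerName dashboard.example.test
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)\b", re.I | re.M)
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def directive(body, name):
    """Return the first argument of an Apache directive, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.I | re.M)
    return m.group(1) if m else None

def audit(conf, use_ssl, port=443):
    """Compare a rendered Apache config with the intended use_ssl value."""
    # Drop comment lines so a commented-out directive is not counted.
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    listening = port in {int(p) for p in LISTEN_RE.findall(conf)}
    ssl_vhost = cert = False
    for addrs, body in VHOST_RE.findall(conf):
        if not any(a.endswith(f":{port}") for a in addrs.split()):
            continue
        if (directive(body, "SSLEngine") or "").lower() == "on":
            ssl_vhost = True
            cert = cert or directive(body, "SSLCertificateFile") is not None
    findings = []
    if listening and not use_ssl:
        findings.append("listen-without-use_ssl")
    if listening and not ssl_vhost:
        findings.append("listener-has-no-ssl-vhost")
    if use_ssl and not ssl_vhost:
        findings.append("use_ssl-but-no-ssl-vhost")
    if ssl_vhost and not cert:
        findings.append("ssl-vhost-without-certificate")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, use_ssl=False):
        print(finding)
```

An empty result means the listener, the SSL virtual host and the intended setting agree; it says nothing about whether the certificate itself is valid or self-signed.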