I configured reverse proxy with https. This is the error: FireEdge public endpoint is not working, please contact your cloud administrator.
Your doc says :public_fireedge_endpoint: http://localhost:2616
The reverse proxy uses https: I tried :public_fireedge_endpoint: https://10.3.4.5:2616
Error. Does fireedge endpoint support https?
Fireedge does not work with https. Please help.
Same issue, have you found a solution?
rdiaz (Ricardo Díaz), June 8, 2021, 1:53pm, #4
Hi @Haja_Mohideen , @David_Martins ,
You can find here how to configure HTTPS for FireEdge and Sunstone.
Cheers.
Yes, but the configuration is for Apache, but I’m using nginx.
regards,
bobc (Bob), June 16, 2021, 8:24pm, #6
Here is the nginx configuration that works for me. Note: Although it’s not related to your question, I want to point out that in my nginx config file you’ll see a location directive for websockify. This was added because websockify does not allow specifying which SSL protocols to use, which caused our vulnerability scan to fail.
nginx .conf file
# No squealing.
server_tokens off;

# OpenNebula Sunstone upstream
upstream sunstone {
    server 127.0.0.1:9869;
}

# OpenNebula websocketproxy upstream
upstream websocketproxy {
    server 127.0.0.1:29876;
}

# HTTP virtual host, redirect to HTTPS
server {
    listen 80;
    server_name one.mydomain.com;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options SAMEORIGIN;
    location / {
        return 301 https://one.mydomain.com:443;
    }
}

# HTTPS virtual host, proxy to Sunstone
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name one.mydomain.com;
    root /usr/share/nginx/html;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options SAMEORIGIN;
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
    # "ssl on" is obsolete since nginx 1.15.0; "listen ... ssl" above already enables TLS
    ssl on;
    ssl_certificate /etc/pki/public/mydomain.com.crt;
    ssl_certificate_key /etc/pki/private/mydomain.com.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers EECDH+AESGCM:EECDH+AES256;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    #access_log /var/log/nginx/opennebula-sunstone-access.log;
    #error_log /var/log/nginx/opennebula-sunstone-error.log;
    location / {
        # Handle inconsistency in the websockify URLs provided by Sunstone
        if ($args ~* "host=.+&port=.+&token=.+&encrypt=.*") {
            rewrite ^/$ /websockify/ last;
        }
        proxy_pass http://sunstone;
        proxy_redirect off;
        log_not_found off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-FOR $proxy_add_x_forwarded_for;
    }
    # TLS towards clients is terminated here, so ssl_protocols above applies to websockify traffic
    location /websockify {
        proxy_http_version 1.1;
        proxy_pass https://websocketproxy;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 61s;
        proxy_buffering off;
    }
}

# HTTPS virtual host, proxy to FireEdge
server {
    listen 443 ssl;
    server_name fireedge.mydomain.com;
    # "ssl on" is obsolete since nginx 1.15.0; "listen ... ssl" above already enables TLS
    ssl on;
    ssl_certificate /etc/pki/public/mydomain.com.crt;
    ssl_certificate_key /etc/pki/private/mydomain.com.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers EECDH+AESGCM:EECDH+AES256;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    #access_log /var/log/nginx/opennebula-sunstone-access.log;
    #error_log /var/log/nginx/opennebula-sunstone-error.log;
    location / {
        proxy_pass http://10.10.10.10:2616;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # VNC connection timeout
        proxy_read_timeout 61s;
        # Disable cache
        proxy_buffering off;
    }
}
sunstone-server.conf file
:vnc_proxy_port: 29876
:vnc_proxy_support_wss: only
:vnc_proxy_cert: /etc/one/ssl/mydomain.com.crt
:vnc_proxy_key: /etc/one/ssl/mydomain.com.pem
:vnc_proxy_ipv6: false
:vnc_request_password: false
:vnc_client_port: 443
2 Likes
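The post above pins `ssl_protocols` at nginx because websockify could not do so itself. The following is an added example, not part of the post or of OpenNebula: a Python check that reports, for each TLS listener in an nginx config, whether `ssl_protocols` stays within an allowed set. The `ALLOWED` policy and the `legacy` and `unset` hosts are assumptions made for illustration, and the regex parser is simplified: it does not follow `include` files or inheritance from the `http` context.

```python
import re

ALLOWED = {"TLSv1.2", "TLSv1.3"}  # assumption: protocols the scan policy accepts

# Constructed sample: the fireedge block is reduced from the config posted above;
# legacy.mydomain.com and unset.mydomain.com are hypothetical hosts.
SAMPLE = """
server { listen 80; server_name one.mydomain.com; }
server {
    listen 443 ssl;
    server_name fireedge.mydomain.com;
    ssl_protocols TLSv1.2;  # as posted
    location / { proxy_pass http://10.10.10.10:2616; }
}
server { listen 443 ssl; server_name legacy.mydomain.com; ssl_protocols TLSv1 TLSv1.2; }
server { listen 443 ssl; server_name unset.mydomain.com; }
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (assumes no '#' inside quoted strings)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return {server_name: finding} for every server block with a TLS listener."""
    findings = {}
    for body in server_blocks(conf):
        if not re.search(r"\blisten\s+[^;]*\bssl\b", body):
            continue  # plain-HTTP listener, nothing to check
        name = re.search(r"\bserver_name\s+([^;\s]+)", body)
        name = name.group(1) if name else "<unnamed>"
        protos = re.search(r"\bssl_protocols\s+([^;]+);", body)
        if not protos:
            findings[name] = "ssl_protocols not set in this block"
        else:
            weak = sorted(set(protos.group(1).split()) - ALLOWED)
            findings[name] = "weak: " + " ".join(weak) if weak else "ok"
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE).items():
        print(f"{host}: {finding}")
```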