FireEdge public endpoint is not working

I configured reverse proxy with https. This is the error: FireEdge public endpoint is not working, please contact your cloud administrator.

Your doc says :public_fireedge_endpoint: http://localhost:2616

The reverse proxy uses https: I tried :public_fireedge_endpoint: https://10.3.4.5:2616

Error. Does fireedge endpoint support https?

Fireedge does not work with https. Please help.

Same issue, did you find a solution?

Hi @Haja_Mohideen , @David_Martins ,

You can find here how to configure HTTPS for FireEdge and Sunstone.

Cheers.

Yes, but that configuration is for Apache and I'm using nginx.

regards,

Here is the nginx configuration that works for me. Note: although it's not related to your question, I want to point out that my nginx config file contains a location directive for websockify. It was added because websockify does not allow specifying which SSL protocols to use, which caused our vulnerability scan to fail.

nginx .conf file

# Keep the nginx version out of the Server header and built-in error pages.
server_tokens off;

# Sunstone web UI, reached over plain HTTP on loopback.
upstream sunstone {
    server 127.0.0.1:9869;
}

# Sunstone's VNC websocket proxy (websockify), same port as :vnc_proxy_port:
# in sunstone-server.conf. nginx fronts it so that the TLS protocol and
# cipher policy is the one set in the HTTPS server block. That only holds if
# clients cannot reach port 29876 directly -- TODO confirm it is firewalled
# or bound to loopback.
upstream websocketproxy {
    server 127.0.0.1:29876;
}

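# HTTP virtual host: serves nothing itself, only redirects to HTTPS.
server {
    listen 80;
    server_name one.mydomain.com;

    # Same header set as the HTTPS vhost. Browsers ignore
    # Strict-Transport-Security received over plain HTTP, so it only takes
    # effect once the client has reached the HTTPS vhost.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options SAMEORIGIN;

    location / {
        # Redirect to the fixed server name, not the client-supplied Host
        # header, and keep the requested path and query string so that deep
        # links survive the upgrade (the original sent every request to /).
        return 301 https://one.mydomain.com$request_uri;
    }
}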

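# HTTPS virtual host: terminates TLS for Sunstone and for the VNC websocket
# proxy (websockify).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name one.mydomain.com;
    root         /usr/share/nginx/html;

    # Browser hardening headers. Without the "always" parameter nginx adds
    # them to successful and redirect responses only, not to error pages.
    # The locations below define no add_header of their own, so they inherit
    # these.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options SAMEORIGIN;

    # Static error pages served from "root". The exact-match location has to
    # name the same URI as error_page; the original used /40x.html here, so
    # the /404.html lookup fell through to "location /" and was proxied to
    # Sunstone. Assumes 404.html exists under root -- TODO confirm.
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    # TLS is switched on by the "ssl" parameter of the listen lines above.
    # The separate "ssl on;" directive was dropped: it is deprecated since
    # nginx 1.15.0 and removed in 1.25.1, where it stops the config loading.
    ssl_certificate      /etc/pki/public/mydomain.com.crt;
    ssl_certificate_key  /etc/pki/private/mydomain.com.pem;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    # ECDHE key exchange with AES-GCM or AES-256 only, server-side preference.
    # TLS 1.2 only, as posted; TLSv1.3 can be listed as well where the
    # installed nginx and OpenSSL support it.
    ssl_ciphers EECDH+AESGCM:EECDH+AES256;
    ssl_prefer_server_ciphers  on;
    ssl_protocols       TLSv1.2;

    # NOTE: VNC requests carry host, port and token in the query string (see
    # the regex in "location /"), so an access log enabled for this vhost
    # will record those tokens; restrict read access to it accordingly.
    #access_log  /var/log/nginx/opennebula-sunstone-access.log;
    #error_log  /var/log/nginx/opennebula-sunstone-error.log;

    location / {
        # Handle inconsistency in the websockify URLs provided by Sunstone:
        # a request for "/" whose query string looks like a VNC connection
        # is rewritten to /websockify/ and re-matched against the locations.
        if ($args ~* "host=.+&port=.+&token=.+&encrypt=.*") {
            rewrite ^/$ /websockify/ last;
        }
        proxy_pass http://sunstone;
        proxy_redirect     off;
        log_not_found      off;
        # Sunstone sees only nginx as its peer; pass the client address on.
        proxy_set_header   X-Real-IP $remote_addr;
        # $http_host is the Host header exactly as the client sent it.
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Forwarded-FOR $proxy_add_x_forwarded_for;
    }

    location /websockify {
        # WebSocket upgrade needs HTTP/1.1 and the Upgrade/Connection headers.
        proxy_http_version 1.1;
        # The hop to websockify is TLS as well. nginx does not verify the
        # upstream certificate unless proxy_ssl_verify is enabled; here the
        # upstream is on loopback.
        proxy_pass https://websocketproxy;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 61s;
        proxy_buffering off;
    }
}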

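# HTTPS virtual host: terminates TLS for FireEdge on its own host name.
server {

        listen       443 ssl;
        server_name  fireedge.mydomain.com;

        # Same HSTS policy as the Sunstone vhost. The framing and content-type
        # headers used there are not copied: this page does not show whether
        # Sunstone embeds FireEdge content from this origin -- TODO confirm
        # before adding X-Frame-Options here.
        add_header Strict-Transport-Security max-age=31536000;

        # TLS is switched on by the "ssl" parameter of the listen line above.
        # The separate "ssl on;" directive was dropped: it is deprecated since
        # nginx 1.15.0 and removed in 1.25.1, where it stops the config
        # loading.
        ssl_certificate      /etc/pki/public/mydomain.com.crt;
        ssl_certificate_key  /etc/pki/private/mydomain.com.pem;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers EECDH+AESGCM:EECDH+AES256;
        ssl_prefer_server_ciphers  on;
        ssl_protocols       TLSv1.2;

        # These paths were copied from the Sunstone vhost; use separate files
        # if FireEdge logging is enabled.
        #access_log  /var/log/nginx/opennebula-sunstone-access.log;
        #error_log  /var/log/nginx/opennebula-sunstone-error.log;

        location /  {
            # Plain HTTP to FireEdge. Unless 10.10.10.10 is this same host,
            # this hop crosses the network unencrypted, and port 2616 should
            # accept connections from the proxy only -- TODO confirm.
            # No Host or X-Forwarded-For header is set here, so FireEdge sees
            # nginx's default upstream Host value and nginx's address.
            proxy_pass http://10.10.10.10:2616;
            # WebSocket upgrade needs HTTP/1.1 and the Upgrade/Connection
            # headers.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # VNC connection timeout
            proxy_read_timeout 61s;

            # Disable response buffering
            proxy_buffering off;
        }
}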

sunstone-server.conf file

# VNC proxy settings from sunstone-server.conf that pair with the nginx
# config above.

# Port the websocket proxy listens on; matches the nginx upstream
# "websocketproxy" (127.0.0.1:29876).
:vnc_proxy_port: 29876
# "only": the proxy accepts encrypted (wss) connections only, which is why
# nginx reaches it with proxy_pass https://.
:vnc_proxy_support_wss: only
# Certificate and private key the proxy uses for wss. These are separate
# copies from the /etc/pki files nginx loads, so the private key exists in
# two places; presumably both should be readable only by their service
# account -- verify file ownership and mode.
:vnc_proxy_cert: /etc/one/ssl/mydomain.com.crt
:vnc_proxy_key: /etc/one/ssl/mydomain.com.pem
:vnc_proxy_ipv6: false
# NOTE(review): per the OpenNebula docs this controls whether the VNC
# password is requested for external windows -- confirm for your version.
:vnc_request_password: false
# Port the browser-side VNC client connects to: the nginx HTTPS listener
# (443) instead of :vnc_proxy_port: directly.
:vnc_client_port: 443