[one-users] OpenNebula 3.2.1 econe-server and SSL proxy

Ulrich Schwickerath ulrich.schwickerath at cern.ch
Fri Feb 3 02:30:11 PST 2012


Hi, Daniel,

thanks a lot for the help on this. The problem with the ssl proxy was 
that I was missing an extra / at the end of the ssl_server directive. So 
one needs

:ssl_server: https://cloud.opennebula.org/

rather than

:ssl_server: https://cloud.opennebula.org

else I get authentication errors. However, this is not the end of the 
story I'm afraid. With this patch in place I can query the system, but 
it's very very slow. My most important user has some 500 VMs in the 
system, and a
euca-describe-instances
times out or gives expat parse errors. If I query the system locally it 
works fine and is very responsive. This problem is new in 3.2.1, I 
didn't have this in 3.0 which I was using before. I already checked that 
I have all rubygems installed which are needed.

Any idea?

Thanks!
Ulrich



On 02/02/2012 11:40 PM, Daniel Molina wrote:
> Hi Ulrich,
>
> We have added a new patch in order to support custom paths and ports
> when setting up an SSL proxy on top of the econe-server. You can see
> this patch in the following link:
>
> http://dev.opennebula.org/issues/985
>
> This patch has been included in the last release (3.2.1). I recommend
> you to upgrade to this version. Also the performance should be
> improved since we have included a new authentication cache.
>
> Currently the econe-server is running in our public cloud with an SSL
> proxy, using the following configuration:
>
> $ cat econe.conf
> # Host and port where econe server will run
> :server: localhost
> :port: 7141
>
> # SSL proxy that serves the API (set if is being used)
> :ssl_server: https://cloud.opennebula.org/econe
>
> # Authentication driver for incoming requests
> #   ec2, default Access key and Secret key scheme
> #   x509, for x509 certificates based authentication
> :auth: ec2
>
> # Authentication driver to communicate with OpenNebula core
> #   cipher, for symmetric cipher encryption of tokens
> #   x509, for x509 certificate encryption of tokens
> :core_auth: cipher
>
> $ cat apache2.conf
> <VirtualHost *:443>
>          servername cloud.opennebula.org
>          SSLEngine on
>          ProxyPass        /econe http://localhost:7141/
>          ProxyPassReverse /econe http://localhost:7141/
> </VirtualHost>
>
> If you use a path different from '/' the client must support this
> feature, otherwise the authentication will fail. The econe tools
> included in the 3.2.1 release support custom paths.
>
> Also if you want the proxy to listen on a different port from the
> default (443) you can specify it in the ssl_parameter:
> :ssl_server: https://cloud.opennebula.org:8082/
>
> Hope this helps
>
> On 2 February 2012 22:45, Ulrich Schwickerath
> <ulrich.schwickerath at cern.ch>  wrote:
>> Hi,
>>
>> did anybody try to set up the ONE 3.2 econe-server with an SSL proxy? The
>> instructions on the web on this seem to be a bit out of date.
>> I had it working fine with 3.0 but with 3.2 I get authentication errors (the
>> ssl proxy setup is unchanged since 3.0). Direct access via http works
>> (although slower than before).
>>
>> Cheers,
>> Ulrich


-- 
--------------------------------------
Dr. Ulrich Schwickerath
CERN IT/PES-PS
1211 Geneva 23
e-mail: ulrich.schwickerath at cern.ch
phone:   +41 22 767 9576
mobile:  +41 76 487 5602
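
Added example, not part of the thread and not OpenNebula's own code: it shows why a missing trailing slash or an unexpected path in :ssl_server can surface as an authentication error. It assumes the server recomputes an EC2 Signature Version 2 HMAC from the host and path parsed out of :ssl_server; the helper names, secret key and request parameters are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'uri'
require 'cgi'

SECRET = 'constructed-secret-key'            # constructed sample value
PARAMS = {                                   # constructed sample request
  'Action' => 'DescribeInstances', 'AWSAccessKeyId' => 'constructed-access-key',
  'SignatureMethod' => 'HmacSHA256', 'SignatureVersion' => '2',
  'Timestamp' => '2012-02-03T10:30:11Z'
}.freeze

# Percent-encode per RFC 3986, as Signature Version 2 requires.
def esc(value)
  CGI.escape(value.to_s).gsub('+', '%20').gsub('%7E', '~')
end

# Signature Version 2: HMAC-SHA256 over verb, host, path and sorted query.
def sigv2(secret, verb, host, path, params)
  query = params.sort.map { |k, v| "#{esc(k)}=#{esc(v)}" }.join('&')
  to_sign = [verb, host.downcase, path, query].join("\n")
  Base64.strict_encode64(
    OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, to_sign)
  )
end

# Assumed server-side step: host[:port] and path come from :ssl_server.
def signing_target(ssl_server)
  uri = URI.parse(ssl_server)
  host = uri.port == uri.default_port ? uri.host : "#{uri.host}:#{uri.port}"
  [host, uri.path]   # path is "" when the URL has no trailing slash
end

# Constant-time comparison of two signatures.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The client signs what it actually sends: Host header and request path.
def client_signature(host, path)
  sigv2(SECRET, 'GET', host, path, PARAMS)
end

def server_accepts?(ssl_server, signature)
  host, path = signing_target(ssl_server)
  secure_equal?(sigv2(SECRET, 'GET', host, path, PARAMS), signature)
end
```

A client requesting the proxy root signs the path "/", so the signature matches only when :ssl_server parses to the same path; likewise a proxy mounted at /econe only validates requests from a client that signs "/econe".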