Configuring HTTPS for OpenStack deployed with kolla
阿新 • Published: 2019-01-24
Environment:
OpenStack version: Newton (N)
Deployment: kolla (every service runs in a Docker container)
Background: because kolla uses a VIP, every node runs an haproxy container that listens on vip:80, vip:9696, vip:8774, vip:5000, vip:35357 and so on, and haproxy proxies each service on each node. So if you want to turn http into https, haproxy is the natural place to do it, although every service configuration that calls the endpoint, and the endpoint catalog, still has to be switched to https. Because haproxy is an extra layer, TLS can be terminated in either of two places: on haproxy itself (enable ssl on the haproxy bind and leave the backends on plain http), or on the backend services, in which case haproxy only forwards the encrypted stream. Note for the second variant (method 1 below): the haproxy server lines point at the backend's plaintext port, which stops existing once the backend listens on 443/5000 with SSLEngine on, so those listen sections must be changed to forward the TLS port (mode tcp, or server ... ssl with certificate verification); otherwise the health checks fail and the VIP answers 503.
Method 1: modify the backend services
1) Configure horizon for HTTPS
Note: we use a self-signed certificate. The Common Name entered when generating it must match the hostname clients use for horizon; modern browsers and TLS libraries match the subjectAltName rather than the CN, so put the hostname (or the VIP) in a SAN as well. Clients then need to trust this certificate (import it into the browser, pass --os-cacert to the CLI, set cafile in the [keystone_authtoken] sections) rather than disabling verification. The certificate and key paths in the httpd config below are resolved inside the horizon container, so the files have to be placed where the container sees them, and anything installed or copied into a kolla container by hand is lost when the container is recreated (deploy, reconfigure, upgrade), so keep copies under /etc/kolla on the host as well.
1. yum install mod_ssl openssl
2. openssl genrsa -out horizon.key 2048
3. openssl req -new -key horizon.key -out horizon.csr (generates the certificate signing request; the Common Name prompt is where the hostname goes)
4. openssl x509 -req -days 3650 -in horizon.csr -signkey horizon.key -out horizon.crt (self-signs the request, valid for ten years)
5. cp horizon.crt /etc/pki/tls/certs/
6. cp horizon.key /etc/pki/tls/private/
7. cp horizon.csr /etc/pki/tls/private/ (the CSR is not used at runtime; keeping a copy is optional)
8. On the host, edit the httpd config file for horizon: vim /etc/kolla/horizon/horizon.conf
Listen 10.55.0.45:443
#Listen 10.55.0.45:80 # 1
#<VirtualHost *:80> # 2: uncomment 1 and 2 to keep listening on 80 and redirect it to https
# RewriteEngine On
# RewriteCond %{HTTPS} !on
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#</VirtualHost>
<VirtualHost *:443>
# Logging
LogLevel warn
ErrorLog /var/log/kolla/horizon/ssl-horizon-error.log
ServerSignature Off
CustomLog /var/log/kolla/horizon/ssl-horizon-access.log combined
WSGIScriptReloading On
WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
WSGIProcessGroup horizon-http
WSGIScriptAlias / /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/wsgi/django.wsgi
WSGIPassAuthorization On
Alias /static /var/lib/kolla/venv/lib/python2.7/site-packages/static
<Location "/">
Require all granted
</Location>
<Location "/static">
SetHandler None
</Location>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/horizon.crt
SSLCertificateKeyFile /etc/pki/tls/private/horizon.key
</VirtualHost>
9. Inside the horizon container, rename httpd's stock ssl config (ssl.conf also listens on 443 and would conflict with the VirtualHost above):
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
10. Restart horizon: docker restart horizon
The VirtualHost above only turns TLS on; it inherits mod_ssl's protocol and cipher defaults, so pin SSLProtocol and SSLCipherSuite in the same VirtualHost if those defaults still allow SSLv3 or TLS 1.0.
2) Configure keystone for HTTPS
1. yum install mod_ssl openssl
2. openssl genrsa -out keystone.key 2048
3. openssl req -new -key keystone.key -out keystone.csr (generates the certificate signing request)
4. openssl x509 -req -days 3650 -in keystone.csr -signkey keystone.key -out keystone.crt (self-signs it)
5. cp keystone.crt /etc/pki/tls/certs/
6. cp keystone.key /etc/pki/tls/private/
7. cp keystone.csr /etc/pki/tls/private/ (optional, as above)
8. On the host, edit the httpd config file for keystone: vim /etc/kolla/keystone/wsgi-keystone.conf
Listen 10.55.0.45:5000
Listen 10.55.0.45:35357
<VirtualHost *:5000>
WSGIScriptReloading On
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel warn
ErrorLog "/var/log/kolla/keystone/keystone-apache-public-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
ServerSignature Off
CustomLog "/var/log/kolla/keystone/keystone-apache-public-access.log" logformat
<Location "/">
Require all granted
</Location>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/keystone.crt
SSLCertificateKeyFile /etc/pki/tls/private/keystone.key
</VirtualHost>
<VirtualHost *:35357>
WSGIScriptReloading On
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel warn
ErrorLog "/var/log/kolla/keystone/keystone-apache-admin-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
ServerSignature Off
CustomLog "/var/log/kolla/keystone/keystone-apache-admin-access.log" logformat
<Location "/">
Require all granted
</Location>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/keystone.crt
SSLCertificateKeyFile /etc/pki/tls/private/keystone.key
</VirtualHost>
9. Inside the keystone container, rename httpd's stock ssl config for the same reason:
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
10. Restart keystone: docker restart keystone
Note: if a container does not come up, check its error output with docker logs -f <container_name>. Once keystone answers only over TLS, the haproxy keystone sections and every [keystone_authtoken] auth_uri / auth_url setting that still says http://...:5000 or :35357 must be switched to https, and the clients must trust the certificate, otherwise the other services can no longer validate tokens.
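The certificate steps of 1) and 2) above are the same procedure with a different service name. The following is an added example, not code from the original post: it generates the self-signed key pair for one service with a subjectAltName covering both the hostname and the IP, keeps the private key at mode 0600, and checks the result before it is copied into the container. The service name, hostname (horizon.example.internal), IP and output directory are illustrative assumptions; the post itself writes into /etc/pki/tls/certs and /etc/pki/tls/private.

```shell
#!/bin/sh
# Added example (not code from the original post). Generates the self-signed
# key pair used in method 1 for one kolla service, with a subjectAltName that
# covers both the hostname and the IP, then checks what actually got produced.
# Service name, hostname, IP and output directory are illustrative assumptions.
set -eu

# make_selfsigned <service> <fqdn> <ip> <outdir> [days]
# Writes <outdir>/<service>.key (mode 0600) and <outdir>/<service>.crt.
make_selfsigned() {
    svc=$1; fqdn=$2; ip=$3; out=$4; days=${5:-3650}
    mkdir -p "$out"
    cfg="$out/$svc-req.cnf"
    # A tiny openssl config is used instead of "req -addext" so the SAN is
    # also emitted on older OpenSSL releases (1.0.x has no -addext).
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_srv
prompt = no
[dn]
CN = $fqdn
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, IP:$ip
EOF
    old_umask=$(umask)
    umask 077                       # the private key is created unreadable to others
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$cfg" -keyout "$out/$svc.key" -out "$out/$svc.crt" 2>/dev/null
    umask "$old_umask"
    chmod 644 "$out/$svc.crt"       # the certificate itself is public
    rm -f "$cfg"
}

# cert_has_san <crt> <san-text>: true if the certificate carries that SAN entry,
# e.g. "DNS:horizon.example.internal" or "IP Address:10.55.0.45"
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# key_is_private <key>: true if the file mode is exactly 0600
key_is_private() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# cert_matches_key <crt> <key>: the public key in the cert must be the key's
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Usage: run with "demo" to generate a horizon pair under /tmp/kolla-tls and check it
if [ "${1:-}" = "demo" ]; then
    make_selfsigned horizon horizon.example.internal 10.55.0.45 /tmp/kolla-tls
    cert_has_san /tmp/kolla-tls/horizon.crt "IP Address:10.55.0.45" && echo "SAN covers the IP"
    key_is_private /tmp/kolla-tls/horizon.key && echo "key mode is 0600"
    cert_matches_key /tmp/kolla-tls/horizon.crt /tmp/kolla-tls/horizon.key && echo "key matches cert"
fi
```

The three check functions are the ones worth running again after the files have been copied into the container: a SAN that does not cover the name clients actually use, a key readable by other users, or a key that belongs to a different certificate are the usual reasons a freshly enabled TLS endpoint fails.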
Method 2: terminate TLS on haproxy
1) Horizon over HTTPS
1. Create haproxy.pem; HAProxy's crt keyword wants the certificate followed by the private key in one file:
cat keystone.crt keystone.key | tee haproxy.pem
This reuses the keystone certificate for horizon, so its Common Name / SAN must also cover the name or VIP used for horizon. The bundle contains the private key, and tee leaves it world-readable under the default umask, so restrict it to mode 0600 before copying it to where the haproxy container resolves /etc/haproxy/haproxy.pem.
2. vim /etc/kolla/haproxy/haproxy.cfg
global
tune.ssl.default-dh-param 2048 # DH parameter size for DHE ciphers; without it haproxy warns and falls back to 1024 bits
listen horizon
bind 10.55.0.234:80 # plaintext listener, only there for the redirect below
bind 10.55.0.234:443 ssl crt /etc/haproxy/haproxy.pem # TLS listener
acl is_http hdr_beg(host) 10.55.0.234 # defined but never referenced; the redirect keys on ssl_fc instead
redirect scheme https if !{ ssl_fc } # send every request that arrived on 80 to https
balance source
http-request del-header X-Forwarded-Proto # drop any client-supplied value so a client cannot spoof it
http-request set-header X-Forwarded-Proto https if { ssl_fc } # tell horizon the client side is TLS; horizon must be configured to trust this header (SECURE_PROXY_SSL_HEADER in local_settings)
server test-centos2 10.55.0.45:80 check inter 2000 rise 2 fall 5
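The cat ... | tee haproxy.pem step above is the one place in this method where a private key changes hands, so it is worth doing carefully. The following is an added example, not code from the original post: it builds the bundle in the order HAProxy expects (server certificate, any intermediate certificates, then the key), creates it 0600 from the start, and checks it before it goes to the haproxy container. The file names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post). Builds the haproxy.pem bundle
# that the "crt" keyword expects (server certificate, then any intermediate
# certificates, then the private key, in one file) and checks it before it is
# handed to the haproxy container. The file names are illustrative assumptions.
set -eu

# build_haproxy_pem <out.pem> <server.crt> <server.key> [chain.crt]
# "cat crt key | tee haproxy.pem" leaves the bundle, and with it the private key,
# world-readable under the usual umask; here it is created 0600.
build_haproxy_pem() {
    out=$1; crt=$2; key=$3; chain=${4:-}
    old_umask=$(umask)
    umask 077
    {
        cat "$crt"
        if [ -n "$chain" ]; then cat "$chain"; fi
        cat "$key"
    } > "$out"
    umask "$old_umask"
}

# pem_sane <pem>: exactly one private key, the certificate before the key,
# mode 0600, and the key really belongs to the first certificate in the bundle.
# Prints the reason on stderr and returns 1 if any check fails.
pem_sane() {
    pem=$1
    nkeys=$(grep -c 'BEGIN .*PRIVATE KEY' "$pem" || true)
    [ "$nkeys" -eq 1 ] || { echo "$pem: expected 1 private key, found $nkeys" >&2; return 1; }
    certline=$(grep -n 'BEGIN CERTIFICATE' "$pem" | head -n 1 | cut -d: -f1)
    keyline=$(grep -n 'BEGIN .*PRIVATE KEY' "$pem" | cut -d: -f1)
    [ -n "$certline" ] || { echo "$pem: no certificate found" >&2; return 1; }
    [ "$certline" -lt "$keyline" ] || { echo "$pem: certificate must precede the key" >&2; return 1; }
    [ -n "$(find "$pem" -perm 600 -print)" ] || { echo "$pem: must be mode 0600" >&2; return 1; }
    pub_cert=$(openssl x509 -in "$pem" -noout -pubkey)
    pub_key=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    [ "$pub_cert" = "$pub_key" ] || { echo "$pem: key does not match certificate" >&2; return 1; }
}

# Usage: build and check the bundle, then copy it to wherever the haproxy
# container resolves /etc/haproxy/haproxy.pem (a path inside the container)
if [ "${1:-}" = "demo" ]; then
    build_haproxy_pem /tmp/haproxy.pem /tmp/horizon.crt /tmp/horizon.key
    pem_sane /tmp/haproxy.pem && echo "/tmp/haproxy.pem is ready for haproxy"
fi
```

The order check matters because HAProxy reads the first certificate in the file as the server certificate; the mode check matters because the haproxy container only needs to read the file, nobody else on the host should.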
2) Keystone over HTTPS
1. vim /etc/kolla/haproxy/haproxy.cfg
listen keystone_internal
bind 10.33.0.234:5000 ssl crt /etc/haproxy/haproxy.pem # one ip:port speaks either plaintext or TLS, never both, so a second plain "bind 10.33.0.234:5000" on the same port is wrong and only the TLS bind stays
acl is_http hdr_beg(host) 10.33.0.234 # defined but never referenced
redirect scheme https if !{ ssl_fc } # never fires now that only TLS is bound; it would need a separate plaintext port, as with 80/443 for horizon
balance source
http-request del-header X-Forwarded-Proto # drop any client-supplied value so it cannot be spoofed
http-request set-header X-Forwarded-Proto https if { ssl_fc }
server lbq-centos2 10.33.0.45:5000 check inter 2000 rise 2 fall 5
Note: with this in place vip:5000 only speaks TLS. A browser or curl request to http://vip:5000 is not redirected, because there is no plaintext listener on that port any more (a plain http request against a TLS port simply fails the handshake). That is why every configuration file that still calls keystone over http (auth_uri / auth_url in the [keystone_authtoken] sections of nova, neutron, cinder, glance and the rest) has to be changed to https, which is the laborious part, and the endpoints in the keystone catalog must be updated as well (openstack endpoint set --url https://... <endpoint-id>). Two further points: pin the TLS versions and cipher suites in the haproxy global section (ssl-default-bind-options, ssl-default-bind-ciphers) instead of relying on the defaults, and make the clients trust the self-signed certificate (cafile in the service configs, --os-cacert for the CLI) rather than switching verification off.
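Updating the catalog is the step most easily half-done: one forgotten http endpoint keeps sending clients to a port that no longer answers plaintext. The following is an added example, not code from the original post: it reads the output of openstack endpoint list -c ID -c URL -f value, lists every endpoint on the VIP that is still http, and prints the openstack endpoint set --url commands that move them to https, optionally limited to one port (keystone only, say). The sample catalog is constructed and the IDs are not real; the VIP is the one from the horizon example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the keystone catalog for
# endpoints that still use plain http on the VIP and print the
# "openstack endpoint set --url ..." commands that move them to https.
# Feed it the output of:  openstack endpoint list -c ID -c URL -f value
# (one "<id> <url>" per line). The sample below is constructed; IDs are not real.
set -eu

# https_plan <vip> [port]
# Reads "<id> <url>" lines on stdin. For every http:// URL whose host is <vip>
# (and whose port is <port>, if given) prints the command that rewrites it to https://.
# Already-https entries and endpoints on other hosts are left alone, so an
# endpoint that still points at a node address shows up in a review, not here.
https_plan() {
    awk -v vip="$1" -v port="${2:-}" '
        $2 ~ /^http:\/\// {
            hp = substr($2, 8)                     # host[:port]/path -> drop "http://"
            sub(/\/.*$/, "", hp)                   # keep host[:port]
            host = hp; sub(/:.*$/, "", host)
            p = index(hp, ":") ? substr(hp, index(hp, ":") + 1) : ""
            if (host == vip && (port == "" || p == port)) {
                url = $2; sub(/^http:/, "https:", url)
                printf "openstack endpoint set --url %s %s\n", url, $1
            }
        }'
}

# count_plaintext <vip>: number of http endpoints still on the VIP (0 means done)
count_plaintext() {
    https_plan "$1" | wc -l | tr -d ' '
}

# Constructed sample catalog: the VIP carries keystone (5000/35357) and nova (8774)
# still on http, neutron already moved to https, and one entry on a node address.
SAMPLE_CATALOG='0f1b3c http://10.55.0.234:5000/v3
7a9e21 http://10.55.0.234:35357/v3
c4d5e6 http://10.55.0.234:8774/v2.1/%(tenant_id)s
3e2d1c https://10.55.0.234:9696
9b8a77 http://10.55.0.45:5000/v3'

# Usage: keystone-only plan first, then everything still plaintext on the VIP
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CATALOG" | https_plan 10.55.0.234 5000
    printf '%s\n' "$SAMPLE_CATALOG" | https_plan 10.55.0.234
    printf 'still plaintext on the VIP: %s\n' "$(printf '%s\n' "$SAMPLE_CATALOG" | count_plaintext 10.55.0.234)"
fi
```

Run the printed commands only for the services whose haproxy bind actually has ssl enabled; rewriting the nova endpoint while vip:8774 is still plaintext breaks nova just as surely as leaving keystone on http does.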