Securing CloudStack Management UI With Apache SSL

The CloudStack management server is a Java application which runs inside the Tomcat container. The default install configures the management Web UI service to listen on HTTP port 8080 on the primary interface.

It is good practice to secure access to the CloudStack UI with SSL, which can be done in more than one way:

  1. Enable SSL in the Tomcat container itself
  2. Put a reverse HTTP proxy that supports SSL termination, such as Apache HTTP Server (with mod_proxy), Nginx or Apache Traffic Server, in front of it

In this post, I will describe how to use the Apache HTTP server as a reverse proxy with SSL termination on CentOS.

  1. Install the Apache HTTP server on the CloudStack management server. A self-signed SSL certificate is created automatically when the mod_ssl package is installed.
    $ sudo yum install -y httpd mod_ssl
  2. Create the /etc/httpd/conf.d/cloudstack.conf config file with the following contents:
    $ cat /etc/httpd/conf.d/cloudstack.conf
    ProxyPass /client http://localhost:8080/client

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/client/(.*) https://%{SERVER_NAME}/client/$1 [R,L]

  3. Restart the HTTP service
    $ sudo service httpd restart
  4. Test with curl from the management server: the plain-HTTP request is redirected, the HTTPS request is proxied through to Tomcat (note the Apache-Coyote Server header)
    $ curl -I http://localhost/client/
    HTTP/1.1 302 Found
    Date: Sat, 28 Dec 2013 05:18:54 GMT
    Server: Apache/2.2.15 (CentOS)
    Location: https://localhost/client/
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    $ curl -k -I https://localhost/client/
    HTTP/1.1 200 OK
    Date: Sat, 28 Dec 2013 05:19:39 GMT
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Set-Cookie: JSESSIONID=2A67D8F8D8325E6646775055D5D04A8C; Path=/client
    Connection: close


In a real production setup, you would use an SSL certificate from a trusted provider like Thawte or Verisign instead of a self-signed certificate.
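A fuller version of the same cloudstack.conf, added here as an example and not taken from the post: it keeps the author's ProxyPass and HTTP-to-HTTPS redirect and adds the directives a hardened SSL-terminating proxy normally carries (no forward proxying, reverse-mapped Location headers, Secure/HttpOnly on the Tomcat session cookie, HSTS, and SSLv3 disabled). It assumes the stock CentOS mod_ssl ssl.conf still provides the :443 virtual host and certificate, and that mod_headers is loaded by the stock httpd.conf.

```apache
# /etc/httpd/conf.d/cloudstack.conf  (added example, not the post's own file)
# Directives sit at server scope, like the original fragment; the stock
# ssl.conf keeps the _default_:443 vhost and the self-signed certificate.

# A reverse proxy must never honour forward-proxy (absolute-URI) requests.
ProxyRequests Off

# Proxy the UI, and rewrite Location/Content-Location headers coming back
# from Tomcat so they point at the proxy instead of localhost:8080.
ProxyPass        /client http://localhost:8080/client
ProxyPassReverse /client http://localhost:8080/client

# Redirect plain-HTTP requests for the UI to HTTPS (same rule as the post).
# Paths outside /client are not affected.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/client/(.*) https://%{SERVER_NAME}/client/$1 [R,L]

# Tomcat only ever sees plain HTTP from the proxy. Because of the redirect
# above, every /client request that reaches it arrived over TLS; pass the
# original scheme along (honoured only if Tomcat is configured to read it).
RequestHeader set X-Forwarded-Proto "https"

# The JSESSIONID cookie in the curl output above carries neither Secure nor
# HttpOnly. Add both at the proxy so the session cookie is never sent over
# plain HTTP and is not readable by page scripts.
Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"

# Ask browsers to use HTTPS for this host for one year.
Header always set Strict-Transport-Security "max-age=31536000"

# Disable SSLv2/SSLv3 (POODLE). The stock ssl.conf sets SSLProtocol inside
# its 443 vhost, which overrides this server-scope line, so change it there too.
SSLProtocol all -SSLv2 -SSLv3
```

Re-run the two curl tests from step 4 after restarting httpd; the HTTPS response should now show the cookie flags and the Strict-Transport-Security header.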


Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.


6 thoughts on “Securing CloudStack Management UI With Apache SSL”

  1. Thanks for the article. About “In a real production setup, you would use a SSL certificate from a trusted provider like Thawte or Verisign”: No thanks, I will use self-signed certificates any day over those so-called trusted providers. If Snowden’s revelations have taught us anything, it’s that the US government and their 3-letter men-in-black organizations will do anything to reach their goals. Read last week’s report about the NSA and RSA (the company). Now can you absolutely guarantee that the NSA did not compromise Thawte or Verisign or obtain a copy of their CA keys?

    If you want to be safe(r) it makes total sense to use self-signed certificates, especially in production.

  2. It’s also important to disable SSL v3 now due to the POODLE vulnerability. This can be done in the Tomcat or Apache configuration (as appropriate).
