The CloudStack management server is a Java application which runs inside the Tomcat container. The default install configures the management Web UI service to listen on HTTP port 8080 on the primary interface.
It is good practice to secure access to the CloudStack UI with SSL, and this can be done in more than one way:
- Enable SSL options in Tomcat container itself
- Use a reverse HTTP proxy server which supports SSL termination like Apache HTTP Server (with mod_proxy), Nginx or Apache Traffic Server
In this post, I will describe how to use the Apache HTTP server as a reverse proxy with SSL termination on CentOS.
- Install the Apache HTTP server on the CloudStack management server. A self-signed SSL certificate is created automatically during the mod_ssl package installation.
$ sudo yum install -y httpd mod_ssl
- Create /etc/httpd/conf.d/cloudstack.conf config file with the following contents:
$ cat /etc/httpd/conf.d/cloudstack.conf
# Forward /client to the Tomcat instance on the management server
ProxyPass /client http://localhost:8080/client
# Redirect any plain-HTTP request for /client to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/client/(.*) https://%{SERVER_NAME}/client/$1 [R,L]
- Restart the HTTP service
$ sudo service httpd restart
- Test using curl from the management server
$ curl -I http://localhost/client/
HTTP/1.1 302 Found
Date: Sat, 28 Dec 2013 05:18:54 GMT
Server: Apache/2.2.15 (CentOS)
Location: https://localhost/client/
Connection: close
Content-Type: text/html; charset=iso-8859-1

$ curl -k -I https://localhost/client/
HTTP/1.1 200 OK
Date: Sat, 28 Dec 2013 05:19:39 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=2A67D8F8D8325E6646775055D5D04A8C; Path=/client
Connection: close
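The two curl calls above check the redirect and the proxied response by eye. The script below is an added example (not part of the original post or of CloudStack) that automates the same two checks and also audits what the proxied response reveals: the JSESSIONID cookie in the HTTPS output above is set by Tomcat without the Secure or HttpOnly attributes, because Tomcat does not know that the connection was TLS-terminated in front of it, and the response carries no Strict-Transport-Security header. The sample responses are transcribed from the curl output above; the live mode against a real host is an assumption about the setup (ports 80 and 443 on the management server) and needs network access.

```python
"""Audit a TLS-terminating reverse proxy in front of the CloudStack UI.

Offline mode replays the curl -I output from the post; live mode talks to a host.
Added example, not CloudStack code.
"""
import http.client
import ssl
import sys
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Constructed samples, transcribed from the curl -I output in the post.
SAMPLE_HTTP = """HTTP/1.1 302 Found
Date: Sat, 28 Dec 2013 05:18:54 GMT
Server: Apache/2.2.15 (CentOS)
Location: https://localhost/client/
Connection: close
Content-Type: text/html; charset=iso-8859-1
"""

SAMPLE_HTTPS = """HTTP/1.1 200 OK
Date: Sat, 28 Dec 2013 05:19:39 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=2A67D8F8D8325E6646775055D5D04A8C; Path=/client
Connection: close
"""


def parse_head(raw: str) -> Tuple[int, Headers]:
    """Parse 'curl -I' style output into (status code, [(name, value), ...])."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" -> 302
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_http(status: int, headers: Headers) -> List[str]:
    """A plain-HTTP request for /client/ must be redirected to an https:// URL."""
    findings: List[str] = []
    location = dict(headers).get("location", "")
    if status not in (301, 302, 307, 308):
        findings.append(f"HTTP /client/ answered {status}, expected a redirect to HTTPS")
    elif not location.lower().startswith("https://"):
        findings.append(f"redirect target is not HTTPS: {location!r}")
    return findings


def audit_https(status: int, headers: Headers) -> List[str]:
    """The HTTPS response must come from Tomcat and not hand out weak session cookies."""
    findings: List[str] = []
    if status != 200:
        findings.append(f"HTTPS /client/ answered {status}, expected 200 from Tomcat")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure; a browser may send it over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly; it is readable from page scripts")
    if "strict-transport-security" not in dict(headers):
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    return findings


def audit_live(host: str, verify_tls: bool = True) -> List[str]:
    """Run both audits against a real proxy (assumes ports 80/443; needs the network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("HEAD", "/client/")
    resp = conn.getresponse()
    findings = audit_http(resp.status, [(k.lower(), v) for k, v in resp.getheaders()])
    conn.close()

    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed certificate, the equivalent of curl -k
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    sconn = http.client.HTTPSConnection(host, 443, timeout=10, context=ctx)
    sconn.request("HEAD", "/client/")
    proto = sconn.sock.version()  # read before getresponse(): Connection: close drops the socket
    resp = sconn.getresponse()
    findings += audit_https(resp.status, [(k.lower(), v) for k, v in resp.getheaders()])
    if proto in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"negotiated {proto}; restrict SSLProtocol in the Apache SSL config")
    sconn.close()
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: audit.py <host> [--insecure]
        results = audit_live(sys.argv[1], verify_tls="--insecure" not in sys.argv)
    else:  # replay the post's curl output
        results = audit_http(*parse_head(SAMPLE_HTTP)) + audit_https(*parse_head(SAMPLE_HTTPS))
    for finding in results or ["no findings"]:
        print(finding)
```

Run without arguments and it replays the post's own output: the redirect step passes, and the HTTPS step reports the missing cookie attributes and the missing HSTS header. These are not fixed by the config in the post; in Apache they can be added at the proxy with mod_headers (`Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"` and a `Header always set Strict-Transport-Security` line), directives that are standard in mod_headers but are an addition to, not part of, the post's configuration.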
In a real production setup, you would use an SSL certificate from a trusted provider like Thawte or Verisign instead of a self-signed certificate.
Resources:
- Apache Module mod_proxy
- Redirect Request to SSL
- Rewrite HTTP to HTTPS
- Setting up an SSL secured Webserver with CentOS
6 replies on “Securing CloudStack Management UI With Apache SSL”
Thanks for the article. About “In a real production setup, you would use a SSL certificate from a trusted provider like Thawte or Verisign”: No thanks, I will use self-signed certificates any day over those so-called trusted providers. If Snowden’s revelations have taught us anything, it’s that the US government and their 3-letter men-in-black organizations will do anything to reach their goals. Read last week’s report about the NSA and RSA (the company). Now can you absolutely guarantee that the NSA did not compromise Thawte or Verisign or obtained a copy of their CA keys?
If you want to be safe(r) it makes total sense to use self-signed certificates, especially in production.
Hi Pieter,
I share the same privacy concerns as you do. But customers certainly prefer to go with big SSL brands for other (business) reasons.
Hello Shanker:
I’ve never worked with Tomcat, so I ask:
when referring to “Enable SSL options in Tomcat container itself”, is it this:
https://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html
thanks
Tomcat 3.3 is very old. http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html should be more relevant as CloudStack 4.2.x pulls in tomcat6 as a dependency.
yep. thanks a lot!
It’s also important to disable SSL v3 now due to the POODLE vulnerability. This can be done in the Tomcat or Apache configuration (as appropriate).