Terminate TLS on Nginx
This is more efficient, and the eventlet's implementation has had substantial issues in the past. Change-Id: If5bccf360e7295cdcf145ca2b5402c168acc57af
This commit is contained in:
parent
3b61371960
commit
f30cc86557
@ -378,7 +378,7 @@
|
|||||||
name: bifrost-nginx-install
|
name: bifrost-nginx-install
|
||||||
tasks_from: bootstrap
|
tasks_from: bootstrap
|
||||||
|
|
||||||
- name: "Place nginx configuration for ironic"
|
- name: "Place nginx configuration for HTTP directory"
|
||||||
template:
|
template:
|
||||||
src: nginx_conf.d_bifrost-httpboot.conf.j2
|
src: nginx_conf.d_bifrost-httpboot.conf.j2
|
||||||
dest: /etc/nginx/conf.d/bifrost-httpboot.conf
|
dest: /etc/nginx/conf.d/bifrost-httpboot.conf
|
||||||
@ -386,6 +386,15 @@
|
|||||||
group: "{{ nginx_user }}"
|
group: "{{ nginx_user }}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
|
- name: "Place nginx configuration for TLS"
|
||||||
|
template:
|
||||||
|
src: nginx_conf.d_bifrost-ironic.conf.j2
|
||||||
|
dest: /etc/nginx/conf.d/bifrost-ironic.conf
|
||||||
|
owner: "{{ nginx_user }}"
|
||||||
|
group: "{{ nginx_user }}"
|
||||||
|
mode: 0755
|
||||||
|
when: enable_tls | bool
|
||||||
|
|
||||||
- name: "Set permissions for /var/lib/ironic for the ironic user"
|
- name: "Set permissions for /var/lib/ironic for the ironic user"
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
@ -456,11 +465,17 @@
|
|||||||
- block:
|
- block:
|
||||||
- name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
|
- name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
|
||||||
seport:
|
seport:
|
||||||
ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
|
ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,6388,5050,9999,15050"
|
||||||
proto: tcp
|
proto: tcp
|
||||||
setype: http_port_t
|
setype: http_port_t
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: "Allow nginx to connect to downstream servers"
|
||||||
|
seboolean:
|
||||||
|
name: httpd_can_network_connect
|
||||||
|
state: yes
|
||||||
|
persistent: yes
|
||||||
|
|
||||||
- name: "Add proper context on created data for tftpboot"
|
- name: "Add proper context on created data for tftpboot"
|
||||||
sefcontext:
|
sefcontext:
|
||||||
target: "{{ item }}"
|
target: "{{ item }}"
|
||||||
|
@ -18,11 +18,9 @@ log_dir = {{ inspector_log_dir }}
|
|||||||
transport_url = fake://
|
transport_url = fake://
|
||||||
|
|
||||||
{% if enable_tls | bool %}
|
{% if enable_tls | bool %}
|
||||||
use_ssl = True
|
# TLS is handled by nginx is proxy mode
|
||||||
|
listen_address = 127.0.0.1
|
||||||
[ssl]
|
listen_port = 15050
|
||||||
cert_file = {{ tls_certificate_path }}
|
|
||||||
key_file = {{ ironic_inspector_private_key_path }}
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
|
@ -51,12 +51,18 @@ grub_config_path = EFI/{{ efi_distro }}/grub.cfg
|
|||||||
|
|
||||||
{% if enable_tls | bool %}
|
{% if enable_tls | bool %}
|
||||||
[api]
|
[api]
|
||||||
enable_ssl_api = True
|
# TLS is handled by nginx is proxy mode
|
||||||
|
host_ip = 127.0.0.1
|
||||||
|
port = 6388
|
||||||
|
public_endpoint = {{ api_protocol }}://{{ internal_ip }}:6385
|
||||||
|
|
||||||
|
{% if expose_json_rpc | bool %}
|
||||||
[ssl]
|
[ssl]
|
||||||
|
# Only used for JSON RPC when expose_json_rpc is true
|
||||||
cert_file = {{ tls_certificate_path }}
|
cert_file = {{ tls_certificate_path }}
|
||||||
key_file = {{ ironic_private_key_path }}
|
key_file = {{ ironic_private_key_path }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[agent]
|
[agent]
|
||||||
{% if ironic_store_ramdisk_logs | bool %}
|
{% if ironic_store_ramdisk_logs | bool %}
|
||||||
|
@ -0,0 +1,35 @@
|
|||||||
|
server {
|
||||||
|
listen 6385 ssl http2;
|
||||||
|
server_name {{ ansible_hostname }};
|
||||||
|
|
||||||
|
ssl_certificate {{ tls_certificate_path }};
|
||||||
|
ssl_certificate_key {{ ironic_private_key_path }};
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:6388;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
proxy_set_header X-Forwarded-Port 6385;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% if enable_inspector | bool %}
|
||||||
|
server {
|
||||||
|
listen 5050 ssl http2;
|
||||||
|
server_name {{ ansible_hostname }};
|
||||||
|
|
||||||
|
ssl_certificate {{ tls_certificate_path }};
|
||||||
|
ssl_certificate_key {{ ironic_inspector_private_key_path }};
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:15050;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
proxy_set_header X-Forwarded-Port 5050;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{% endif %}
|
5
releasenotes/notes/nginx-proxy-a4aa77ff045060be.yaml
Normal file
5
releasenotes/notes/nginx-proxy-a4aa77ff045060be.yaml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
TLS (when enabled) is now handled by Nginx in proxy mode rather than
|
||||||
|
services themselves.
|
Loading…
Reference in New Issue
Block a user