Terminate TLS on Nginx

This is more efficient, and the eventlet's implementation has had
substantial issues in the past.

Change-Id: If5bccf360e7295cdcf145ca2b5402c168acc57af
This commit is contained in:
Dmitry Tantsur 2021-11-29 14:31:39 +01:00
parent 3b61371960
commit f30cc86557
5 changed files with 67 additions and 8 deletions

View File

@ -378,7 +378,7 @@
name: bifrost-nginx-install name: bifrost-nginx-install
tasks_from: bootstrap tasks_from: bootstrap
- name: "Place nginx configuration for ironic" - name: "Place nginx configuration for HTTP directory"
template: template:
src: nginx_conf.d_bifrost-httpboot.conf.j2 src: nginx_conf.d_bifrost-httpboot.conf.j2
dest: /etc/nginx/conf.d/bifrost-httpboot.conf dest: /etc/nginx/conf.d/bifrost-httpboot.conf
@ -386,6 +386,15 @@
group: "{{ nginx_user }}" group: "{{ nginx_user }}"
mode: 0755 mode: 0755
- name: "Place nginx configuration for TLS"
template:
src: nginx_conf.d_bifrost-ironic.conf.j2
dest: /etc/nginx/conf.d/bifrost-ironic.conf
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}"
mode: 0755
when: enable_tls | bool
- name: "Set permissions for /var/lib/ironic for the ironic user" - name: "Set permissions for /var/lib/ironic for the ironic user"
file: file:
path: "{{ item }}" path: "{{ item }}"
@ -456,11 +465,17 @@
- block: - block:
- name: "Allow nginx, ironic, inspector and IPA ports on SELinux" - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
seport: seport:
ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999" ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,6388,5050,9999,15050"
proto: tcp proto: tcp
setype: http_port_t setype: http_port_t
state: present state: present
- name: "Allow nginx to connect to downstream servers"
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
- name: "Add proper context on created data for tftpboot" - name: "Add proper context on created data for tftpboot"
sefcontext: sefcontext:
target: "{{ item }}" target: "{{ item }}"

View File

@ -18,11 +18,9 @@ log_dir = {{ inspector_log_dir }}
transport_url = fake:// transport_url = fake://
{% if enable_tls | bool %} {% if enable_tls | bool %}
use_ssl = True # TLS is handled by nginx is proxy mode
listen_address = 127.0.0.1
[ssl] listen_port = 15050
cert_file = {{ tls_certificate_path }}
key_file = {{ ironic_inspector_private_key_path }}
{% endif %} {% endif %}
[database] [database]

View File

@ -51,12 +51,18 @@ grub_config_path = EFI/{{ efi_distro }}/grub.cfg
{% if enable_tls | bool %} {% if enable_tls | bool %}
[api] [api]
enable_ssl_api = True # TLS is handled by nginx is proxy mode
host_ip = 127.0.0.1
port = 6388
public_endpoint = {{ api_protocol }}://{{ internal_ip }}:6385
{% if expose_json_rpc | bool %}
[ssl] [ssl]
# Only used for JSON RPC when expose_json_rpc is true
cert_file = {{ tls_certificate_path }} cert_file = {{ tls_certificate_path }}
key_file = {{ ironic_private_key_path }} key_file = {{ ironic_private_key_path }}
{% endif %} {% endif %}
{% endif %}
[agent] [agent]
{% if ironic_store_ramdisk_logs | bool %} {% if ironic_store_ramdisk_logs | bool %}

View File

@ -0,0 +1,35 @@
server {
listen 6385 ssl http2;
server_name {{ ansible_hostname }};
ssl_certificate {{ tls_certificate_path }};
ssl_certificate_key {{ ironic_private_key_path }};
location / {
proxy_pass http://127.0.0.1:6388;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 6385;
}
}
{% if enable_inspector | bool %}
server {
listen 5050 ssl http2;
server_name {{ ansible_hostname }};
ssl_certificate {{ tls_certificate_path }};
ssl_certificate_key {{ ironic_inspector_private_key_path }};
location / {
proxy_pass http://127.0.0.1:15050;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 5050;
}
}
{% endif %}

View File

@ -0,0 +1,5 @@
---
features:
- |
TLS (when enabled) is now handled by Nginx in proxy mode rather than
services themselves.