Sticking MAAS behind https for web and api?

Jonas Wagner jonas.wagner at epfl.ch
Mon Feb 20 09:56:21 UTC 2017


Hi,

We've had similar issues when trying to use HTTPS.

One step was to change maas_url in regiond.conf (and also rackd.conf?).
The second step is to ensure that there is a valid certificate set up
in /etc/apache2/conf-enabled/maas-http.conf ->
/usr/share/maas/maas-http.conf . That file by default uses a self-signed
certificate. This breaks enlistment and commissioning, silently.
Note that changing that file is a bit problematic because AFAIK, the file
is not considered a configuration file, and so your changes to it might get
overridden when you upgrade MAAS.

We also encounter the weird redirects to http, e.g., after login. I tried
setting up a redirect rule in the Apache configuration to prevent this,
without success. If you find a solution to this, I'd be glad to hear it.

Best,
Jonas

On Fri, Feb 17, 2017 at 6:48 PM Jim Tilander <jim at tilander.org> wrote:

> I’m on 2.1.2+bzr5555-0ubuntu1~16.04.1.
>
> Does the commandline do anything except change the regiond.conf file?
> Because I just hand edited the config file before and that’s when the
> enlistment and commissioning stopped working since they all try to talk to
> the API service via that link, but the twisted service doesn’t seem to know
> about HTTPS?
>
> Or is there any special place I need to place the certificate for the
> twisted service?
>
> I’ve got a wildcard certificate for my domain, and it works for the web
> service right now (although just through apache).
>
> > On Feb 17, 2017, at 9:42 AM, Peter Matulis <peter.matulis at canonical.com> wrote:
> >
> > It should definitely change the URL in /etc/maas/regiond.conf . I just
> > tried it. Although I am running 2.2 (beta2).
> >
> > You would also need to use the server name that is on the SSL
> > certificate (not 'localhost').
> >
> > On Fri, Feb 17, 2017 at 12:27 PM, Jim Tilander <jim at tilander.org> wrote:
> >> I hadn’t. I tried that command, it didn’t seem to change /etc/maas/regiond.conf (where is the URL setting kept?)
> >>
> >> Restarting the maas-regiond afterwards broke the webUI, no response. I had to revert back.
> >>
> >>> On Feb 17, 2017, at 6:44 AM, Peter Matulis <peter.matulis at canonical.com> wrote:
> >>>
> >>> Did you change the MAAS URL?
> >>>
> >>> sudo maas-region local_config_set --maas-url https://localhost:5240/MAAS
> >>> sudo systemctl restart maas-regiond
> >>>
> >>>
> >>> On Tue, Feb 14, 2017 at 9:44 PM, Jim Tilander <jim at tilander.org> wrote:
> >>>> Hi,
> >>>>
> >>>> So I’ve been trying to stick my server behind https, with little success.
> >>>>
> >>>> I’ve added an extra site in the apache config and stuck a certificate in place. I can hit https and the site *kind* of works, but there are still some strange redirects back to regular http (notably after the login).
> >>>>
> >>>> Is there any config that I can modify to disable the redirects to regular http?
> >>>>
> >>>> There is also a config file in /etc/maas/regiond.conf (I think that’s the file from memory here) that lists the twisted port the python service is running under. This is a http port. Is there any way that I can change this to be served under https? (simply changing it to https doesn’t seem to work so well).
> >>>>
> >>>> Cheers,
> >>>> Jim
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Maas-devel mailing list
> >>>> Maas-devel at lists.ubuntu.com
> >>>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/maas-devel
> >>
>
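
The points raised in this thread, written as a pre-flight check: maas_url should use https and name a host that the certificate covers (not 'localhost'), and a self-signed certificate fails normal verification. This is an added example, not code from the thread or from MAAS; it assumes regiond.conf holds flat `key: value` lines, and the function names and the example.org names are made up for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

def read_maas_url(conf_text):
    """Pull maas_url out of regiond.conf text (assumed: flat 'key: value' lines)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "maas_url":
            return value.strip().strip("'\"")
    return None

def name_matches(host, pattern):
    """Match a host against a certificate DNS name; '*' covers one leftmost label only."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]

def check_maas_url(conf_text, cert_names):
    """Return a list of problems; an empty list means the URL fits the certificate."""
    url = read_maas_url(conf_text)
    if url is None:
        return ["maas_url is not set"]
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("maas_url scheme is %r, not https" % parts.scheme)
    host = parts.hostname or ""
    if not any(name_matches(host, n) for n in cert_names):
        problems.append("host %r is not covered by certificate names %s"
                        % (host, sorted(cert_names)))
    return problems

def served_cert_names(host, port=443):
    """Live check: handshake with normal verification, return the DNS names served.
    A self-signed certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]

# Constructed sample: the URL from the thread's command, checked against a
# made-up wildcard certificate name.
SAMPLE_CONF = "database_host: localhost\nmaas_url: https://localhost:5240/MAAS\n"
if __name__ == "__main__":
    print(check_maas_url(SAMPLE_CONF, ["*.example.org"]))
```

On a region controller, `served_cert_names()` can supply the second argument to `check_maas_url()`, so the names Apache actually serves are compared with the configured URL.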