Sticking MAAS behind https for web and api?

Mark Shuttleworth mark at
Mon Feb 20 10:09:44 UTC 2017

On 20/02/17 09:56, Jonas Wagner wrote:
> We've had similar issues when trying to use HTTPS.
> One step was to change maas_url in regiond.conf (and also rackd.conf ?).
> The second step is to ensure that there is a valid certificate set up
> in /etc/apache2/conf-enabled/maas-http.conf ->
> /usr/share/maas/maas-http.conf . That file by default uses a
> self-signed certificate. This breaks enlistment and commissioning,
> silently.
> Note that changing that file is a bit problematic because AFAIK, the
> file is not considered a configuration file, and so your changes to it
> might get overridden when you upgrade MAAS.
> We also encounter the weird redirects to http, e.g., after login. I
> tried setting up a redirect rule in the Apache configuration to
> prevent this, without success. If you find a solution to this, I'd be
> glad to hear it.

Thanks for these reports. We definitely want to make https-fronted
hosting a first-class configuration, so this should be:

 * easy to configure in one and only one place
 * self-monitored by the system in the same way we self-monitor other
process health

That won't make it into the current cycle that's in beta, but seems
sensible for the next cycle.


More information about the Maas-devel mailing list