This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git
The following commit(s) were added to refs/heads/main by this push:
new 052fae84 Improvement: SSL offloading with Virtual Router (#555)
052fae84 is described below
commit 052fae8445125f7a6f597724cca6e687ad923015
Author: Wei Zhou <[email protected]>
AuthorDate: Thu Sep 11 13:07:35 2025 +0200
Improvement: SSL offloading with Virtual Router (#555)
---
source/_static/images/ssl-certificate-account.png | Bin 0 -> 86173 bytes
source/_static/images/ssl-certificate-list.png | Bin 0 -> 43702 bytes
.../images/ssl-certificate-new-lb-rule-select.png | Bin 0 -> 17724 bytes
.../_static/images/ssl-certificate-new-lb-rule.png | Bin 0 -> 53050 bytes
source/_static/images/ssl-certificate-project.png | Bin 0 -> 105771 bytes
.../ssl-certificate-update-lb-rule-protocol.png | Bin 0 -> 24124 bytes
.../ssl-certificate-update-lb-rule-ssl-cert.png | Bin 0 -> 32490 bytes
source/_static/images/ssl-certificate-upload.png | Bin 0 -> 239368 bytes
.../external_firewalls_and_load_balancers.rst | 85 +++++++++++++++++++++
.../networking/virtual_private_cloud_config.rst | 6 ++
10 files changed, 91 insertions(+)
diff --git a/source/_static/images/ssl-certificate-account.png
b/source/_static/images/ssl-certificate-account.png
new file mode 100644
index 00000000..78e2dc01
Binary files /dev/null and b/source/_static/images/ssl-certificate-account.png
differ
diff --git a/source/_static/images/ssl-certificate-list.png
b/source/_static/images/ssl-certificate-list.png
new file mode 100644
index 00000000..5aa3fe74
Binary files /dev/null and b/source/_static/images/ssl-certificate-list.png
differ
diff --git a/source/_static/images/ssl-certificate-new-lb-rule-select.png
b/source/_static/images/ssl-certificate-new-lb-rule-select.png
new file mode 100644
index 00000000..682a9617
Binary files /dev/null and
b/source/_static/images/ssl-certificate-new-lb-rule-select.png differ
diff --git a/source/_static/images/ssl-certificate-new-lb-rule.png
b/source/_static/images/ssl-certificate-new-lb-rule.png
new file mode 100644
index 00000000..7dd50437
Binary files /dev/null and
b/source/_static/images/ssl-certificate-new-lb-rule.png differ
diff --git a/source/_static/images/ssl-certificate-project.png
b/source/_static/images/ssl-certificate-project.png
new file mode 100644
index 00000000..ff97b318
Binary files /dev/null and b/source/_static/images/ssl-certificate-project.png
differ
diff --git a/source/_static/images/ssl-certificate-update-lb-rule-protocol.png
b/source/_static/images/ssl-certificate-update-lb-rule-protocol.png
new file mode 100644
index 00000000..e6637e57
Binary files /dev/null and
b/source/_static/images/ssl-certificate-update-lb-rule-protocol.png differ
diff --git a/source/_static/images/ssl-certificate-update-lb-rule-ssl-cert.png
b/source/_static/images/ssl-certificate-update-lb-rule-ssl-cert.png
new file mode 100644
index 00000000..183c89ee
Binary files /dev/null and
b/source/_static/images/ssl-certificate-update-lb-rule-ssl-cert.png differ
diff --git a/source/_static/images/ssl-certificate-upload.png
b/source/_static/images/ssl-certificate-upload.png
new file mode 100644
index 00000000..52eef234
Binary files /dev/null and b/source/_static/images/ssl-certificate-upload.png
differ
diff --git
a/source/adminguide/networking/external_firewalls_and_load_balancers.rst
b/source/adminguide/networking/external_firewalls_and_load_balancers.rst
index eae69281..a753886c 100644
--- a/source/adminguide/networking/external_firewalls_and_load_balancers.rst
+++ b/source/adminguide/networking/external_firewalls_and_load_balancers.rst
@@ -291,6 +291,11 @@ Adding a Load Balancer Rule
algorithm for the stickiness policy. See Sticky Session Policies
for Load Balancer Rules.
+ - **Protocol**: The protocol for the Load Balancer Rule such as tcp, udp,
tcp-proxy or ssl.
+
+ - **SSL Certificate**: The SSL certificate assigned to the Load Balancer
Rule.
+ This is visible only when protocol is ssl. See :ref:`conf-ssl-cert`.
+
- **AutoScale**: Click Configure and complete the AutoScale
configuration as explained in :ref:`conf-autoscale`.
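Review bot: The **Protocol** bullet lists tcp, udp, tcp-proxy and ssl without saying what distinguishes them, so a reader only learns what ssl implies by following the :ref:`conf-ssl-cert` link in the next bullet. Consider adding a half-sentence here that ssl is the protocol used for SSL offloading and needs a certificate assigned to the rule. Marking the values as inline literals (``tcp``, ``ssl``) would also make clear they are the exact option names.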
@@ -470,6 +475,70 @@ For details on how to set a health check policy using the
UI, see
:ref:`adding-lb-rule`.
+.. _conf-ssl-cert:
+
+Configuring SSL Certificate for Load Balancer Rules
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SSL Offloading allows load balancers to handle encryption and decryption of
+HTTP(s) traffic giving plain text HTTP to the back end servers freeing them
+from the resource intensive task of handling encryption and decryption.
+SSL Offloading supports CloudStack Virtual Router since Apache CloudStack
4.22.0.
+
+- Upload SSL certificates
+
+SSL certificate is required for SSL offloading feature. As the first step,
users
+need to upload SSL certificates for the accounts or projects.
+
+|ssl-certificate-account.png|
+
+Click "Upload SSL Certificate" button, input the following fields in the
dialog, click "Submit"
+
+ * Name: the name of the SSL certificate. This is required.
+ * Certificate: the SSL certificate. This is required.
+ * Private Key: the private key of the SSL certificate. This is required.
+ * Certificate chain: the ROOT CA and intermediate certificate(s) of the
SSL certificate. Please input if exist, otherwise the SSL certificate might not
work.
+ * Password: the password of the private key. Currently it is unsupported
when use CloudStack Virtual Router for SSL offloading.
+ * Revocation check: Whether enables revocation checking for certificates.
Please do not check if self-signed SSL certificate.
+
+|ssl-certificate-upload.png|
+
+Users can view or remove the SSL certificates on the same page.
+
+|ssl-certificate-list.png|
+
+For projects, go to the project page and click "Certificates" tab
+
+|ssl-certificate-project.png|
+
+- Create Load balancer rule with SSL Certificate
+
+SSL certificate can be configured only when the protocol of load balancer rule
is ssl.
+
+|ssl-certificate-new-lb-rule.png|
+
+Click "SSL certificate" button, select a SSL certificate, click "OK"
+
+|ssl-certificate-new-lb-rule-select.png|
+
+- Assign SSL certificate to existing Load balancer rule
+
+If the load balancer rule has been created without SSL certificate, update
protocol to SSL if it is not
+
+|ssl-certificate-update-lb-rule-protocol.png|
+
+Click "Manage" button under the "SSL certificate" field, select a SSL
certificate,
+click "Replace" or "Assign" button to assign a new SSL certificate.
+
+|ssl-certificate-update-lb-rule-ssl-cert.png|
+
+User can remove the SSL certificate from load balancer rule by clicking
"Remove" button.
+
+.. note::
+ Since SSL offloading increases CPU utilization on the load balancer,
+ please allocate more resources to the Virtual Router when expecting high
traffic.
+
+
.. _conf-autoscale:
Configuring AutoScale
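Review bot: The **Password** bullet in the upload dialog says a key password is unsupported with the CloudStack Virtual Router, but the **Private Key** bullet never states the consequence, which is that the key has to be supplied unencrypted. Please say so explicitly in the Private Key bullet so users do not upload a passphrase-protected key and find the rule failing later. The opening paragraph also states that back end servers receive plain text HTTP; a sentence making clear that traffic between the Virtual Router and the Instances is therefore unencrypted would let operators decide whether that network segment is trusted enough. Wording: "SSL Offloading supports CloudStack Virtual Router since Apache CloudStack 4.22.0" reads inverted (the Virtual Router supports SSL offloading since 4.22.0), and "Whether enables revocation checking" and "Please input if exist" need a grammar pass. The three "- Upload SSL certificates" style bullets act as sub-headings for the paragraphs that follow them; numbered steps or bold lead-ins would render more clearly than a one-item list followed by unindented text.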
@@ -735,3 +804,19 @@ Runtime Considerations
:alt: Configuring AutoScale.
.. |EnableDisable.png| image:: /_static/images/enable-disable-autoscale.png
:alt: button to enable or disable AutoScale.
+.. |ssl-certificate-account.png| image::
/_static/images/ssl-certificate-account.png
+ :alt: Manage certificates for account.
+.. |ssl-certificate-upload.png| image::
/_static/images/ssl-certificate-upload.png
+ :alt: Upload SSL certificate for account.
+.. |ssl-certificate-list.png| image:: /_static/images/ssl-certificate-list.png
+ :alt: List of certificates for account.
+.. |ssl-certificate-project.png| image::
/_static/images/ssl-certificate-project.png
+ :alt: Manage certificates for project.
+.. |ssl-certificate-new-lb-rule.png| image::
/_static/images/ssl-certificate-new-lb-rule.png
+ :alt: Create load balancer rule with SSL protocol
+.. |ssl-certificate-new-lb-rule-select.png| image::
/_static/images/ssl-certificate-new-lb-rule-select.png
+ :alt: Select SSL certificate for new load balancer rule.
+.. |ssl-certificate-update-lb-rule-protocol.png| image::
/_static/images/ssl-certificate-update-lb-rule-protocol.png
+ :alt: Update protocol of load balancer rule to SSL.
+.. |ssl-certificate-update-lb-rule-ssl-cert.png| image::
/_static/images/ssl-certificate-update-lb-rule-ssl-cert.png
+ :alt: Manage certificates of load balancer rule.
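Review bot: The alt text for |ssl-certificate-new-lb-rule.png| ("Create load balancer rule with SSL protocol") is missing the trailing period that the other seven new substitutions carry. Minor, but worth aligning while the block is new.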
diff --git a/source/adminguide/networking/virtual_private_cloud_config.rst
b/source/adminguide/networking/virtual_private_cloud_config.rst
index bf3ec5b3..219f4ea7 100644
--- a/source/adminguide/networking/virtual_private_cloud_config.rst
+++ b/source/adminguide/networking/virtual_private_cloud_config.rst
@@ -1123,6 +1123,12 @@ Creating an External LB Rule
algorithm for the stickiness policy. See Sticky Session Policies
for Load Balancer Rules.
+ - **Protocol**: The protocol for the Load Balancer Rule such as tcp, udp,
tcp-proxy or ssl.
+
+ - **SSL Certificate**: The SSL certificate assigned to the Load Balancer
Rule.
+ This is visible only when protocol is ssl. see `"Configuring SSL
Certificate for Load Balancer
+ Rules"
<external_firewalls_and_load_balancers.html#configuring-ssl-certificate-for-load-balancer-rules>`_.
+
- **Add Instances**: Click Add Instances, then select two or more
Instances that will
divide the load of incoming traffic, and click Apply.
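Review bot: The **SSL Certificate** bullet here links to the new section through a hard-coded HTML path and anchor (external_firewalls_and_load_balancers.html#configuring-ssl-certificate-for-load-balancer-rules), while the same bullet in external_firewalls_and_load_balancers.rst uses :ref:`conf-ssl-cert`. The hard-coded link breaks silently if the heading is reworded or the output is not HTML. Since the commit defines the conf-ssl-cert label, use :ref:`conf-ssl-cert` here too, and capitalize "see" at the start of the sentence.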