Github user vadimkim commented on the pull request:
https://github.com/apache/cloudstack/pull/308#issuecomment-110004148
@rsafonseca
Thank you for explanation. I will try to put my points here:
1. For public cloud HTTPS must be used (this is not an option) and external
SSL offload (proxy) should not brake entire logic.
2. While I have found, that most of the logic works just perfect behind the
proxy there are 2 issues that need to be fixed
* login procedure somewhere uses direct path (not relative) and tried to
call /client/api?command directly. I have fixed it by 1 rewrite rule (see
below). Otherwise login is not possible -- 404 response.
* F5 brakes session if I work over HTTPS proxy. Hope we will fix it
together.
I am using very simple nginx conf. Pure proxy:
```
server {
listen 443 ssl;
server_name kickcloud.net;
ssl_certificate /usr/local/etc/ssl/my.crt;
ssl_certificate_key /usr/local/etc/ssl/my.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/kickckloud.net.log;
location / {
rewrite /client(.*) $1 last;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://x.x.x.x:8080/client/;
proxy_redirect default;
proxy_read_timeout 90;
}
}
```
x.x.x.x -- backend server where Cloudstack runs
public name that you can access and check *cloudStack.js* is here:
https://kickcloud.net/. I have some more redirects from ports 8080 and 80 to
443, but they are not relevant here I assume.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
