Hi,

Yes, I know I can use a proxy or LB to SSL offload, but I need to do end-to-end with TLS. That is why I need to terminate TLS on the ACS server.
Thanks for your suggestion anyway.

Regards,

On Tue, 18 Sep 2018 at 1:36 PM, Skale Franz <franz.sk...@citycom-austria.com> wrote:

> Why not use nginx as a reverse proxy?
> To start with, check my example config (replace ip, hostname and of course
> generate a dhparam file and use a valid certificate).
> Will produce an A+ on ssllabs test and downwards compatible to old
> browsers!
>
> server {
>     listen 10.1.1.1:80;
>     server_name cloudstack.example.com;
>     ## redirect http to https ##
>     rewrite ^ https://$server_name/client/ permanent;
> }
>
> server {
>     listen 10.1.1.1:443;
>     server_name cloudstack.example.com;
>
>     rewrite ^/$ https://cloudstack.example.com/client/ permanent;
>
>     ### ssl config - customize as per your cert files ###
>     ssl on;
>     ssl_certificate /etc/ssl/certs/cloudstack.example.com.pem;
>     ssl_certificate_key /etc/ssl/private/cloudstack.example.com.key;
>     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
>     ssl_prefer_server_ciphers on;
>     ssl_dhparam /etc/ssl/certs/dhparam.pem;
>     keepalive_timeout 70;
>     ssl_session_cache shared:SSL:10m;
>     ssl_session_timeout 10m;
>
>     ## Reverse Proxy
>     location / {
>         add_header Front-End-Https on;
>         add_header Cache-Control "public, must-revalidate";
>         add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
>         add_header X-Frame-Options "DENY";
>         proxy_pass http://127.0.0.1:8080;
>         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     }
> }
>
> Best regards
> Franz Skale
>
> Data Center Services
>
> Citycom Telekommunikation GmbH
> Gadollaplatz 1
> 8010 Graz | Austria
>
> T: +43(316)887-6264
> M: +43(664)88275444
> E: franz.sk...@citycom-austria.com
> www.citycom-austria.com
>
> FN 165640p, Regional Court Graz as Commercial Register Court
> VAT ID No.: ATU 61241999
>
> ________________________________________
> From: Netlynker <netlyn...@gmail.com>
> Sent: Tuesday, 18 September 2018 05:57
> To: users@cloudstack.apache.org
> Subject: How to configure TLS on ACS 4.11.1 Web UI
>
> Hi,
> The document for 4.11.1 is not updated and it is still referring to tomcat
> ssl config.
>
> Where can I find information to configure TLS/SSL on ACS 4.11.1 Web UI?
>
> Thanks in advance,
> Netlynker
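
The end-to-end point raised in this thread, as an added example that is not part of the original messages: a small Python audit of an nginx config that reports where TLS stops on the way to the backend. The sample config is constructed (trimmed from the one quoted above), and the function names and finding codes are this example's own.

```python
import re

# Constructed sample: trimmed from the reverse-proxy config quoted in this thread.
SAMPLE_CONF = """
server {
    listen 10.1.1.1:443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def directives(conf, name):
    """Argument lists of every `name arg ...;` directive (comment lines never match)."""
    pattern = re.compile(r"^[ \t]*" + re.escape(name) + r"[ \t]+([^;{}]+);", re.M)
    return [m.group(1).split() for m in pattern.finditer(conf)]


def audit(conf):
    """Return (code, detail) findings about where TLS ends on the way to the backend."""
    findings = []
    terminates_tls = ["on"] in directives(conf, "ssl") or any(
        "ssl" in args[1:] for args in directives(conf, "listen"))
    legacy = [p for args in directives(conf, "ssl_protocols")
              for p in args if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append(("legacy-protocols", " ".join(legacy)))
    verified = ["on"] in directives(conf, "proxy_ssl_verify")
    for args in directives(conf, "proxy_pass"):
        url = args[0]
        if url.startswith("http://") and terminates_tls:
            # TLS stops at the proxy; the hop to the backend is cleartext HTTP.
            findings.append(("plaintext-upstream", url))
        elif url.startswith("https://") and not verified:
            # Re-encrypted, but nginx does not check the backend certificate by default.
            findings.append(("unverified-upstream", url))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONF):
        print(code, detail)
```
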