Thx Wie and Nux for your replies. I solved the problem and achieved ssl offloading.
Here is what we did:

1. (optional) Add a new internal IP range as a public IP range to your zone and activate it for SystemVM usage only! We did this because, with the offloading, the console proxy and SSVM do not need public IPs. Or did we miss something?
2. Edit global setting consoleproxy.url.domain and add the FQDN. Edit global setting secstorage.ssl.cert.domain and add the FQDN. Edit global setting secstorage.encrypt.copy to true (so created download links will use https instead of http).
3. Destroy consoleproxy and SSVM so both will be recreated with new IPs and new settings. If you do not perform step 1 you do not need to recreate the consoleproxy; only the SSVM needs to be recreated so the new global settings will work.
4. Create FQDNs in your DNS service and point them to IPs outside of CS which will be used by your load balancer.
5. Configure your load balancer and add certificates for the FQDNs. Activate SSL offloading, so the traffic from the load balancer to consoleproxy and SSVM is not being encrypted. This is no security risk from my point of view, because we are talking about internal traffic when you did step 1!

To configure the load balancer was kind of difficult, because the documentation is not really good or I was unable to find the needed info.

lb-ip1:443 (add certificate) -> consoleproxy:80
lb-ip1:8080 (add certificate) -> consoleproxy:8080
lb-ip2:443 (add certificate) -> ssvm:80

The benefit of this is that you do not need to add any certificate to CS itself and you can control everything related to it via your load balancer, even if you are using only one target (consoleproxy and ssvm).

Of course you can also do the same with the UI, which would look like this:

lb-ip3:80 -> redirect to https
lb-ip3:443 (add certificate) -> managementserver:8080

I would like to add more information to the documentation and explain this setup. The docu is already talking about "Set up SSL certificate for specific FQDN and configure load-balancer".
I would add more information to this point and add SSL offloading to it. What do you think?
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

cu Swen

-----Original Message-----
From: Nux <n...@li.nux.ro>
Sent: Tuesday, 3 January 2023 14:44
To: users@cloudstack.apache.org
Cc: m...@swen.io
Subject: Re: console proxy ssl offloading

See if you can get any inspiration from this guy: https://leo.leung.xyz/wiki/CloudStack#Traefik (that's just the proxying subsection, but best read the whole SSL thing).

---
Nux
www.nux.ro

On 2023-01-02 21:16, m...@swen.io wrote:
> Hello everyone,
>
> first of all a happy new year to all of you! :-)
>
> I am doing some kind of PoC and want to use a load balancer in front of the console proxy and the secondary storage vm to offload ssl connections. I do not get it to work.
>
> I am using a load balancer on a public IP where "console.domain.tld" (of course I am using a working tld!) is referring to via DNS record. I configured the domain in CS via consoleproxy.url.domain.
>
> A working certificate is installed on the load balancer and offloading is active. This means the lb is taking care of port 443 and the encryption and forwarding the traffic to port 80 on the console proxy public IP not encrypted.
>
> I do get the page of the console proxy, but on this page the noVNC is not loading and the connection failed to the console itself.
>
> Is my setup even possible? Thx for any idea and help!
>
> Cu Swen
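The port mappings Swen lists (lb-ip1:443 and :8080 to the console proxy, lb-ip2:443 to the SSVM, lb-ip3:80/443 to the management server) written out as an HAProxy configuration. This is an added example, not part of the mail thread and not configuration shipped by the CloudStack project. It assumes HAProxy is the load balancer in use; the 203.0.113.x frontend addresses, the 10.10.20.x system VM and management server addresses, the FQDNs and the certificate file paths are all placeholders to replace with your own.

```haproxy
# Added example (not from the original mail): HAProxy form of the mappings
# described in the thread. All addresses, FQDNs and certificate paths are
# placeholders. The 10.10.20.x targets stand for the internal "public" range
# from step 1, so the unencrypted hop never leaves the internal network.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # noVNC holds a long-lived websocket open; without a tunnel timeout the
    # console session would be cut after "timeout client/server" expires.
    timeout tunnel  1h

# lb-ip1:443 (certificate for the console FQDN) -> consoleproxy:80
frontend console_https
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/console.example.tld.pem
    default_backend consoleproxy_http

# lb-ip1:8080 (same certificate) -> consoleproxy:8080 (noVNC websocket port)
frontend console_ws
    bind 203.0.113.10:8080 ssl crt /etc/haproxy/certs/console.example.tld.pem
    default_backend consoleproxy_ws

backend consoleproxy_http
    server cpvm 10.10.20.5:80 check

backend consoleproxy_ws
    server cpvm 10.10.20.5:8080 check

# lb-ip2:443 (certificate for the secondary storage FQDN) -> ssvm:80
frontend ssvm_https
    bind 203.0.113.11:443 ssl crt /etc/haproxy/certs/secstorage.example.tld.pem
    default_backend ssvm_http

backend ssvm_http
    server ssvm 10.10.20.6:80 check

# lb-ip3:80 -> redirect to https
frontend ui_http
    bind 203.0.113.12:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# lb-ip3:443 (certificate for the UI FQDN) -> managementserver:8080
frontend ui_https
    bind 203.0.113.12:443 ssl crt /etc/haproxy/certs/cloud.example.tld.pem
    default_backend mgmt_http

backend mgmt_http
    server mgmt 10.10.20.2:8080 check
```

Two things worth checking once this is in place: `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a reload, and since the hop behind the load balancer is plain HTTP, the firewall or security group in front of the system VM range should only accept ports 80 and 8080 from the load balancer addresses, which is what keeps the "internal traffic" argument from the thread true.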