Wednesday, January 6, 2010

How to disable SSL in the Eucalyptus web interface in Ubuntu

I recently installed Eucalyptus on Ubuntu 9.04 to do some tests, and the first thing I tried was to disable SSL in the admin interface.

Why would I want to disable SSL and use plain HTTP, you might wonder? The reason is quite simple: from the beginning I found it a bit strange that a system such as the Eucalyptus Cloud Controller, the "heart" of Eucalyptus, was intended to run exposed to the Internet.
Coming from a traditional three-tier architecture mindset, my first thought was that such a system, handling user credentials, business logic and many other "sensitive" topics, would best fit into a backend - secure backend kind of setup.
As it is today the system looks quite tightly coupled, so a "secure backend" with a database, LDAP or similar seems not so easy to achieve without deeper knowledge, but I thought that a frontend - backend approach should be easy to apply.
In any case, the modularity introduced with release 1.6.1, which allows a separate installation for each component, and some comments in the Eucalyptus forums made me think something might happen in that area in the future.

Therefore I went for a frontend - backend approach, where the plan was to set up a frontend layer using Apache, performing the SSL offload (with my own certificates) and acting as a reverse proxy towards the Eucalyptus setup in the backend.
I set up a standard reverse proxy configuration in Apache, taking care of the SSL listening on the standard 443 port, and the only thing left was to remove the SSL layer from Eucalyptus and have it listen for plain HTTP on its standard web GUI port 8443.

In order to do that I just edited a couple of files from the standard Eucalyptus installation:

1.- /etc/eucalyptus/cloud.d/eucalyptus-jetty.xml

In this file I removed the Jetty SSL connector and replaced it with an HTTP connector:

Removed

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSelectChannelConnector">
      <Set name="Port">
        <SystemProperty name="euca.www.port" default="8443"/>
      </Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystoreType">pkcs12</Set>
      <Set name="truststoreType">pkcs12</Set>
      <Set name="keystore"><SystemProperty name="euca.var.dir" default="conf"/>/keys/euca.p12</Set>
      <Set name="truststore"><SystemProperty name="euca.var.dir" default="conf"/>/keys/euca.p12</Set>
      <Set name="password">eucalyptus</Set>
      <Set name="keyPassword">eucalyptus</Set>
      <Set name="trustPassword">eucalyptus</Set>
      <Set name="ThreadPool">
        <New class="org.mortbay.thread.QueuedThreadPool">
          <Set name="minThreads">10</Set>
          <Set name="maxThreads">25</Set>
          <Set name="lowThreads">5</Set>
          <Set name="SpawnOrShrinkAt">2</Set>
        </New>
      </Set>
    </New>
  </Arg>
</Call>

Replaced with:

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.nio.SelectChannelConnector">
      <Set name="Port">
        <SystemProperty name="euca.www.port" default="8443"/>
      </Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="ThreadPool">
        <New class="org.mortbay.thread.QueuedThreadPool">
          <Set name="minThreads">10</Set>
          <Set name="maxThreads">25</Set>
          <Set name="lowThreads">5</Set>
          <Set name="SpawnOrShrinkAt">2</Set>
        </New>
      </Set>
    </New>
  </Arg>
</Call>

2.- /var/lib/eucalyptus/webapps/root.war

I uncompressed this WAR file and extracted the /META-INF/web.xml file, which I then edited to comment out the following section:

<!--
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
-->

Then I repacked the WAR with the updated web.xml and put it back where it belongs.

After those two changes I restarted the cloud controller and voilà! Eucalyptus is now serving the web admin interface over HTTP and the SSL offload is performed in a frontend Apache.
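
A check for the two edits above, as an added example that is not part of the original post: it parses a Jetty config and the web.xml inside a WAR, then reports which connectors serve without TLS and whether the CONFIDENTIAL constraint is still active. The function names and the inline sample files are constructed for illustration; the WAR member path follows the one given in the post.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SSL_CONNECTOR = "org.mortbay.jetty.security.SslSelectChannelConnector"

def jetty_connectors(jetty_xml):
    """Return (class, default_port, is_tls) for each addConnector call."""
    found = []
    for call in ET.fromstring(jetty_xml).iter("Call"):
        new = call.find("./Arg/New") if call.get("name") == "addConnector" else None
        if new is None:
            continue
        prop = new.find("./Set[@name='Port']/SystemProperty")
        # Default only: the euca.www.port system property can override it.
        port = prop.get("default") if prop is not None else None
        found.append((new.get("class"), port, new.get("class") == SSL_CONNECTOR))
    return found

def plaintext_ports(jetty_xml):
    """Default ports of connectors that serve without TLS."""
    return [port for _cls, port, is_tls in jetty_connectors(jetty_xml) if not is_tls]

def war_requires_tls(war_bytes, member="META-INF/web.xml"):  # path as in the post
    """True if web.xml in the WAR still demands a CONFIDENTIAL transport."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        root = ET.fromstring(war.read(member))
    # Compare local names so a namespaced web.xml also matches; a constraint
    # that was commented out is absent from the parsed tree.
    return any(el.tag.rsplit("}", 1)[-1] == "transport-guarantee"
               and (el.text or "").strip() == "CONFIDENTIAL" for el in root.iter())

def build_war(web_xml, member="META-INF/web.xml"):
    """Build an in-memory WAR holding only web.xml (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(member, web_xml)
    return buf.getvalue()

# Constructed samples mirroring the edited files (not real Eucalyptus files).
SAMPLE_JETTY = """<Configure><Call name="addConnector"><Arg>
<New class="org.mortbay.jetty.nio.SelectChannelConnector">
<Set name="Port"><SystemProperty name="euca.www.port" default="8443"/></Set>
</New></Arg></Call></Configure>"""
SAMPLE_WEB_XML = """<web-app><security-constraint>
<!-- <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint> -->
</security-constraint></web-app>"""

if __name__ == "__main__":
    print(plaintext_ports(SAMPLE_JETTY), war_requires_tls(build_war(SAMPLE_WEB_XML)))
```

Any port this reports as plaintext now carries the admin login in the clear, so only the Apache frontend should be able to reach it.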

Then I configured Eucalyptus (first time admin login) with the frontend DNS name as "cloud IP". Although the text in the form only talks about your cloud controller's IP, I wrote the DNS name and didn't have any problem, so I guess it works just fine.

Since the credentials seem to have some dependency on this last parameter I find a DNS name much more convenient than the IP itself.

Anyway, I've just started testing it, and although the web part works I might run into issues later on; time will tell.
