Ask Your Question
1

[Horizon] unable to view vnc console in <iframe> with SSL

asked 2013-10-22 15:21:52 -0500

Hi,

I have configured horizon dashboard with SSL enabled. Horizon works perfectly, but in "Console" tab there is no content visible. With chrome devel console i see that content is blocked because vnc prefix url in iframe tag is HTTP and not HTTPS.

How can I configure to make it visible without click "Click here to show only console" ?

Thanks.

Salvo.

edit retag flag offensive close merge delete

3 answers

Sort by ยป oldest newest most voted
4

answered 2013-10-23 21:22:09 -0500

dasp gravatar image

updated 2015-08-24 12:17:46 -0500

Add the following in /etc/nova/nova.conf (in the [DEFAULT] block) to enable SSL for VNC proxy (port 6080):

# novnc proxy
ssl_only=true
cert=/etc/nova/ssl/cloud-cert.pem
key=/etc/nova/ssl/cloud-key.pem

Obviously, tune path to cert and key.

Then, change novncproxy_base_url in the same file to start with https://

The novncproxy_base_url is set on compute nodes, while cert/key on the nova-novncproxy host.

Restart nova-novncproxy, that's it!

edit flag offensive delete link more

Comments

It's work! thanks! In addition I have modified /etc/nova.conf in my 3 compute node with https:// schema in novncproxy_base_url. Salvo.

salvorapi gravatar imagesalvorapi ( 2013-10-25 02:32:30 -0500 )edit
0

answered 2016-06-21 04:08:45 -0500

sxc731 gravatar image

Thanks for these answers guys, very helpful!

I'd just like to add that if your novncproxy is fronted by HAProxy, you may also need to modify the corresponding haproxy config to make sure the encrypted traffic is passed through to the eventual nova-novncproxy process that handles it. In my case (OpenStack Kilo deployed by Mirantis Fuel 7.0), it was simply a case of replacing option httplog with:

mode tcp
option tcplog

in /etc/haproxy/conf.d/170-nova-novncproxy.cfg on all controllers. Finally bounce HAProxy with: crm resource restart p_haproxy.

(more info on SSL traffic handling with haproxy: https://serversforhackers.com/using-s...)

edit flag offensive delete link more
2

answered 2015-08-13 15:23:15 -0500

yafsn gravatar image

Just to be a little more specific, the ssl_only/cert/key blob needs to be placed within the "[DEFAULT]" block, not necessarily at the bottom of the config. Also, if you have a separate control plane, the nonvncproxy_base_url change is only made on the compute node, ie where the VM is running.

edit flag offensive delete link more

Comments

Thanks for the comment, I updated my answer

dasp gravatar imagedasp ( 2015-08-24 12:18:02 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

4 followers

Stats

Asked: 2013-10-22 15:21:52 -0500

Seen: 4,633 times

Last updated: Jun 21 '16