====== 31 Enabling SSL for OpenNebula ======
===== OpenNebula =====
In sunstone-server.conf (normally /etc/one/sunstone-server.conf), take Sunstone off 0.0.0.0:80 and bind it to loopback on its default port, so that only the Nginx reverse proxy on the same host can reach the plain-HTTP listener:
:host: 0.0.0.0
:port: 80
↓
:host: 127.0.0.1
:port: 9869
Then turn on WSS for the noVNC proxy and point it at the Let's Encrypt certificate and key. The proxy runs as oneadmin, so those files must be readable by that user (see the Let's Encrypt section below for the error you get otherwise):
:vnc_proxy_port: 29876
:vnc_proxy_support_wss: no
:vnc_proxy_cert:
:vnc_proxy_key:
:vnc_proxy_ipv6: false
:vnc_request_password: false
↓
:vnc_proxy_port: 29876
:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem
:vnc_proxy_key: /etc/letsencrypt/live/hoge.hogehoge.com/privkey.pem
:vnc_proxy_ipv6: false
:vnc_request_password: false
===== Nginx =====
Nginx terminates TLS on 443 and forwards to the two loopback upstreams. Compared with the stock example, the deprecated "ssl on;" directive is replaced by "listen 443 ssl;", TLS 1.0/1.1 are dropped, the HTTP redirect points at the port actually served, and the /websockify location carries the Upgrade/Connection headers without which the noVNC WebSocket handshake is not passed through the proxy. The server block is closed at the end.
#### OpenNebula Sunstone upstream
upstream sunstone {
server 127.0.0.1:9869;
}
upstream websocketproxy {
server 127.0.0.1:29876;
}
#### cloudserver.org HTTP virtual host
server {
listen 80;
server_name hoge.hogehoge.com;
root /usr/share/nginx/html;
### Permanent redirect to HTTPS (optional)
#return 301 https://$server_name$request_uri;
}
#### cloudserver.org HTTPS virtual host
server {
listen 443 ssl;
server_name hoge.hogehoge.com;
### SSL Parameters
ssl_session_timeout 24h;
ssl_certificate /etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hoge.hogehoge.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
client_max_body_size 10G;
### Proxy requests to upstream
location / {
proxy_pass http://sunstone;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
### noVNC WebSocket: Upgrade/Connection are hop-by-hop headers, so they must be re-added here
location /websockify {
proxy_pass http://websocketproxy;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
===== With Let's Encrypt =====
certbot creates /etc/letsencrypt/live and /etc/letsencrypt/archive as 0700 root-only directories and the key as 0600. The noVNC proxy (websockify) runs as oneadmin and only checks whether the certificate path exists; because it cannot traverse those directories, the check fails and the log reports the file as "not found" even though it is there:
xxx.xx.xxx.xxx: SSL connection but '/etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem' not found
The quick fix is to open up the directories and the key (certbot stores the real files under archive/; live/ only holds symlinks):
# chmod 755 /etc/letsencrypt/live /etc/letsencrypt/archive
# chmod 644 /etc/letsencrypt/archive/hoge.hogehoge.com/privkey*
Note that chmod 644 makes the private key readable by every local user on the host. A tighter variant that achieves the same result for the proxy is to give the key files and the directories above them the oneadmin group with modes 640 and 750, so that oneadmin can read the key and nobody else can.
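The group-based alternative described above, as an added example written for this page (it is not from the original page, OpenNebula or certbot). It assumes the proxy runs as a user whose group is passed as GROUP (oneadmin on a real host) and that ROOT mirrors the /etc/letsencrypt layout, with live/ symlinks pointing into archive/. The demo at the bottom builds a constructed copy of that layout in a temporary directory and uses the current user's group as a stand-in for oneadmin, so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenNebula/certbot.
# Gives the service user's group read access to the Let's Encrypt key
# instead of making the key world-readable with chmod 644.
# Assumptions: GROUP is the group of the user running the noVNC proxy
# (oneadmin on a real host); ROOT mirrors /etc/letsencrypt.
set -eu

# harden_le_tree ROOT GROUP DOMAIN
# live/, archive/ and the per-domain subdirectories become traversable by
# GROUP only (750); the key files under archive/ become owner+group
# readable (640). "other" gets no access at all.
harden_le_tree() {
  root=$1; group=$2; domain=$3
  for d in "$root/live" "$root/archive" "$root/live/$domain" "$root/archive/$domain"; do
    chgrp "$group" "$d"
    chmod 750 "$d"
  done
  for k in "$root/archive/$domain"/privkey*.pem; do
    chgrp "$group" "$k"
    chmod 640 "$k"
  done
}

# Read-bit checks taken from the ls(1) mode string, following symlinks (-L)
# so live/<domain>/privkey.pem is judged by the archive file it points at.
# Column 5 of "-rw-r-----" is group-read, column 8 is other-read.
group_readable() { [ "$(ls -ldL "$1" | cut -c5)" = r ]; }
world_readable() { [ "$(ls -ldL "$1" | cut -c8)" = r ]; }

# check_key_access KEY_PATH
# Returns 0 only when the key is readable by its group and not by "other":
# readable enough for the proxy, not public. Prints a one-line verdict.
check_key_access() {
  key=$1
  if world_readable "$key"; then
    echo "WARN: $key is world-readable"; return 1
  fi
  if ! group_readable "$key"; then
    echo "FAIL: $key is not readable by its group"; return 1
  fi
  echo "OK: $key readable by owner and group only"
}

# demo_tree
# Builds a constructed copy of certbot's default layout in a temp dir:
# 0700 directories, a 0600 placeholder key (not a real key), and the
# live/ symlink. Prints the temp dir path.
demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/archive/hoge.hogehoge.com" "$t/live/hoge.hogehoge.com"
  printf 'constructed placeholder, not a real key\n' \
    > "$t/archive/hoge.hogehoge.com/privkey1.pem"
  ln -s ../../archive/hoge.hogehoge.com/privkey1.pem \
    "$t/live/hoge.hogehoge.com/privkey.pem"
  chmod 700 "$t/live" "$t/archive"
  chmod 600 "$t/archive/hoge.hogehoge.com/privkey1.pem"
  printf '%s\n' "$t"
}

# On a real host (as root): harden_le_tree /etc/letsencrypt oneadmin hoge.hogehoge.com
# Stand-alone demo on the constructed tree, using the caller's own group:
T=$(demo_tree)
harden_le_tree "$T" "$(id -gn)" hoge.hogehoge.com
check_key_access "$T/live/hoge.hogehoge.com/privkey.pem"
rm -rf "$T"
```

check_key_access is also a useful post-renewal check: run it against live/<domain>/privkey.pem after certbot has written a new privkeyN.pem to confirm the new file kept the group-readable mode.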
==== Bonus: Let's Encrypt renewal ====
The certbot-auto wrapper is no longer distributed, so use the certbot package. Leave --force-renew out of a scheduled job: it renews on every run regardless of expiry, which counts against Let's Encrypt's rate limits and restarts Sunstone each time. --deploy-hook runs only when a certificate was actually issued, which is exactly when Nginx and the noVNC proxy need to pick up the new files:
certbot renew --deploy-hook "service nginx reload; service opennebula-sunstone restart"
Each renewal writes a new privkeyN.pem under archive/, so check that file's mode after the first renewal: the permission fix above only covered the files that existed at the time.
{{tag>kvm opennebula}}