How to secure console proxy use nginx reverse Self-Signed SSL Certificate ?

[herdiansah571]

I have succesfully install CloudStack 4.18.1.0

I need to secure console proxy use nginx reverse Self-Signed SSL Certificate, anyone here can help me ?

[pcfriek1987]

Did you configure the SSL setting in the Webgui? What does your nginx file looks like (just curious).

[rohityadavcloud]

Here's what you can do:

Let's assume you've a single public IP (usually your WAN), then you can setup port forwarding such as:

WAN port 80 (or 443) -> ACS mgmt server IP port 8080
WAN port 8080 -> CPVM public IP port 8080

Then you can create domain/DNS records such as:

A record for example.com -> WAN IP
A record for console.example.com -> WAN IP

ACS global settings can be tuned as: (restarting mgmt server required)
consoleproxy.sslEnabled -> true
consoleproxy.url.domain -> console.example.com

You can write nginx reverse proxy for the management server API/UI service on port 8080.

Here's example of how you can secure console proxy's port 8080 (here 192.168.1.20 is the CPVM public IP):

  listen 8080  ssl http2;
  location /websockify {
        proxy_pass http://192.168.1.20:8080/websockify;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;
        proxy_buffering off;
        proxy_ignore_client_abort off;
        proxy_read_timeout 86400;
  }

You may adapt/test this as necessary.

Refer:
https://www.mail-archive.com/users@cloudstack.apache.org/msg32064.html

[rohityadavcloud]

Closing as answered, pl re-open if you've further issues. Usually nginx-reverse proxy setup is outside of CloudStack and this is highly environment-specific. Some people using haproxy with letsencrypt too.