work in progress: ssl configuration for Tendrl [blocked]

[mbukatov]

Implementing #30

[dahorak]

I think, there should be FQDN, instead of IP address.

[mbukatov]

Good point, let's discuss it here: Tendrl/api#302

[mbukatov]

@dahorak here it is

[dahorak]

Is there any reason not to use just <VirtualHost *:443> (or <VirtualHost _default_:443>) - simply do not specify any IP address?

From my point of view, it make sense to serve Tendrl related pages on all available IPs/interfaces on the Tendrl server and if somebody want's to restrict it, he or she should know why and how to do it... But default could be with _default_ (or *) and it might avoid some unexpected issues with Tendrl server connected into multiple networks or with access from localhost...

If it make sense, it might be worth to change also the default in the tendrl-api package (https://github.com/Tendrl/api/blob/master/config/apache.vhost-ssl.sample#L8).

[mbukatov]

@brainfunked @anivargi see previous comment from @dahorak

[brainfunked]

@dahorak your solution is correct. Ideally, we should use the default vhost for ssl. However, that requires the vhost in the ssl configuration file shipped with the package to be modified. In the long run, this would involve tracking changes to the file in every rpm update.

The idea behind the sample configuration files is that they could be dropped into an existing apache setup without having to modify any of the default configuration files shipped in various packages.

[mbukatov]

@dahorak I rechecked your suggestion and when I modify the tendrl-ssl.conf file as you suggested (using * instead of ip address for VirtualHosts):

<VirtualHost *:443>
  # Adjust the ServerName directive to reflect the FQDN for your host. Add
  # additional ServerAlias directives if required.
  ServerName mbukatov-usm1-server.usmqe.lab.eng.brq.redhat.com

The appache starts serving me testing page instead of tendrl web ui ... so I don't think that is a good idea.

[dahorak]

@mbukatov yep, I understand it from the previous comment. To be able to use this approach, we should modify the default config file shipped with mod_ssl package... which is not good idea.
So there is remaining question, how to deal with situation, when Tendrl server is connected to more than one network?

[r0h4n]

Are you still working on this ?

[mbukatov]

@r0h4n I'm not working on this right now, and I don't plan to work on this during the time our team is focused on dowsntream work. When I have time on the upstream work again, I will need to test multiple possible configurations to test which one makes sense, rebase this pull request and restart the upstream review.

[mbukatov]

Status update: this is not part of short term work plan (next 2 milestones) right now.