cloudstack-users mailing list archives

From France <mailingli...@isg.si>
Subject Re: ACS 4.3.1 disable realhostip.com or SSL
Date Sat, 20 Sep 2014 19:01:31 GMT
Hi Amogh,

thank you for your suggestions and instructions on disabling. 

We will not run a wildcard DNS resolver on a certain subdomain as required for this option.
Once ACS supports a single domain for console proxy access, we shall enable https once again
with our signed/bought certificate.

In the meantime, we either have to move to http from https, making access to the whole admin interface
insecure, or hack the code to display a link to the console instead of an iframe.
I would rather go for the latter option. Does anyone who is following this know where
the code for that iframe link is?

Thank you.

F.

On 20 Sep 2014, at 20:33, Amogh Vasekar <amogh.vasekar@citrix.com> wrote:

> Hi,
> 
> I believe this is by design for SSL - a user would see an HTTPS site
> thinking everything is secure and encrypted, only to realize later that
> some part is in fact insecure. Hence, instead of trying to circumvent the
> security mechanism, you can try the steps at:
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name#ProceduretoReplacerealhostip.comwithYourOwnDomainName-HowtogeneratemycustomrootCAandcertificate?
> 
> This would help create your own certificate chain. The downside being your
> users would need to add the custom root CA in the browser (a practice
> followed by many companies for internal network), or simply accept the
> security warning the first time they access your domain.
> Please note that this would still need a publicly resolvable domain (or
> add the mappings directly in /etc/hosts if it is more convenient)
> 
> Thanks,
> Amogh
> 
> On 9/20/14 11:22 AM, "France" <mailinglists@isg.si> wrote:
> 
>> It worked for us. Well kind of.
>> 
>> The problem is now, that we have https for default admin interface, while
>> console opens as iframe to http content and browsers such as Firefox will
>> not load content, because it is not on https.
>> They call it: "Mixed Content Blocking Enabled":
>> https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
>> 
>> Do you have any recommendations what to do in order to get around this?
>> 
>> We will not buy a wildcard certificate, because it is too expensive for us.
>> 
>> Regards,
>> F.
>> 
>> On 20 Sep 2014, at 15:21, France <mailinglists@isg.si> wrote:
>> 
>>> I will just empty these two fields in global config:
>>> 
>>> secstorage.ssl.cert.domain
>>> consoleproxy.url.domain
>>> 
>>> restart CS and restart the console proxy..
>>> 
>>> ... and hope for the best. :-)
>>> 
>>> If you do not hear from me on this, then this worked and others can do
>>> it too.
>>> 
>>> Regards,
>>> F.
>>> 
>>> 
>>> On 20 Sep 2014, at 15:16, Aldis Gerhards <aldis@hostnet.lv> wrote:
>>> 
>>>> We got the same problem. It seemed like a bug :) we downgraded back to
>>>> 4.3.0 because of this issue.
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On 2014. gada 20. sept., at 15:39, France <mailinglists@isg.si> wrote:
>>>>> 
>>>>> Hi guys,
>>>>> 
>>>>> how do we disable realhostip.com service with its certificates on ACS
>>>>> 4.3.1, to get consoleproxy working without ties to realhostip.com
>>>>> service?
>>>>> We are happy with HTTP only for now.
>>>>> 
>>>>> Regards,
>>>>> F.
>>> 
>> 
> 
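
Added example (not part of the original thread and not CloudStack code): a small check for the mixed-content situation discussed above, where an HTTPS admin page embeds an `http://` console iframe. The page URL, console URL and HTML are constructed sample values; the active/passive split follows the Firefox 23 mixed content blocker behaviour linked in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content is blocked by the browser when fetched over http:// from an
# https:// page; passive content is still displayed but flagged as insecure.
ACTIVE = {"iframe": "src", "script": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative references against the page.
        target = urljoin(self.page_url, value.strip())
        if urlsplit(target).scheme == "http":
            severity = "blocked" if tag in ACTIVE else "warning"
            self.findings.append((severity, tag, target))


def find_mixed_content(page_url, html):
    """Return insecure sub-resources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # an http:// page has no mixed content by definition
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: HTTPS management UI embedding an HTTP console iframe.
SAMPLE_PAGE = "https://cloud.example.test/client/"
SAMPLE_HTML = """
<script src="//static.example.test/ui.js"></script>
<img src="images/logo.png">
<img src="http://static.example.test/banner.png">
<iframe src="http://192.0.2.10/console?token=PLACEHOLDER"></iframe>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_PAGE, SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```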

