Nginx Reverse Proxy for OpenStack Horizon
These are notes on deploying nginx as a reverse proxy for the OpenStack Dashboard (Horizon). The setup: I have 2 OpenStack nodes deployed with kolla-ansible, already configured with TLS, but I want to put a load balancer in front of them using nginx. Here is roughly how to do it.
First, in the kolla-ansible configuration, add the following line to /etc/kolla/config/horizon/custom_local_settings:
CSRF_TRUSTED_ORIGINS = ["http://langit.nacita.tld", "https://langit.nacita.tld"]
then redeploy OpenStack:
kolla-ansible -i multinode deploy
Then, on the nginx side, use a virtual host configuration in /etc/nginx/conf.d/vhost.conf that looks roughly like this:
    upstream horizon {
        server 10.11.11.106:443;
        server 10.11.11.105:443;
    }

    map $http_x_forwarded_proto $the_scheme {
        default $http_x_forwarded_proto;
        "" $scheme;
    }

    map $http_x_forwarded_host $the_host {
        default $http_x_forwarded_host;
        "" $host;
    }

    map $http_upgrade $proxy_connection {
        default upgrade;
        "" close;
    }

    # Note: nginx inherits proxy_set_header from this level only into blocks that
    # define no proxy_set_header of their own; "location /" below defines three,
    # so these six lines are not applied to requests handled there.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;
    proxy_set_header X-Forwarded-Host $the_host;
    proxy_set_header X-Forwarded-Proto $the_scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Origin http://$host;

    server {
        server_name langit.nacita.tld;
        #listen [::]:80 default_server;
        server_tokens off;

        location / {
            proxy_pass https://horizon/;
            # The TLS certificates of the Horizon backends are not verified.
            proxy_ssl_verify off;
            #proxy_ssl_verify_depth 2;
            proxy_ssl_session_reuse on;
            #proxy_ssl_server_name on;
            proxy_http_version 1.1;
            #proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/langit.nacita.tld/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/langit.nacita.tld/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = langit.nacita.tld) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 0.0.0.0:80;
        server_name langit.nacita.tld;
        return 404; # managed by Certbot
    }
and, ta-da… it's done. By the way, troubleshooting this took a whole day… hehehe.
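The vhost above proxies to the Horizon backends over TLS with `proxy_ssl_verify off`, so nginx accepts any certificate on that hop. The following is an added example, not part of the original notes, of the same `location /` block with upstream verification enabled; the CA file path and the certificate name are placeholders to be replaced with the values of the actual deployment.

```nginx
# Added example: replacement for the "location /" block of the 443 server above.
# Assumptions (not from the original notes): the CA bundle path and the name
# carried by the backend certificates. Both are placeholders.
location / {
    proxy_pass https://horizon/;
    proxy_http_version 1.1;

    # Verify the certificate each backend presents against a pinned CA bundle.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/PLACEHOLDER-openstack-ca.pem;

    # With an upstream group, the name checked in the certificate defaults to
    # $proxy_host, which here is the upstream name "horizon". Set it explicitly
    # to a name that is present in the backend certificate (CN or SAN).
    proxy_ssl_name PLACEHOLDER.backend.name.example;
    # Send the same name as SNI so the backend can select the matching certificate.
    proxy_ssl_server_name on;
    proxy_ssl_session_reuse on;

    # Same request headers as in the original location block.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

Check the result with `nginx -t` before reloading. If a backend certificate does not chain to the CA file or does not carry the configured name, nginx returns 502 for that backend and records an upstream SSL certificate verification error in its error log.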