Configuring SSL

MAAS doesn’t support SSL natively and needs to be enabled in web server software independently (e.g. Apache, Nginx) which users access directly.

Note that MAAS doesn’t bind to port 80; instead, MAAS binds to port 5240.

nginx example config

server {
 listen 443 ssl;

 server_name _;
 ssl_certificate /etc/nginx/ssl/nginx.crt;
 ssl_certificate_key /etc/nginx/ssl/nginx.key;

 location / {
  proxy_pass http://localhost:5240;
  include /etc/nginx/proxy_params;
 }

 location /MAAS/ws {
  proxy_pass http://localhost:5240/MAAS/ws;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
 }
}

apache2 example config

<VirtualHost *:443>
 SSLEngine On

 SSLCertificateFile /etc/apache2/ssl/apache2.crt
 SSLCertificateKeyFile /etc/apache2/ssl/apache2.key

 RewriteEngine On
        RewriteCond %{REQUEST_URI} ^/MAAS/ws [NC]
        RewriteRule /(.*) ws://localhost:5240/MAAS/ws [P,L]

        ProxyPreserveHost On
        ProxyPass / http://localhost:5240/
        ProxyPassReverse / http://localhost:5240/
</VirtualHost>

So to be clear, the docs are suggesting running a separate local proxy to terminate ssl.
That’s fine, but the directions should also include how to stop having the non-SSL version of maas still reachable on the server.

Also, your documentation doesn’t spell out that the SSL configuration for NGINX/Apache is specifically to set up a proxy in front of maas. I found it confusing. Most people don’t know that Apache is not used for maas at all. The documentation above doesn’t specify itself as a separate configuration for a proxy so people will get confused about where to put the above-mentioned configuration.

In my case, I just placed the nginx server in the maas rackd-nginx.conf which should work afaik. Problem I’m getting is that, for the UI, if you don’t put the trailing / on the end of https://<hostname>/MAAS then a Method Not Allowed error occurs. That’s what I’m trying to fix right now.