Configuring TLS encryption

MAAS doesn’t support TLS encryption natively. If you are not interested in setting up an HAProxy, you can enable TLS independently in the web server software (e.g. Apache, Nginx) which users access directly. The examples below explain how to create this configuration.

Note that MAAS doesn’t bind to port 80; instead, MAAS binds to port 5240.

nginx example config

server {
 listen 443 ssl;

 server_name _;
 ssl_certificate /etc/nginx/ssl/nginx.crt;
 ssl_certificate_key /etc/nginx/ssl/nginx.key;

 location / {
  proxy_pass http://localhost:5240;
  include /etc/nginx/proxy_params;

 location /MAAS/ws {
  proxy_pass http://localhost:5240/MAAS/ws;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";

apache2 example config

<VirtualHost *:443>
 SSLEngine On

 SSLCertificateFile /etc/apache2/ssl/apache2.crt
 SSLCertificateKeyFile /etc/apache2/ssl/apache2.key

 RewriteEngine On
        RewriteCond %{REQUEST_URI} ^/MAAS/ws [NC]
        RewriteRule /(.*) ws://localhost:5240/MAAS/ws [P,L]

        ProxyPreserveHost On
        ProxyPass / http://localhost:5240/
        ProxyPassReverse / http://localhost:5240/

So to be clear, the docs are suggesting running a separate local proxy to terminate ssl.
That’s fine, but the directions should also include how to stop having the non-SSL version of maas still reachable on the server.

1 Like

Also, your documentation doesn’t spell out that the SSL configuration for NGINX/Apache is specifically to set up a proxy in front of maas. I found it confusing. Most people don’t know that Apache is not used for maas at all. The documentation above doesn’t specify itself as a separate configuration for a proxy so people will get confused about where to put the above-mentioned configuration.

In my case, I just placed the nginx server in the maas rackd-nginx.conf which should work afaik. Problem I’m getting is that, for the UI, if you don’t put the trailing / on the end of https://<hostname>/MAAS then a Method Not Allowed error occurs. That’s what I’m trying to fix right now.

I have setup the proposed SSL configuration via the NGINX reverse proxy. It works fine with regard to the GUI access, but I have the feeling that something is missing to allow the SSL connection from the maas-cli and the rack-controller. Are they supposed to work also with the proposed SSL setup ?

To get this to work with Apache, I had to enable the following Apache mods:

I hope this helps someone, or me later in the future when I forget.