How to enable TLS encryption (snap/3.1/UI)


MAAS doesn’t support TLS encryption natively. If you are not interested in setting up HAProxy, you can enable TLS independently in the web server software (e.g. Apache, Nginx) that users access directly. The examples below show how to create this configuration.

Note that MAAS doesn’t bind to port 80; instead, MAAS binds to port 5240.

nginx example config

server {
    # TLS listener that users connect to
    listen 443 ssl;

    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Forward all requests to MAAS on port 5240
    location / {
        proxy_pass http://localhost:5240;
        include /etc/nginx/proxy_params;
    }

    # Pass WebSocket upgrade requests through to MAAS
    location /MAAS/ws {
        proxy_pass http://localhost:5240/MAAS/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
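
A hardened variant of the nginx server block above, as an added example that is not part of the MAAS documentation: it redirects port 80 to HTTPS, limits the protocol versions to TLS 1.2 and 1.3, and sends an HSTS header. The port 80 redirect and the one-year max-age are assumptions; the certificate paths and the upstream address are the ones used above.

```nginx
# Added example, not from the MAAS documentation.

# Redirect cleartext HTTP to the TLS listener.
# MAAS itself does not bind to port 80, so nginx can use it.
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Accept only TLS 1.2 and TLS 1.3; older protocol versions are refused.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Ask browsers to use HTTPS for later visits (assumed policy: one year).
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Forward all requests to MAAS on port 5240.
    location / {
        proxy_pass http://localhost:5240;
        include /etc/nginx/proxy_params;
    }

    # Pass WebSocket upgrade requests through to MAAS.
    location /MAAS/ws {
        proxy_pass http://localhost:5240/MAAS/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```

The proxy does not change what MAAS itself listens on: it still answers plain HTTP on port 5240, so TLS protects only the clients that connect through port 443.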

apache2 example config

<VirtualHost *:443>
    SSLEngine On

    SSLCertificateFile /etc/apache2/ssl/apache2.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache2.key

    # Proxy WebSocket requests under /MAAS/ws to MAAS
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/MAAS/ws [NC]
    RewriteRule /(.*) ws://localhost:5240/MAAS/ws [P,L]

    # Proxy everything else to MAAS on port 5240
    ProxyPreserveHost On
    ProxyPass / http://localhost:5240/
    ProxyPassReverse / http://localhost:5240/
</VirtualHost>

Please include the name and standard paths for these config files. (Not everyone is using Linux for webservices)
Or just add: You can find the webservice config file by:
ps -ef | grep http
My output:
nginx: master process /snap/maas/17913/usr/sbin/nginx -c /var/snap/maas/17913/http/nginx.conf
There is an include in this:
include /var/snap/maas/current/http/*.nginx.conf;
If I just add that in the rackd.nginx.conf before the standard server entry (with adapted paths for the certificate and proxy_params), the SSL server gives “connection refused” after reload of MAAS.

So there is more needed to it.

Suggestions welcome.