Score:0

Openstack Glance Configutarion on HTTPS RESTAPI + Nginx Reverse Proxy


I am trying to install OpenStack using SSL certs. I am able to run Keystone (on port 5000), but when I try to connect to the Glance API (port 9292) it fails; it is only accessible with HTTP, not HTTPS. I feel like Keystone works because it has a separate configuration file in "/etc/apache2/site-enabled/keystone.conf", but Glance (and other services) is a different story: you create endpoints via the OpenStack CLI (apache2) and add this configuration to the end of nginx.conf:

stream {
    upstream glance-api {
        server 127.0.0.1:9292;
    }
    server {
        listen <public_ip>:9292 ssl;
        proxy_pass glance-api;
    }
    ssl_certificate "/etc/letsencrypt/live/hoodadcloud.ir/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/hoodadcloud.ir/privkey.pem";
}

When I add this to the configuration, nginx fails to restart. Running "journalctl -xeu nginx.service" I get:

controller nginx[44254]: nginx: [emerg] bind() to <public_ip>:9292 failed (98: Unknown error)
controller nginx[44254]: nginx: [emerg] bind() to <public_ip>:9292 failed (98: Unknown error) 
controller nginx[44254]: nginx: [emerg] bind() to <public_ip>:9292 failed (98: Unknown error) 
controller nginx[44254]: nginx: [emerg] bind() to <public_ip>:9292 failed (98: Unknown error)    
controller nginx[44254]: nginx: [emerg] bind() to <public_ip>:9292 failed (98: Unknown error)  
controller nginx[44254]: nginx: [emerg] still could not bind() 
controller systemd[1]: nginx.service:Control process exited, code=exited, status=1/FAILURE Subject: Unit process exited DefinedBy:systemd

I am 90% sure it's because port 9292 works on HTTP, not on HTTPS. I am using Ubuntu Server 22.04 LTS minimal.

openstack user list works fine (keystone)

openstack image list (glance)

Failed to contact the endpoint at https://hoodadcloud.ir:9292 for discovery. Fallback to using that endpoint as the base url. 
Failed to contact the endpoint at https://hoodadcloud.ir:9292 for discovery. Fallback to using that endpoint as the base url. 
The image service for : exists but does not have any supported versions.

netstat -ntlp

tcp        0      0 0.0.0.0:9292          0.0.0.0:*               LISTEN      292411/python3
diya
The problem is probably that glance is configured to listen on all interfaces and is not only bound to the loopback interface. When you then attempt to configure nginx to listen on your public IP address on that same port number, port 9292 is already in use and can't be used by nginx.
Score:1

Thanks to diya. The problem is that port 9292 (or any other OpenStack service) is listening on all IP addresses (0.0.0.0). The solution is to set

bind_host = 127.0.0.1

in /etc/glance/glance-api.conf. Then the nginx proxy will start without problems and you can resolve the API.

tcp        0      0 127.0.0.1:9292          0.0.0.0:*               LISTEN      292411/python3
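
The check behind this fix, as an added example that is not part of the original thread: it parses `netstat -ntlp` output and reports which listener would make nginx's bind() on a given address and port fail (errno 98 on Linux is EADDRINUSE, "Address already in use"). The sample output is constructed, `203.0.113.10` is a placeholder for `<public_ip>`, and the function names are hypothetical.

```python
import ipaddress

# Constructed netstat -ntlp samples modelled on the thread (the apache2 PID is
# made up); 203.0.113.10 below is a placeholder for <public_ip>.
BEFORE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9292            0.0.0.0:*               LISTEN      292411/python3
tcp6       0      0 :::5000                 :::*                    LISTEN      1180/apache2
"""
# Same host after setting bind_host = 127.0.0.1 in glance-api.conf.
AFTER = BEFORE.replace("0.0.0.0:9292", "127.0.0.1:9292")


def parse_listeners(text):
    """Yield (ip, port, owner) for every LISTEN row of netstat -ntlp output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header rows and non-listening sockets
        host, _, port = f[3].rpartition(":")  # ":::5000" -> ("::", "5000")
        owner = f[6] if len(f) > 6 else "-"
        yield ipaddress.ip_address(host), int(port), owner


def bind_conflicts(text, want_ip, port):
    """Return the listeners that would make bind(want_ip:port) fail."""
    want = ipaddress.ip_address(want_ip)
    hits = []
    for ip, p, owner in parse_listeners(text):
        # Simplification: only same-family sockets are compared; a dual-stack
        # "::" listener that also occupies IPv4 is not modelled here.
        if p != port or ip.version != want.version:
            continue
        # A wildcard listener (0.0.0.0 or ::) holds the port on every local
        # address of its family; an exact address match collides as well.
        if ip.is_unspecified or ip == want:
            hits.append((str(ip), p, owner))
    return hits


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        found = bind_conflicts(sample, "203.0.113.10", 9292)
        print(label, "->", found or "port free on 203.0.113.10:9292")
```
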