diff --git a/source/_static/images/ssl-certificate-account.png b/source/_static/images/ssl-certificate-account.png new file mode 100644 index 0000000000..78e2dc018f Binary files /dev/null and b/source/_static/images/ssl-certificate-account.png differ diff --git a/source/_static/images/ssl-certificate-list.png b/source/_static/images/ssl-certificate-list.png new file mode 100644 index 0000000000..5aa3fe74c1 Binary files /dev/null and b/source/_static/images/ssl-certificate-list.png differ diff --git a/source/_static/images/ssl-certificate-new-lb-rule-select.png b/source/_static/images/ssl-certificate-new-lb-rule-select.png new file mode 100644 index 0000000000..682a96172c Binary files /dev/null and b/source/_static/images/ssl-certificate-new-lb-rule-select.png differ diff --git a/source/_static/images/ssl-certificate-new-lb-rule.png b/source/_static/images/ssl-certificate-new-lb-rule.png new file mode 100644 index 0000000000..7dd5043744 Binary files /dev/null and b/source/_static/images/ssl-certificate-new-lb-rule.png differ diff --git a/source/_static/images/ssl-certificate-project.png b/source/_static/images/ssl-certificate-project.png new file mode 100644 index 0000000000..ff97b318ac Binary files /dev/null and b/source/_static/images/ssl-certificate-project.png differ diff --git a/source/_static/images/ssl-certificate-update-lb-rule-protocol.png b/source/_static/images/ssl-certificate-update-lb-rule-protocol.png new file mode 100644 index 0000000000..e6637e57c9 Binary files /dev/null and b/source/_static/images/ssl-certificate-update-lb-rule-protocol.png differ diff --git a/source/_static/images/ssl-certificate-update-lb-rule-ssl-cert.png b/source/_static/images/ssl-certificate-update-lb-rule-ssl-cert.png new file mode 100644 index 0000000000..183c89ee8a Binary files /dev/null and b/source/_static/images/ssl-certificate-update-lb-rule-ssl-cert.png differ 
diff --git a/source/_static/images/ssl-certificate-upload.png b/source/_static/images/ssl-certificate-upload.png new file mode 100644 index 0000000000..52eef23423 Binary files /dev/null and b/source/_static/images/ssl-certificate-upload.png differ diff --git a/source/adminguide/networking/external_firewalls_and_load_balancers.rst b/source/adminguide/networking/external_firewalls_and_load_balancers.rst index eae69281b8..a753886c6c 100644 --- a/source/adminguide/networking/external_firewalls_and_load_balancers.rst +++ b/source/adminguide/networking/external_firewalls_and_load_balancers.rst @@ -291,6 +291,11 @@ Adding a Load Balancer Rule algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules. + - **Protocol**: The protocol for the Load Balancer Rule such as tcp, udp, tcp-proxy or ssl. + + - **SSL Certificate**: The SSL certificate assigned to the Load Balancer Rule. + This is visible only when protocol is ssl. See :ref:`conf-ssl-cert`. + - **AutoScale**: Click Configure and complete the AutoScale configuration as explained in :ref:`conf-autoscale`. 
@@ -470,6 +475,70 @@ For details on how to set a health check policy using the UI, see :ref:`adding-lb-rule`. +.. _conf-ssl-cert: + +Configuring SSL Certificate for Load Balancer Rules +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SSL Offloading allows load balancers to handle encryption and decryption of +HTTP(s) traffic giving plain text HTTP to the back end servers freeing them +from the resource intensive task of handling encryption and decryption. +SSL Offloading supports CloudStack Virtual Router since Apache CloudStack 4.22.0. + +- Upload SSL certificates + +SSL certificate is required for SSL offloading feature. As the first step, users +need to upload SSL certificates for the accounts or projects. + +|ssl-certificate-account.png| + +Click "Upload SSL Certificate" button, input the following fields in the dialog, click "Submit" + + * Name: the name of the SSL certificate. This is required. + * Certificate: the SSL certificate. This is required. + * Private Key: the private key of the SSL certificate. This is required. + * Certificate chain: the ROOT CA and intermediate certificate(s) of the SSL certificate. Please input if exist, otherwise the SSL certificate might not work. + * Password: the password of the private key. Currently it is unsupported when use CloudStack Virtual Router for SSL offloading. + * Revocation check: Whether enables revocation checking for certificates. Please do not check if self-signed SSL certificate. + +|ssl-certificate-upload.png| + +Users can view or remove the SSL certificates on the same page. + +|ssl-certificate-list.png| + +For projects, go to the project page and click "Certificates" tab + +|ssl-certificate-project.png| + +- Create Load balancer rule with SSL Certificate + +SSL certificate can be configured only when the protocol of load balancer rule is ssl. 
+ +|ssl-certificate-new-lb-rule.png| + +Click "SSL certificate" button, select a SSL certificate, click "OK" + +|ssl-certificate-new-lb-rule-select.png| + +- Assign SSL certificate to existing Load balancer rule + +If the load balancer rule has been created without SSL certificate, update protocol to SSL if it is not + +|ssl-certificate-update-lb-rule-protocol.png| + +Click "Manage" button under the "SSL certificate" field, select a SSL certificate, +click "Replace" or "Assign" button to assign a new SSL certificate. + +|ssl-certificate-update-lb-rule-ssl-cert.png| + +User can remove the SSL certificate from load balancer rule by clicking "Remove" button. + +.. note:: + Since SSL offloading increases CPU utilization on the load balancer, + please allocate more resources to the Virtual Router when expecting high traffic. + + .. _conf-autoscale: Configuring AutoScale 
@@ -735,3 +804,19 @@ Runtime Considerations :alt: Configuring AutoScale. .. |EnableDisable.png| image:: /_static/images/enable-disable-autoscale.png :alt: button to enable or disable AutoScale. +.. |ssl-certificate-account.png| image:: /_static/images/ssl-certificate-account.png + :alt: Manage certificates for account. +.. |ssl-certificate-upload.png| image:: /_static/images/ssl-certificate-upload.png + :alt: Upload SSL certificate for account. +.. |ssl-certificate-list.png| image:: /_static/images/ssl-certificate-list.png + :alt: List of certificates for account. +.. |ssl-certificate-project.png| image:: /_static/images/ssl-certificate-project.png + :alt: Manage certificates for project. +.. |ssl-certificate-new-lb-rule.png| image:: /_static/images/ssl-certificate-new-lb-rule.png + :alt: Create load balancer rule with SSL protocol +.. |ssl-certificate-new-lb-rule-select.png| image:: /_static/images/ssl-certificate-new-lb-rule-select.png + :alt: Select SSL certificate for new load balancer rule. +.. |ssl-certificate-update-lb-rule-protocol.png| image:: /_static/images/ssl-certificate-update-lb-rule-protocol.png + :alt: Update protocol of load balancer rule to SSL. +.. |ssl-certificate-update-lb-rule-ssl-cert.png| image:: /_static/images/ssl-certificate-update-lb-rule-ssl-cert.png + :alt: Manage certificates of load balancer rule. diff --git a/source/adminguide/networking/virtual_private_cloud_config.rst b/source/adminguide/networking/virtual_private_cloud_config.rst index bf3ec5b375..219f4ea7f4 100644 --- a/source/adminguide/networking/virtual_private_cloud_config.rst +++ b/source/adminguide/networking/virtual_private_cloud_config.rst 
@@ -1123,6 +1123,12 @@ Creating an External LB Rule algorithm for the stickiness policy. See Sticky Session Policies for Load Balancer Rules. + - **Protocol**: The protocol for the Load Balancer Rule such as tcp, udp, tcp-proxy or ssl. + + - **SSL Certificate**: The SSL certificate assigned to the Load Balancer Rule. + This is visible only when protocol is ssl. see `"Configuring SSL Certificate for Load Balancer + Rules" `_. + - **Add Instances**: Click Add Instances, then select two or more Instances that will divide the load of incoming traffic, and click Apply.
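Review bot: In the "Adding a Load Balancer Rule" hunk of external_firewalls_and_load_balancers.rst (@@ -291), the new **Protocol** bullet lists tcp, udp, tcp-proxy and ssl as plain words and does not say that ssl is the offloading mode described under conf-ssl-cert. Suggest marking the values as literals (``tcp``, ``udp``, ``tcp-proxy``, ``ssl``) and adding a clause that ssl makes the load balancer handle encryption and decryption, so the reader understands why the **SSL Certificate** field appears only for that protocol.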
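Review bot: In the new conf-ssl-cert section of external_firewalls_and_load_balancers.rst (@@ -470), the "Password" bullet says the private key password is unsupported with the CloudStack Virtual Router but does not tell the user what to do instead. State explicitly whether the key has to be uploaded without a passphrase and what happens if a password is entered anyway, since that decides how the key must be prepared and stored before upload. The intro says offloading ends up "giving plain text HTTP to the back end servers"; it is worth one sentence making the consequence explicit, namely that traffic between the Virtual Router and the Instances is unencrypted. The "Revocation check" bullet should say what is checked and why it must stay off for self-signed certificates rather than only "Please do not check". On wording, "SSL Offloading supports CloudStack Virtual Router since Apache CloudStack 4.22.0" reads backwards (suggest "The CloudStack Virtual Router supports SSL offloading since Apache CloudStack 4.22.0"), and "update protocol to SSL if it is not" is an unfinished sentence. On structure, the three step titles ("- Upload SSL certificates" and the two after it) are single-item bullet lists whose body paragraphs sit at column 0, so the body is not part of the list item; either indent the bodies under the bullets or turn the titles into sub-headings.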
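Review bot: In the substitution-definition hunk of external_firewalls_and_load_balancers.rst (@@ -735), the :alt: text for ssl-certificate-new-lb-rule.png ("Create load balancer rule with SSL protocol") is missing the trailing period that the other seven new :alt: lines have. Suggest adding it for consistency with the surrounding definitions.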
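Review bot: In the "Creating an External LB Rule" hunk of virtual_private_cloud_config.rst (@@ -1123), the **SSL Certificate** bullet links with a backquoted external-link form that, as shown here, has no target between the title and the closing `_, while the same bullet in external_firewalls_and_load_balancers.rst uses :ref:`conf-ssl-cert`. Since this patch defines the conf-ssl-cert label and :ref: resolves across files, suggest using :ref:`conf-ssl-cert` here as well, which also survives a rename or move of the target page. The sentence should start with a capital: "See", not "see".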