Cluster wide reverse proxy for OpenStack

A nginx based reverse proxy configuration is installed on each bare metal node. It helps when the OpenStack cluster is made of nodes located on various hosting providers ( such as eNovance, Hetzner, etc. ). Each machine to which the IP for a given web site is routed is able to find the actual virtual machine supporting it. The configuration is pulled from the git repository by the puppet agent running on each node.

nginx configuration repository

The reverse proxy configuration project is created and associated with a git repository. It can be checked out read-only with

git clone

from each bare metal machine within the OpenStack cluster hosting the virtual machine. Editing the configuration files is done on the virtual machine itself, in a read/write clone of the repository located in the /root directory:

git clone /srv/repos/git/proxy.git

The author of the commit should use the same email address as the user registered in so that the commit is associated to the redmine user.

git commit --author='Loic Dachary <>' -a -m 'proxy pass configuration for horizon'

proxy pass for horizon

When following the Debian GNU/Linux puppet HOWTO horizon is installed on a bare metal node and uses the default http port. It is moved to port 8080

diff --git a/apache2/ports.conf b/apache2/ports.conf
index 0693a44..9a73ab1 100644
--- a/apache2/ports.conf
+++ b/apache2/ports.conf
@@ -5,8 +5,8 @@
 # Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
 # README.Debian.gz

-NameVirtualHost *:80
-Listen 80
+NameVirtualHost *:8080
+Listen 8080

 <IfModule mod_ssl.c>
     # If you add NameVirtualHost *:443 here, you will also have to change
diff --git a/apache2/sites-available/openstack-dashboard b/apache2/sites-available/openstack-dashboard
index 38aa206..a194386 100644
--- a/apache2/sites-available/openstack-dashboard
+++ b/apache2/sites-available/openstack-dashboard
@@ -1,4 +1,4 @@
-<VirtualHost *:80>
+<VirtualHost *:8080>
     WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
     WSGIDaemonProcess openstack-dashboard user=horizon group=horizon
     WSGIProcessGroup openstack-dashboard

and configured in nginx:

server {
       location / {

multiple entry points

An OpenStack cluster is usually within a single Autonomous System. When a packet is targeted to a Hetzner IP address, it will be routed thru their AS and the entry point of the cluster will be different than if it was routed to an eNovance IP address.
By duplicating the nginx configuration and installation on each bare metal machine of the OpenStack cluster, each incoming packet will be routed to the appropriate virtual machine no matter where it comes from.
The nginx configuration is installed on each bare metal machine with the following puppet snippet.

  package { 'nginx':
    ensure => present,

  file { '/etc/nginx/sites-enabled':
    ensure      => 'directory',
    owner       => root,
    group       => root,
    mode        => '0755',
    before      => Exec['nginx_clone'],

  service { 'nginx':
    ensure      => running,
    enable      => true

  exec { "nginx_clone":
    command => "bash -c 'rm -f /etc/nginx/sites-enabled/default ; git clone git://redmine.the/git/public/proxy.git /etc/nginx/sites-enabled'",
    unless  => "test -d /etc/nginx/sites-enabled/.git",
    notify  => Service['nginx'],
    require => Package['nginx'],

  exec { "nginx_pull":
    command => "bash -c 'cd /etc/nginx/sites-enabled ; git pull'",
    notify  => Service['nginx'],
    require => Exec['nginx_clone'],