From 15bd4920ed5fc766d857b7ccc42c2c525397f401 Mon Sep 17 00:00:00 2001 From: James Gibson Date: Wed, 22 Dec 2021 12:10:54 +0000 Subject: [PATCH] Update notes on how to enable TLS for VNC Add warning to security docs about enabling TLS for VNC on existing deployments, as this can prevent console access to existing virtual machines. Change-Id: Ib9e6a9fc4de2e3013e19f7eb252aacd5ae70d4d4 --- doc/source/user/security/ssl-certificates.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/doc/source/user/security/ssl-certificates.rst b/doc/source/user/security/ssl-certificates.rst index d62224b6cf..4ff69fc080 100644 --- a/doc/source/user/security/ssl-certificates.rst +++ b/doc/source/user/security/ssl-certificates.rst @@ -347,8 +347,14 @@ detail. .. _OpenStack Nova Docs for remote console access: https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security -In OpenStack-Ansible TLS to haproxy is configured in haproxy, TLS to noVNC is -not currently enabled and TLS to Compute nodes is enabled by default. +In OpenStack-Ansible TLS to haproxy is configured in haproxy, TLS from +haproxy to noVNC is not currently enabled and TLS from nVNC to Compute nodes +is enabled by default. + +Changes will not apply to any existing running guests on the compute node, +so this configuration should be done before launching any instances. For +existing deployments it is recommended that you migrate instances off the +compute node before enabling. To help with the transition from unencrypted VNC to VeNCrypt, initially noVNC proxy auth scheme allows for both encrypted and
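Review bot: In the rewritten first paragraph, "TLS from nVNC to Compute nodes" is a typo for "noVNC", the spelling used in the line above it and in the unchanged context below. The new paragraph also ends with "before enabling" and no object. Say what is being enabled (TLS for VNC on that compute node) so the migration advice is unambiguous. The commit message calls this a warning and says existing virtual machines can lose console access, but the added text only says changes "will not apply" to running guests. Consider stating the loss of console access explicitly and putting the paragraph in a `.. warning::` directive so operators of existing deployments do not miss it.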