Once Xen Orchestra is installed, you can configure some parameters in the configuration file. Let's see how to do that.
The configuration file is located at
By default, XO-server runs as 'root'. You can change that by uncommenting these lines and choosing whatever user/group you want:
user = 'nobody'
group = 'nogroup'
Warning! A non-privileged user requires the use of sudo to mount NFS shares. See installation from the sources.
By default, XO-server listens on all addresses (0.0.0.0) and runs on port 80. If you need to, you can change this in the # Basic HTTP section:
hostname = '0.0.0.0'
port = 80
XO-server can also run in HTTPS (you can run HTTP and HTTPS at the same time) - just modify what's needed in the # Basic HTTPS section, this time with the certificates/keys you need and their path:
hostname = '0.0.0.0'
port = 443
certificate = './certificate.pem'
key = './key.pem'
If a chain of certificate authorities is needed, you may bundle them directly in the certificate. Note: the order of the certificates matters: your certificate should come first, followed by the certificate of the authority that issued it, and so on up to the root.
If you want to redirect everything to HTTPS, you can modify the configuration like this:
# If set to true, all HTTP traffic will be redirected to the first HTTPs configuration.
redirectToHttps = true
This should be written just before the mount option, inside the
You shouldn't have to change this. It's the path where xo-web files are served by
[http.mounts]
'/' = '../xo-web/dist/'
If you use certificates signed by an in-house CA for your XenServer hosts, and want to have Xen Orchestra connect to them without rejection, you need to add the --use-openssl-ca option in Node, but also add the CA to your trust store (update-ca-certificates in your XOA).
To enable this option in your XOA, edit the /etc/systemd/system/xo-server.service file and add this:
Don't forget to reload systemd conf and restart
# systemctl daemon-reload
# systemctl restart xo-server.service
The --use-openssl-ca option is ignored by Node if Xen-Orchestra is run with Linux capabilities. Capabilities are commonly used to bind applications to privileged ports (<1024) (i.e. CAP_NET_BIND_SERVICE). Local NAT rules (iptables) or a reverse proxy would be required to use privileged ports and a custom certificate authority.
By default, XO-server will try to contact Redis server on localhost, with the port 6379. But you can define whatever you want:
uri = 'tcp://db:password@hostname:port'
To check if your hosts are up-to-date, we need to access
And to download the patches, we need access to
To do that behind a corporate proxy, just add the httpProxy variable to match your current proxy configuration.
You can add this at the end of your config file:
# HTTP proxy configuration used by xo-server to fetch resources on the Internet.
#
# See: https://github.com/TooTallNate/node-proxy-agent#maps-proxy-protocols-to-httpagent-implementations
httpProxy = 'http://username:password@proxyAddress:port'
On XOA, the log file for XO-server is in /var/log/syslog. It contains all the server information returned and can be a real help when you have trouble.