f2c5ffe7b1
In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's Apache SSL settings. In order to keep all Apache SSL settings uniformly configured, we also need to update Horizon's settings and centralize where we define the cipher suite that the server supports and the preferred protocol versions. We also explicitly disable SSLCompression even though we tend to only test against versions of Apache that have this off by default. If someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise have to explicitly turn this off. Preferring security by default, we disable it explicitly to prevent insecure installations anywhere. We also document how users can override specific service SSL settings in the event one service needs to support older clients that require certain protocols or ciphers. For example, it's very plausible that an organization may need to enable RC4 and SSLv3 for Horizon since their users are still using XP and an old version of Internet Explorer. Related-Bug: 1437481 Change-Id: I85843452935710083253847d6e11f85e9d6d2e84
98 lines
2.4 KiB
YAML
98 lines
2.4 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Defines that the role will be deployed on a host machine
|
|
is_metal: true
|
|
|
|
## Verbosity Options
|
|
debug: False
|
|
verbose: True
|
|
|
|
## System info
|
|
horizon_system_user_name: horizon
|
|
horizon_system_group_name: www-data
|
|
horizon_system_shell: /bin/false
|
|
horizon_system_comment: horizon system user
|
|
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"
|
|
|
|
## Service Type and Data
|
|
horizon_service_region: RegionOne
|
|
horizon_service_name: horizon
|
|
|
|
## DB info
|
|
horizon_galera_database: dash
|
|
horizon_galera_user: dash
|
|
|
|
|
|
## Horizon Help URL Path
|
|
horizon_help_url: http://docs.openstack.org
|
|
|
|
## Installation directories
|
|
horizon_lib_dir: /usr/local/lib/python2.7/dist-packages
|
|
|
|
horizon_endpoint_type: internalURL
|
|
|
|
horizon_server_name: "horizon"
|
|
horizon_log_level: info
|
|
horizon_self_signed: true
|
|
horizon_self_signed_regen: false
|
|
horizon_dropdown_max_items: 30
|
|
horizon_time_zone: UTC
|
|
horizon_enforce_password_check: False
|
|
horizon_disable_password_reveal: False
|
|
horizon_enable_password_retrieve: False
|
|
|
|
## Horizon SSL
|
|
### Set the cacert pem if you'd like horizon to verify it.
|
|
# horizon_cacert_pem: /path/to/cacert.pem
|
|
horizon_ssl_cert: /etc/ssl/certs/apache.cert
|
|
horizon_ssl_key: /etc/ssl/private/apache.key
|
|
horizon_ssl_cert_path: /etc/ssl/certs
|
|
horizon_ssl_protocol: "{{ ssl_protocol }}"
|
|
horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
|
|
|
## Launch instance
|
|
horizon_launch_instance_legacy: True
|
|
horizon_launch_instance_ng: False
|
|
|
|
## Swift
|
|
horizon_swift_file_transfer_chunk_size: 524288
|
|
|
|
horizon_webroot: /
|
|
|
|
horizon_listen_ports:
|
|
- "80"
|
|
- "443"
|
|
|
|
horizon_apt_packages:
|
|
- apache2
|
|
- apache2-utils
|
|
- libapache2-mod-wsgi
|
|
- libssl-dev
|
|
- libxslt1.1
|
|
- openssl
|
|
|
|
horizon_pip_packages:
|
|
- django-appconf
|
|
- greenlet
|
|
- horizon
|
|
- keystonemiddleware
|
|
- MySQL-python
|
|
- oslo.config
|
|
- ply
|
|
- pycrypto
|
|
- python-memcached
|
|
- python-keystoneclient
|