Configure the dashboard for HTTPS

You can configure the dashboard for a secured HTTPS deployment. While the standard installation uses a non-encrypted HTTP channel, you can enable SSL support for the dashboard.

This example uses the http://openstack.example.com domain. Use a domain that fits your current setup.

In the /etc/openstack-dashboard/local_settings.py file, update the following options:

    USE_SSL = True
    CSRF_COOKIE_SECURE = True
    SESSION_COOKIE_SECURE = True
    SESSION_COOKIE_HTTPONLY = True

To enable HTTPS, the USE_SSL = True option is required. The other options require that HTTPS is enabled; these options defend against cross-site scripting.

Edit the /etc/apache2/conf.d/openstack-dashboard.conf file as shown in the following example:

Before

    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
    Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
        # For Apache http server 2.2 and earlier:
        Order allow,deny
        Allow from all

        # For Apache http server 2.4 and later:
        # Require all granted
    </Directory>

After

    <VirtualHost *:80>
        ServerName openstack.example.com
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTPS} off
            RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        </IfModule>
        <IfModule !mod_rewrite.c>
            RedirectPermanent / https://openstack.example.com
        </IfModule>
    </VirtualHost>

    <VirtualHost *:443>
        ServerName openstack.example.com

        SSLEngine On
        # Remember to replace certificates and keys with valid paths in your environment
        SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
        SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
        SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        # HTTP Strict Transport Security (HSTS) enforces that all communications
        # with a server go over SSL. This mitigates the threat from attacks such
        # as SSL-Strip which replaces links on the wire, stripping away https prefixes
        # and potentially allowing an attacker to view confidential information on the
        # wire
        Header add Strict-Transport-Security "max-age=15768000"

        WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
        WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
        Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
        <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
            # For Apache http server 2.2 and earlier:
            Order allow,deny
            Allow from all

            # For Apache http server 2.4 and later:
            # Require all granted
        </Directory>
    </VirtualHost>

In this configuration, the Apache HTTP server listens on port 443 and redirects all non-secure requests to the HTTPS protocol. The secured section defines the private key, public key, and certificate to use.

Restart the Apache HTTP server.

For Debian, Ubuntu, or SUSE distributions:

    # service apache2 restart

For Fedora, RHEL, or CentOS distributions:

    # service httpd restart

Restart memcached:

    # service memcached restart

If you try to access the dashboard through HTTP, the browser redirects you to the HTTPS page.
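
To confirm that the change took effect, the following added example (not part of the original guide or of the dashboard's code) checks a local_settings.py for the four options above without executing it, then checks response headers for the HSTS header and the cookie flags those options produce. The function names and sample data are constructed for illustration, and the cookie name sessionid assumes Django's default.

```python
import ast
from http.cookies import SimpleCookie

REQUIRED = ("USE_SSL", "CSRF_COOKIE_SECURE",
            "SESSION_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY")

def audit_settings(source):
    """Return required options not set to a literal True (parsed, never executed)."""
    values = {}
    for node in ast.parse(source).body:          # top-level statements only
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):  # a later assignment overrides
                    v = node.value
                    values[target.id] = v.value if isinstance(v, ast.Constant) else None
    return [name for name in REQUIRED if values.get(name) is not True]

def audit_response(headers):
    """Check (name, value) header pairs taken from an HTTPS dashboard response."""
    problems = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        problems.append("no Strict-Transport-Security header")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        for name, morsel in SimpleCookie(v).items():
            if not morsel["secure"]:
                problems.append(name + ": missing Secure")
            # Assumption: Django's default session cookie name, "sessionid".
            if name == "sessionid" and not morsel["httponly"]:
                problems.append(name + ": missing HttpOnly")
    return problems

# Constructed sample: one option commented out, one overridden further down.
SAMPLE_SETTINGS = """\
USE_SSL = True
CSRF_COOKIE_SECURE = True
# SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = False
"""
# Constructed sample: headers as they could look with SESSION_COOKIE_SECURE unset.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=15768000"),
    ("Set-Cookie", "csrftoken=abc123; Path=/; Secure"),
    ("Set-Cookie", "sessionid=def456; HttpOnly; Path=/"),
]

if __name__ == "__main__":
    print(audit_settings(SAMPLE_SETTINGS), audit_response(SAMPLE_HEADERS))
```

Both functions return an empty list when nothing is wrong, so they can gate a deployment check.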