bea76dc740
Added required options to enable SSL for noVNC proxy service when configuring the dashboard for HTTPS. Change-Id: I8b2cafe1186c569d7c9b1f0f152fb8a9daf5d597 Closes-Bug: 1481972
133 lines
5.8 KiB
XML
133 lines
5.8 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="dashboard-config-https">
|
|
<title>Configure the dashboard for HTTPS</title>
|
|
<para>You can configure the dashboard for a secured HTTPS
|
|
deployment. While the standard installation uses a
|
|
non-encrypted HTTP channel, you can enable SSL support for the
|
|
dashboard.</para>
|
|
<procedure>
|
|
<para>This example uses the
|
|
<literal>http://openstack.example.com</literal>
|
|
domain. Use a domain that fits your current setup.</para>
|
|
<step>
|
|
<para>In the
|
|
<filename>/etc/openstack-dashboard/local_settings.py</filename>
|
|
file, update the following options:</para>
|
|
<programlisting language="python">USE_SSL = True
|
|
CSRF_COOKIE_SECURE = True
|
|
SESSION_COOKIE_SECURE = True
|
|
SESSION_COOKIE_HTTPONLY = True</programlisting>
|
|
<para>To enable HTTPS, the <code>USE_SSL = True</code>
|
|
option is required.</para>
|
|
<para>The other options require that HTTPS is enabled;
|
|
these options defend against cross-site
|
|
scripting.</para>
|
|
</step>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/apache2/conf.d/openstack-dashboard.conf</filename>
|
|
file as shown in <xref linkend="after-example"
|
|
/>:</para>
|
|
<example>
|
|
<title>Before</title>
|
|
<programlisting><?db-font-size 65%?>WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
|
|
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
|
|
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
|
|
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
|
|
# For Apache http server 2.2 and earlier:
|
|
Order allow,deny
|
|
Allow from all
|
|
|
|
# For Apache http server 2.4 and later:
|
|
# Require all granted
|
|
</Directory></programlisting>
|
|
</example>
|
|
<example xml:id="after-example">
|
|
<title>After</title>
|
|
<programlisting><?db-font-size 65%?><VirtualHost *:80>
|
|
ServerName openstack.example.com
|
|
<IfModule mod_rewrite.c>
|
|
RewriteEngine On
|
|
RewriteCond %{HTTPS} off
|
|
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
|
|
</IfModule>
|
|
<IfModule !mod_rewrite.c>
|
|
RedirectPermanent / https://openstack.example.com
|
|
</IfModule>
|
|
</VirtualHost>
|
|
<VirtualHost *:443>
|
|
ServerName openstack.example.com
|
|
|
|
SSLEngine On
|
|
# Remember to replace certificates and keys with valid paths in your environment
|
|
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
|
|
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
|
|
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
|
|
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
|
|
|
|
# HTTP Strict Transport Security (HSTS) enforces that all communications
|
|
# with a server go over SSL. This mitigates the threat from attacks such
|
|
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
|
|
# and potentially allowing an attacker to view confidential information on the
|
|
# wire
|
|
Header add Strict-Transport-Security "max-age=15768000"
|
|
|
|
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
|
|
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
|
|
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
|
|
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
|
|
# For Apache http server 2.2 and earlier:
|
|
Order allow,deny
|
|
Allow from all
|
|
|
|
# For Apache http server 2.4 and later:
|
|
# Require all granted
|
|
</Directory>
|
|
</VirtualHost></programlisting>
|
|
</example>
|
|
<para>In this configuration, the Apache HTTP server
|
|
listens on port 443 and redirects all non-secure
|
|
requests to the HTTPS protocol. The secured section
|
|
defines the private key, public key, and certificate
|
|
to use.</para>
|
|
</step>
|
|
<step>
|
|
<para>Restart the Apache HTTP server.</para>
|
|
<para>For Debian, Ubuntu, or SUSE distributions:</para>
|
|
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput></screen>
|
|
<para>For Fedora, RHEL, or CentOS distributions:</para>
|
|
<screen><prompt>#</prompt> <userinput>service httpd restart</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Restart <systemitem class="service"
|
|
>memcached</systemitem>:</para>
|
|
<screen><prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
|
|
<para>If you try to access the dashboard through HTTP, the
|
|
browser redirects you to the HTTPS page.</para>
|
|
</step>
|
|
</procedure>
|
|
<note>
|
|
<para>Configuring the dashboard for HTTPS also requires enabling SSL
|
|
for the noVNC proxy service.
|
|
On the controller node, add the following additional options to the
|
|
<filename>[DEFAULT]</filename>
|
|
section of the
|
|
<filename>/etc/nova/nova.conf</filename>
|
|
file:
|
|
<programlisting language="python">[DEFAULT]
|
|
...
|
|
ssl_only = true
|
|
cert = /etc/apache2/SSL/openstack.example.com.crt
|
|
key = /etc/apache2/SSL/openstack.example.com.key</programlisting></para>
|
|
<para>On the compute nodes, ensure the <code>nonvncproxy_base_url</code>
|
|
option points to a URL with an HTTPS scheme:</para>
|
|
<programlisting language="python">[DEFAULT]
|
|
...
|
|
novncproxy_base_url = https://controller:6080/vnc_auto.html</programlisting>
|
|
</note>
|
|
</section>
|