diff --git a/docker/horizon/Dockerfile.j2 b/docker/horizon/Dockerfile.j2
index 4b5dac2..66bc8d3 100644
--- a/docker/horizon/Dockerfile.j2
+++ b/docker/horizon/Dockerfile.j2
@@ -5,6 +5,7 @@ RUN apt-get update \
 && apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
 apache2 \
 libapache2-mod-wsgi \
+ && echo > /etc/apache2/ports.conf \
 && ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load
 {{ copy_sources("openstack/horizon", "/horizon") }}
diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/local_settings.j2 b/service/files/local_settings.j2
index 219307b..8f82570 100644
--- a/service/files/local_settings.j2
+++ b/service/files/local_settings.j2
@@ -149,7 +149,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 #]
 OPENSTACK_HOST = "{{ address('keystone') }}"
-OPENSTACK_KEYSTONE_URL = "{{ address('keystone', keystone.public_port, with_scheme=True) }}/v3"
+OPENSTACK_KEYSTONE_URL = "{{ address('keystone', keystone.public_port, with_scheme=True, tls=True) }}/v3"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 # Enables keystone web single-sign-on if set to True.
@@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 #OPENSTACK_SSL_NO_VERIFY = True
 # The CA certificate to use to verify SSL connections
-#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+OPENSTACK_SSL_CACERT = '/etc/horizon/certs/ca-cert.pem'
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
diff --git a/service/files/openstack-dashboard.conf.j2 b/service/files/openstack-dashboard.conf.j2
index 1f0bb78..7f8b031 100644
--- a/service/files/openstack-dashboard.conf.j2
+++ b/service/files/openstack-dashboard.conf.j2
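Review bot: The added `&& echo > /etc/apache2/ports.conf` blanks Apache's default port file without saying why, so a later maintainer is likely to restore it and reopen a plaintext listener on the network even when openstack-dashboard.conf binds Horizon to loopback under TLS. Put the reason on the line itself, e.g. `# empty ports.conf: the only Listen directive is owned by openstack-dashboard.conf (loopback-only when TLS is enabled)`. Note that after this change Apache listens nowhere at all unless that conf file is rendered, which is presumably the intent. The RUN instruction starts before the hunk (the `RUN apt-get update \` line is only shown as hunk-header context).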
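Review bot: `tls=True` in OPENSTACK_KEYSTONE_URL is unconditional while everything else in this commit is gated on `security.tls.enabled`; unless `address()` itself consults that flag, a deployment with TLS disabled would be pointed at an https Keystone endpoint that is not serving TLS. The same mismatch is in the `@@ -190,7 +190,7 @@` hunk, where `OPENSTACK_SSL_CACERT = '/etc/horizon/certs/ca-cert.pem'` names a file that horizon.yaml only delivers inside `# {% if security.tls.enabled %}`. Consider `tls=security.tls.enabled` for the URL and wrapping the CACERT assignment in the same Jinja conditional, leaving the commented default in the else branch. It is worth a one-line comment that `OPENSTACK_SSL_NO_VERIFY` is deliberately left commented out so the CA bundle is actually enforced rather than bypassed.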
@@ -1,6 +1,14 @@
 {% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
+{% if security.tls.enabled %}
+Listen 127.0.0.1:{{ horizon.port.cont }}
+
+
+{% else %}
+Listen {{ horizon.port.cont }}
+
+{% endif %}
 WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
 WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
 WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/servers.conf.j2 b/service/files/servers.conf.j2
new file mode 100644
index 0000000..acd4f09
--- /dev/null
+++ b/service/files/servers.conf.j2
@@ -0,0 +1,18 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }};
+ ssl on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache shared:SSL:10m;
+ ssl_ciphers {{ security.tls.ciphers }};
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
+
+ location / {
+ proxy_pass http://horizon;
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..90a6ea2
--- /dev/null
+++ b/service/files/upstreams.conf.j2
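Review bot: `Listen 127.0.0.1:{{ horizon.port.cont }}` in the TLS branch only works if the nginx container added in horizon.yaml shares a network namespace with the horizon container (upstreams.conf targets 127.0.0.1 on the same port), and nothing in the diff records that assumption. State it next to the directive, e.g. `# TLS is terminated by the nginx sidecar in the same network namespace; keep the plaintext WSGI listener off the external interface`. The two consecutive empty `+` lines inside the if-branch and the single one in the else-branch look like leftovers from an earlier revision and could be dropped. Apache itself gets no `SSLEngine` here, so whether Django treats these requests as secure depends entirely on what local_settings does with the proxy headers — presumably intentional, but worth saying in the same comment.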
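Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables two protocol versions that are deprecated; unless a known legacy client needs them, reduce it to `ssl_protocols TLSv1.2;` and keep `ssl_prefer_server_ciphers on` as it is. `ssl on;` is the legacy form as well — `listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }} ssl;` expresses the same thing without the separate directive. Separately, nginx forwards `X-Forwarded-Proto`, but nothing in this commit teaches Django to trust it (`SECURE_PROXY_SSL_HEADER`, `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` do not appear in the local_settings hunks), so unless they are set elsewhere in local_settings.j2 the session cookies will not be marked Secure and `request.is_secure()` stays false behind the proxy. A short comment above the `proxy_set_header` lines naming which headers the backend is expected to honour would make that contract explicit.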
@@ -0,0 +1,3 @@
+upstream horizon {
+ server 127.0.0.1:{{ horizon.port.cont }};
+}
diff --git a/service/horizon.yaml b/service/horizon.yaml
index bc26657..4d7b813 100644
--- a/service/horizon.yaml
+++ b/service/horizon.yaml
@@ -26,7 +26,21 @@ service:
 files:
 - horizon-local-settings
 - openstack-dashboard-conf
+ # {% if security.tls.enabled %}
+ - ca_cert_client
+ # {% endif %}
 command: daemon.sh
+ # {% if security.tls.enabled %}
+ - name: nginx
+ image: nginx
+ daemon:
+ files:
+ - servers
+ - upstreams
+ - server-cert
+ - server-key
+ command: nginx
+ # {% endif %}
 files:
 horizon-local-settings:
@@ -35,3 +49,24 @@ files:
 openstack-dashboard-conf:
 path: /etc/apache2/conf-enabled/openstack-dashboard.conf
 content: openstack-dashboard.conf.j2
+ # {% if security.tls.enabled %}
+ ca_cert_client:
+ path: /etc/horizon/certs/ca-cert.pem
+ content: ca-cert.pem.j2
+ servers:
+ path: /etc/nginx/conf.d/servers.conf
+ content: servers.conf.j2
+ perm: "0400"
+ upstreams:
+ path: /etc/nginx/conf.d/upstreams.conf
+ content: upstreams.conf.j2
+ perm: "0400"
+ server-cert:
+ path: /etc/nginx/ssl/certs/server-cert.pem
+ content: server-cert.pem.j2
+ perm: "0400"
+ server-key:
+ path: /etc/nginx/ssl/private/server-key.pem
+ content: server-key.pem.j2
+ perm: "0400"
+ # {% endif %}
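Review bot: In the `@@ -35,3 +49,24 @@` hunk `ca_cert_client` is the only new file entry without a `perm:`, whereas the four nginx entries all set `"0400"`; the CA certificate is public, so if the omission is deliberate say so with `# CA cert is public; default mode so the horizon user can read it`, otherwise make it explicit with `perm: "0444"`. `server-key` at `perm: "0400"` is the right mode, but nothing here states which user will own the rendered file; nginx's master process reads the key before dropping privileges, so the owner has to match the user the `nginx` command starts as — worth confirming and noting on the entry. Both hunks gate content with `# {% if security.tls.enabled %}` Jinja inside YAML comments, which only works because the file is rendered as a template before it is parsed; a one-line remark at the top of horizon.yaml saying so would stop those markers being mistaken for dead comments.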