SSL implementation for horizon
- Updated Dockerfile for horizon, which removes the list of ports to listen on. - Add certificates. - Update service definition with an extra nginx container and all necessary files. Change-Id: If0be618c4fd584941e21bba44e62cb9b96cc1647
parent
a284222df4
commit
c211c106a3
@ -5,6 +5,7 @@ RUN apt-get update \
|
||||||
&& apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
|
&& apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
|
||||||
apache2 \
|
apache2 \
|
||||||
libapache2-mod-wsgi \
|
libapache2-mod-wsgi \
|
||||||
|
&& echo > /etc/apache2/ports.conf \
|
||||||
&& ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load
|
&& ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load
|
||||||
|
|
||||||
{{ copy_sources("openstack/horizon", "/horizon") }}
|
{{ copy_sources("openstack/horizon", "/horizon") }}
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
{{ security.tls.ca_cert }}
|
|
@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
|
||||||
#OPENSTACK_SSL_NO_VERIFY = True
|
#OPENSTACK_SSL_NO_VERIFY = True
|
||||||
|
|
||||||
# The CA certificate to use to verify SSL connections
|
# The CA certificate to use to verify SSL connections
|
||||||
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
|
OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'
|
||||||
|
|
||||||
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
|
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
|
||||||
# capabilities of the auth backend for Keystone.
|
# capabilities of the auth backend for Keystone.
|
||||||
|
|
|
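Review bot: `OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'` is set unconditionally, while the `ca_cert` file that provides that path is only added to the horizon container under `# {% if security.tls.enabled %}` in the service definition, so with TLS disabled Horizon points at a file that is never written. The Keystone endpoint would presumably be plain HTTP in that case so it may not fail outright, but it is a latent misconfiguration that will surface the first time someone enables verification on a non-TLS deployment. If this file is rendered through Jinja like the other templates in this commit, guard the setting: `{% if security.tls.enabled %}` / `OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'` / `{% endif %}`. Leaving `#OPENSTACK_SSL_NO_VERIFY = True` commented out is correct, since it keeps verification against that CA enforced.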
@ -1,6 +1,14 @@
|
||||||
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
|
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
|
||||||
|
|
||||||
|
{% if security.tls.enabled %}
|
||||||
|
Listen 127.0.0.1:{{ horizon.port.cont }}
|
||||||
|
|
||||||
|
<VirtualHost 127.0.0.1:{{ horizon.port.cont }}>
|
||||||
|
{% else %}
|
||||||
|
Listen {{ horizon.port.cont }}
|
||||||
|
|
||||||
<VirtualHost *:{{ horizon.port.cont }}>
|
<VirtualHost *:{{ horizon.port.cont }}>
|
||||||
|
{% endif %}
|
||||||
WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
|
WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
|
||||||
WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
|
WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
|
||||||
WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}
|
WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}
|
||||||
|
|
|
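Review bot: In the TLS branch Apache binds only to `127.0.0.1:{{ horizon.port.cont }}` while the nginx sidecar reaches it through `upstream horizon { server 127.0.0.1:{{ horizon.port.cont }}; }`, so the design relies on the horizon and nginx containers sharing a network namespace, and that assumption is not written down anywhere in the template. A comment at the top of the branch would make it explicit: `# TLS is terminated by the nginx sidecar; Apache stays loopback-only so plaintext is never reachable outside the shared pod network namespace`. The same port number is reused by nginx on the private address, which is conflict-free only while the two listeners stay on different interfaces, and that is worth stating in the same comment. Nothing in this template tells Django to treat the forwarded request as HTTPS; that belongs in local_settings next to the `X-Forwarded-Proto` header nginx sends.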
@ -0,0 +1 @@
|
||||||
|
{{ security.tls.server_cert }}
|
|
@ -0,0 +1 @@
|
||||||
|
{{ security.tls.server_key }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
server {
|
||||||
|
listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }};
|
||||||
|
ssl on;
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_ciphers {{ security.tls.ciphers }};
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_certificate /etc/nginx/ssl/certs/server-cert.pem;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/private/server-key.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://horizon;
|
||||||
|
proxy_set_header Host $host:$server_port;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
}
|
|
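Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1 on the new listener; both are deprecated and allow downgrade from 1.2, so restrict the line to `ssl_protocols TLSv1.2;` (or source it from `security.tls` the way `ssl_ciphers` already does). `ssl on;` is the legacy form; prefer `listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }} ssl;` and drop the separate directive. The block forwards `X-Forwarded-Proto $scheme`, but nothing visible in this commit tells Django to trust it, so Horizon will still see plain-HTTP requests and issue session and CSRF cookies without the Secure flag; local_settings should add `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`, `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True`. Adding `add_header Strict-Transport-Security "max-age=31536000" always;` in the server block would also keep browsers from falling back to plaintext.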
@ -0,0 +1,3 @@
|
||||||
|
upstream horizon {
|
||||||
|
server 127.0.0.1:{{ horizon.port.cont }};
|
||||||
|
}
|
|
@ -26,7 +26,21 @@ service:
|
||||||
files:
|
files:
|
||||||
- horizon-local-settings
|
- horizon-local-settings
|
||||||
- openstack-dashboard-conf
|
- openstack-dashboard-conf
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
- ca_cert
|
||||||
|
# {% endif %}
|
||||||
command: daemon.sh
|
command: daemon.sh
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
- name: nginx
|
||||||
|
image: nginx
|
||||||
|
daemon:
|
||||||
|
files:
|
||||||
|
- servers
|
||||||
|
- upstreams
|
||||||
|
- server-cert
|
||||||
|
- server-key
|
||||||
|
command: nginx
|
||||||
|
# {% endif %}
|
||||||
|
|
||||||
files:
|
files:
|
||||||
horizon-local-settings:
|
horizon-local-settings:
|
||||||
|
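Review bot: `image: nginx` carries no tag or digest, so every deploy pulls whatever `latest` is on the public registry at that moment; pin it (`image: nginx:<version>` or a digest) so the TLS terminator sitting in front of the dashboard is reproducible and reviewable. `command: nginx` on its own makes the binary daemonize and the foreground process exit, unless the ccp runtime wraps the command; if it does not, use `command: nginx -g 'daemon off;'`. The `ca_cert` entry is only listed under `# {% if security.tls.enabled %}`, so any reference to `/opt/ccp/etc/tls/ca.pem` elsewhere in the horizon configuration needs the same guard.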
@ -35,3 +49,24 @@ files:
|
||||||
openstack-dashboard-conf:
|
openstack-dashboard-conf:
|
||||||
path: /etc/apache2/conf-enabled/openstack-dashboard.conf
|
path: /etc/apache2/conf-enabled/openstack-dashboard.conf
|
||||||
content: openstack-dashboard.conf.j2
|
content: openstack-dashboard.conf.j2
|
||||||
|
# {% if security.tls.enabled %}
|
||||||
|
servers:
|
||||||
|
path: /etc/nginx/conf.d/servers.conf
|
||||||
|
content: servers.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
upstreams:
|
||||||
|
path: /etc/nginx/conf.d/upstreams.conf
|
||||||
|
content: upstreams.conf.j2
|
||||||
|
perm: "0400"
|
||||||
|
ca_cert:
|
||||||
|
path: /opt/ccp/etc/tls/ca.pem
|
||||||
|
content: ca-cert.pem.j2
|
||||||
|
server-cert:
|
||||||
|
path: /etc/nginx/ssl/certs/server-cert.pem
|
||||||
|
content: server-cert.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
server-key:
|
||||||
|
path: /etc/nginx/ssl/private/server-key.pem
|
||||||
|
content: server-key.pem.j2
|
||||||
|
perm: "0400"
|
||||||
|
# {% endif %}
|
||||||
|
|
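Review bot: `ca_cert` is the only new file without an explicit `perm`, yet it is read by the WSGI processes running as `user=horizon` per `WSGIDaemonProcess` in the Apache conf, so whatever the default mode is must leave it readable by that user; make it explicit with `perm: "0444"` under `ca_cert`. `0400` on `server-key` is right, but `server-cert`, `servers` and `upstreams` are not secret and `0444` would be the conventional mode; `0400` only works for them if the nginx master reads its config and certificate as root, which the service definition does not state. A one-line comment on `server-key` would document the intent: `# private key: owner-read only; presumably read by the nginx master as root`.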