Browse Source

SSL implementation for horizon

- Updated Docker file for gorizon, which remove list of ports to listen.
- Add certificates
- Update service definition by extra nginx container and all necessary
  files.

Change-Id: If0be618c4fd584941e21bba44e62cb9b96cc1647
changes/92/428192/6
Sergey Kraynev 2 years ago
parent
commit
ea004df7ea

+ 1
- 0
docker/horizon/Dockerfile.j2 View File

@@ -5,6 +5,7 @@ RUN apt-get update \
&& apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
apache2 \
libapache2-mod-wsgi \
&& echo > /etc/apache2/ports.conf \
&& ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load

{{ copy_sources("openstack/horizon", "/horizon") }}

+ 1
- 0
service/files/ca-cert.pem.j2 View File

@@ -0,0 +1 @@
{{ security.tls.ca_cert }}

+ 1
- 1
service/files/local_settings.j2 View File

@@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
#OPENSTACK_SSL_NO_VERIFY = True

# The CA certificate to use to verify SSL connections
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'

# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone.

+ 8
- 0
service/files/openstack-dashboard.conf.j2 View File

@@ -1,6 +1,14 @@
{% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}

{% if security.tls.enabled %}
Listen 127.0.0.1:{{ horizon.port.cont }}

<VirtualHost 127.0.0.1:{{ horizon.port.cont }}>
{% else %}
Listen {{ horizon.port.cont }}

<VirtualHost *:{{ horizon.port.cont }}>
{% endif %}
WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}

+ 1
- 0
service/files/server-cert.pem.j2 View File

@@ -0,0 +1 @@
{{ security.tls.server_cert }}

+ 1
- 0
service/files/server-key.pem.j2 View File

@@ -0,0 +1 @@
{{ security.tls.server_key }}

+ 18
- 0
service/files/servers.conf.j2 View File

@@ -0,0 +1,18 @@
server {
listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }};
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_ciphers {{ nginx.ciphers }};
ssl_prefer_server_ciphers on;
ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;

location / {
proxy_pass http://horizon;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

+ 3
- 0
service/files/upstreams.conf.j2 View File

@@ -0,0 +1,3 @@
upstream horizon {
server 127.0.0.1:{{ horizon.port.cont }};
}

+ 35
- 0
service/horizon.yaml View File

@@ -26,7 +26,21 @@ service:
files:
- horizon-local-settings
- openstack-dashboard-conf
# {% if security.tls.enabled %}
- ca_cert
# {% endif %}
command: daemon.sh
# {% if security.tls.enabled %}
- name: nginx
image: nginx
daemon:
files:
- servers
- upstreams
- server-cert
- server-key
command: nginx
# {% endif %}

files:
horizon-local-settings:
@@ -35,3 +49,24 @@ files:
openstack-dashboard-conf:
path: /etc/apache2/conf-enabled/openstack-dashboard.conf
content: openstack-dashboard.conf.j2
# {% if security.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: servers.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
ca_cert:
path: /opt/ccp/etc/tls/ca.pem
content: ca-cert.pem.j2
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}

Loading…
Cancel
Save