SSL implementation for horizon

- Updated Dockerfile for horizon, which removes the list of ports to listen on.
- Add certificates
- Update the service definition with an extra nginx container and all necessary
  files.

Change-Id: If0be618c4fd584941e21bba44e62cb9b96cc1647
Sergey Kraynev 2017-02-02 14:56:24 +00:00
parent a284222df4
commit ea004df7ea
9 changed files with 69 additions and 1 deletions


@ -5,6 +5,7 @@ RUN apt-get update \
&& apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \ && apt-get install --no-install-recommends -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
apache2 \ apache2 \
libapache2-mod-wsgi \ libapache2-mod-wsgi \
&& echo > /etc/apache2/ports.conf \
&& ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load && ln -s ../mods-available/headers.load /etc/apache2/mods-enabled/headers.load
{{ copy_sources("openstack/horizon", "/horizon") }} {{ copy_sources("openstack/horizon", "/horizon") }}

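--- a/ca-cert.pem.j2
+++ b/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}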


@ -190,7 +190,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
#OPENSTACK_SSL_NO_VERIFY = True #OPENSTACK_SSL_NO_VERIFY = True
# The CA certificate to use to verify SSL connections # The CA certificate to use to verify SSL connections
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone. # capabilities of the auth backend for Keystone.
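Review bot: `OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'` is set unconditionally, while the ca_cert file that provides /opt/ccp/etc/tls/ca.pem is only added to the horizon container under `{% if security.tls.enabled %}` in the service definition, so a deployment with TLS disabled points Horizon at a CA file that is never written. Wrapping the assignment in the same conditional, `{% if security.tls.enabled %}` / `OPENSTACK_SSL_CACERT = '/opt/ccp/etc/tls/ca.pem'` / `{% endif %}`, keeps the setting and the file in step. Once nginx terminates TLS in front of Horizon, the same TLS branch is also the place for `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` so session and CSRF cookies are never sent over plain HTTP; the hunk shows only the CACERT line, so they may already be set elsewhere in this file.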

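--- a/openstack-dashboard.conf.j2
+++ b/openstack-dashboard.conf.j2
@@ -1,6 +1,14 @@
 {% set venv_path = '/var/lib/microservices/venv/lib/python2.7/site-packages' %}
+{% if security.tls.enabled %}
+Listen 127.0.0.1:{{ horizon.port.cont }}
+<VirtualHost 127.0.0.1:{{ horizon.port.cont }}>
+{% else %}
+Listen {{ horizon.port.cont }}
 <VirtualHost *:{{ horizon.port.cont }}>
+{% endif %}
 WSGIScriptAlias / {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
 WSGIScriptAlias /horizon {{ venv_path }}/openstack_dashboard/wsgi/django.wsgi
 WSGIDaemonProcess horizon user=horizon group=horizon processes={{ horizon.wsgi.processes }} threads={{ horizon.wsgi.threads }} python-path={{ venv_path }}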
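Review bot: In the `{% if security.tls.enabled %}` branch Apache now only ever receives plain HTTP from the nginx proxy, and nothing in the hunk tells mod_wsgi that the client connection was HTTPS, so Django sees `request.is_secure()` as false and builds redirects and secure-cookie decisions for http. nginx already sends `X-Forwarded-Proto`, so adding `SetEnvIf X-Forwarded-Proto https HTTPS=on` inside that branch lets mod_wsgi report `wsgi.url_scheme` as https; because the header can only arrive via the loopback listener, it is not spoofable from outside. Binding `Listen 127.0.0.1:` in the TLS case is the right choice, as it leaves nginx as the only externally reachable endpoint. The VirtualHost block continues past the end of the hunk, so the setting may already exist further down.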

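--- a/server-cert.pem.j2
+++ b/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}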

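--- a/server-key.pem.j2
+++ b/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}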

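--- a/servers.conf.j2
+++ b/servers.conf.j2
@@ -0,0 +1,18 @@
+server {
+listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }};
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+ssl_ciphers {{ nginx.ciphers }};
+ssl_prefer_server_ciphers on;
+ssl_certificate /opt/ccp/etc/tls/server-cert.pem;
+ssl_certificate_key /opt/ccp/etc/tls/server-key.pem;
+location / {
+proxy_pass http://horizon;
+proxy_set_header Host $host:$server_port;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}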
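Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on the fourth line still offers TLS 1.0 and 1.1, which are deprecated and let a client negotiate below 1.2 even though every current browser supports 1.2; `ssl_protocols TLSv1.2;` is the safer default, and `{{ nginx.ciphers }}` then only needs to cover 1.2 suites. `ssl on;` is the older form; nginx documents the `ssl` parameter on `listen` as the preferred way, i.e. `listen {{ network_topology["private"]["address"] }}:{{ horizon.port.cont }} ssl;` with the `ssl on;` line dropped. Since this server block exists only to serve HTTPS, `add_header Strict-Transport-Security "max-age=31536000" always;` in the same block tells browsers not to fall back to plain HTTP for the host. The `ssl_session_cache` is set but no `ssl_session_timeout`, so the nginx default applies; stating it explicitly makes the session-resumption window reviewable.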

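--- a/upstreams.conf.j2
+++ b/upstreams.conf.j2
@@ -0,0 +1,3 @@
+upstream horizon {
+server 127.0.0.1:{{ horizon.port.cont }};
+}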


@ -26,7 +26,21 @@ service:
files: files:
- horizon-local-settings - horizon-local-settings
- openstack-dashboard-conf - openstack-dashboard-conf
# {% if security.tls.enabled %}
- ca_cert
# {% endif %}
command: daemon.sh command: daemon.sh
# {% if security.tls.enabled %}
- name: nginx
image: nginx
daemon:
files:
- servers
- upstreams
- server-cert
- server-key
command: nginx
# {% endif %}
files: files:
horizon-local-settings: horizon-local-settings:
@ -35,3 +49,24 @@ files:
openstack-dashboard-conf: openstack-dashboard-conf:
path: /etc/apache2/conf-enabled/openstack-dashboard.conf path: /etc/apache2/conf-enabled/openstack-dashboard.conf
content: openstack-dashboard.conf.j2 content: openstack-dashboard.conf.j2
# {% if security.tls.enabled %}
servers:
path: /etc/nginx/conf.d/servers.conf
content: servers.conf.j2
perm: "0400"
upstreams:
path: /etc/nginx/conf.d/upstreams.conf
content: upstreams.conf.j2
perm: "0400"
ca_cert:
path: /opt/ccp/etc/tls/ca.pem
content: ca-cert.pem.j2
server-cert:
path: /opt/ccp/etc/tls/server-cert.pem
content: server-cert.pem.j2
perm: "0400"
server-key:
path: /opt/ccp/etc/tls/server-key.pem
content: server-key.pem.j2
perm: "0400"
# {% endif %}
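Review bot: `command: nginx` for the new nginx container in the first hunk starts nginx in its default daemonizing mode; unless the image's nginx.conf already sets `daemon off;`, the master process forks into the background and the foreground process exits at once, which the daemon wrapper or container runtime will treat as the container having stopped. `command: nginx -g "daemon off;"` keeps it in the foreground. In the second hunk `ca_cert` is the only new file entry without a `perm:`; the CA certificate is public so `"0400"` is not needed, but an explicit value such as `perm: "0444"` documents that and keeps the entry consistent with the four entries around it. The `"0400"` on `server-key` is right for the private key.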