Configure the dashboard for HTTPS You can configure the dashboard for a secured HTTPS deployment. While the standard installation uses a non-encrypted HTTP channel, you can enable SSL support for the dashboard. This example uses the http://openstack.example.com domain. Use a domain that fits your current setup. In the local_settings file(on Fedora/RHEL/ CentOS: /etc/openstack-dashboard/local_settings, on Ubuntu and Debian: /etc/openstack-dashboard/local_settings.py, and on openSUSE: /srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py), update the following options: USE_SSL = True CSRF_COOKIE_SECURE = True SESSION_COOKIE_SECURE = True SESSION_COOKIE_HTTPONLY = True To enable HTTPS, the USE_SSL = True option is required. The other options require that HTTPS is enabled; these options defend against cross-site scripting. Edit the openstack-dashboard.conf file as shown in : Before WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10 Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/ <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi> # For Apache http server 2.2 and earlier: Order allow,deny Allow from all # For Apache http server 2.4 and later: # Require all granted </Directory> After <VirtualHost *:80> ServerName openstack.example.com <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} </IfModule> <IfModule !mod_rewrite.c> RedirectPermanent / https://openstack.example.com </IfModule> </VirtualHost> <VirtualHost *:443> ServerName openstack.example.com SSLEngine On # Remember to replace certificates and keys with valid paths in your environment SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown # HTTP Strict Transport Security (HSTS) enforces that all communications # with a server go over SSL. This mitigates the threat from attacks such # as SSL-Strip which replaces links on the wire, stripping away https prefixes # and potentially allowing an attacker to view confidential information on the # wire Header add Strict-Transport-Security "max-age=15768000" WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10 Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/ <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi> # For Apache http server 2.2 and earlier: Order allow,deny Allow from all # For Apache http server 2.4 and later: # Require all granted </Directory> </VirtualHost> In this configuration, the Apache HTTP server listens on port 443 and redirects all non-secure requests to the HTTPS protocol. The secured section defines the private key, public key, and certificate to use. Restart the Apache HTTP server. For Debian, Ubuntu, or SUSE distributions: # service apache2 restart For Fedora, RHEL, or CentOS distributions: # service httpd restart Restart memcached: # service memcached restart If you try to access the dashboard through HTTP, the browser redirects you to the HTTPS page. Configuring the dashboard for HTTPS also requires enabling SSL for the noVNC proxy service. On the controller node, add the following additional options to the [DEFAULT] section of the /etc/nova/nova.conf file: [DEFAULT] ... ssl_only = true cert = /etc/apache2/SSL/openstack.example.com.crt key = /etc/apache2/SSL/openstack.example.com.key On the compute nodes, ensure the nonvncproxy_base_url option points to a URL with an HTTPS scheme: [DEFAULT] ... novncproxy_base_url = https://controller:6080/vnc_auto.html