Configure the dashboard for HTTPS
You can configure the dashboard for a secured HTTPS
deployment. While the standard installation uses a
non-encrypted HTTP channel, you can enable SSL support for the
dashboard.
This example uses the
http://openstack.example.com
domain. Use a domain that fits your current setup.
In the local_settings file(on Fedora/RHEL/
CentOS: /etc/openstack-dashboard/local_settings,
on Ubuntu and Debian: /etc/openstack-dashboard/local_settings.py,
and on openSUSE: /srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py),
update the following options:
USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
To enable HTTPS, the USE_SSL = True
option is required.
The other options require that HTTPS is enabled;
these options defend against cross-site
scripting.
Edit the openstack-dashboard.conf
file as shown in :
Before
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
</Directory>
After
<VirtualHost *:80>
ServerName openstack.example.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
<IfModule !mod_rewrite.c>
RedirectPermanent / https://openstack.example.com
</IfModule>
</VirtualHost>
<VirtualHost *:443>
ServerName openstack.example.com
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-Transport-Security "max-age=15768000"
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
</Directory>
</VirtualHost>
In this configuration, the Apache HTTP server
listens on port 443 and redirects all non-secure
requests to the HTTPS protocol. The secured section
defines the private key, public key, and certificate
to use.
Restart the Apache HTTP server.
For Debian, Ubuntu, or SUSE distributions:
# service apache2 restart
For Fedora, RHEL, or CentOS distributions:
# service httpd restart
Restart memcached:
# service memcached restart
If you try to access the dashboard through HTTP, the
browser redirects you to the HTTPS page.
Configuring the dashboard for HTTPS also requires enabling SSL
for the noVNC proxy service.
On the controller node, add the following additional options to the
[DEFAULT]
section of the
/etc/nova/nova.conf
file:
[DEFAULT]
...
ssl_only = true
cert = /etc/apache2/SSL/openstack.example.com.crt
key = /etc/apache2/SSL/openstack.example.com.key
On the compute nodes, ensure the nonvncproxy_base_url
option points to a URL with an HTTPS scheme:
[DEFAULT]
...
novncproxy_base_url = https://controller:6080/vnc_auto.html