Configure the dashboard for HTTPS
You can configure the dashboard for a secured HTTPS
deployment. While the standard installation uses a
non-encrypted HTTP channel, you can enable SSL support for the
dashboard.
This example uses the
http://openstack.example.com
domain. Use a domain that fits your current setup.
In the
/etc/openstack-dashboard/local_settings.py
file, update the following options:
USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
To enable HTTPS, the USE_SSL = True
option is required.
The other options require that HTTPS is enabled;
these options defend against cross-site
scripting.
Edit the
/etc/apache2/ports.conf file
and add the following line:
NameVirtualHost *:443
Edit the
/etc/apache2/conf.d/openstack-dashboard.conf
file as shown in :
Before
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
</Directory>
After
<VirtualHost *:80>
ServerName openstack.example.com
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
<IfModule !mod_rewrite.c>
RedirectPermanent / https://openstack.example.com
</IfModule>
</VirtualHost>
<VirtualHost *:443>
ServerName openstack.example.com
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-Transport-Security "max-age=15768000"
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
</Directory>
</VirtualHost>
In this configuration, the Apache HTTP server
listens on port 443 and redirects all non-secure
requests to the HTTPS protocol. The secured section
defines the private key, public key, and certificate
to use.
Restart the Apache HTTP server.
For Debian, Ubuntu, or SUSE distributions:
# service apache2 restart
For Fedora, RHEL, or CentOS distributions:
# service httpd restart
Restart memcached:
# service memcached restart
If you try to access the dashboard through HTTP, the
browser redirects you to the HTTPS page.