openstack/openstack-manuals
Code Issues Proposed changes
7d5e0dd3ab
openstack-manuals/doc/common/section_dashboard-configure-https.xml
Lana Brindley c7101bbc9c Removed full path from conf file reference 
In the original text, the full path was shown, which was incorrect for some
distros. Patch 231028 gave distro-specific paths, but we do not give
distro-specific information in this guide, and that patch has been reverted.
This patch fixes the original text to remove the full path, and replace it
with the name of the config file only.

Change-Id: I65726323ca15e53dc8d25a4e93627dfc6005cb46
Closes-bug: #1502927
2015-10-06 17:42:47 +10:00

134 lines
6.0 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="dashboard-config-https">
<title>Configure the dashboard for HTTPS</title>
<para>You can configure the dashboard for a secured HTTPS
deployment. While the standard installation uses a
non-encrypted HTTP channel, you can enable SSL support for the
dashboard.</para>
<procedure>
<para>This example uses the
<literal>http://openstack.example.com</literal>
domain. Use a domain that fits your current setup.</para>
<step>
<para>In the <filename>local_settings</filename> file(on Fedora/RHEL/
CentOS: <filename>/etc/openstack-dashboard/local_settings</filename>,
on Ubuntu and Debian: <filename>/etc/openstack-dashboard/local_settings.py</filename>,
and on openSUSE: <filename>/srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename>),
update the following options:</para>
<programlisting language="python">USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True</programlisting>
<para>To enable HTTPS, the <code>USE_SSL = True</code>
option is required.</para>
<para>The other options require that HTTPS is enabled;
these options defend against cross-site
scripting.</para>
</step>
<step>
<para>Edit the <filename>openstack-dashboard.conf</filename>
file as shown in <xref linkend="after-example"/>:
</para>
<example>
<title>Before</title>
<programlisting><?db-font-size 65%?>WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
&lt;/Directory&gt;</programlisting>
</example>
<example xml:id="after-example">
<title>After</title>
<programlisting><?db-font-size 65%?>&lt;VirtualHost *:80&gt;
ServerName openstack.example.com
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
&lt;/IfModule&gt;
&lt;IfModule !mod_rewrite.c&gt;
RedirectPermanent / https://openstack.example.com
&lt;/IfModule&gt;
&lt;/VirtualHost&gt;
&lt;VirtualHost *:443&gt;
ServerName openstack.example.com
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
SetEnvIf User-Agent &quot;.*MSIE.*&quot; nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-Transport-Security "max-age=15768000"
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
&lt;/Directory&gt;
&lt;/VirtualHost&gt;</programlisting>
</example>
<para>In this configuration, the Apache HTTP server
listens on port 443 and redirects all non-secure
requests to the HTTPS protocol. The secured section
defines the private key, public key, and certificate
to use.</para>
</step>
<step>
<para>Restart the Apache HTTP server.</para>
<para>For Debian, Ubuntu, or SUSE distributions:</para>
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput></screen>
<para>For Fedora, RHEL, or CentOS distributions:</para>
<screen><prompt>#</prompt> <userinput>service httpd restart</userinput></screen>
</step>
<step>
<para>Restart <systemitem class="service"
>memcached</systemitem>:</para>
<screen><prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
<para>If you try to access the dashboard through HTTP, the
browser redirects you to the HTTPS page.</para>
</step>
</procedure>
<note>
<para>Configuring the dashboard for HTTPS also requires enabling SSL
for the noVNC proxy service.
On the controller node, add the following additional options to the
<filename>[DEFAULT]</filename>
section of the
<filename>/etc/nova/nova.conf</filename>
file:
<programlisting language="python">[DEFAULT]
...
ssl_only = true
cert = /etc/apache2/SSL/openstack.example.com.crt
key = /etc/apache2/SSL/openstack.example.com.key</programlisting></para>
<para>On the compute nodes, ensure the <code>nonvncproxy_base_url</code>
option points to a URL with an HTTPS scheme:</para>
<programlisting language="python">[DEFAULT]
...
novncproxy_base_url = https://controller:6080/vnc_auto.html</programlisting>
</note>
</section>
View Git Blame Copy Permalink