b2235bf3fb
Execluded all XML files in the directory doc/common/tables because they are autogenerated. The XML root element of Docbook XML files should match the following format: <ELEMENT xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="THE_XML_ID_OF_THE_ELEMENT"> Change-Id: If12091be81ec8b2e6e53bfcb4c3a883a65e24736
120 lines
5.2 KiB
XML
120 lines
5.2 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="dashboard-config-https">
|
|
<title>Configure the dashboard for HTTPS</title>
|
|
<para>You can configure the dashboard for a secured HTTPS
|
|
deployment. While the standard installation uses a
|
|
non-encrypted HTTP channel, you can enable SSL support for the
|
|
dashboard.</para>
|
|
<procedure>
|
|
<para>This example uses the
|
|
<literal>http://openstack.example.com</literal>
|
|
domain. Use a domain that fits your current setup.</para>
|
|
<step>
|
|
<para>In the
|
|
<filename>/etc/openstack-dashboard/local_settings.py</filename>
|
|
file, update the following options:</para>
|
|
<programlisting language="python">USE_SSL = True
|
|
CSRF_COOKIE_SECURE = True
|
|
SESSION_COOKIE_SECURE = True
|
|
SESSION_COOKIE_HTTPONLY = True</programlisting>
|
|
<para>To enable HTTPS, the <code>USE_SSL = True</code>
|
|
option is required.</para>
|
|
<para>The other options require that HTTPS is enabled;
|
|
these options defend against cross-site
|
|
scripting.</para>
|
|
</step>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/apache2/ports.conf</filename> file
|
|
and add the following line:</para>
|
|
<programlisting>NameVirtualHost *:443</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/apache2/conf.d/openstack-dashboard.conf</filename>
|
|
file as shown in <xref linkend="after-example"
|
|
/>:</para>
|
|
<example>
|
|
<title>Before</title>
|
|
<programlisting><?db-font-size 65%?>WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
|
|
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
|
|
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
|
|
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
|
|
# For Apache http server 2.2 and earlier:
|
|
Order allow,deny
|
|
Allow from all
|
|
|
|
# For Apache http server 2.4 and later:
|
|
# Require all granted
|
|
</Directory></programlisting>
|
|
</example>
|
|
<example xml:id="after-example">
|
|
<title>After</title>
|
|
<programlisting><?db-font-size 65%?><VirtualHost *:80>
|
|
ServerName openstack.example.com
|
|
<IfModule mod_rewrite.c>
|
|
RewriteEngine On
|
|
RewriteCond %{HTTPS} off
|
|
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
|
|
</IfModule>
|
|
<IfModule !mod_rewrite.c>
|
|
RedirectPermanent / https://openstack.example.com
|
|
</IfModule>
|
|
</VirtualHost>
|
|
<VirtualHost *:443>
|
|
ServerName openstack.example.com
|
|
|
|
SSLEngine On
|
|
# Remember to replace certificates and keys with valid paths in your environment
|
|
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
|
|
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
|
|
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
|
|
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
|
|
|
|
# HTTP Strict Transport Security (HSTS) enforces that all communications
|
|
# with a server go over SSL. This mitigates the threat from attacks such
|
|
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
|
|
# and potentially allowing an attacker to view confidential information on the
|
|
# wire
|
|
Header add Strict-Transport-Security "max-age=15768000"
|
|
|
|
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
|
|
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
|
|
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
|
|
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
|
|
# For Apache http server 2.2 and earlier:
|
|
Order allow,deny
|
|
Allow from all
|
|
|
|
# For Apache http server 2.4 and later:
|
|
# Require all granted
|
|
</Directory>
|
|
</VirtualHost></programlisting>
|
|
</example>
|
|
<para>In this configuration, the Apache HTTP server
|
|
listens on port 443 and redirects all non-secure
|
|
requests to the HTTPS protocol. The secured section
|
|
defines the private key, public key, and certificate
|
|
to use.</para>
|
|
</step>
|
|
<step>
|
|
<para>Restart the Apache HTTP server.</para>
|
|
<para>For Debian, Ubuntu, or SUSE distributions:</para>
|
|
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput></screen>
|
|
<para>For Fedora, RHEL, or CentOS distributions:</para>
|
|
<screen><prompt>#</prompt> <userinput>service httpd restart</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Restart <systemitem class="service"
|
|
>memcached</systemitem>:</para>
|
|
<screen><prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
|
|
<para>If you try to access the dashboard through HTTP, the
|
|
browser redirects you to the HTTPS page.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|