openstack-manuals/doc/common/section_dashboard-configure-https.xml
Christian Berendt b2235bf3fb Unified the syntax of the XML root element (common)
Execluded all XML files in the directory doc/common/tables because
they are autogenerated.

The XML root element of Docbook XML files should match the following
format:

<ELEMENT xmlns="http://docbook.org/ns/docbook"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="THE_XML_ID_OF_THE_ELEMENT">

Change-Id: If12091be81ec8b2e6e53bfcb4c3a883a65e24736
2014-07-09 22:23:03 +02:00

120 lines
5.2 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="dashboard-config-https">
<title>Configure the dashboard for HTTPS</title>
<para>You can configure the dashboard for a secured HTTPS
deployment. While the standard installation uses a
non-encrypted HTTP channel, you can enable SSL support for the
dashboard.</para>
<procedure>
<para>This example uses the
<literal>http://openstack.example.com</literal>
domain. Use a domain that fits your current setup.</para>
<step>
<para>In the
<filename>/etc/openstack-dashboard/local_settings.py</filename>
file, update the following options:</para>
<programlisting language="python">USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True</programlisting>
<para>To enable HTTPS, the <code>USE_SSL = True</code>
option is required.</para>
<para>The other options require that HTTPS is enabled;
these options defend against cross-site
scripting.</para>
</step>
<step>
<para>Edit the
<filename>/etc/apache2/ports.conf</filename> file
and add the following line:</para>
<programlisting>NameVirtualHost *:443</programlisting>
</step>
<step>
<para>Edit the
<filename>/etc/apache2/conf.d/openstack-dashboard.conf</filename>
file as shown in <xref linkend="after-example"
/>:</para>
<example>
<title>Before</title>
<programlisting><?db-font-size 65%?>WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
&lt;/Directory&gt;</programlisting>
</example>
<example xml:id="after-example">
<title>After</title>
<programlisting><?db-font-size 65%?>&lt;VirtualHost *:80&gt;
ServerName openstack.example.com
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
&lt;/IfModule&gt;
&lt;IfModule !mod_rewrite.c&gt;
RedirectPermanent / https://openstack.example.com
&lt;/IfModule&gt;
&lt;/VirtualHost&gt;
&lt;VirtualHost *:443&gt;
ServerName openstack.example.com
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
SetEnvIf User-Agent &quot;.*MSIE.*&quot; nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-Transport-Security "max-age=15768000"
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
# For Apache http server 2.2 and earlier:
Order allow,deny
Allow from all
# For Apache http server 2.4 and later:
# Require all granted
&lt;/Directory&gt;
&lt;/VirtualHost&gt;</programlisting>
</example>
<para>In this configuration, the Apache HTTP server
listens on port 443 and redirects all non-secure
requests to the HTTPS protocol. The secured section
defines the private key, public key, and certificate
to use.</para>
</step>
<step>
<para>Restart the Apache HTTP server.</para>
<para>For Debian, Ubuntu, or SUSE distributions:</para>
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput></screen>
<para>For Fedora, RHEL, or CentOS distributions:</para>
<screen><prompt>#</prompt> <userinput>service httpd restart</userinput></screen>
</step>
<step>
<para>Restart <systemitem class="service"
>memcached</systemitem>:</para>
<screen><prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
<para>If you try to access the dashboard through HTTP, the
browser redirects you to the HTTPS page.</para>
</step>
</procedure>
</section>