
@gilangvperdana
Last active May 18, 2022 09:41
OpenStack Horizon over TLS

Serve the Horizon Dashboard over TLS

Configuration

  • Generate Certificate with OpenSSL
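apt install -y apache2
apt install -y openssl

# Self-signed RSA-2048 certificate, valid for one year, written to the current directory.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout horizon.key -out horizon.crt
# The public certificate can live in the world-readable certs directory.
mv horizon.crt /etc/ssl/certs/
# The private key goes to /etc/ssl/private (root-only) — this is also the path that
# horizon.conf references in SSLCertificateKeyFile, so the two stay consistent.
mv horizon.key /etc/ssl/private/
chmod 600 /etc/ssl/private/horizon.key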
  • Just edit horizon.conf
    • Assume stack.bignetlab.com is the endpoint for the OpenStack cluster node.
nano /etc/apache2/sites-enabled/horizon.conf
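# Plain-HTTP listener that only redirects to the TLS endpoint. This vhost must be on
# :80, not :443: a *:443 vhost without "SSLEngine on" is the first match for that port
# and would answer TLS clients without a handshake, breaking the dashboard entirely.
<VirtualHost *:80>
  Redirect "/" "https://stack.bignetlab.com/"
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/horizon.crt
    # Key is read from the root-only private directory, not from /etc/ssl/certs.
    SSLCertificateKeyFile /etc/ssl/private/horizon.key

    # Horizon WSGI application mounted at /dashboard, run in a daemon process
    # group as the unprivileged "stack" user.
    WSGIScriptAlias /dashboard /opt/stack/horizon/openstack_dashboard/wsgi.py
    WSGIDaemonProcess horizon user=stack group=stack processes=3 threads=10 home=/opt/stack/horizon display-name=%{GROUP}
    WSGIApplicationGroup %{GLOBAL}

    SetEnv APACHE_RUN_USER stack
    SetEnv APACHE_RUN_GROUP stack
    WSGIProcessGroup horizon

    # DocumentRoot points at .blackhole (presumably an empty directory, so nothing is
    # served from the filesystem root); static assets come only via the aliases below.
    DocumentRoot /opt/stack/horizon/.blackhole/
    Alias /dashboard/media /opt/stack/horizon/openstack_dashboard/static
    Alias /dashboard/static /opt/stack/horizon/static

    # Land "/" on the dashboard.
    RedirectMatch "^/$" "/dashboard/"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /opt/stack/horizon/>
        # "Indexes" deliberately omitted: the app does not need directory listings
        # of the Horizon source tree exposed to clients.
        Options FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.4 uses mod_authz_host for access control now (instead of
        #  "Allow")
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/horizon_error.log
    LogLevel warn
    CustomLog /var/log/apache2/horizon_access.log combined
</VirtualHost>

# Socket directory for the mod_wsgi daemon processes; must be writable by Apache.
WSGISocketPrefix /var/run/apache2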
service apache2 restart

Access

Access on https://stack.bignetlab.com

Nginx Conf for Horizon TLS behind Nginx Proxy

  • For example, Horizon is on a VIP with IP 192.168.2.50
  • You can forward to https://localhost
  • Make sure the following lines are commented out in /etc/kolla/horizon/local_settings:
    • #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
    • #CSRF_COOKIE_SECURE = True
    • #SESSION_COOKIE_SECURE = True
    • #OPENSTACK_SSL_CACERT = '/etc/kolla/certificates/ca/root.crt'
  • Make sure OPENSTACK_SSL_NO_VERIFY = True is uncommented
  • Make sure you have generated your Horizon certificate in /etc/kolla/horizon/
nano /etc/nginx/sites-enabled/default
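# Port 80 only redirects. In the original a single server listened on both 80 and
# 443, so the dashboard (and its session cookie) was also reachable in clear.
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/ssl/certs/ssl/horizon-cert.pem;
    ssl_certificate_key /etc/ssl/certs/ssl/horizon-key.pem;

    location / {
        # Horizon VIP reached over HTTPS. nginx does not verify the upstream
        # certificate unless proxy_ssl_verify is enabled (it is off by default),
        # so the proxy-to-VIP leg is encrypted but not authenticated as written.
        proxy_pass https://192.168.2.50;
        proxy_request_buffering  off;
        proxy_http_version       1.1;
        # WebSocket upgrade pass-through.
        proxy_set_header         Upgrade            $http_upgrade;
        proxy_set_header         Connection         "upgrade";
        proxy_set_header         Host               $host;
        proxy_set_header         X-Real-IP          $remote_addr;
        proxy_set_header         X-Forwarded-Host   $host;
        proxy_set_header         X-Forwarded-Server $host;
        # Always "https" here, since this server only has ssl listeners.
        proxy_set_header         X-Forwarded-Proto  $scheme;
        proxy_set_header         X-Forwarded-For    $proxy_add_x_forwarded_for;
    }
}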

NoVNC TLS Nginx Reverse Proxy

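server {
  # All listeners terminate TLS. The original "listen 6080;" had no ssl parameter,
  # so browser-to-proxy console traffic on that port was carried in clear even
  # though the upstream hop was HTTPS.
  listen 6080 ssl;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name console.gbesar.com;
  ssl_certificate /etc/ssl/certs/ssl/horizon-cert.pem;
  ssl_certificate_key /etc/ssl/certs/ssl/horizon-key.pem;

  location / {
    # noVNC on the VIP over HTTPS; the upstream certificate is not verified
    # unless proxy_ssl_verify is enabled (off by default).
    proxy_pass https://192.168.2.50:6080;
    proxy_request_buffering off;
    proxy_http_version 1.1;
    # WebSocket upgrade pass-through.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    # Origin is rewritten to http://$host — presumably what the upstream's
    # origin check expects; confirm against the noVNC proxy configuration.
    proxy_set_header Origin http://$host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}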

NoVNC TLS on Nginx Reverse Proxy

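server {
    # "ssl on;" is deprecated (and removed in newer nginx releases); the ssl
    # parameter on the listen directive is the supported form.
    listen 6080 ssl;

    server_name console.bignetlab.com;
    ssl_certificate /etc/ssl/certs/console.bignetlab.com/key.crt;
    ssl_certificate_key /etc/ssl/certs/console.bignetlab.com/priv.key;

    location / {
        # Upstream noVNC is reached over plain HTTP on 10.8.0.5; only the
        # client-to-proxy leg is encrypted by this server block.
        proxy_pass http://10.8.0.5:6080;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        # WebSocket upgrade pass-through.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Origin is rewritten to http://$host — presumably what the upstream's
        # origin check expects; confirm against the noVNC proxy configuration.
        proxy_set_header Origin http://$host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}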