- Generate Certificate with OpenSSL
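# Install the web server and the OpenSSL command-line tool.
apt install -y apache2
apt install -y openssl
# Create a self-signed certificate valid for 365 days with a new 2048-bit RSA key.
# -nodes writes the private key unencrypted, so only its file permissions protect it.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout horizon.key -out horizon.crt
# The certificate is public and belongs in /etc/ssl/certs.
mv horizon.crt /etc/ssl/certs/
# The key goes to /etc/ssl/private, the path horizon.conf names in
# SSLCertificateKeyFile; /etc/ssl/certs is not the place for key material.
mv horizon.key /etc/ssl/private/
# Restrict the unencrypted key to its owner.
chmod 600 /etc/ssl/private/horizon.key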
- Just edit horizon.conf
- Assume
stack.bignetlab.com
is the endpoint for the OpenStack cluster node.
- Assume
nano /etc/apache2/sites-enabled/horizon.conf
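# Plain-HTTP listener whose only job is to send clients to the HTTPS endpoint.
# It has to be declared on port 80: on *:443 it would be the first virtual host
# for that port and, with no ServerName to tell the two apart, would answer
# instead of the SSL virtual host below.
<VirtualHost *:80>
    Redirect "/" "https://stack.bignetlab.com/"
</VirtualHost>

# HTTPS virtual host that serves Horizon through mod_wsgi.
<VirtualHost *:443>
    # The SSL* directives need mod_ssl to be enabled.
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/horizon.crt
    # The private key must be present at exactly this path and should be
    # readable by root only.
    SSLCertificateKeyFile /etc/ssl/private/horizon.key

    # Horizon runs as the "stack" user in its own mod_wsgi daemon process group.
    WSGIScriptAlias /dashboard /opt/stack/horizon/openstack_dashboard/wsgi.py
    WSGIDaemonProcess horizon user=stack group=stack processes=3 threads=10 home=/opt/stack/horizon display-name=%{GROUP}
    WSGIApplicationGroup %{GLOBAL}

    SetEnv APACHE_RUN_USER stack
    SetEnv APACHE_RUN_GROUP stack
    WSGIProcessGroup horizon

    # Only the two aliases below are served as static files.
    DocumentRoot /opt/stack/horizon/.blackhole/
    Alias /dashboard/media /opt/stack/horizon/openstack_dashboard/static
    Alias /dashboard/static /opt/stack/horizon/static

    # Requests for the bare site root go to the dashboard.
    RedirectMatch "^/$" "/dashboard/"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /opt/stack/horizon/>
        # NOTE(review): "Indexes" turns on auto-generated directory listings
        # for this tree; confirm they are wanted, otherwise drop the option.
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.4 uses mod_authz_host for access control now (instead of
        # "Allow")
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>

    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/horizon_error.log
    LogLevel warn
    CustomLog /var/log/apache2/horizon_access.log combined
</VirtualHost>

# Server-wide setting: directory prefix for the mod_wsgi daemon sockets.
WSGISocketPrefix /var/run/apache2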
service apache2 restart
Access on https://stack.bignetlab.com
- For example, Horizon is on a VIP with the IP
192.168.2.50
- You can forward to https://localhost
- Make sure the following lines are commented out in
/etc/kolla/horizon/local_settings
:#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
#OPENSTACK_SSL_CACERT = '/etc/kolla/certificates/ca/root.crt'
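- Make sure the following line is uncommented
OPENSTACK_SSL_NO_VERIFY = True
(this turns off certificate verification in Horizon's OpenStack API clients; it is a workaround for the self-signed certificate and should be reverted once a CA-issued certificate is in place)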
- Make sure you have generated your Horizon certificate in
/etc/kolla/horizon/
nano /etc/nginx/sites-enabled/default
# Reverse proxy in front of the Horizon VIP. It accepts plain HTTP on port 80
# and TLS (with HTTP/2) on port 443.
server {
# Port 80 carries no TLS, so the dashboard is also reachable in cleartext here.
# NOTE(review): consider a separate port-80 server that only redirects to HTTPS.
listen 80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
# NOTE(review): the private key is stored under /etc/ssl/certs; confirm that
# this directory and the key file are not world-readable.
ssl_certificate /etc/ssl/certs/ssl/horizon-cert.pem;
ssl_certificate_key /etc/ssl/certs/ssl/horizon-key.pem;
location / {
# The upstream is contacted over HTTPS. nginx does not verify the upstream
# certificate unless proxy_ssl_verify is switched on.
proxy_pass https://192.168.2.50;
# Pass request bodies to the upstream as they arrive instead of buffering them.
proxy_request_buffering off;
# HTTP/1.1 together with the Upgrade/Connection headers lets WebSocket
# upgrades pass through the proxy.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Hand the original host name, client address and scheme to the upstream.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# Reverse proxy for port 6080 on the VIP (presumably the instance console
# service; confirm).
server {
# Port 6080 is opened without TLS; only port 443 is encrypted in this block.
listen 6080;
listen 443 ssl http2;
listen [::]:443 ssl http2;
# NOTE(review): this domain differs from the bignetlab.com names used
# elsewhere on the page; confirm it is intended.
server_name console.gbesar.com;
# NOTE(review): the private key is stored under /etc/ssl/certs; confirm that
# this directory and the key file are not world-readable.
ssl_certificate /etc/ssl/certs/ssl/horizon-cert.pem;
ssl_certificate_key /etc/ssl/certs/ssl/horizon-key.pem;
location / {
# The upstream is contacted over HTTPS. nginx does not verify the upstream
# certificate unless proxy_ssl_verify is switched on.
proxy_pass https://192.168.2.50:6080;
# Pass request bodies to the upstream as they arrive instead of buffering them.
proxy_request_buffering off;
# HTTP/1.1 together with the Upgrade/Connection headers lets WebSocket
# upgrades pass through the proxy.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# Replaces the client's Origin header with http://<requested host> before
# the request reaches the upstream.
proxy_set_header Origin http://$host;
# Hand the original client address, host name and scheme to the upstream.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
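# TLS-terminating reverse proxy for console.bignetlab.com on port 6080.
server {
    # TLS is enabled with the "ssl" parameter of listen; the standalone
    # "ssl on;" directive is deprecated and has been removed from newer nginx
    # releases, where it stops the configuration from loading.
    listen 6080 ssl;
    server_name console.bignetlab.com;
    # NOTE(review): the private key is stored under /etc/ssl/certs; confirm
    # that this directory and the key file are not world-readable.
    ssl_certificate /etc/ssl/certs/console.bignetlab.com/key.crt;
    ssl_certificate_key /etc/ssl/certs/console.bignetlab.com/priv.key;

    location / {
        # TLS ends at this proxy: the hop to the upstream is plain HTTP.
        proxy_pass http://10.8.0.5:6080;
        # Pass request bodies to the upstream as they arrive instead of
        # buffering them.
        proxy_request_buffering off;
        # HTTP/1.1 together with the Upgrade/Connection headers lets WebSocket
        # upgrades pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Replaces the client's Origin header with http://<requested host>
        # before the request reaches the upstream.
        proxy_set_header Origin http://$host;
        # Hand the original client address, host name and scheme to the upstream.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}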