Configuring mod_nss for Horizon

Horizon is the Web Dashboard for OpenStack. Since it manages some very sensitive information, it should be accessed over SSL. I’ve written up in the past how to do this for a generic web server. Here is how to apply that approach to Horizon.

These instructions are based on a Fedora 20 and packstack install.

As a sanity check, point a browser at your Horizon server before making any changes. If the hostname was not set before you installed packstack, you might get an exception about a bad request header suggesting that you need to set ALLOWED_HOSTS. If so, you have to edit /etc/openstack-dashboard/local_settings:

ALLOWED_HOSTS = ['192.168.187.13','ayoungf20packstack.cloudlab.freeipa.org', 'localhost', ]

Once Horizon has been shown to work on port 80, proceed to install the Apache HTTPD module for NSS:

sudo yum install mod_nss

While this normally works for HTTPD, something is different with packstack: all of the HTTPD module loading is done with files in /etc/httpd/conf.d/, whereas the mod_nss RPM assumes the Fedora approach of putting them in /etc/httpd/conf.modules.d/. I suspect it has to do with the use of Puppet. To adapt mod_nss to the packstack layout, after installing mod_nss you need to mv the file:

sudo mv /etc/httpd/conf.modules.d/10-nss.conf   /etc/httpd/conf.d/nss.load

Note that mv keeps SELinux happy, but cp does not; run ls -Z to confirm:

$ ls -Z /etc/httpd/conf.d/nss.load
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/nss.load

If you get a bad context there, the cheating way to fix it is to yum erase mod_nss, rerun yum install mod_nss, and then do the mv. That is what I did.

Edit /etc/httpd/conf.d/nss.conf:

#Listen 8443
Listen 443

and in the virtual host entry change 8443 to 443.

Add the following to /etc/httpd/conf.d/openstack-dashboard.conf:

   ServerName ayoungf20packstack.cloudlab.freeipa.org
   Redirect permanent / https://ayoungf20packstack.cloudlab.freeipa.org/dashboard/

replacing ayoungf20packstack.cloudlab.freeipa.org with your hostname.

Lower in the same file, in the section

add

  NSSRequireSSL

to require SSL.

SSL certificates really should not be self-signed. To have a real security strategy, your X.509 certificates should be managed via a Certificate Authority. Dogtag PKI provides one, and is deployed with FreeIPA. So, for this setup, the Horizon server is registered as an IPA client.

There will be a self-signed certificate in the NSS database from the install. We need to remove it:

sudo certutil -d /etc/httpd/alias/ -D -n Server-Cert

To fetch a certificate for this server, first register the HTTP service in IPA, then use the ipa-getcert command, which tells certmonger to request and track the certificate:

ipa service-add HTTP/`hostname`
sudo ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/`hostname` -N CN=`hostname`,O=cloudlab.freeipa.org

If you forgot to add the service before requesting the cert, as I did on my first iteration, the request is put on hold: certmonger will resubmit it in 12 (I think) hours, but you can speed up the process:

sudo getcert resubmit -n Server-Cert  -d /etc/httpd/alias

You can now see the certificate with:

sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert

Now, if you restart the HTTPD server,

sudo systemctl restart httpd.service

and point a browser at http://hostname, it should be redirected to https://hostname/dashboard and a functioning Horizon application.

Note that for devstack the steps are comparable, but not identical:

  • No need to mv the 10-nss.conf file from modules
  • The Horizon application is put into /etc/httpd/conf.d/horizon.conf
  • The horizon app is in a virtual host of <VirtualHost *:80>; you can’t just change this to 443, or you lose all of the config from nss.conf. The two VirtualHost sections should probably be merged.
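As an added check (example script, not part of the original post or of packstack), this audits the edits described above: it reads nss.conf and the dashboard config and reports any of the HTTPS settings that are missing or still on the old port. The file paths and hostname are passed as arguments, so it works for the packstack layout and the devstack horizon.conf alike.

```shell
#!/bin/sh
# Added example, not from the original post: audit the edits the post makes
# to nss.conf and openstack-dashboard.conf. Read-only; never edits the files.
# Usage: sh audit.sh /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/openstack-dashboard.conf "$(hostname)"

# Print a file minus comments and blank lines, so the commented-out
# "#Listen 8443" the post leaves behind does not count as active.
active_lines() {
  sed -e 's/#.*$//' "$1" | grep -v '^[[:space:]]*$'
}

# nss.conf: "Listen 443" active, "Listen 8443" gone, VirtualHost moved to 443.
check_nss_conf() {
  nss_rc=0
  active_lines "$1" | grep -Eq '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' \
    || { echo "$1: no active 'Listen 443'"; nss_rc=1; }
  active_lines "$1" | grep -Eq '^[[:space:]]*Listen[[:space:]]+8443([[:space:]]|$)' \
    && { echo "$1: 'Listen 8443' is still active"; nss_rc=1; }
  active_lines "$1" | grep -Eq '^[[:space:]]*<VirtualHost[^>]*:8443>' \
    && { echo "$1: VirtualHost still bound to 8443"; nss_rc=1; }
  active_lines "$1" | grep -Eq '^[[:space:]]*<VirtualHost[^>]*:443>' \
    || { echo "$1: no VirtualHost bound to 443"; nss_rc=1; }
  return $nss_rc
}

# Dashboard config: ServerName, permanent redirect of / to HTTPS, and
# NSSRequireSSL so the dashboard is never served over plain HTTP.
check_dashboard_conf() {
  dash_rc=0
  host_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
  active_lines "$1" | grep -Eq "^[[:space:]]*ServerName[[:space:]]+$host_re([[:space:]]|$)" \
    || { echo "$1: missing 'ServerName $2'"; dash_rc=1; }
  active_lines "$1" | grep -Eq "^[[:space:]]*Redirect[[:space:]]+permanent[[:space:]]+/[[:space:]]+https://$host_re/dashboard/?([[:space:]]|$)" \
    || { echo "$1: no permanent redirect of / to https://$2/dashboard/"; dash_rc=1; }
  active_lines "$1" | grep -Eq '^[[:space:]]*NSSRequireSSL([[:space:]]|$)' \
    || { echo "$1: NSSRequireSSL missing"; dash_rc=1; }
  return $dash_rc
}

# Exit status is the number of files with problems; 0 means every edit is in place.
audit_horizon_ssl() {
  problems=0
  check_nss_conf "$1" || problems=$((problems + 1))
  check_dashboard_conf "$2" "$3" || problems=$((problems + 1))
  return $problems
}
if [ "$#" -eq 3 ]; then
  audit_horizon_ssl "$@" && echo "OK: Horizon is configured for HTTPS only"
fi
```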
