Horizon is the Web Dashboard for OpenStack. Since it manages some very sensitive information, it should be accessed via SSL. I’ve written up in the past how to do this for a generic web server. Here is how to apply that approach to Horizon.
These instructions are based on a Fedora 20 and packstack install.
As a sanity check, point a browser at your Horizon server before making any changes. If hostname is not set before you installed packstack, you might get an exception about bad request header suggesting you might need to set ALLOWED_HOSTS: If so, you have to edit /etc/openstack-dashboard/local_settings
ALLOWED_HOSTS = ['192.168.187.13','ayoungf20packstack.cloudlab.freeipa.org', 'localhost', ]
Once Horizon has been shown to work on port 80, proceed to install the Apache HTTPD module for NSS:
sudo yum install mod_nss
While this normally works for HTTPD, something is different with packstack; all of the HTTPD module loading is done with files in /etc/httpd/conf.d/ whereas the mod_nss RPM assumes the Fedora approach of putting them in /etc/httpd/conf.modules.d/. I suspect it has to do with the use of Puppet. To adapt mod_nss to the packstack format, after installing mod_nss, you need to mv the file:
sudo mv /etc/httpd/conf.modules.d/10-nss.conf /etc/httpd/conf.d/nss.load
Note that mv keeps SELinux Happy, but cp does not: ls -Z to confirm
$ ls -Z /etc/httpd/conf.d/nss.load -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/nss.load
If you get a bad context there, the cheating way is to fix is yum erase mod_nss and rerun yum install mod_nss and then do the mv. That is what I did.
#Listen 8443 Listen 443
and in the virtual host entry change 8443 to 443
Add the following to /etc/httpd/conf.d/openstack-dashboard.conf
ServerName ayoungf20packstack.cloudlab.freeipa.org Redirect permanent / https://ayoungf20packstack.cloudlab.freeipa.org/dashboard/
replacing ayoungf20packstack.cloudlab.freeipa.org with your hostname.
Lower in the same file, in the section
To enable SSL.
SSL certificates really should not be self signed. To have a real security strategy, your X509 certificates should be managed via a Certificate Authority. Dogtag PKI provides one, and is deployed with FreeIPA. So, for this setup, the Horizon server is registered as an IPA client.
There will be a selfsigned certificate in the nss database from the install. We need to remove that:
sudo certutil -d /etc/httpd/alias/ -D -n Server-Cert
In order to fetch the certificates for this server, we use the IPA command that tells certmonger to fetch and track the certificate.
ipa service-add HTTP/`hostname` sudo ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/`hostname` -N CN=`hostname`,O=cloudlab.freeipa.org
If you forgot to add the service before requesting the cert, as I did on my first iteration, the request is on hold: it will be serviced in 12 (I think) hours by certmonger resubmitting it, but you can speed up the process:
sudo getcert resubmit -n Server-Cert -d /etc/httpd/alias
You can now see the certificate with:
sudo certutil -d /etc/httpd/alias/ -L -n Server-Cert
Now, if you restart the HTTPD server,
sudo systemctl restart httpd.service
and point a browser at http://hostname, it should get redirected to https://hostname/dashboard and a functioning Horizon application.
Note that for devstack, the steps are comparable, but different:
- No need to mv the 10-nss.conf file from modules
- The Horizon application is put into /etc/httpd/conf.d/horizon.conf
- The horizon app is in a virtual host of <VirtualHost *:80> you can’t just change this to 443, or you lose all of the config from nss.conf. The two VirtualHost sections should probably be merged.