
ID #1416

How do I configure HTTPS access for the Horizon Dashboard in Bright OpenStack?



The following procedure was tested on Bright 8.0 with OpenStack Newton.


In the following procedure the administrator configures the cluster to accept HTTPS connections to the OpenStack Horizon Dashboard on port 10081, and also enables use of the VNC console over HTTPS on port 6081. The administrator can change these ports to more convenient ones if needed.


On the head node, the following lines are added to the file /etc/shorewall/rules:


ACCEPT net fw tcp 10081
ACCEPT net fw tcp 6081


The shorewall rules on the head node are then reloaded:


# cmsh -c "device use master; services; restart shorewall"


On the head node, the following sections are placed at the end of /etc/haproxy/haproxy.cfg, outside of the AUTOGENERATED SECTION:


listen dashboard-horizon-https
 mode http
 bind 0.0.0.0:10081 ssl crt /etc/haproxy/cert-bundle.pem
 reqadd X-Forwarded-Proto:\ https
 server auto-node001::10.141.0.1:80 10.141.0.1:80 check
 server auto-node002::10.141.0.2:80 10.141.0.2:80 check
 server auto-node003::10.141.0.3:80 10.141.0.3:80 check

listen VNC-https
 mode http
 bind 0.0.0.0:6081 ssl crt /etc/haproxy/cert-bundle.pem
 server auto-node001::10.141.0.1:16080 10.141.0.1:16080 check
 server auto-node002::10.141.0.2:16080 10.141.0.2:16080 check
 server auto-node003::10.141.0.3:16080 10.141.0.3:16080 check


The bind line of each section must specify the SSL certificate that is going to be used. HAProxy requires a single PEM file that contains both the certificate and its associated keys. More details on this can be found at https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1.
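One way to build and check the combined PEM file named in the bind lines above. This is an added example, not part of the original procedure; the function names and the input file names server.crt and server.key are hypothetical.

```shell
#!/bin/sh
# Added example: build the combined PEM that the HAProxy "crt" option expects.
# Function names and the input file names in the usage line are hypothetical.

# Succeeds only if the file contains a certificate block.
has_cert() { grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds only if the file contains a private key block
# (PKCS#8, or the traditional RSA/EC forms).
has_key() { grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; }

# Succeeds only if the key's public half equals the certificate's public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_haproxy_bundle CERT KEY OUT
build_haproxy_bundle() {
    has_cert "$1" || { echo "no certificate in $1" >&2; return 1; }
    has_key "$2"  || { echo "no private key block in $2" >&2; return 1; }
    # The bundle holds the private key, so create it readable by owner only.
    # The echo guards against a certificate file without a final newline.
    ( umask 077; { cat "$1"; echo; cat "$2"; } > "$3" ) || return 1
    chmod 600 "$3"
}

# Usage: sh make-bundle.sh server.crt server.key /etc/haproxy/cert-bundle.pem
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; exit 1; }
    build_haproxy_bundle "$1" "$2" "$3"
fi
```

If the CA issues an intermediate certificate, it can be concatenated into the same file as well.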


The lines that specify the backend servers should be changed to use the hostnames and IP addresses of the controller nodes, as specified in the other sections of /etc/haproxy/haproxy.cfg.


The haproxy service is then restarted by running the following command on the head node:


# cmsh -c "device use master; services; restart haproxy"


The following commands are then run on the head node:

# cmsh
% configurationoverlay
% use openstackhypervisors
% customizations
% add /etc/nova/nova.conf
% entries
% add vnc novncproxy_base_url=https://HEADNODE_HOSTNAME:6081/vnc_auto.html
% commit


In the above commands, the hostname used to reach the head node is substituted for HEADNODE_HOSTNAME. A couple of minutes of waiting allows the Nova services to restart automatically.


The Horizon Dashboard can now be accessed via HTTPS on port 10081 of the head node. However, it is still recommended to modify the link in the landing page of the head node. The /var/www/html/index.php file on the head node can be edited by changing a line that looks like the following one:


 $settings['openstack']['url'] = 'http://' . $_SERVER[HTTP_HOST] . ':10080/';


The line is modified to point to https on port 10081. For example, the line could become:


 $settings['openstack']['url'] = 'https://' . $_SERVER[HTTP_HOST] . ':10081/';


