The following procedure was tested on Bright 8.0 with OpenStack Newton.
In the following procedure the administrator configures the cluster to accept HTTPS connections to the OpenStack Horizon Dashboard on port 10081, and to also enable use of the VNC console over HTTPS on port 6081. The administrator can change these ports to more convenient ones if needed.
On the head node, the following lines are added to the file /etc/shorewall/rules:
ACCEPT net fw tcp 10081
ACCEPT net fw tcp 6081
The shorewall rules on the head node are then reloaded:
# cmsh -c "device use master; services; restart shorewall"
On the head node, the following sections are placed at the end of /etc/haproxy/haproxy.cfg, outside of the AUTOGENERATED SECTION:
listen dashboard-horizon-https
    mode http
    bind 0.0.0.0:10081 ssl crt /etc/haproxy/cert-bundle.pem
    reqadd X-Forwarded-Proto:\ https
    server auto-node001::10.141.0.1:80 10.141.0.1:80 check
    server auto-node002::10.141.0.2:80 10.141.0.2:80 check
    server auto-node003::10.141.0.3:80 10.141.0.3:80 check

listen VNC-https
    mode http
    bind 0.0.0.0:6081 ssl crt /etc/haproxy/cert-bundle.pem
    server auto-node001::10.141.0.1:16080 10.141.0.1:16080 check
    server auto-node002::10.141.0.2:16080 10.141.0.2:16080 check
    server auto-node003::10.141.0.3:16080 10.141.0.3:16080 check
The bind line of each section must specify the SSL certificate that is going to be used. HAProxy requires a single PEM file that contains both the certificate and its associated keys. More details on this can be found at https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1.
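One way to build the combined PEM file described above, as an added example that is not part of the original procedure. The input file names are placeholders, and the openssl command-line tool is assumed to be installed on the head node:

```shell
#!/bin/sh
# Added example: build the combined PEM file referenced by the "crt" option
# in the bind lines, after checking that the key belongs to the certificate.
# Usage: sh make-bundle.sh CERT.pem KEY.pem /etc/haproxy/cert-bundle.pem
# (CERT.pem and KEY.pem are placeholder names; any intermediate CA
# certificates should already follow the server certificate in CERT.pem)

build_haproxy_bundle() (
    cert=$1 key=$2 out=$3

    [ -r "$cert" ] && [ -r "$key" ] || {
        echo "cannot read certificate or key file" >&2; exit 2; }

    # Derive the public key from each file. They must be identical,
    # otherwise the certificate and the private key do not belong together.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || exit 2
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        exit 1
    fi

    # The bundle contains the private key: keep it readable by its owner only.
    umask 077
    # The echo guards against a certificate file without a trailing newline.
    { cat "$cert"; echo; cat "$key"; } > "$out" || exit 2
    chmod 600 "$out"
)

# Run directly when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    build_haproxy_bundle "$@"
fi
```

Running haproxy -c -f /etc/haproxy/haproxy.cfg before the restart makes HAProxy parse the configuration and report errors without starting the service.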
The lines in which the backend servers are specified should be adjusted to use the hostnames and IP addresses of the controller nodes, as specified in the other sections of /etc/haproxy/haproxy.cfg.
The haproxy service is then restarted by running the following command on the head node:
# cmsh -c "device use master; services; restart haproxy"
The following commands are then run on the head node:
# cmsh
% configurationoverlay
% use openstackhypervisors
% customizations
% add /etc/nova/nova.conf
% entries
% add vnc novncproxy_base_url=https://HEADNODE_HOSTNAME:6081/vnc_auto.html
% commit
In the above commands, the hostname used to reach the head node is substituted for HEADNODE_HOSTNAME. A couple of minutes of waiting allows the Nova services to restart automatically.
The Horizon Dashboard can now be accessed via HTTPS on port 10081 of the head node. However, it is still recommended to modify the link in the landing page of the head node. The /var/www/html/index.php file on the head node can be edited by changing a line that looks like the following one:
$settings['openstack']['url'] = 'http://' . $_SERVER[HTTP_HOST] . ':10080/';
The line is modified to point to HTTPS on port 10081. For example, the line could become:
$settings['openstack']['url'] = 'https://' . $_SERVER[HTTP_HOST] . ':10081/';