A memo on enabling HTTPS for the OpenStack dashboard that was installed last time.
Steps
- Install mod_ssl
- Create a self-signed certificate
- Edit the Apache (httpd) configuration
- Edit nova.conf
- Edit the iptables rules
- Restart the services
Install mod_ssl
# dnf install mod_ssl
Create the certificate
server.key is assumed to already exist (a private key generated beforehand, e.g. with openssl genrsa). The resulting server.crt and server.key are then placed at the /etc/pki/tls paths that the vhost configuration below refers to.
# openssl req -new -key ./server.key > server.csr
# openssl x509 -req -signkey server.key < server.csr > server.crt
Edit the Apache configuration files
Create ssl.conf and ssl.load under /etc/httpd/conf.module.d so that the SSL module is loaded.
# ssl.conf
<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/cache/mod_ssl/scache(512000)"
SSLSessionCacheTimeout 300
Mutex default
SSLCryptoDevice builtin
SSLHonorCipherOrder On
SSLUseStapling Off
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES
SSLProtocol all
SSLOptions StdEnvVars
</IfModule>
# ssl.load
LoadModule ssl_module modules/mod_ssl.so
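The ssl.conf above keeps `SSLProtocol all` and `SSLCipherSuite HIGH:MEDIUM:...`, which leaves every protocol version the OpenSSL build supports (possibly SSLv3 and TLS 1.0/1.1) and the MEDIUM cipher classes enabled. The following Python check is an added example, not part of the original memo: it parses the directives from such a file and reports each setting that falls below a hardened baseline, showing the recommended value next to the current one. The embedded config strings are constructed copies of the relevant lines, and the baseline values are this example's own recommendation, not an Apache default.

```python
# Constructed excerpts: the relevant directives from the ssl.conf above, and a hardened version.
WEAK_SSL_CONF = (
    "SSLHonorCipherOrder On\n"
    "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES\n"
    "SSLProtocol all\n"
)
HARDENED_SSL_CONF = (
    "SSLHonorCipherOrder On\n"
    "SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES\n"
    "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"
)
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_WORDS = {"MEDIUM", "LOW", "EXPORT", "NULL", "aNULL", "eNULL"}

def parse_directives(text):
    """Map directive name -> value; comment lines and <IfModule>-style tags are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out

def enabled_protocols(value):
    """Expand an SSLProtocol value; 'all' is whatever the OpenSSL build supports, which can include SSLv3/TLS 1.0/1.1."""
    enabled = set()
    for tok in value.split():
        if tok == "all":
            enabled |= LEGACY_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def check_ssl_conf(text):
    """Return (directive, current value, recommended value) for each setting weaker than the baseline here."""
    d = parse_directives(text)
    findings = []
    proto = d.get("SSLProtocol", "all")  # an unset directive is treated conservatively as 'all'
    if enabled_protocols(proto) & LEGACY_PROTOCOLS:
        findings.append(("SSLProtocol", proto, "all -SSLv3 -TLSv1 -TLSv1.1"))
    ciphers = d.get("SSLCipherSuite", "").split(":")
    if "!aNULL" not in ciphers or WEAK_CIPHER_WORDS & set(ciphers):
        findings.append(("SSLCipherSuite", ":".join(ciphers), "HIGH:!aNULL:!MD5:!RC4:!3DES"))
    if d.get("SSLHonorCipherOrder", "Off").lower() != "on":
        findings.append(("SSLHonorCipherOrder", d.get("SSLHonorCipherOrder", "<unset>"), "On"))
    return findings
```

Running `check_ssl_conf(WEAK_SSL_CONF)` reports the SSLProtocol and SSLCipherSuite lines, while `check_ssl_conf(HARDENED_SSL_CONF)` returns nothing; point it at the contents of the real ssl.conf to check a live host.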
Edit 15-horizon_vhost.conf under /etc/httpd/conf.d so that requests are served over HTTPS, and create 15-horizon_ssl_vhost.conf.
# 15-horizon_vhost.conf: the only change is the redirect
## RedirectMatch rules
RedirectMatch permanent (.*) https://192.168.1.10
# 15-horizon_ssl_vhost.conf
<VirtualHost *:443>
ServerName 192.168.1.10
## Vhost docroot
DocumentRoot "/var/www/"
## Alias declarations for resources outside the DocumentRoot
Alias /dashboard/static "/usr/share/openstack-dashboard/static"
## Directories, there should at least be a declaration for /var/www/
<Directory "/var/www/">
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/httpd/horizon_ssl_error.log"
ServerSignature Off
CustomLog "/var/log/httpd/horizon_ssl_access.log" combined
## RedirectMatch rules
RedirectMatch permanent ^/$ /dashboard
## Server aliases
ServerAlias 192.168.1.10
ServerAlias localhost
## SSL directives
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/server.key"
## WSGI configuration
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess horizon-ssl display-name=horizon group=apache processes=4 threads=1 user=apache
WSGIProcessGroup horizon-ssl
WSGIScriptAlias /dashboard "/usr/share/openstack-dashboard/openstack_dashboard/wsgi.py"
</VirtualHost>
Edit nova.conf
Make the virtual console on the dashboard work over HTTPS as well. The same certificate was reused. Edit the following parts of /etc/nova/nova.conf.
# Disallow non-encrypted connections. For more information, refer to the
# documentation. (boolean value)
#ssl_only=false
ssl_only=True
# Set to True if source host is addressed with IPv6 (boolean value)
#source_is_ipv6=false
#
# Path to SSL certificate file. For more information, refer to the
# documentation. (string value)
#cert=self.pem
cert=/etc/pki/tls/certs/server.crt
#
# SSL key file (if separate from cert). For more information, refer to the
# documentation. (string value)
#key=<None>
key=/etc/pki/tls/private/server.key
# /etc/nova/nova.conf:novncproxy_base_url=http://192.168.1.100:6080/vnc_auto.html
/etc/nova/nova.conf:novncproxy_base_url=https://192.168.1.100:6080/vnc_auto.html
Allow the traffic
Unless HTTPS was already chosen at packstack install time, tcp/443 is not open in iptables, so add a rule allowing 443. Add the following line to /etc/sysconfig/iptables (and remove the rule for port 80 while at it).
-A INPUT -p tcp -m multiport --dports 443 -m comment --comment "001 horizon 443 incoming" -j ACCEPT
# -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80 incoming" -j ACCEPT
Restart the services
# systemctl restart httpd memcached
# systemctl restart '*-nova-*'
With this done, the dashboard is served over HTTPS.