{"id":691,"date":"2021-09-12T17:04:51","date_gmt":"2021-09-12T08:04:51","guid":{"rendered":"https:\/\/wp.zassoul.com\/?p=691"},"modified":"2021-09-12T17:04:51","modified_gmt":"2021-09-12T08:04:51","slug":"horizon-https%e5%8c%96","status":"publish","type":"post","link":"https:\/\/wp.zassoul.com\/?p=691","title":{"rendered":"Horizon HTTPS\u5316"},"content":{"rendered":"\n<p><a href=\"https:\/\/wp.zassoul.com\/?p=672\" data-type=\"URL\" data-id=\"https:\/\/wp.zassoul.com\/?p=672\" target=\"_blank\" rel=\"noreferrer noopener\">\u524d\u56de<\/a>\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305fOpenstack\u306e\u30c0\u30c3\u30b7\u30e5\u30dc\u30fc\u30c9\u306eHTTPS\u5316\u306b\u3064\u3044\u3066\u306e\u30e1\u30e2\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u6d41\u308c<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>mod_ssl \u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/li><li>\u81ea\u5df1\u8a3c\u660e\u66f8\u4f5c\u6210<\/li><li>httpd.conf\u7de8\u96c6<\/li><li>nova.conf\u7de8\u96c6<\/li><li>iptables\u8a2d\u5b9a\u7de8\u96c6<\/li><li>\u30b5\u30fc\u30d3\u30b9\u518d\u8d77\u52d5<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">mod_ssl\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># dnf install mod_ssl<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u8a3c\u660e\u66f8\u4f5c\u6210<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># openssl req -new -key .\/server.key > server.csr\n# openssl x509 -req -signkey server.key &lt; server.csr > server.crt<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Apache\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u7de8\u96c6<\/h2>\n\n\n\n<p>ssl\u3092\u8aad\u307f\u8fbc\u3080\u3088\u3046\u306b \/etc\/httpd\/conf.modules.d \u914d\u4e0b\u306b ssl.conf \u3068 ssl.load \u3092\u4f5c\u6210\u3002\u4e0b\u8a18\u306e SSLProtocol all \u306f\u53e4\u3044\u30d7\u30ed\u30c8\u30b3\u30eb\u3082\u6709\u52b9\u306b\u3057\u3046\u308b\u306e\u3067\uff0c\u5fc5\u8981\u306b\u5fdc\u3058\u3066 TLSv1.2 \u4ee5\u4e0a\u306b\u5236\u9650\u3059\u308b\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># ssl.conf\n&lt;IfModule mod_ssl.c>\r\n  SSLRandomSeed startup builtin\r\n  SSLRandomSeed startup file:\/dev\/urandom 512\r\n  SSLRandomSeed connect builtin\r\n  SSLRandomSeed connect 
file:\/dev\/urandom 512\r\n\r\n  AddType application\/x-x509-ca-cert .crt\r\n  AddType application\/x-pkcs7-crl    .crl\r\n\r\n  SSLPassPhraseDialog builtin\r\n  SSLSessionCache \"shmcb:\/var\/cache\/mod_ssl\/scache(512000)\"\r\n  SSLSessionCacheTimeout 300\r\n  Mutex default\r\n  SSLCryptoDevice builtin\r\n  SSLHonorCipherOrder On\r\n  SSLUseStapling Off\r\n  SSLStaplingCache \"shmcb:\/run\/httpd\/ssl_stapling(32768)\"\r\n  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES\r\n  SSLProtocol all\r\n  SSLOptions StdEnvVars\r\n&lt;\/IfModule>\r\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>#ssl.load\nLoadModule ssl_module modules\/mod_ssl.so\r\n<\/code><\/pre>\n\n\n\n<p>https\u3067\u53d7\u3051\u308b\u3088\u3046\u306b \/etc\/httpd\/conf.d \u914d\u4e0b\u306e15-horizon_vhost.conf \u3092\u7de8\u96c6\u3002 15-horizon_ssl_vhost.conf \u3092\u4f5c\u6210\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># 15-horizon_vhost.conf \u7de8\u96c6\u7b87\u6240\u306f\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u306e\u307f\n  ## RedirectMatch rules\r\n  RedirectMatch permanent  (.*) https:\/\/192.168.1.10<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># 15-horizon_ssl_vhost.conf \n&lt;VirtualHost *:443>\r\n  ServerName 192.168.1.10\r\n\r\n  ## Vhost docroot\r\n  DocumentRoot \"\/var\/www\/\"\r\n  ## Alias declarations for resources outside the DocumentRoot\r\n  Alias \/dashboard\/static \"\/usr\/share\/openstack-dashboard\/static\"\r\n\r\n\r\n  ## Directories, there should at least be a declaration for \/var\/www\/\r\n\r\n  &lt;Directory \"\/var\/www\/\">\r\n    Options -Indexes +FollowSymLinks +MultiViews\r\n    AllowOverride None\r\n    Require all granted\r\n  &lt;\/Directory>\r\n\r\n  ## Logging\r\n  ErrorLog \"\/var\/log\/httpd\/horizon_ssl_error.log\"\r\n  ServerSignature Off\r\n  CustomLog \"\/var\/log\/httpd\/horizon_ssl_access.log\" combined\r\n\r\n  ## RedirectMatch rules\r\n  RedirectMatch permanent  ^\/$ \/dashboard\r\n\r\n  ## Server aliases\r\n  
ServerAlias 192.168.1.10\n  ServerAlias localhost\r\n\r\n\r\n  ## SSL directives\r\n  SSLEngine on\r\n  SSLCertificateFile      \"\/etc\/pki\/tls\/certs\/server.crt\"\r\n  SSLCertificateKeyFile   \"\/etc\/pki\/tls\/private\/server.key\"\r\n\r\n  ## WSGI configuration\r\n  WSGIApplicationGroup %{GLOBAL}\r\n  WSGIDaemonProcess horizon-ssl display-name=horizon group=apache processes=4 threads=1 user=apache\r\n  WSGIProcessGroup horizon-ssl\r\n  WSGIScriptAlias \/dashboard \"\/usr\/share\/openstack-dashboard\/openstack_dashboard\/wsgi.py\"\r\n&lt;\/VirtualHost><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">nova.conf\u7de8\u96c6<\/h2>\n\n\n\n<p>\u30c0\u30c3\u30b7\u30e5\u30dc\u30fc\u30c9\u4e0a\u306e\u30d0\u30fc\u30c1\u30e3\u30eb\u30b3\u30f3\u30bd\u30fc\u30eb\u3082https\u306b\u5bfe\u5fdc\u3055\u305b\u308b\u3002\u8a3c\u660e\u66f8\u306f\u540c\u3058\u7269\u3092\u8ee2\u7528\u3057\u305f\u3002\/etc\/nova\/nova.conf \u306e\u4ee5\u4e0b\u90e8\u5206\u3092\u7de8\u96c6\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Disallow non-encrypted connections. For more information, refer to the\r\n# documentation. (boolean value)\r\n#ssl_only=false\r\nssl_only=True\r\n\r\n# Set to True if source host is addressed with IPv6 (boolean value)\r\n#source_is_ipv6=false\r\n\r\n#\r\n# Path to SSL certificate file. For more information, refer to the\r\n# documentation. (string value)\r\n#cert=self.pem\r\ncert=\/etc\/pki\/tls\/certs\/server.crt\r\n\r\n#\r\n# SSL key file (if separate from cert). For more information, refer to the\r\n# documentation. 
(string value)\r\n#key=&lt;None>\r\nkey=\/etc\/pki\/tls\/private\/server.key\n\n\n# \/etc\/nova\/nova.conf:novncproxy_base_url=http:\/\/192.168.1.100:6080\/vnc_auto.html\r\n\/etc\/nova\/nova.conf:novncproxy_base_url=https:\/\/192.168.1.100:6080\/vnc_auto.html\r\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u901a\u4fe1\u8a31\u53ef\u8a2d\u5b9a<\/h2>\n\n\n\n<p>packstack install\u6642\u70b9\u3067https\u306b\u3057\u3066\u304a\u304b\u306a\u3044\u3068iptables\u3067tcp443\u304c\u958b\u3044\u3066\u3044\u306a\u3044\u305f\u3081\uff0c443\u306e\u901a\u4fe1\u8a31\u53ef\u8a2d\u5b9a\u3092iptables\u306b\u5165\u308c\u308b\u3002\/etc\/sysconfig\/iptables \u306b\u6b21\u306e1\u884c\u3092\u8ffd\u52a0\u3002(\u3064\u3044\u3067\u306b80\u756a\u306f\u524a\u9664) 80\u756a\u3092\u9589\u3058\u308b\u3068 15-horizon_vhost.conf \u306e\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u306b\u306f\u5916\u90e8\u304b\u3089\u5230\u9054\u3067\u304d\u306a\u304f\u306a\u308b\u70b9\u306b\u6ce8\u610f\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-A INPUT -p tcp -m multiport --dports 443 -m comment --comment \"001 horizon 443 incoming\" -j ACCEPT\n# -A INPUT -p tcp -m multiport --dports 80 -m comment --comment \"001 horizon 80 incoming\" -j ACCEPT<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u30b5\u30fc\u30d3\u30b9\u518d\u8d77\u52d5<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># systemctl restart httpd memcached\n# systemctl restart *-nova-*<\/code><\/pre>\n\n\n\n<p>\u3053\u3053\u307e\u3067\u3084\u308c\u3070\u30c0\u30c3\u30b7\u30e5\u30dc\u30fc\u30c9\u306eHTTPS\u5316\u5b8c\u4e86\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"815\" src=\"https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/09\/openstackhttps-1024x815.png\" alt=\"\" class=\"wp-image-693\" srcset=\"https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/09\/openstackhttps-1024x815.png 1024w, https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/09\/openstackhttps-300x239.png 300w, https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/09\/openstackhttps-768x611.png 768w, https:\/\/wp.zassoul.com\/wp-content\/uploads\/2021\/09\/openstackhttps.png 1350w\" sizes=\"auto, 
(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>\u524d\u56de\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305fOpenstack\u306e\u30c0\u30c3\u30b7\u30e5\u30dc\u30fc\u30c9\u306eHTTPS\u5316\u306b\u3064\u3044\u3066\u306e\u30e1\u30e2\u3002 \u6d41\u308c mod_ssl \u30a4\u30f3\u30b9\u30c8\u30fc\u30eb \u81ea\u5df1\u8a3c\u660e\u66f8\u4f5c\u6210 httpd.conf\u7de8\u96c6 nova.conf\u7de8\u96c6 iptables\u8a2d\u5b9a\u7de8\u96c6 \u30b5\u30fc\u30d3\u2026 <span class=\"read-more\"><a href=\"https:\/\/wp.zassoul.com\/?p=691\">\u7d9a\u304d\u3092\u8aad\u3080 &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45,53],"tags":[83,78,82],"class_list":["post-691","post","type-post","status-publish","format-standard","hentry","category-openstack","category-oss","tag-horizon","tag-it","tag-openstack"],"_links":{"self":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=691"}],"version-history":[{"count":2,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/691\/revisions"}],"predecessor-version":[{"id":694,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/691\/revisions\/694"}],"wp:attachment":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fca
tegories&post=691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}