OpenStack (Newton) enable SSL

Posted by Pavlo Khmel on Sun 29 January 2017

This post shows how to switch Horizon to HTTPS.
Before you start, you should have a working OpenStack Horizon reachable over HTTP.
My setup:
OS: CentOS 7.3
OpenStack: Newton

Changes on controller

Install mod_ssl for HTTPD:

yum -y install mod_ssl

Upload your certificate files:

/etc/pki/tls/certs/khmel.org.pem
/etc/pki/tls/private/privat.key

Uncomment these lines in /etc/openstack-dashboard/local_settings:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

Update /etc/nova/nova.conf. Add to the [DEFAULT] section:

[DEFAULT]
ssl_only = true
cert = /etc/pki/tls/certs/khmel.org.pem
key = /etc/pki/tls/private/privat.key

File /etc/httpd/conf.d/openstack-dashboard.conf should look like this:

WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi
<VirtualHost *:80>
  ServerName cloud.khmel.org
  RedirectPermanent /dashboard https://cloud.khmel.org/dashboard
</VirtualHost>
<VirtualHost *:443>
  ServerName cloud.khmel.org
  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/khmel.org.pem
  SSLCertificateKeyFile /etc/pki/tls/private/privat.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  Header add Strict-Transport-Security "max-age=15768000"
  WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
  Alias /dashboard/static /usr/share/openstack-dashboard/static
  <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    Options All
    AllowOverride All
    Require all granted
  </Directory>
  <Directory /usr/share/openstack-dashboard/static>
    Options All
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Reboot the controller node.

Changes on compute nodes

Update /etc/nova/nova.conf. Add to the [DEFAULT] section:

[DEFAULT]
novncproxy_base_url=https://cloud.khmel.org:6080/vnc_auto.html

Reboot the compute nodes.
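
After the reboot, the three visible effects of the changes above can be checked from any client: the port 80 redirect, the HSTS header, and the Secure flag on the CSRF and session cookies. The script below is an added example, not part of the original post. The function names and the sample responses are constructed for illustration, and the login path in the usage comments is assumed to be Horizon's default.

```shell
#!/bin/sh
# Added example: post-reboot checks for the HTTPS switch described above.
# Each function reads HTTP response headers on stdin and exits 0 on pass.

normalize() { tr -d '\r'; }   # strip CRs from wire-format headers

# Port 80 must answer 301 with a Location that starts with https://
check_redirect() {
  normalize | awk '
    NR == 1 && $2 == "301" { status = 1 }
    tolower($1) == "location:" && $2 ~ /^https:\/\// { loc = 1 }
    END { exit !(status && loc) }'
}

# Port 443 must send HSTS with a max-age of at least $1 seconds.
check_hsts() {
  normalize | awk -v min="$1" '
    tolower($1) == "strict-transport-security:" {
      if (match(tolower($0), /max-age=[0-9]+/) &&
          substr($0, RSTART + 8, RLENGTH - 8) + 0 >= min + 0) ok = 1
    }
    END { exit !ok }'
}

# Every Set-Cookie header must carry the Secure attribute
# (CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE). Fails when no cookie
# is present, since then nothing was verified.
check_cookies() {
  normalize | awk '
    tolower($1) == "set-cookie:" {
      seen++; secure = 0
      n = split(tolower($0), attr, /; */)
      for (i = 2; i <= n; i++) if (attr[i] == "secure") secure = 1
      if (!secure) bad++
    }
    END { exit !(seen && !bad) }'
}

# Constructed sample responses (not captured from a real host).
sample_http()  { printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' \
  'Location: https://cloud.khmel.org/dashboard' ''; }
sample_https() { printf '%s\r\n' 'HTTP/1.1 200 OK' \
  'Strict-Transport-Security: max-age=15768000' \
  'Set-Cookie: csrftoken=abc; Path=/; Secure' \
  'Set-Cookie: sessionid=xyz; HttpOnly; Path=/; Secure' ''; }

sample_http  | check_redirect      && echo "redirect: ok"
sample_https | check_hsts 15768000 && echo "hsts: ok"
sample_https | check_cookies       && echo "cookies: ok"
# Live use (login path is an assumption, adjust to your deployment):
#   curl -s -o /dev/null -D - http://cloud.khmel.org/dashboard | check_redirect
#   curl -s -o /dev/null -D - https://cloud.khmel.org/dashboard/auth/login/ | check_cookies
```
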