Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

10.4. Configure the Dashboard

10.4.1. Configure Connections and Logging
Copia collegamento

Before users connect to the dashboard for the first time, the following parameters must be configured in the /etc/openstack-dashboard/local_settings file (sample files are available in the Configuration Reference Guide at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform):

Procedure 10.2. Configuring Connections and Logging for the Dashboard

  1. Set the ALLOWED_HOSTS parameter with a comma-separated list of host/domain names that the application can serve. For example: 
    ALLOWED_HOSTS = ['horizon.example.com', 'localhost', '192.168.20.254', ]
    Copy to Clipboard Toggle word wrap
  2. Update the CACHES settings with the memcached values: 
    SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
	'default': {
		'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
		'LOCATION' : 'memcacheURL:port',
	}
}
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace memcacheURL with IP address of the host on which memcached was installed.
    • Replace port with the value from the PORT parameter in the /etc/sysconfig/memcached file.
  3. Specify the host URL for the Identity service endpoint. For example: 
    OPENSTACK_KEYSTONE_URL="127.0.0.1"
    Copy to Clipboard Toggle word wrap
  4. Update the dashboard's time zone: 
    TIME_ZONE="UTC"
    Copy to Clipboard Toggle word wrap
    The time zone can also be updated using the dashboard GUI.
  5. To ensure the configuration changes take effect, restart the Apache service: 
    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

Note

The HORIZON_CONFIG dictionary contains all the settings for the dashboard. Whether or not a service is in the dashboard depends on the Service Catalog configuration in the Identity service.

Note

It is recommended that you use the django-secure module to ensure that most of the recommended practices and modern browser protection mechanisms are enabled. For more information http://django-secure.readthedocs.org/en/latest/ (django-secure).

10.4.2. Configure the Dashboard to Use HTTPS
Copia collegamento

Although the default installation uses a non-encrypted channel (HTTP), it is possible to enable SSL support for the dashboard.

Procedure 10.3. Configuring the Dashboard to use HTTPS

  1. Open the /etc/openstack-dashboard/local_settings file in a text editor, and uncomment the following parameters: 
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
    Copy to Clipboard Toggle word wrap
    The latter two settings instruct the browser to only send dashboard cookies over HTTPS connections, ensuring that sessions will not work over HTTP.
  2. Open the /etc/httpd/conf/httpd.conf file in a text editor, and add the following line: 
    NameVirtualHost *:443
    Copy to Clipboard Toggle word wrap
  3. Open the /etc/httpd/conf.d/openstack-dashboard.conf file in a text editor.
    1. Delete the following lines: 
      WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi

WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
Alias /static /usr/share/openstack-dashboard/static/

<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    <IfModule mod_deflate.c>
      SetOutputFilter DEFLATE
      <IfModule mod_headers.c>
        # Make sure proxies don’t deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
      </IfModule>
    </IfModule>

  Order allow,deny
  Allow from all
</Directory>
<Directory /usr/share/openstack-dashboard/static>
  <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access 6 month"
  </IfModule>
  <IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
  </IfModule>

  Order allow,deny
  Allow from all
</Directory>

  RedirectMatch permanent ^/$ https://xxx.xxx.xxx.xxx:443/dashboard
      Copy to Clipboard Toggle word wrap
    2. Add the following lines: 
      WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:80>
  ServerName openstack.example.com
  RedirectPermanent / https://openstack.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    RedirectPermanent /dashboard https://openstack.example.com
    Alias /static /usr/share/openstack-dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

<Directory /usr/share/openstack-dashboard/static>
  <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access 6 month"
  </IfModule>
  <IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
  </IfModule>

Order allow,deny
Allow from all
</Directory>

RedirectMatch permanent ^/$ /dashboard/
      Copy to Clipboard Toggle word wrap
    In the new configuration, Apache listens on port 443 and redirects all non-secured requests to the HTTPS protocol. The <VirtualHost *:443> section defines the required options for this protocol, including private key, public key, and certificates.
  4. Restart the Apache service and the memcached service: 
    # systemctl restart httpd.service
# systemctl restart memcached.service
    Copy to Clipboard Toggle word wrap
When using the HTTP version of the dashboard (through the browser), the user is redirected to the HTTPS version of the page.

10.4.3. Change the Default Role for the Dashboard
Copia collegamento

By default, the dashboard service uses the Identity role, _member_, which is created automatically by the Identity service. This is adequate for regular users. If you choose to create a different role and set the dashboard to use this role, you must create this role in the Identity service prior to using the dashboard, then configure the dashboard to use it.
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 10.4. Changing the Default Role for the Dashboard

  1. Set up the shell to access keystone as the administrative user: 
    # source ~/keystonerc_admin
    Copy to Clipboard Toggle word wrap
  2. Create the new role: 
    [(keystone_admin)]# keystone role-create --name NEW_ROLE
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 8261ac4eabcc4da4b01610dbad6c038a |
| name     |              NEW_ROLE            |
+----------+----------------------------------+
    Copy to Clipboard Toggle word wrap
    Replace NEW_ROLE with a name for the role.
  3. Open the /etc/openstack-dashboard/local_settings file in a text editor, and change the value of the following parameter: 
    OPENSTACK_KEYSTONE_DEFAULT_ROLE = 'NEW_ROLE'
    Copy to Clipboard Toggle word wrap
    Replace NEW_ROLE with the name of the role you created in the previous step.
  4. Restart the Apache service for the change to take effect: 
    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

10.4.4. Configure SELinux
Copia collegamento

SELinux is a security feature of Red Hat Enterprise Linux that provides access control. SELinux status values are 'Enforcing', 'Permissive', and 'Disabled'. If SELinux is in 'Enforcing' mode, you must modify the SELinux policy to allow connections from the httpd service to the Identity server. This is also recommended if SELinux is configured in 'Permissive' mode.

Procedure 10.5. Configuring SELinux to Allow Connections from the Apache Service

  1. Check the status of SELinux on the system: 
    # getenforce
    Copy to Clipboard Toggle word wrap
  2. If the resulting value is 'Enforcing' or 'Permissive', allow connections between the httpd service and the Identity service: 
    # setsebool -P httpd_can_network_connect on
    Copy to Clipboard Toggle word wrap

10.4.5. Configure the Dashboard Firewall
Copia collegamento

To allow users to connect to the dashboard, you must configure the system firewall to allow connections. The httpd service and the dashboard support both HTTP and HTTPS connections. All steps in this procedure must be performed on the server hosting the httpd service, while logged in as the root user.

Note

To protect authentication credentials and other data, it is highly recommended that you enable only HTTPS connections.

Procedure 10.6. Configuring the Firewall to Allow Dashboard Traffic

  1. Open the /etc/sysconfig/iptables configuration file in a text editor:
    • To allow incoming connections using only HTTPS, add the following firewall rule: 
      -A INPUT -p tcp --dport 443 -j ACCEPT
      Copy to Clipboard Toggle word wrap
    • To allow incoming connections using both HTTP and HTTPS, add the following firewall rule: 
      -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
      Copy to Clipboard Toggle word wrap
  2. Restart the iptables service for the changes to take effect: 
    # systemctl restart iptables.service
    Copy to Clipboard Toggle word wrap

Important

These rules allow communication on ports 80 and 443 from all remote hosts to the server running the dashboard service. For information regarding the creation of more restrictive firewall rules, see the Red Hat Enterprise Linux Security Guide at the following link:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat