Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

10.4. Configure the Dashboard

10.4.1. Configure Connections and Logging
复制链接

Before users connect to the dashboard for the first time, the following parameters must be configured in the /etc/openstack-dashboard/local_settings file (sample files are available in the Configuration Reference Guide at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform):

Procedure 10.2. Configuring Connections and Logging for the Dashboard

  1. Set the ALLOWED_HOSTS parameter with a comma-separated list of host/domain names that the application can serve. For example: 
    ALLOWED_HOSTS = ['horizon.example.com', 'localhost', '192.168.20.254', ]
    Copy to Clipboard Toggle word wrap
  2. Update the CACHES settings with the memcached values: 
    SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
	'default': {
		'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
		'LOCATION' : 'memcacheURL:port',
	}
}
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace memcacheURL with IP address of the host on which memcached was installed.
    • Replace port with the value from the PORT parameter in the /etc/sysconfig/memcached file.
  3. Specify the host URL for the Identity service endpoint. For example: 
    OPENSTACK_KEYSTONE_URL="127.0.0.1"
    Copy to Clipboard Toggle word wrap
  4. Update the dashboard's time zone: 
    TIME_ZONE="UTC"
    Copy to Clipboard Toggle word wrap
    The time zone can also be updated using the dashboard GUI.
  5. To ensure the configuration changes take effect, restart the Apache service: 
    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

Note

The HORIZON_CONFIG dictionary contains all the settings for the dashboard. Whether or not a service is in the dashboard depends on the Service Catalog configuration in the Identity service.

Note

It is recommended that you use the django-secure module to ensure that most of the recommended practices and modern browser protection mechanisms are enabled. For more information http://django-secure.readthedocs.org/en/latest/ (django-secure).

10.4.2. Configure the Dashboard to Use HTTPS
复制链接

Although the default installation uses a non-encrypted channel (HTTP), it is possible to enable SSL support for the dashboard.

Procedure 10.3. Configuring the Dashboard to use HTTPS

  1. Open the /etc/openstack-dashboard/local_settings file in a text editor, and uncomment the following parameters: 
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
    Copy to Clipboard Toggle word wrap
    The latter two settings instruct the browser to only send dashboard cookies over HTTPS connections, ensuring that sessions will not work over HTTP.
  2. Open the /etc/httpd/conf/httpd.conf file in a text editor, and add the following line: 
    NameVirtualHost *:443
    Copy to Clipboard Toggle word wrap
  3. Open the /etc/httpd/conf.d/openstack-dashboard.conf file in a text editor.
    1. Delete the following lines: 
      WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi

WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
Alias /static /usr/share/openstack-dashboard/static/

<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    <IfModule mod_deflate.c>
      SetOutputFilter DEFLATE
      <IfModule mod_headers.c>
        # Make sure proxies don’t deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
      </IfModule>
    </IfModule>

  Order allow,deny
  Allow from all
</Directory>
<Directory /usr/share/openstack-dashboard/static>
  <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access 6 month"
  </IfModule>
  <IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
  </IfModule>

  Order allow,deny
  Allow from all
</Directory>

  RedirectMatch permanent ^/$ https://xxx.xxx.xxx.xxx:443/dashboard
      Copy to Clipboard Toggle word wrap
    2. Add the following lines: 
      WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:80>
  ServerName openstack.example.com
  RedirectPermanent / https://openstack.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    RedirectPermanent /dashboard https://openstack.example.com
    Alias /static /usr/share/openstack-dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

<Directory /usr/share/openstack-dashboard/static>
  <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access 6 month"
  </IfModule>
  <IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
  </IfModule>

Order allow,deny
Allow from all
</Directory>

RedirectMatch permanent ^/$ /dashboard/
      Copy to Clipboard Toggle word wrap
    In the new configuration, Apache listens on port 443 and redirects all non-secured requests to the HTTPS protocol. The <VirtualHost *:443> section defines the required options for this protocol, including private key, public key, and certificates.
  4. Restart the Apache service and the memcached service: 
    # systemctl restart httpd.service
# systemctl restart memcached.service
    Copy to Clipboard Toggle word wrap
When using the HTTP version of the dashboard (through the browser), the user is redirected to the HTTPS version of the page.

10.4.3. Change the Default Role for the Dashboard
复制链接

By default, the dashboard service uses the Identity role, _member_, which is created automatically by the Identity service. This is adequate for regular users. If you choose to create a different role and set the dashboard to use this role, you must create this role in the Identity service prior to using the dashboard, then configure the dashboard to use it.
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 10.4. Changing the Default Role for the Dashboard

  1. Set up the shell to access keystone as the administrative user: 
    # source ~/keystonerc_admin
    Copy to Clipboard Toggle word wrap
  2. Create the new role: 
    [(keystone_admin)]# keystone role-create --name NEW_ROLE
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 8261ac4eabcc4da4b01610dbad6c038a |
| name     |              NEW_ROLE            |
+----------+----------------------------------+
    Copy to Clipboard Toggle word wrap
    Replace NEW_ROLE with a name for the role.
  3. Open the /etc/openstack-dashboard/local_settings file in a text editor, and change the value of the following parameter: 
    OPENSTACK_KEYSTONE_DEFAULT_ROLE = 'NEW_ROLE'
    Copy to Clipboard Toggle word wrap
    Replace NEW_ROLE with the name of the role you created in the previous step.
  4. Restart the Apache service for the change to take effect: 
    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

10.4.4. Configure SELinux
复制链接

SELinux is a security feature of Red Hat Enterprise Linux that provides access control. SELinux status values are 'Enforcing', 'Permissive', and 'Disabled'. If SELinux is in 'Enforcing' mode, you must modify the SELinux policy to allow connections from the httpd service to the Identity server. This is also recommended if SELinux is configured in 'Permissive' mode.

Procedure 10.5. Configuring SELinux to Allow Connections from the Apache Service

  1. Check the status of SELinux on the system: 
    # getenforce
    Copy to Clipboard Toggle word wrap
  2. If the resulting value is 'Enforcing' or 'Permissive', allow connections between the httpd service and the Identity service: 
    # setsebool -P httpd_can_network_connect on
    Copy to Clipboard Toggle word wrap

10.4.5. Configure the Dashboard Firewall
复制链接

To allow users to connect to the dashboard, you must configure the system firewall to allow connections. The httpd service and the dashboard support both HTTP and HTTPS connections. All steps in this procedure must be performed on the server hosting the httpd service, while logged in as the root user.

Note

To protect authentication credentials and other data, it is highly recommended that you enable only HTTPS connections.

Procedure 10.6. Configuring the Firewall to Allow Dashboard Traffic

  1. Open the /etc/sysconfig/iptables configuration file in a text editor:
    • To allow incoming connections using only HTTPS, add the following firewall rule: 
      -A INPUT -p tcp --dport 443 -j ACCEPT
      Copy to Clipboard Toggle word wrap
    • To allow incoming connections using both HTTP and HTTPS, add the following firewall rule: 
      -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
      Copy to Clipboard Toggle word wrap
  2. Restart the iptables service for the changes to take effect: 
    # systemctl restart iptables.service
    Copy to Clipboard Toggle word wrap

Important

These rules allow communication on ports 80 and 443 from all remote hosts to the server running the dashboard service. For information regarding the creation of more restrictive firewall rules, see the Red Hat Enterprise Linux Security Guide at the following link:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat