Bug 1015509

Summary: [Doc] In section 11.4.2, configuration block for HTTPS deployment is not valid on RHEL
Product: Red Hat OpenStack Reporter: Javier Peña <javier.pena>
Component: doc-Installation_and_Configuration_GuideAssignee: Scott Radvan <sradvan>
Status: CLOSED CURRENTRELEASE QA Contact: ecs-bugs
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.0CC: alyoung, hateya, rlandman, yeylon
Target Milestone: ---Keywords: Documentation
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Build Name: 15807, Installation and Configuration Guide-3-1 Build Date: 25-09-2013 09:53:16 Topic ID: 16119-460418 [Latest]
Last Closed: 2014-01-06 00:03:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1011085    

Description Javier Peña 2013-10-04 12:17:11 UTC 
Title: Configuring Secured Deployment (HTTPS)

Describe the issue:

Section 11.4.2 describes the HTTPS configuration for Dashboard. The "After" block has some issues:

- it sets www-data as user/group for the WSGI processes. This is valid in Debian/Ubuntu, but on RHEL it should be apache

- with the block as defined, there are some minor annoyances with redirections (failure after log-in when accessing /dashboard, failure on disconnection). I have a working configuration, but I think it could be improved.

Suggestions for improvement:

A proposed configuration for "After" is:

<VirtualHost *:80>
  ServerName openstack.example.com
  RedirectPermanent / https://openstack.example.com/
</VirtualHost>
                      
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    RedirectPermanent /dashboard https://openstack.example.com
    Alias /static /usr/share/openstack-dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

I think the second "RedirectPermanent" directive could be improved, but it works as-is.

Additional information: