1015509 – [Doc] In section 11.4.2, configuration block for HTTPS deployment is not valid on RHEL

Bug 1015509 - [Doc] In section 11.4.2, configuration block for HTTPS deployment is not valid on RHEL

Summary: [Doc] In section 11.4.2, configuration block for HTTPS deployment is not vali...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	doc-Installation_and_Configuration_Guide
Sub Component:
Version:	3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	4.0
Assignee:	Scott Radvan
QA Contact:	ecs-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1011085
TreeView+	depends on / blocked

Reported:	2013-10-04 12:17 UTC by Javier Peña
Modified:	2015-04-07 03:21 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:	Build Name: 15807, Installation and Configuration Guide-3-1 Build Date: 25-09-2013 09:53:16 Topic ID: 16119-460418 [Latest]
Last Closed:	2014-01-06 00:03:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Javier Peña 2013-10-04 12:17:11 UTC

Title: Configuring Secured Deployment (HTTPS)

Describe the issue:

Section 11.4.2 describes the HTTPS configuration for Dashboard. The "After" block has some issues:

- it sets www-data as user/group for the WSGI processes. This is valid in Debian/Ubuntu, but on RHEL it should be apache

- with the block as defined, there are some minor annoyances with redirections (failure after log-in when accessing /dashboard, failure on disconnection). I have a working configuration, but I think it could be improved.

Suggestions for improvement:

A proposed configuration for "After" is:

<VirtualHost *:80>
  ServerName openstack.example.com
  RedirectPermanent / https://openstack.example.com/
</VirtualHost>
                      
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    RedirectPermanent /dashboard https://openstack.example.com
    Alias /static /usr/share/openstack-dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

I think the second "RedirectPermanent" directive could be improved, but it works as-is.

Additional information:

Note You need to log in before you can comment on or make changes to this bug.