Bug 1015509 - [Doc] In section 11.4.2, configuration block for HTTPS deployment is not valid on RHEL
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Installation_and_Configuration_Guide
: 4.0
Assigned To: Scott Radvan
: Documentation
Blocks: 1011085
Reported: 2013-10-04 08:17 EDT by Javier Peña
Modified: 2015-04-06 23:21 EDT
Doc Type: Bug Fix
Build Name: 15807, Installation and Configuration Guide-3-1 Build Date: 25-09-2013 09:53:16 Topic ID: 16119-460418 [Latest]
Last Closed: 2014-01-05 19:03:31 EST
Type: Bug

Description Javier Peña 2013-10-04 08:17:11 EDT
Title: Configuring Secured Deployment (HTTPS)

Describe the issue:

Section 11.4.2 describes the HTTPS configuration for Dashboard. The "After" block has some issues:

- it sets www-data as user/group for the WSGI processes. This is valid in Debian/Ubuntu, but on RHEL it should be apache

- with the block as defined, there are some minor annoyances with redirections (failure after log-in when accessing /dashboard, failure on disconnection). I have a working configuration, but I think it could be improved.

Suggestions for improvement:

A proposed configuration for "After" is:

<VirtualHost *:80>
  ServerName openstack.example.com
  # Send all plain-HTTP requests to the HTTPS site
  RedirectPermanent / https://openstack.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    # On RHEL the WSGI processes run as apache (www-data is the Debian/Ubuntu account)
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    RedirectPermanent /dashboard https://openstack.example.com
    Alias /static /usr/share/openstack-dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

I think the second "RedirectPermanent" directive could be improved, but it works as-is.

Additional information:
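
An offline lint for the problems this report turns on (the WSGI daemon account, the HTTP-to-HTTPS redirect, and sections left open), as an added example that is not part of the bug report or the guide. The function name lint_vhosts, the sample configuration and the default account "apache" (RHEL, per the report) are assumptions made for illustration.

```python
import re

# Constructed sample (not from the guide): Debian-style WSGI account, a
# port-80 vhost without an HTTPS redirect, and a missing </VirtualHost>.
SAMPLE = """\
<VirtualHost *:80>
  ServerName openstack.example.com
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
</VirtualHost>
"""

def lint_vhosts(text, account="apache"):
    """Return sorted (line_number, message) findings for an httpd vhost file."""
    findings, stack, vhosts = [], [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"</(\w+)>", line):
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            else:
                findings.append((n, f"</{m.group(1)}> does not match an open section"))
        elif m := re.fullmatch(r"<(\w+)\s*([^>]*)>", line):
            stack.append((m.group(1).lower(), n))
            if stack[-1][0] == "virtualhost":
                vhosts[n] = {"addr": m.group(2).strip(), "https_redirect": False}
        else:
            words = line.split()
            owner = next((s for name, s in reversed(stack) if name == "virtualhost"), None)
            if words[0].lower().startswith("redirect") and owner is not None and words[-1].startswith("https://"):
                vhosts[owner]["https_redirect"] = True
            if words[0].lower() == "wsgidaemonprocess":
                for key, value in re.findall(r"\b(user|group)=(\S+)", line):
                    if value != account:
                        findings.append((n, f"WSGIDaemonProcess {key}={value}, expected {account}"))
    findings += [(n, f"<{name}> is never closed") for name, n in stack]
    findings += [(n, "port 80 vhost does not redirect to https")
                 for n, v in vhosts.items() if v["addr"].endswith(":80") and not v["https_redirect"]]
    return sorted(findings)

if __name__ == "__main__":
    for n, msg in lint_vhosts(SAMPLE):
        print(f"line {n}: {msg}")
```

This only covers the points raised in the report; httpd -t remains the syntax check for the deployed file.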
