Bug 1015509 - [Doc] In section 11.4.2, configuration block for HTTPS deployment is not valid on RHEL
Summary: [Doc] In section 11.4.2, configuration block for HTTPS deployment is not vali...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Installation_and_Configuration_Guide
Version: 3.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.0
Assignee: Scott Radvan
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks: 1011085
TreeView+ depends on / blocked
 
Reported: 2013-10-04 12:17 UTC by Javier Peña
Modified: 2015-04-07 03:21 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Build Name: 15807, Installation and Configuration Guide-3-1 Build Date: 25-09-2013 09:53:16 Topic ID: 16119-460418 [Latest]
Last Closed: 2014-01-06 00:03:31 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Javier Peña 2013-10-04 12:17:11 UTC
Title: Configuring Secured Deployment (HTTPS)

Describe the issue:

Section 11.4.2 describes the HTTPS configuration for Dashboard. The "After" block has some issues:

- it sets www-data as user/group for the WSGI processes. This is valid in Debian/Ubuntu, but on RHEL it should be apache

- with the block as defined, there are some minor annoyances with redirections (failure after log-in when accessing /dashboard, failure on disconnection). I have a working configuration, but I think it could be improved.

Suggestions for improvement:

A proposed configuration for "After" is:

<VirtualHost *:80>
  ServerName openstack.example.com
  RedirectPermanent / https://openstack.example.com/
</VirtualHost>
                      
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    RedirectPermanent /dashboard https://openstack.example.com
    Alias /static /usr/share/openstack-dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

I think the second "RedirectPermanent" directive could be improved, but it works as-is.

Additional information:


Note You need to log in before you can comment on or make changes to this bug.