I'm trying to get a grip on what the HTTPD configuration should be for Horizon in order for it to use HTTPS. This rally should be the default, but the devstack and puppet choice of putting the Horizon config inside a Virtualhoat *:80 section in the config file makes it tricky. If I remove the

<VirtualHost *:80>
and corresponding
</VirtualHost>

Then I can enable HTTPS in devstack by:

running with SSLrequireSSL and It inherits all of the VirstualHost *:443 configuration.

For Keystone, we do:

<VirtualHost *:5000>  (and 35357)

 SSLEngine On
    SSLCertificateFile /opt/stack/data/CA/int-ca/devstack-cert.crt
SSLCertificateKeyFile /opt/stack/data/CA/int-ca/private/devstack-cert.key
</VirtualHost>


I'd like to drop port 5000 all-together, as we are using a port assigned to a different service. 35357 is also problematic as it is in the middle of the Ephemeral range. Since we are talking about running everything in one web server anywya, using port 80/443 for all web stuff is the right approach.

Yeah, I might have mentioned this a time or two before.

So, assuming we want to be able to make both Horizon and Keystone run on port 443 by default, what is the right abstraction for the HTTPD configuration? I am assuming we still want separate values for the environment:

    WSGIDaemonProcess
    WSGIProcessGroup
    WSGIApplicationGroup
    WSGIPassAuthorization


In Devstack, we set

    SetEnv APACHE_RUN_USER ayoung
    SetEnv APACHE_RUN_GROUP ayoung

For the Horizon Servcie ,and making this match for all HTTPD service makes sense, but probably want to be able to allow for separation of he users on Production deployments. How should we scope these? Or does it really matter?

We want to make sure we have an extensible approach that will support other services running on 443.



Probably time to update https://wiki.openstack.org/wiki/URLs with the other services.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to