Allow ssl ciphers to be optionally configured for horizon
Add the SSLCipherSuite to the dash-site template. Change-Id: I7b87761dd1ab0618e6ae6de428ec0b736e4aa483 Closes-Bug: #1447668
parent
9a68087e76
commit
7ccbfe76a6
|
@ -52,6 +52,9 @@ default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
|
|||
default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
|
||||
# Which versions of the SSL/TLS protocol will be accepted in new connections.
|
||||
default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
||||
# Which ciphers to use with the SSL/TLS protocol.
|
||||
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
|
||||
default['openstack']['dashboard']['ssl']['ciphers'] = nil
|
||||
|
||||
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
||||
# allows everything
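Review bot: The example cipher string in the new comment is missing a `:` between `!PSK` and `!RC4`, so an operator who copies it gets one malformed token instead of two exclusions; it should read `...:!PSK:!RC4:...`. The example also admits `MEDIUM` suites, so it is worth labelling as illustrative rather than recommended. Because the default is `nil`, a comment such as `# When nil, no SSLCipherSuite directive is rendered and the Apache/mod_ssl default applies.` would tell operators what they get if they leave it unset.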
|
||||
|
|
|
@ -218,17 +218,23 @@ describe 'openstack-dashboard::apache2-server' do
|
|||
end
|
||||
end
|
||||
|
||||
it 'shows ssl certificate related directives overrides' do
|
||||
it 'has no ssl ciphers configured by default' do
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite.*$/)
|
||||
end
|
||||
|
||||
it 'shows ssl related directives overrides' do
|
||||
node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
|
||||
node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
|
||||
node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
|
||||
node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
|
||||
node.set['openstack']['dashboard']['ssl']['ciphers'] = 'ssl_ciphers_value'
|
||||
|
||||
[/^\s*SSLEngine on$/,
|
||||
%r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
|
||||
%r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
|
||||
/^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
|
||||
expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
|
||||
/^\s*SSLProtocol ssl_protocol_value$/,
|
||||
/^\s*SSLCipherSuite ssl_ciphers_value$/].each do |ssl_directive|
|
||||
expect(chef_run).to render_file(file.name).with_content(ssl_directive)
|
||||
end
|
||||
end
|
||||
end
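Review bot: Neither new example covers `ciphers` being set while `use_ssl` is false. The template nests the `SSLCipherSuite` block inside the `use_ssl` conditional, so an example that sets `node.set['openstack']['dashboard']['use_ssl'] = false` and asserts `not_to render_file(file.name).with_content(/^\s*SSLCipherSuite/)` would pin that behaviour. The `.*$` tail in the default-case regex is redundant, since `/^\s*SSLCipherSuite/` matches the same lines. The enclosing `describe`/`context` blocks start outside this hunk.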
|
||||
|
|
|
@ -63,12 +63,15 @@ NameVirtualHost <%= @https_bind_address %>:<%= @https_bind_port %>
|
|||
<% end -%>
|
||||
</Directory>
|
||||
|
||||
<% if node["openstack"]["dashboard"]["use_ssl"] %>
|
||||
<% if node["openstack"]["dashboard"]["use_ssl"] -%>
|
||||
SSLEngine on
|
||||
SSLCertificateFile <%= @ssl_cert_file %>
|
||||
SSLCertificateKeyFile <%= @ssl_key_file %>
|
||||
SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
|
||||
<% end %>
|
||||
<% if node["openstack"]["dashboard"]["ssl"]["ciphers"] -%>
|
||||
SSLCipherSuite <%= node["openstack"]["dashboard"]["ssl"]["ciphers"] %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
# Allow custom files to overlay the site (such as logo.png)
|
||||
RewriteEngine On
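Review bot: `SSLCipherSuite` is emitted without `SSLHonorCipherOrder`, so unless that directive is set elsewhere in the vhost (not visible in this hunk), the client's preference rather than the configured order picks among the allowed suites. Consider adding `SSLHonorCipherOrder On` inside the new `ciphers` conditional. The attribute value is also written into the Apache config verbatim, so an embedded newline would become an extra directive. A short comment stating that the value must be a single-line OpenSSL cipher string would help.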
|
||||
|
|