Allow ssl ciphers to be optionally configured for horizon
Add the SSLCipherSuite to the dash-site template. Change-Id: I7b87761dd1ab0618e6ae6de428ec0b736e4aa483 Closes-Bug: #1447668
parent
9a68087e76
commit
7ccbfe76a6
|
@ -52,6 +52,9 @@ default['openstack']['dashboard']['ssl']['cert'] = 'horizon.pem'
|
||||||
default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
|
default['openstack']['dashboard']['ssl']['key'] = 'horizon.key'
|
||||||
# Which versions of the SSL/TLS protocol will be accepted in new connections.
|
# Which versions of the SSL/TLS protocol will be accepted in new connections.
|
||||||
default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
||||||
|
# Which ciphers to use with the SSL/TLS protocol.
|
||||||
|
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
|
||||||
|
default['openstack']['dashboard']['ssl']['ciphers'] = nil
|
||||||
|
|
||||||
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
||||||
# allows everything
|
# allows everything
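Review bot: The example cipher string in the added comment is missing a colon between `!PSK` and `!RC4`, so an operator who copies it verbatim passes OpenSSL a malformed token; the tail should read `...:!CAMELLIA:!PSK:!RC4:!RC4-MD5:!RC4-SHA`. The sample also puts plain-RSA key exchange first, still admits `MEDIUM`-strength suites and excludes `kEDH`, which likely steers copy-paste users away from forward-secret suites, so a more conservative sample would be safer to document. Because the default is `nil`, a comment such as `# nil omits SSLCipherSuite, leaving the choice to the mod_ssl/OpenSSL built-in default` would tell operators what they get when they set nothing.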
|
||||||
|
|
|
@ -218,17 +218,23 @@ describe 'openstack-dashboard::apache2-server' do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'shows ssl certificate related directives overrides' do
|
it 'has no ssl ciphers configured by default' do
|
||||||
|
expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite.*$/)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'shows ssl related directives overrides' do
|
||||||
node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
|
node.set['openstack']['dashboard']['ssl']['dir'] = 'ssl_dir_value'
|
||||||
node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
|
node.set['openstack']['dashboard']['ssl']['cert'] = 'ssl_cert_value'
|
||||||
node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
|
node.set['openstack']['dashboard']['ssl']['key'] = 'ssl_key_value'
|
||||||
node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
|
node.set['openstack']['dashboard']['ssl']['protocol'] = 'ssl_protocol_value'
|
||||||
|
node.set['openstack']['dashboard']['ssl']['ciphers'] = 'ssl_ciphers_value'
|
||||||
|
|
||||||
[/^\s*SSLEngine on$/,
|
[/^\s*SSLEngine on$/,
|
||||||
%r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
|
%r(^\s*SSLCertificateFile ssl_dir_value/certs/ssl_cert_value$),
|
||||||
%r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
|
%r(^\s*SSLCertificateKeyFile ssl_dir_value/private/ssl_key_value$),
|
||||||
/^\s*SSLProtocol ssl_protocol_value$/].each do |ssl_certificate_directive|
|
/^\s*SSLProtocol ssl_protocol_value$/,
|
||||||
expect(chef_run).to render_file(file.name).with_content(ssl_certificate_directive)
|
/^\s*SSLCipherSuite ssl_ciphers_value$/].each do |ssl_directive|
|
||||||
|
expect(chef_run).to render_file(file.name).with_content(ssl_directive)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
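Review bot: Neither added example pins the nesting of `SSLCipherSuite` inside the `use_ssl` block: the override example sets `ciphers` while also expecting `SSLEngine on`, so a later template edit that moved the directive outside the guard would still pass here. An example that disables SSL, sets a cipher string and expects the directive to be absent would cover it. Examples outside this hunk may already do this for the other SSL directives, in which case the new one belongs next to them. The enclosing `describe`/`context` blocks start outside the hunk.

```ruby
it 'omits SSLCipherSuite when ssl is disabled' do
  node.set['openstack']['dashboard']['use_ssl'] = false
  node.set['openstack']['dashboard']['ssl']['ciphers'] = 'ssl_ciphers_value'
  expect(chef_run).not_to render_file(file.name).with_content(/^\s*SSLCipherSuite.*$/)
end
```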
|
||||||
|
|
|
@ -63,12 +63,15 @@ NameVirtualHost <%= @https_bind_address %>:<%= @https_bind_port %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<% if node["openstack"]["dashboard"]["use_ssl"] %>
|
<% if node["openstack"]["dashboard"]["use_ssl"] -%>
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLCertificateFile <%= @ssl_cert_file %>
|
SSLCertificateFile <%= @ssl_cert_file %>
|
||||||
SSLCertificateKeyFile <%= @ssl_key_file %>
|
SSLCertificateKeyFile <%= @ssl_key_file %>
|
||||||
SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
|
SSLProtocol <%= node["openstack"]["dashboard"]["ssl"]["protocol"] %>
|
||||||
<% end %>
|
<% if node["openstack"]["dashboard"]["ssl"]["ciphers"] -%>
|
||||||
|
SSLCipherSuite <%= node["openstack"]["dashboard"]["ssl"]["ciphers"] %>
|
||||||
|
<% end -%>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# Allow custom files to overlay the site (such as logo.png)
|
# Allow custom files to overlay the site (such as logo.png)
|
||||||
RewriteEngine On
|
RewriteEngine On
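Review bot: The new guard `<% if node["openstack"]["dashboard"]["ssl"]["ciphers"] -%>` tests Ruby truthiness, so an empty-string override still passes and renders a bare `SSLCipherSuite` line with no argument, which Apache would most likely reject when it loads the site. Testing for a non-blank value avoids that: `<% unless node["openstack"]["dashboard"]["ssl"]["ciphers"].to_s.strip.empty? -%>`. The section also sets no `SSLHonorCipherOrder`, so among the allowed suites the client's preference presumably decides; consider adding `SSLHonorCipherOrder on` next to the new directive. The enclosing virtual-host block starts and ends outside this hunk.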
|
||||||
|
|