
OpenStack: enabling SSL for the Keystone, Dashboard and Swift components

Time: 2021-02-11 08:57:39


Enabling SSL for OpenStack Keystone, Dashboard and Swift (Mitaka release, Ubuntu)

Contents:

1. Enable SSL for Keystone: update the endpoint, update the admin-openrc environment file
2. Enable SSL for the Swift object store: update the endpoint
3. Enable SSL for the Dashboard

*Note: replace the certificate file names (私钥文件.key, SSL证书.crt) and the domain name (域名) in the configuration files with your own.

1. Enable SSL for Keystone

Create the directories for the SSL certificates and copy the certificate files into them

mkdir -p /etc/keystone/ssl

mkdir -p /etc/keystone/ssl/private

mkdir -p /etc/keystone/ssl/certs

Edit the file /etc/apache2/sites-available/wsgi-keystone.conf

vim /etc/apache2/sites-available/wsgi-keystone.conf

Add the following directives

SSLEngine on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4
SSLCertificateKeyFile /etc/keystone/ssl/private/私钥文件.key
SSLCertificateFile /etc/keystone/ssl/certs/SSL证书.crt
SSLCACertificateFile /etc/keystone/ssl/certs/CABundle.crt

The complete configuration file is as follows (note that only the public vhost on port 5000 gets SSLEngine on; the admin vhost on 35357 is left unchanged)

Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    SSLEngine on
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4
    SSLCertificateKeyFile /etc/keystone/ssl/private/私钥文件.key
    SSLCertificateFile /etc/keystone/ssl/certs/SSL证书.crt
    SSLCACertificateFile /etc/keystone/ssl/certs/CABundle.crt
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Enable the Apache SSL module

sudo a2enmod ssl

Restart the Apache service

service apache2 restart

Update the endpoint

Log in to MySQL and enter the password

mysql -u keystone -p

Switch to the keystone database and list the endpoints

use keystone;

select * from endpoint;

The following is returned:

+----------------------------------+--------------------+-----------+----------------------------------+----------------------------------------------+-------+---------+-----------+
| id                               | legacy_endpoint_id | interface | service_id                       | url                                          | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+----------------------------------------------+-------+---------+-----------+
| 2b0b93da9f1f4571b646754b78032b52 | NULL               | admin     | 4f6397c99bea44da8fb1da58132f139f | http://controller:35357/v3                   | {}    |       1 | RegionOne |
| 2d490fc0c65849b094c1b0087371b233 | NULL               | internal  | 4f6397c99bea44da8fb1da58132f139f | http://controller:5000/v3                    | {}    |       1 | RegionOne |
| 4c7dc876a1774b61b5b5b48ce85453ed | NULL               | admin     | fc78981cad8d4fe28aba6372bb6e5009 | http://controller:8301/v1                    | {}    |       1 | RegionOne |
| 783dc4289cc94f8c8a09820ba78c0763 | NULL               | public    | fc78981cad8d4fe28aba6372bb6e5009 | http://controller:8301/v1/AUTH_%(tenant_id)s | {}    |       1 | RegionOne |
| d747b4d3db4e4992a8b4825a0577c377 | NULL               | public    | 4f6397c99bea44da8fb1da58132f139f | http://controller:5000/v3                    | {}    |       1 | RegionOne |
| e5306b43eae3404bbfc09cba46a69075 | NULL               | internal  | fc78981cad8d4fe28aba6372bb6e5009 | http://controller:8301/v1/AUTH_%(tenant_id)s | {}    |       1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+----------------------------------------------+-------+---------+-----------+

Update the public API address of the Keystone identity service

update endpoint set url='https://域名:5000/v3' where id='d747b4d3db4e4992a8b4825a0577c377';

Check that the update succeeded

select * from endpoint;

Exit MySQL

Update the admin-openrc environment file

vim admin-openrc

Change the authentication URL to port 5000 over https and point OS_CACERT at the CA bundle

export OS_AUTH_URL=https://域名:5000/v3
export OS_CACERT=/etc/keystone/ssl/certs/CABundle.crt

The complete file is as follows

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=https://域名:5000/v3
export OS_CACERT=/etc/keystone/ssl/certs/CABundle.crt
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Test the configuration

Run the following commands

. admin-openrc

openstack token issue

If a token is issued, the configuration works, for example

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | -06-03T11:32:51+0000                                                                                                                                                                    |
| id         | gAAAAABc9PdTCwYA82n4GzJG5eFPKCexojyflhZyGIE4kW2HZ5EJ3Z0wy3WuPNw7tbUTe9w_awchRU4FvmEyds9hRVkVTRROH59UZuRFqvX-zuoBmAJU3pzEx-5f8ZMaRP4cWpUmHZ24llLDIFXE0FfnOGhOnuyrLltYWrHuCuklEr5O71V5doQ |
| project_id | ed85d7cedc524172bc1c8527aff0da24                                                                                                                                                        |
| user_id    | 5c5fa2fcd0284e9e8f50f872ab8b0a2c                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

2. Enable SSL for the Swift object store

Because the official documentation states that the SSL settings in proxy-server.conf are intended for testing only, we use a different approach: an Apache reverse proxy in front of the proxy-server (any other reverse proxy such as Nginx would work as well). Official documentation: /security-guide/secure-communication/tls-proxies-and-http-services.html

First create a new file swift_proxy.conf under /etc/apache2/sites-available and edit it

touch /etc/apache2/sites-available/swift_proxy.conf

vim /etc/apache2/sites-available/swift_proxy.conf

Listen 9000
<VirtualHost *:9000>
    ServerName
    SSLEngine on
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4
    SSLCertificateKeyFile /etc/keystone/ssl/private/私钥文件.key
    SSLCertificateFile /etc/keystone/ssl/certs/SSL证书文件.crt
    SSLCACertificateFile /etc/keystone/ssl/certs/CABundle.crt
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/proxy.log
    CustomLog /var/log/apache2/proxy.log combined
    ProxyRequests Off
    ProxyPreserveHost On
    # Replace the address below with this host's IP address and the proxy-server port
    # (Apache does not accept a trailing comment on a directive line, so it goes here)
    ProxyPass / http://100.0.25.21:8301/
    ProxyPassReverse / http://100.0.25.21:8301/
</VirtualHost>

Enable the proxy modules

sudo a2enmod proxy

sudo a2enmod proxy_ajp

sudo a2enmod proxy_balancer

sudo a2enmod proxy_connect

sudo a2enmod proxy_http

Enable the site

sudo a2ensite swift_proxy.conf

Reload and restart the Apache service

service apache2 reload

service apache2 restart

Update the endpoint

Log in to MySQL and enter the password

mysql -u keystone -p

Switch to the keystone database and list the endpoints

use keystone;

select * from endpoint;

The following is returned (the Keystone public endpoint already shows the https URL from step 1):

+----------------------------------+--------------------+-----------+----------------------------------+----------------------------------------------+-------+---------+-----------+
| id                               | legacy_endpoint_id | interface | service_id                       | url                                          | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+----------------------------------------------+-------+---------+-----------+
| 2b0b93da9f1f4571b646754b78032b52 | NULL               | admin     | 4f6397c99bea44da8fb1da58132f139f | http://controller:35357/v3                   | {}    |       1 | RegionOne |
| 2d490fc0c65849b094c1b0087371b233 | NULL               | internal  | 4f6397c99bea44da8fb1da58132f139f | http://controller:5000/v3                    | {}    |       1 | RegionOne |
| 4c7dc876a1774b61b5b5b48ce85453ed | NULL               | admin     | fc78981cad8d4fe28aba6372bb6e5009 | http://controller:8301/v1                    | {}    |       1 | RegionOne |
| 783dc4289cc94f8c8a09820ba78c0763 | NULL               | public    | fc78981cad8d4fe28aba6372bb6e5009 | http://controller:8301/v1/AUTH_%(tenant_id)s | {}    |       1 | RegionOne |
| d747b4d3db4e4992a8b4825a0577c377 | NULL               | public    | 4f6397c99bea44da8fb1da58132f139f | https://域名:5000/v3                         | {}    |       1 | RegionOne |
| e5306b43eae3404bbfc09cba46a69075 | NULL               | internal  | fc78981cad8d4fe28aba6372bb6e5009 | http://controller:8301/v1/AUTH_%(tenant_id)s | {}    |       1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+----------------------------------------------+-------+---------+-----------+

Update the public API address of the Swift storage service

update endpoint set url='https://域名:9000/v1/AUTH_%(tenant_id)s' where id='783dc4289cc94f8c8a09820ba78c0763';

Check that the update succeeded

select * from endpoint;

Exit MySQL

Once the configuration above is complete, change the StorageUrl you used before to port 9000 over https and Swift is reachable over HTTPS.
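The two endpoint rewrites above (Keystone in step 1, Swift here) are the same procedure applied to different rows. The following Python script, added here as an example and not part of the original post, parses a `select * from endpoint;` dump (a constructed sample reduced to the id, interface and url columns), lists the endpoints still served over plain http://, and generates the UPDATE statements for those whose origin has a TLS replacement in a mapping you supply; checking all three interfaces also shows that the admin and internal endpoints remain on http in this setup.

```python
from typing import Dict, List, Tuple

# Constructed sample: the `select * from endpoint;` output from the post,
# reduced to the three columns this check needs.
SAMPLE_ENDPOINT_DUMP = """\
+----------------------------------+-----------+----------------------------------------------+
| id                               | interface | url                                          |
+----------------------------------+-----------+----------------------------------------------+
| 2b0b93da9f1f4571b646754b78032b52 | admin     | http://controller:35357/v3                   |
| 2d490fc0c65849b094c1b0087371b233 | internal  | http://controller:5000/v3                    |
| 4c7dc876a1774b61b5b5b48ce85453ed | admin     | http://controller:8301/v1                    |
| 783dc4289cc94f8c8a09820ba78c0763 | public    | http://controller:8301/v1/AUTH_%(tenant_id)s |
| d747b4d3db4e4992a8b4825a0577c377 | public    | http://controller:5000/v3                    |
| e5306b43eae3404bbfc09cba46a69075 | internal  | http://controller:8301/v1/AUTH_%(tenant_id)s |
+----------------------------------+-----------+----------------------------------------------+
"""

# Origins rewritten in the post: Keystone stays on 5000, Swift moves from the
# proxy-server port 8301 to the Apache vhost on 9000. 域名 is the post's placeholder.
TLS_ORIGINS = {
    "http://controller:5000": "https://域名:5000",
    "http://controller:8301": "https://域名:9000",
}

def parse_endpoint_dump(dump: str) -> List[Dict[str, str]]:
    """Turn a mysql-cli table into one dict per row, keyed by the header cells."""
    rows, header = [], None
    for line in dump.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def plaintext_endpoints(rows, interfaces=("public",)) -> List[Tuple[str, str, str]]:
    """(id, interface, url) of endpoints of the given interfaces still served over http://."""
    return [(r["id"], r["interface"], r["url"])
            for r in rows if r["interface"] in interfaces and r["url"].startswith("http://")]

def update_statements(rows, origins=TLS_ORIGINS, interfaces=("public",)) -> List[str]:
    """UPDATE statements that move each plaintext endpoint to its TLS origin, path kept."""
    stmts = []
    for eid, _iface, url in plaintext_endpoints(rows, interfaces):
        for old, new in origins.items():
            if url.startswith(old + "/"):
                stmts.append(f"update endpoint set url='{new}{url[len(old):]}' where id='{eid}';")
    return stmts
```

The same change can also be made with `openstack endpoint set --url <new-url> <endpoint-id>` instead of editing the keystone database directly.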

3. Enable SSL for the Dashboard

Enable the SSL site

sudo a2ensite default-ssl

Edit the file /etc/apache2/sites-available/default-ssl.conf

vim /etc/apache2/sites-available/default-ssl.conf

Add the following directives

SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
SSLCertificateKeyFile /etc/keystone/ssl/private/私钥文件.key
SSLCertificateFile /etc/keystone/ssl/certs/SSL证书.crt
SSLCACertificateFile /etc/keystone/ssl/certs/CABundle.crt

The complete configuration file is as follows

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        # SSL Engine Switch:
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
        SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
        SSLCertificateKeyFile /etc/keystone/ssl/private/私钥文件.key
        SSLCertificateFile /etc/keystone/ssl/certs/SSL证书.crt
        SSLCACertificateFile /etc/keystone/ssl/certs/CABundle.crt

        # Server Certificate Chain:
        # Point SSLCertificateChainFile at a file containing the
        # concatenation of PEM encoded CA certificates which form the
        # certificate chain for the server certificate. Alternatively
        # the referenced file can be the same as SSLCertificateFile
        # when the CA certificates are directly appended to the server
        # certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        # Certificate Authority (CA):
        # Set the CA certificate verification path where to find CA
        # certificates for client authentication or alternatively one
        # huge file containing all of them (file must be PEM encoded)
        # Note: Inside SSLCACertificatePath you need hash symlinks
        # to point to the certificate files. Use the provided
        # Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        # Certificate Revocation Lists (CRL):
        # Set the CA revocation path where to find CA CRLs for client
        # authentication or alternatively one huge file containing all
        # of them (file must be PEM encoded)
        # Note: Inside SSLCARevocationPath you need hash symlinks
        # to point to the certificate files. Use the provided
        # Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        # Client Authentication (Type):
        # Client certificate verification type and depth. Types are
        # none, optional, require and optional_no_ca. Depth is a
        # number which specifies how deeply to verify the certificate
        # issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth 10

        # SSL Engine Options:
        # Set various options for the SSL engine.
        # o FakeBasicAuth:
        #   Translate the client X.509 into a Basic Authorisation. This means that
        #   the standard Auth/DBMAuth methods can be used for access control. The
        #   user name is the `one line' version of the client's X.509 certificate.
        #   Note that no password is obtained from the user. Every entry in the user
        #   file needs this password: `xxj31ZMTZzkVA'.
        # o ExportCertData:
        #   This exports two additional environment variables: SSL_CLIENT_CERT and
        #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #   server (always existing) and the client (only existing when client
        #   authentication is used). This can be used to import the certificates
        #   into CGI scripts.
        # o StdEnvVars:
        #   This exports the standard SSL/TLS related `SSL_*' environment variables.
        #   Per default this exportation is switched off for performance reasons,
        #   because the extraction step is an expensive operation and is usually
        #   useless for serving static content. So one usually enables the
        #   exportation for CGI and SSI requests only.
        # o OptRenegotiate:
        #   This enables optimized SSL connection renegotiation handling when SSL
        #   directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        # SSL Protocol Adjustments:
        # The safe and default but still SSL/TLS standard compliant shutdown
        # approach is that mod_ssl sends the close notify alert but doesn't wait for
        # the close notify alert from client. When you need a different shutdown
        # approach you can use one of the following variables:
        # o ssl-unclean-shutdown:
        #   This forces an unclean shutdown when the connection is closed, i.e. no
        #   SSL close notify alert is send or allowed to received. This violates
        #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #   this when you receive I/O errors because of the standard approach where
        #   mod_ssl sends the close notify alert.
        # o ssl-accurate-shutdown:
        #   This forces an accurate shutdown when the connection is closed, i.e. a
        #   SSL close notify alert is send and mod_ssl waits for the close notify
        #   alert of the client. This is 100% SSL/TLS standard compliant, but in
        #   practice often causes hanging connections with brain-dead browsers. Use
        #   this only for browsers where you know that their SSL implementation
        #   works correctly.
        # Notice: Most problems of broken clients are also related to the HTTP
        # keep-alive facility, so you usually additionally want to disable
        # keep-alive for those clients, too. Use variable "nokeepalive" for this.
        # Similarly, one has to force some clients to use HTTP/1.0 to workaround
        # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        # "force-response-1.0" for this.
        # BrowserMatch "MSIE [2-6]" \
        #       nokeepalive ssl-unclean-shutdown \
        #       downgrade-1.0 force-response-1.0
    </VirtualHost>
</IfModule>
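The SSLProtocol and SSLCipherSuite values used in this post (the Keystone and Swift vhosts as well as the one above) date from the Mitaka era: TLSv1 and TLSv1.1 are now prohibited by RFC 8996 and the 3DES suites are considered weak. The following Python lint, added here as an example and not part of the original post, parses a vhost's mod_ssl directives (a constructed sample built from the post's own lines, with SSLCertificateFile left out on purpose) and reports deprecated protocol versions, weak positive cipher tokens, and a missing certificate or key while SSLEngine is on; the handling of `all` in SSLProtocol is an assumption noted in the code.

```python
# Protocol versions prohibited by RFC 8996 (plus SSLv2/SSLv3) and name fragments
# that mark a weak or broken algorithm when they appear in a positive cipher token.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP")

# Constructed sample: the protocol and cipher directives used in this post,
# with SSLCertificateFile deliberately left out to exercise the missing-file check.
SAMPLE_VHOST = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4
    SSLCertificateKeyFile /etc/keystone/ssl/private/私钥文件.key
</VirtualHost>
"""

def parse_directives(conf):
    """[(name, args)] of active directives; blank lines, comments and <tags> are skipped."""
    lines = [l.strip() for l in conf.splitlines()]
    return [tuple(map(str.strip, s.partition(" ")[::2])) for s in lines if s and s[0] not in "#<"]

def enabled_protocols(args):
    """Expand an SSLProtocol list; 'all' is taken as TLSv1..TLSv1.3 (assumption: depends on build)."""
    tokens = args.split()
    removed = {t[1:] for t in tokens if t.startswith("-")}
    enabled = set()
    for t in tokens:
        if t.lstrip("+") == "all":
            enabled |= {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
        elif not t.startswith("-"):
            enabled.add(t.lstrip("+"))
    return enabled - removed

def lint_tls(conf):
    """Findings for one vhost: deprecated protocols, weak cipher tokens, missing cert/key."""
    findings, values = [], dict(parse_directives(conf))
    for name, args in parse_directives(conf):
        if name == "SSLProtocol":
            bad = enabled_protocols(args) & DEPRECATED_PROTOCOLS
            if bad:
                findings.append("SSLProtocol enables deprecated " + ", ".join(sorted(bad)))
        elif name == "SSLCipherSuite":
            for tok in args.split(":"):  # only positive tokens (no ! or -) offer ciphers
                if tok and tok[0] not in "!-" and any(m in tok.upper() for m in WEAK_CIPHER_MARKERS):
                    findings.append("SSLCipherSuite offers weak cipher token " + tok)
    if values.get("SSLEngine", "").lower() == "on":
        for required in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if required not in values:
                findings.append(required + " missing although SSLEngine is on")
    return findings
```

Run `lint_tls` over each of the three vhost files from this post before restarting Apache; an empty list means none of these three checks fired.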

Next, force a redirect from port 80 to port 443

Edit the file /etc/apache2/sites-available/000-default.conf

vim /etc/apache2/sites-available/000-default.conf

Add the following directives

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]

The complete configuration file is as follows

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

Apply the configuration

Enable the rewrite module

sudo a2enmod rewrite

Edit the Dashboard configuration file /etc/openstack-dashboard/local_settings.py

vim /etc/openstack-dashboard/local_settings.py

Add the following settings after DEBUG = False (the two *_SECURE settings keep the CSRF and session cookies off plain HTTP, and HTTPONLY keeps the session cookie away from page scripts)

USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
TEMPLATE_DEBUG = DEBUG

Reload and restart Apache

service apache2 reload

service apache2 restart

*Note: replace the certificate file names (私钥文件.key, SSL证书.crt) and the domain name (域名) in the configuration files with your own.
