kienita · August 6, 2025 22:04 · May 18, 2022 · May 18, 2022 · May 18, 2022 · May 18, 2022
diff --git a/README.md b/README.md
@@ -114,7 +114,7 @@ location / {
 }
 ```
 
-## NoVNC noTLS Nginx Reverse Proxy
+## NoVNC TLS Nginx Reverse Proxy
 ```
 server {
   listen 6080;
@@ -143,3 +143,30 @@ server {
 ```
 
 - [Reference](https://serverfault.com/questions/787075/openstack-horizon-behind-reverse-proxy-nginx-preferred)
+
+## NoVNC TLS on Nginx Reverse Proxy
+```
+server {
+    listen 6080;
+    ssl on;
+
+    server_name console.bignetlab.com;
+    ssl_certificate /etc/ssl/certs/console.bignetlab.com/key.crt;
+    ssl_certificate_key /etc/ssl/certs/console.bignetlab.com/priv.key;
+
+    location / {  
+    proxy_pass http://10.8.0.5:6080;  
+    proxy_request_buffering off;  
+    proxy_http_version 1.1;  
+    proxy_set_header Upgrade $http_upgrade;  
+    proxy_set_header Connection "upgrade";  
+    proxy_set_header Host $host;  
+    proxy_set_header Origin http://$host;  
+    proxy_set_header X-Real-IP $remote_addr;  
+    proxy_set_header X-Forwarded-Host $host;  
+    proxy_set_header X-Forwarded-Server $host;  
+    proxy_set_header X-Forwarded-Proto $scheme;  
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
+    }  
+}
+```
diff --git a/README.md b/README.md
@@ -122,8 +122,8 @@ server {
   listen [::]:443 ssl http2;   
 
   server_name console.gbesar.com;
-  ssl_certificate /etc/ssl/certs/console.gbesar.com/key.crt;
-  ssl_certificate_key /etc/ssl/certs/console.gbesar.com/priv.key;
+  ssl_certificate /etc/ssl/certs/ssl/horizon-cert.pem;
+  ssl_certificate_key /etc/ssl/certs/ssl/horizon-key.pem;
 
   location / {  
   proxy_pass https://192.168.2.50:6080;  

diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ service apache2 restart
 ## Access
 Access on https://stack.bignetlab.com
 
-## Nginx Conf for Horizon TLS behing Nginx Proxy
+## Nginx Conf for Horizon TLS behind Nginx Proxy
 - For example horizon is on VIP with IP `192.168.2.50`
 - You can forward to https://localhost
 - Make sure you have comment on `/etc/kolla/horizon/local_settings`:

diff --git a/README.md b/README.md
@@ -140,4 +140,6 @@ server {
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
   }  
 }
-```
+```
+
+- [Reference](https://serverfault.com/questions/787075/openstack-horizon-behind-reverse-proxy-nginx-preferred)
diff --git a/README.md b/README.md
@@ -112,4 +112,32 @@ location / {
     proxy_set_header         X-Forwarded-For    $proxy_add_x_forwarded_for;  
     }
 }
+```
+
+## NoVNC noTLS Nginx Reverse Proxy
+```
+server {
+  listen 6080;
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;   
+
+  server_name console.gbesar.com;
+  ssl_certificate /etc/ssl/certs/console.gbesar.com/key.crt;
+  ssl_certificate_key /etc/ssl/certs/console.gbesar.com/priv.key;
+
+  location / {  
+  proxy_pass https://192.168.2.50:6080;  
+  proxy_request_buffering off;  
+  proxy_http_version 1.1;  
+  proxy_set_header Upgrade $http_upgrade;  
+  proxy_set_header Connection "upgrade";  
+  proxy_set_header Host $host;  
+  proxy_set_header Origin http://$host;  
+  proxy_set_header X-Real-IP $remote_addr;  
+  proxy_set_header X-Forwarded-Host $host;  
+  proxy_set_header X-Forwarded-Server $host;  
+  proxy_set_header X-Forwarded-Proto $scheme;  
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
+  }  
+}
 ```
diff --git a/README.md b/README.md
@@ -78,6 +78,12 @@ Access on https://stack.bignetlab.com
 ## Nginx Conf for Horizon TLS behing Nginx Proxy
 - For example horizon is on VIP with IP `192.168.2.50`
 - You can forward to https://localhost
+- Make sure you have comment on `/etc/kolla/horizon/local_settings`:
+  - `#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` 
+  - `#CSRF_COOKIE_SECURE = True`
+  - `#SESSION_COOKIE_SECURE = True` 
+  - `#OPENSTACK_SSL_CACERT = '/etc/kolla/certificates/ca/root.crt'`
+- Make sure you have uncomment on `OPENSTACK_SSL_NO_VERIFY = True`
 - Make sure you have generate your crt Horizon on `/etc/kolla/horizon/`
 
 ```

diff --git a/README.md b/README.md
@@ -73,4 +73,37 @@ service apache2 restart
 ```
 
 ## Access
-Access on https://stack.bignetlab.com
+Access on https://stack.bignetlab.com
+
+## Nginx Conf for Horizon TLS behing Nginx Proxy
+- For example horizon is on VIP with IP `192.168.2.50`
+- You can forward to https://localhost
+- Make sure you have generate your crt Horizon on `/etc/kolla/horizon/`
+
+```
+nano /etc/nginx/sites-enabled/default
+```
+```
+server {
+    listen 80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2; 
+
+    ssl_certificate /etc/ssl/certs/ssl/horizon-cert.pem;
+    ssl_certificate_key /etc/ssl/certs/ssl/horizon-key.pem;
+
+location / {
+    proxy_pass https://192.168.2.50;
+    proxy_request_buffering  off;  
+    proxy_http_version       1.1;  
+    proxy_set_header         Upgrade            $http_upgrade;  
+    proxy_set_header         Connection         "upgrade";  
+    proxy_set_header         Host               $host;  
+    proxy_set_header         X-Real-IP          $remote_addr;  
+    proxy_set_header         X-Forwarded-Host   $host;  
+    proxy_set_header         X-Forwarded-Server $host;  
+    proxy_set_header         X-Forwarded-Proto  $scheme;  
+    proxy_set_header         X-Forwarded-For    $proxy_add_x_forwarded_for;  
+    }
+}
+```
diff --git a/README.md b/README.md
@@ -67,4 +67,10 @@ nano /etc/apache2/sites-enabled/horizon.conf
 </VirtualHost>
 
 WSGISocketPrefix /var/run/apache2
-```
+```
+```
+service apache2 restart
+```
+
+## Access
+Access on https://stack.bignetlab.com
diff --git a/README.md b/README.md
@@ -0,0 +1,70 @@
+# Make Horizon Dashboard over TLS
+
+## Configuration
+- Generate Certificate with OpenSSL
+```
+apt install -y apache2
+apt install -y openssl
+
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout horizon.key -out horizon.crt
+mv horizon.crt /etc/ssl/certs/
+mv horizon.key /etc/ssl/certs/
+```
+
+- Just edit horizon.conf
+  - Assume `stack.bignetlab.com` are Endpoint for Openstack Cluster Node.
+```
+nano /etc/apache2/sites-enabled/horizon.conf
+```
+```
+<VirtualHost *:443>
+  Redirect "/" "https://stack.bignetlab.com/"
+</VirtualHost>
+
+<VirtualHost *:443>
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/certs/horizon.crt
+    SSLCertificateKeyFile /etc/ssl/private/horizon.key
+
+    WSGIScriptAlias /dashboard /opt/stack/horizon/openstack_dashboard/wsgi.py
+    WSGIDaemonProcess horizon user=stack group=stack processes=3 threads=10 home=/opt/stack/horizon display-name=%{GROUP}
+    WSGIApplicationGroup %{GLOBAL}
+
+    SetEnv APACHE_RUN_USER stack
+    SetEnv APACHE_RUN_GROUP stack
+    WSGIProcessGroup horizon
+
+    DocumentRoot /opt/stack/horizon/.blackhole/
+    Alias /dashboard/media /opt/stack/horizon/openstack_dashboard/static
+    Alias /dashboard/static /opt/stack/horizon/static
+
+    RedirectMatch "^/$" "/dashboard/"
+
+    <Directory />
+        Options FollowSymLinks
+        AllowOverride None
+    </Directory>
+
+    <Directory /opt/stack/horizon/>
+        Options Indexes FollowSymLinks MultiViews
+        AllowOverride None
+        # Apache 2.4 uses mod_authz_host for access control now (instead of
+        #  "Allow")
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+    </Directory>
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+    ErrorLog /var/log/apache2/horizon_error.log
+    LogLevel warn
+    CustomLog /var/log/apache2/horizon_access.log combined
+</VirtualHost>
+
+WSGISocketPrefix /var/run/apache2
+```
No results found