πŸ” How to Secure OpenStack Horizon Dashboard with SSL/TLS

Openstack Ankit Sharma November 30, 2025 2 mins read

Protect your OpenStack Horizon dashboard with HTTPS using Apache SSL configuration and Let’s Encrypt certificates to ensure encrypted, secure access for administrators and cloud users.

Back to Blog Posts

1. Why SSL/TLS Matters

The Horizon dashboard provides administrative access to your OpenStack cloud—meaning any unencrypted traffic could expose:

  • User credentials

  • Keystone tokens

  • Sensitive API calls

  • Configuration data

Using SSL/TLS ensures:

  • πŸ”’ Encrypted communication

  • πŸ›‘οΈ Mitigation against MITM attacks

  • βœ”οΈ Compliance with security standards (SOC2, ISO, CIS Benchmarks)

HTTPS is mandatory for any production OpenStack deployment.

2. Prerequisites

Before proceeding, ensure you have:

  • βœ”οΈ A working OpenStack deployment with Horizon

  • βœ”οΈ Apache web server (default for Horizon)

  • βœ”οΈ A domain name pointing to the Horizon server

  • βœ”οΈ Root or sudo access

  • βœ”οΈ (Optional) Public IP for Let’s Encrypt

3. Option A: Secure With Let’s Encrypt (Recommended)

This is ideal for public-facing or internet-accessible dashboards.

Step-by-Step

 
# Step 1: Install Certbot & Apache plugin sudo apt update && sudo apt install certbot python3-certbot-apache -y # Step 2: Request and install an SSL certificate sudo certbot --apache -d dashboard.rshnetwork.com # Step 3: Enable auto-renewal sudo systemctl enable certbot.timer

What this does:

  • Automatically configures Apache HTTPS

  • Sets up 90-day certificates (auto-renewed)

  • Redirects all HTTP → HTTPS

4. Option B: Manual SSL/TLS Configuration (Self-Signed)

Use this for offline, internal, or air-gapped environments.

Step-by-Step

βœ”οΈ Step 1: Generate a self-signed certificate

 
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /etc/ssl/private/horizon.key \ -out /etc/ssl/certs/horizon.crt

βœ”οΈ Step 2: Update the Horizon Apache configuration

 
sudo nano /etc/apache2/sites-available/horizon.conf

Add the HTTPS VirtualHost:

 
<VirtualHost *:443> SSLEngine on SSLCertificateFile /etc/ssl/certs/horizon.crt SSLCertificateKeyFile /etc/ssl/private/horizon.key # Horizon WSGI settings WSGIDaemonProcess horizon user=horizon group=horizon processes=3 threads=10 WSGIProcessGroup horizon WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi.py <Directory /usr/share/openstack-dashboard/openstack_dashboard> Require all granted </Directory> </VirtualHost>

βœ”οΈ Step 3: Enable SSL and restart Apache

 
sudo a2enmod ssl sudo a2ensite horizon.conf sudo systemctl restart apache2

5. Verification & Hardening

βœ”οΈ Verify access

Open:
https://dashboard.rshnetwork.com

You should see a secure lock icon.

βœ”οΈ Test SSL strength

Use SSL Labs or Nessus/SIEM security plugins.

βœ”οΈ Recommended hardening (Apache SSL)

Disable weak protocols like TLS 1.0/1.1:

 
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite HIGH:!aNULL:!MD5 SSLHonorCipherOrder on

Reload Apache:

 
sudo systemctl reload apache2 

Advertisement

A
Ankit Sharma

9 posts published

Sign in to subscribe to blog updates