Dashboard

Securing the OpenStack Dashboard (Horizon) service covers the following layers:

  • Linux node security
  • Django security
  • Application security (Horizon)
  • Apache httpd web application container and its AppArmor/SELinux profiles
  • Apache httpd and mod_wsgi configuration
  • Apache TLS and cipher suite configuration

To secure the OpenStack Dashboard service:

  • Do not deploy the OpenStack Dashboard on a subdomain shared with sites that serve user-generated content. Cookies and the same-origin policy are scoped by host, so a sibling site on the same parent domain can set cookies that the browser sends to the dashboard (EoP).

  • Disable local image uploads through Horizon by setting HORIZON_IMAGES_ALLOW_UPLOAD to False in your local_settings.py file. Uploaded images are staged on the dashboard host before they reach Glance, so an attacker can exhaust its disk or memory with large uploads (DoS). Newer Horizon releases replace this setting with HORIZON_IMAGES_UPLOAD_MODE, where 'off' disables uploads and 'direct' sends the image from the browser to Glance without passing through the dashboard host.

  • Configure the ALLOWED_HOSTS setting with the fully qualified host name(s) served by the OpenStack Dashboard. Django rejects requests whose Host header does not match an entry, which blocks host-header poisoning of links the application generates (EoP). Never use the wildcard '*'.

  • Deploy the OpenStack Dashboard service behind an HTTPS web server that accepts only TLS 1.2 or later, with older protocol versions and weak cipher suites disabled.

    Note

    Use a local, trusted DNS resolver so that the hostnames (FQDNs) of TLS-wrapped endpoints resolve to the intended IP addresses of those endpoints. Certificate validation will reject an impostor presenting the wrong certificate, but a trusted resolver keeps the traffic from being redirected to an attacker in the first place (spoofing).

  • Set the session cookie HttpOnly so that JavaScript cannot read it (this limits what an XSS bug can steal), and mark both the session and the CSRF cookie Secure so the browser only sends them over HTTPS. Update the following options in the /etc/openstack-dashboard/local_settings.py file:

    SESSION_COOKIE_HTTPONLY = True
    CSRF_COOKIE_SECURE = True
    SESSION_COOKIE_SECURE = True
    
  • If cross-origin access to the dashboard is required at all, configure your web server to send a restrictive Cross Origin Resource Sharing (CORS) header with each response that names only the dashboard's own origin (scheme and host, without a path):

    Access-Control-Allow-Origin: https://example.com
    

    Note

    Do not use the wildcard origin *: it lets scripts on any site read responses from the dashboard. Horizon itself does not need CORS, so if nothing else calls it from another origin, omit the header entirely.

  • Deploy the OpenStack Dashboard service to a dedicated virtual machine or container, in a demilitarized zone (DMZ) separated from other services.

  • Harden the Linux host and the Apache web server by following security best practices.

  • For session storage, use dedicated Memcached servers that are not shared with other OpenStack services (EoP). Memcached has no authentication by default, so anything that can reach it can read or overwrite sessions; bind it to a private interface reachable only from the dashboard hosts.

  • Disable HTTP methods you do not need, for example TRACE (TraceEnable off in Apache). Before restricting methods with LimitExcept, confirm that the dashboard's own panels still work, since some of them use methods beyond GET and POST.

  • Use two-factor authentication (2FA) for web access to mitigate EoP.

  • Follow OWASP security guidelines for web application security.

  • To mitigate EoP and DoS threats, place the OpenStack Dashboard service behind a Web Application Firewall (WAF).

  • To mitigate EoP, use an intrusion detection and prevention system (IDPS) together with real-time threat monitoring software.

  • Before deploying the OpenStack Dashboard service into production, perform a security assessment:

    1. Scan all publicly exposed IPs with a vulnerability assessment tool.
    2. Run a penetration test according to the OWASP Top Ten guideline.
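The settings and web-server items in the checklist above can be audited before a deployment goes live. The script below is an added example written for this page; it is not part of the OpenStack documentation or of Horizon. It reads a local_settings.py without executing it (so it is safe to run against a file from another host), evaluates the Apache SSLProtocol, Access-Control-Allow-Origin and TraceEnable directives, and reports every deviation from the checklist. The two sample configurations embedded in it are constructed for illustration, and dashboard.example.com is a placeholder hostname. The DEFAULTS table holds the Django and Horizon defaults that apply when a key is left out of local_settings.py.

```python
"""Audit a Horizon local_settings.py and the Apache vhost in front of it.

Added example for the Dashboard hardening checklist; not OpenStack or
Horizon code.  The sample configurations below are constructed.
"""
import ast
import re

# Django / Horizon defaults that apply when a key is absent from local_settings.py
DEFAULTS = {
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "HORIZON_IMAGES_ALLOW_UPLOAD": True,
}

# Constructed sample: a local_settings.py left close to the defaults.
WEAK_SETTINGS = """
ALLOWED_HOSTS = ['*']
SESSION_COOKIE_HTTPONLY = False
"""

# Constructed sample: the same file with the checklist items applied.
HARDENED_SETTINGS = """
ALLOWED_HOSTS = ['dashboard.example.com']
HORIZON_IMAGES_ALLOW_UPLOAD = False
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
"""

# Constructed Apache vhost fragments (hostname is a placeholder).
WEAK_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    Header set Access-Control-Allow-Origin "*"
</VirtualHost>
"""

HARDENED_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    Header set Access-Control-Allow-Origin "https://dashboard.example.com"
    TraceEnable off
</VirtualHost>
"""


def load_settings(source):
    """Collect module-level literal assignments without executing the file."""
    values = dict(DEFAULTS)
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue  # imports, function defs, etc. are irrelevant here
        for target in node.targets:
            if isinstance(target, ast.Name):
                try:
                    values[target.id] = ast.literal_eval(node.value)
                except ValueError:
                    pass  # non-literal value (e.g. a call): keep the default
    return values


def audit_settings(source):
    """Return the checklist findings for a local_settings.py source text."""
    s = load_settings(source)
    findings = []
    hosts = s.get("ALLOWED_HOSTS") or []
    if not hosts:
        findings.append("ALLOWED_HOSTS is empty")
    elif any(h == "*" or h.startswith(".") for h in hosts):
        findings.append("ALLOWED_HOSTS contains a wildcard; list FQDNs only")
    for flag in ("SESSION_COOKIE_HTTPONLY", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if s.get(flag) is not True:
            findings.append(f"{flag} is not True")
    if s.get("HORIZON_IMAGES_ALLOW_UPLOAD"):
        findings.append("HORIZON_IMAGES_ALLOW_UPLOAD is enabled (image upload DoS)")
    return findings


def enabled_protocols(directive):
    """Evaluate an SSLProtocol argument list ('all -SSLv3', '-all +TLSv1.2'...)."""
    names = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
    enabled = set()
    for tok in directive.split():
        op, name = (tok[0], tok[1:].lower()) if tok[0] in "+-" else ("+", tok.lower())
        targets = set(names) if name == "all" else {name}
        enabled = enabled | targets if op == "+" else enabled - targets
    return enabled


def audit_apache(vhost):
    """Check the TLS version, CORS origin and TRACE items against a vhost text."""
    findings = []
    m = re.search(r"^\s*SSLProtocol\s+(.+)$", vhost, re.M)
    if not m:
        findings.append("SSLProtocol not set; the default still allows TLS 1.0/1.1")
    else:
        old = enabled_protocols(m.group(1)) & {"sslv3", "tlsv1", "tlsv1.1"}
        if old:
            findings.append("SSLProtocol enables " + ", ".join(sorted(old)))
    m = re.search(r'Access-Control-Allow-Origin\s+"?([^"\s]+)"?', vhost)
    if m and m.group(1) == "*":
        findings.append("CORS wildcard origin; name the dashboard origin or drop the header")
    elif m and not re.fullmatch(r"https://[^/]+", m.group(1)):
        findings.append("CORS origin must be https://host with no path")
    if not re.search(r"^\s*TraceEnable\s+off", vhost, re.M | re.I):
        findings.append("TraceEnable off is missing (TRACE is enabled by default)")
    return findings


if __name__ == "__main__":
    for label, src in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, "settings:", audit_settings(src) or "OK")
    for label, src in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, "vhost:", audit_apache(src) or "OK")
```

Run it against the real files (for example `audit_settings(open("/etc/openstack-dashboard/local_settings.py").read())`) as a gate in the pre-production assessment; an empty list from both functions means the listed settings match the checklist, although it says nothing about the items that cannot be read from configuration, such as whether the Memcached servers are actually dedicated.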