Use http_proxy_to_wsgi middleware

This sets up the HTTPProxyToWSGI middleware in front of Barbican. The purpose of thise middleware is to set up the request URL correctly in case there is a proxy (For instance, a loadbalancer such as HAProxy) in front of Barbican. The HTTPProxyToWSGI is off by default and needs to be enabled via a configuration value. Change-Id: Iad0151ca41684fa2d8eb60c343028e13c3719e66 Closes-bug: #1590608
2016-10-16 10:43:30 +08:00 · 2016-10-16 10:43:30 +08:00 · c7e824e0e7
commit c7e824e0e7
parent df0cb76466
3 changed files with 31 additions and 5 deletions
--- a/etc/barbican/barbican-api-paste.ini
+++ b/etc/barbican/barbican-api-paste.ini
@ -5,24 +5,24 @@ use = egg:Paste#urlmap

 # Use this pipeline for Barbican API - versions no authentication
 [pipeline:barbican_version]
-pipeline = cors versionapp
+pipeline = cors http_proxy_to_wsgi versionapp

 # Use this pipeline for Barbican API - DEFAULT no authentication
 [pipeline:barbican_api]
-pipeline = cors unauthenticated-context apiapp
+pipeline = cors http_proxy_to_wsgi unauthenticated-context apiapp

 #Use this pipeline to activate a repoze.profile middleware and HTTP port,
 #  to provide profiling information for the REST API processing.
 [pipeline:barbican-profile]
-pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+pipeline = cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp

 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
-pipeline = cors authtoken context apiapp
+pipeline = cors http_proxy_to_wsgi authtoken context apiapp

 #Use this pipeline for keystone auth with audit feature
 [pipeline:barbican-api-keystone-audit]
-pipeline = authtoken context audit apiapp
+pipeline = http_proxy_to_wsgi authtoken context audit apiapp

 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
@ -58,3 +58,6 @@ unwind = false
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = barbican
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
--- a/etc/barbican/barbican.conf
+++ b/etc/barbican/barbican.conf
@ -396,3 +396,14 @@ subca_cert_key_directory=/etc/barbican/snakeoil-cas
 # Indicate which header field names may be used during the actual
 # request. (list value)
 #allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+
+
+[oslo_middleware]
+
+#
+# From oslo.middleware.http_proxy_to_wsgi
+#
+
+# Wether the application is behind a proxy or not. This determines if
+# the middleware should parse the headers or not. (boolean value)
+#enable_proxy_headers_parsing = false
--- a/releasenotes/notes/http_proxy_to_wsgi-middleware-98dc4fe03eb362d3.yaml
+++ b/releasenotes/notes/http_proxy_to_wsgi-middleware-98dc4fe03eb362d3.yaml
@ -0,0 +1,12 @@
+---
+prelude: >
+    This release adds http_proxy_to_wsgi middleware to the pipeline.
+features:
+  - The 'http_proxy_to_wsgi' middleware can be used to help barbican
+    respond with the correct URL refs when it's put behind a TLS
+    proxy (such as HAProxy). This middleware is disabled by default,
+    but can be enabled via a configuration option in the oslo_middleware
+    group.
+upgrade:
+  - The barbican-api-paste.ini configuration file for the paste pipeline
+    was updated to add the http_proxy_to_wsgi middleware.