diff --git a/etc/barbican/barbican-api-paste.ini b/etc/barbican/barbican-api-paste.ini
index 63d595a80..915b017d8 100644
--- a/etc/barbican/barbican-api-paste.ini
+++ b/etc/barbican/barbican-api-paste.ini
@@ -5,24 +5,24 @@ use = egg:Paste#urlmap
 # Use this pipeline for Barbican API - versions no authentication
 [pipeline:barbican_version]
-pipeline = cors versionapp
+pipeline = cors http_proxy_to_wsgi versionapp
 # Use this pipeline for Barbican API - DEFAULT no authentication
 [pipeline:barbican_api]
-pipeline = cors unauthenticated-context apiapp
+pipeline = cors http_proxy_to_wsgi unauthenticated-context apiapp
 #Use this pipeline to activate a repoze.profile middleware and HTTP port,
 # to provide profiling information for the REST API processing.
 [pipeline:barbican-profile]
-pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+pipeline = cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
-pipeline = cors authtoken context apiapp
+pipeline = cors http_proxy_to_wsgi authtoken context apiapp
 #Use this pipeline for keystone auth with audit feature
 [pipeline:barbican-api-keystone-audit]
-pipeline = authtoken context audit apiapp
+pipeline = http_proxy_to_wsgi authtoken context audit apiapp
 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
@@ -58,3 +58,6 @@ unwind = false
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = barbican
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
diff --git a/etc/barbican/barbican.conf b/etc/barbican/barbican.conf
index 94cc50b76..48f1b05b2 100644
--- a/etc/barbican/barbican.conf
+++ b/etc/barbican/barbican.conf
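Review bot: The new `[filter:http_proxy_to_wsgi]` section in the last hunk of barbican-api-paste.ini has no comment saying that the filter stays inert until `enable_proxy_headers_parsing` is set in the `[oslo_middleware]` group of barbican.conf, so an operator reading only the paste file cannot tell why the URL refs do not change. The first hunk also places the filter in the unauthenticated pipelines (`barbican_version`, `barbican_api`) and ahead of `authtoken` in the keystone ones, so once parsing is enabled the forwarding headers of any caller that can reach the API directly feed into the generated refs. That is only safe when the fronting proxy overwrites those headers and the API port is not reachable around it. I would add above the section `# No-op unless [oslo_middleware] enable_proxy_headers_parsing = true; enable only behind a proxy that overwrites X-Forwarded-* / Forwarded headers.`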
@@ -396,3 +396,14 @@ subca_cert_key_directory=/etc/barbican/snakeoil-cas
 # Indicate which header field names may be used during the actual
 # request. (list value)
 #allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+
+
+[oslo_middleware]
+
+#
+# From oslo.middleware.http_proxy_to_wsgi
+#
+
+# Wether the application is behind a proxy or not. This determines if
+# the middleware should parse the headers or not. (boolean value)
+#enable_proxy_headers_parsing = false
diff --git a/releasenotes/notes/http_proxy_to_wsgi-middleware-98dc4fe03eb362d3.yaml b/releasenotes/notes/http_proxy_to_wsgi-middleware-98dc4fe03eb362d3.yaml
new file mode 100644
index 000000000..f48acd943
--- /dev/null
+++ b/releasenotes/notes/http_proxy_to_wsgi-middleware-98dc4fe03eb362d3.yaml
@@ -0,0 +1,12 @@
+---
+prelude: >
+ This release adds http_proxy_to_wsgi middleware to the pipeline.
+features:
+ - The 'http_proxy_to_wsgi' middleware can be used to help barbican
+ respond with the correct URL refs when it's put behind a TLS
+ proxy (such as HAProxy). This middleware is disabled by default,
+ but can be enabled via a configuration option in the oslo_middleware
+ group.
+upgrade:
+ - The barbican-api-paste.ini configuration file for the paste pipeline
+ was updated to add the http_proxy_to_wsgi middleware.