Use http_proxy_to_wsgi middleware

This sets up the HTTPProxyToWSGI middleware in front of Barbican.
The purpose of this middleware is to set up the request URL
correctly in case there is a proxy (for instance, a loadbalancer
such as HAProxy) in front of Barbican.

The HTTPProxyToWSGI is off by default and needs to be enabled
via a configuration value.

Change-Id: Iad0151ca41684fa2d8eb60c343028e13c3719e66
Closes-bug: #1590608
Jeremy Liu 2016-10-16 10:43:30 +08:00
parent df0cb76466
commit c7e824e0e7
3 changed files with 31 additions and 5 deletions
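
The effect the commit message describes, shown on a self-referencing URL. This is an added example, not code from the commit or from oslo.middleware: `ProxyHeaders`, `ref_app` and `secret_ref` are hypothetical, simplified stand-ins, the addresses are constructed, and the choice of X-Forwarded-Proto and X-Forwarded-Host as the parsed headers is an assumption the diff does not show.

```python
# Added illustration: a simplified stand-in, not oslo.middleware's code.
from wsgiref.util import request_uri, setup_testing_defaults


class ProxyHeaders:
    """Hypothetical filter: take scheme and host from X-Forwarded-* headers."""

    def __init__(self, app, enable_proxy_headers_parsing=False):
        self.app = app
        self.enabled = enable_proxy_headers_parsing

    def __call__(self, environ, start_response):
        # When enabled, the values are used as received, so the proxy in
        # front must overwrite these headers on every request.
        if self.enabled:
            proto = environ.get("HTTP_X_FORWARDED_PROTO")
            host = environ.get("HTTP_X_FORWARDED_HOST")
            if proto:
                environ["wsgi.url_scheme"] = proto
            if host:
                environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


def ref_app(environ, start_response):
    """Stand-in API app: answers with a URL that points back at itself."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [request_uri(environ, include_query=False).encode()]


def secret_ref(enabled, forwarded):
    """Send one constructed request through the filter; return the URL."""
    environ = {"HTTP_HOST": "10.0.0.5:9311", "SCRIPT_NAME": "",
               "PATH_INFO": "/v1/secrets/abc"}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    environ.update(forwarded)
    app = ProxyHeaders(ref_app, enable_proxy_headers_parsing=enabled)
    return b"".join(app(environ, lambda status, headers: None)).decode()


# Constructed headers, as a TLS-terminating proxy would add them.
PROXY = {"HTTP_X_FORWARDED_PROTO": "https",
         "HTTP_X_FORWARDED_HOST": "barbican.example.com"}

if __name__ == "__main__":
    print(secret_ref(False, PROXY))  # ref built from the backend address
    print(secret_ref(True, PROXY))   # ref built from the public address
```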

@ -5,24 +5,24 @@ use = egg:Paste#urlmap
# Use this pipeline for Barbican API - versions no authentication
[pipeline:barbican_version]
pipeline = cors versionapp
pipeline = cors http_proxy_to_wsgi versionapp
# Use this pipeline for Barbican API - DEFAULT no authentication
[pipeline:barbican_api]
pipeline = cors unauthenticated-context apiapp
pipeline = cors http_proxy_to_wsgi unauthenticated-context apiapp
#Use this pipeline to activate a repoze.profile middleware and HTTP port,
# to provide profiling information for the REST API processing.
[pipeline:barbican-profile]
pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
pipeline = cors http_proxy_to_wsgi unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
#Use this pipeline for keystone auth
[pipeline:barbican-api-keystone]
pipeline = cors authtoken context apiapp
pipeline = cors http_proxy_to_wsgi authtoken context apiapp
#Use this pipeline for keystone auth with audit feature
[pipeline:barbican-api-keystone-audit]
pipeline = authtoken context audit apiapp
pipeline = http_proxy_to_wsgi authtoken context audit apiapp
[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app
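Review bot: In the [pipeline:barbican-api-keystone-audit] line the new filter comes first with no cors filter ahead of it, while the other four pipelines all read "cors http_proxy_to_wsgi ...". If leaving cors out of the audit pipeline is deliberate, a comment above that pipeline saying so would help; otherwise this is a good moment to make the five pipelines consistent. In both keystone pipelines http_proxy_to_wsgi also sits ahead of authtoken, so it acts on requests before they are authenticated, which is worth a one-line comment for operators who turn header parsing on.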
@ -58,3 +58,6 @@ unwind = false
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = barbican
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
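Review bot: The new [filter:http_proxy_to_wsgi] section has no "oslo_config_project = barbican" line, unlike [filter:cors] directly above it. Please confirm that the filter still reads enable_proxy_headers_parsing from barbican.conf without it, and add the line if it does not. A short comment above the section, like the ones the pipelines carry, would also tell operators what the filter is for.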

@ -396,3 +396,14 @@ subca_cert_key_directory=/etc/barbican/snakeoil-cas
# Indicate which header field names may be used during the actual
# request. (list value)
#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
[oslo_middleware]
#
# From oslo.middleware.http_proxy_to_wsgi
#
# Wether the application is behind a proxy or not. This determines if
# the middleware should parse the headers or not. (boolean value)
#enable_proxy_headers_parsing = false
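Review bot: The help text for enable_proxy_headers_parsing does not say when the option is safe to turn on. Because enabling it makes the middleware act on request headers, the sample should state that it is meant for deployments where Barbican is reachable only through a proxy that sets those headers itself. "Wether" should read "Whether"; if this text is generated from oslo.middleware, the fix belongs there.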

@ -0,0 +1,12 @@
---
prelude: >
This release adds http_proxy_to_wsgi middleware to the pipeline.
features:
- The 'http_proxy_to_wsgi' middleware can be used to help barbican
respond with the correct URL refs when it's put behind a TLS
proxy (such as HAProxy). This middleware is disabled by default,
but can be enabled via a configuration option in the oslo_middleware
group.
upgrade:
- The barbican-api-paste.ini configuration file for the paste pipeline
was updated to add the http_proxy_to_wsgi middleware.
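Review bot: The features entry refers to "a configuration option in the oslo_middleware group" without naming it; spell out enable_proxy_headers_parsing so operators can find it. The upgrade entry should also say what action is needed: deployments that carry their own copy of barbican-api-paste.ini have to add the filter section and the pipeline entries themselves.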