Rely on HTTP_HOST sent by clients for redirection
The dashboard may have multiple networks and IP addresses. We never be able to determine where to redirect reliably. Also, redirecting an access from internal network to a public IP address may not be what users want. Instead, use HTTP_HOST sent by the client and let the client's browser reveal SSL related errors if any. Change-Id: I9f4c734a61d3ab07f3f7c9a1a073eede73ae4651 Closes-Bug: #1710930 Closes-Bug: #1713198
This commit is contained in:
parent
d4c0d5f91f
commit
289d5bb66b
@ -31,9 +31,6 @@ from charmhelpers.contrib.openstack.context import (
|
||||
HAProxyContext,
|
||||
context_complete
|
||||
)
|
||||
from charmhelpers.contrib.openstack.ip import (
|
||||
resolve_address,
|
||||
)
|
||||
from charmhelpers.contrib.openstack.utils import (
|
||||
git_default_repos,
|
||||
git_pip_venv_dir,
|
||||
@ -211,13 +208,14 @@ class ApacheContext(OSContextGenerator):
|
||||
''' Grab cert and key from configuraton for SSL config '''
|
||||
ctxt = {
|
||||
'http_port': 70,
|
||||
'https_port': 433
|
||||
'https_port': 433,
|
||||
'enforce_ssl': False
|
||||
}
|
||||
|
||||
if config('enforce-ssl'):
|
||||
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
|
||||
if all(get_cert()):
|
||||
ctxt['ssl_addr'] = resolve_address()
|
||||
ctxt['enforce_ssl'] = True
|
||||
else:
|
||||
log("Enforce ssl redirect requested but ssl not configured - "
|
||||
"skipping redirect", level=WARNING)
|
||||
|
@ -263,6 +263,7 @@ def enable_ssl():
|
||||
''' Enable SSL support in local apache2 instance '''
|
||||
subprocess.call(['a2ensite', 'default-ssl'])
|
||||
subprocess.call(['a2enmod', 'ssl'])
|
||||
subprocess.call(['a2enmod', 'rewrite'])
|
||||
|
||||
|
||||
def determine_packages():
|
||||
|
@ -1,8 +1,9 @@
|
||||
<VirtualHost *:{{ http_port }}>
|
||||
|
||||
{% if ssl_addr -%}
|
||||
RedirectPermanent / https://{{ ssl_addr }}:443/
|
||||
{%- endif %}
|
||||
{% if enforce_ssl %}
|
||||
RewriteEngine On
|
||||
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
|
||||
{% endif %}
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
DocumentRoot /var/www
|
||||
|
@ -32,7 +32,6 @@ TO_PATCH = [
|
||||
'local_unit',
|
||||
'unit_get',
|
||||
'pwgen',
|
||||
'resolve_address',
|
||||
]
|
||||
|
||||
|
||||
@ -63,14 +62,22 @@ class TestHorizonContexts(CharmTestCase):
|
||||
|
||||
def test_Apachecontext(self):
|
||||
self.assertEqual(horizon_contexts.ApacheContext()(),
|
||||
{'http_port': 70, 'https_port': 433})
|
||||
{'http_port': 70, 'https_port': 433,
|
||||
'enforce_ssl': False})
|
||||
|
||||
def test_Apachecontext_enforce_ssl(self):
|
||||
self.test_config.set('enforce-ssl', True)
|
||||
self.resolve_address.return_value = 'horizon.example.stack'
|
||||
self.assertEqual(horizon_contexts.ApacheContext()(),
|
||||
self.get_cert.return_value = ('cert', 'key')
|
||||
self.assertEquals(horizon_contexts.ApacheContext()(),
|
||||
{'http_port': 70, 'https_port': 433,
|
||||
'ssl_addr': 'horizon.example.stack'})
|
||||
'enforce_ssl': True})
|
||||
|
||||
def test_Apachecontext_enforce_ssl_no_cert(self):
|
||||
self.test_config.set('enforce-ssl', True)
|
||||
self.get_cert.return_value = (None, 'key')
|
||||
self.assertEquals(horizon_contexts.ApacheContext()(),
|
||||
{'http_port': 70, 'https_port': 433,
|
||||
'enforce_ssl': False})
|
||||
|
||||
@patch.object(horizon_contexts, 'get_ca_cert', lambda: None)
|
||||
@patch('os.chmod')
|
||||
|
@ -80,7 +80,8 @@ class TestHorizohorizon_utils(CharmTestCase):
|
||||
horizon_utils.enable_ssl()
|
||||
_call.assert_has_calls([
|
||||
call(['a2ensite', 'default-ssl']),
|
||||
call(['a2enmod', 'ssl'])
|
||||
call(['a2enmod', 'ssl']),
|
||||
call(['a2enmod', 'rewrite'])
|
||||
])
|
||||
|
||||
def test_restart_map(self):
|
||||
|
Loading…
Reference in New Issue
Block a user