Use http-proxy-to-wsgi middleware from oslo.middleware
The HTTP_X_FORWARDED_PROTO handling fails to handle the case of redirecting the /v1 request to /v1/ because it is handled purely by routes and does not enter the glance wsgi code. This means an https request is redirected to http and fails. oslo.middleware has middleware for handling the X-Forwarded-Proto header in a standard way so that services don't have to and so we should use that instead of our own mechanism. Leaving the existing header handling around until removal should not be a problem as the worst that will happen is it overwrites an existing 'https' header value set by the middleware. Closes-Bug: #1558683 Closes-Bug: #1590608 Change-Id: I481d88020b6e8420ce4b9072dd30ec82fe3fb4f7
parent
8932a71651
commit
b0d0b1d0ba
@ -1,38 +1,38 @@
|
|||||||
# Use this pipeline for no auth or image caching - DEFAULT
|
# Use this pipeline for no auth or image caching - DEFAULT
|
||||||
[pipeline:glance-api]
|
[pipeline:glance-api]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
|
||||||
|
|
||||||
# Use this pipeline for image caching and no auth
|
# Use this pipeline for image caching and no auth
|
||||||
[pipeline:glance-api-caching]
|
[pipeline:glance-api-caching]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
|
||||||
|
|
||||||
# Use this pipeline for caching w/ management interface but no auth
|
# Use this pipeline for caching w/ management interface but no auth
|
||||||
[pipeline:glance-api-cachemanagement]
|
[pipeline:glance-api-cachemanagement]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
|
||||||
|
|
||||||
# Use this pipeline for keystone auth
|
# Use this pipeline for keystone auth
|
||||||
[pipeline:glance-api-keystone]
|
[pipeline:glance-api-keystone]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler authtoken context rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
|
||||||
|
|
||||||
# Use this pipeline for keystone auth with image caching
|
# Use this pipeline for keystone auth with image caching
|
||||||
[pipeline:glance-api-keystone+caching]
|
[pipeline:glance-api-keystone+caching]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
|
||||||
|
|
||||||
# Use this pipeline for keystone auth with caching and cache management
|
# Use this pipeline for keystone auth with caching and cache management
|
||||||
[pipeline:glance-api-keystone+cachemanagement]
|
[pipeline:glance-api-keystone+cachemanagement]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
|
||||||
|
|
||||||
# Use this pipeline for authZ only. This means that the registry will treat a
|
# Use this pipeline for authZ only. This means that the registry will treat a
|
||||||
# user as authenticated without making requests to keystone to reauthenticate
|
# user as authenticated without making requests to keystone to reauthenticate
|
||||||
# the user.
|
# the user.
|
||||||
[pipeline:glance-api-trusted-auth]
|
[pipeline:glance-api-trusted-auth]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler context rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
|
||||||
|
|
||||||
# Use this pipeline for authZ only. This means that the registry will treat a
|
# Use this pipeline for authZ only. This means that the registry will treat a
|
||||||
# user as authenticated without making requests to keystone to reauthenticate
|
# user as authenticated without making requests to keystone to reauthenticate
|
||||||
# the user and uses cache management
|
# the user and uses cache management
|
||||||
[pipeline:glance-api-trusted-auth+cachemanagement]
|
[pipeline:glance-api-trusted-auth+cachemanagement]
|
||||||
pipeline = cors healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
|
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
|
||||||
|
|
||||||
[composite:rootapp]
|
[composite:rootapp]
|
||||||
paste.composite_factory = glance.api:root_app_factory
|
paste.composite_factory = glance.api:root_app_factory
|
||||||
@ -85,3 +85,6 @@ enabled = yes #DEPRECATED
|
|||||||
paste.filter_factory = oslo_middleware.cors:filter_factory
|
paste.filter_factory = oslo_middleware.cors:filter_factory
|
||||||
oslo_config_project = glance
|
oslo_config_project = glance
|
||||||
oslo_config_program = glance-api
|
oslo_config_program = glance-api
|
||||||
|
|
||||||
|
[filter:http_proxy_to_wsgi]
|
||||||
|
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
|
||||||
|
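Review bot: The new `[filter:http_proxy_to_wsgi]` section carries no comment saying that the filter does nothing until `enable_proxy_headers_parsing` is turned on, and the sample configuration in this same commit shows that option defaulting to `false`. As committed, all eight pipelines gain the filter, but the https-to-http redirect described in the commit message would presumably persist on a default install. Once the option is enabled, the forwarded headers are read from the incoming request, so the deployment has to make sure the proxy overwrites or strips any client-supplied copies before they reach glance-api. I would add above the section: `# No effect unless [oslo_middleware]/enable_proxy_headers_parsing = true. Enable only behind a proxy that sets or strips the X-Forwarded-* headers itself.`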
@ -1649,6 +1649,17 @@
|
|||||||
#rpc_retry_delay = 0.25
|
#rpc_retry_delay = 0.25
|
||||||
|
|
||||||
|
|
||||||
|
[oslo_middleware]
|
||||||
|
|
||||||
|
#
|
||||||
|
# From oslo.middleware.http_proxy_to_wsgi
|
||||||
|
#
|
||||||
|
|
||||||
|
# Wether the application is behind a proxy or not. This determines if
|
||||||
|
# the middleware should parse the headers or not. (boolean value)
|
||||||
|
#enable_proxy_headers_parsing = false
|
||||||
|
|
||||||
|
|
||||||
[oslo_policy]
|
[oslo_policy]
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -10,4 +10,5 @@ namespace = oslo.policy
|
|||||||
namespace = keystonemiddleware.auth_token
|
namespace = keystonemiddleware.auth_token
|
||||||
namespace = oslo.log
|
namespace = oslo.log
|
||||||
namespace = oslo.middleware.cors
|
namespace = oslo.middleware.cors
|
||||||
|
namespace = oslo.middleware.http_proxy_to_wsgi
|
||||||
namespace = osprofiler
|
namespace = osprofiler
|
||||||
|
@ -107,6 +107,9 @@ eventlet_opts = [
|
|||||||
|
|
||||||
wsgi_opts = [
|
wsgi_opts = [
|
||||||
cfg.StrOpt('secure_proxy_ssl_header',
|
cfg.StrOpt('secure_proxy_ssl_header',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_('Use the http_proxy_to_wsgi middleware '
|
||||||
|
'instead.'),
|
||||||
help=_('The HTTP header used to determine the scheme for the '
|
help=_('The HTTP header used to determine the scheme for the '
|
||||||
'original request, even if it was removed by an SSL '
|
'original request, even if it was removed by an SSL '
|
||||||
'terminating proxy. Typical value is '
|
'terminating proxy. Typical value is '
|
||||||
|
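Review bot: The `deprecated_reason` added to `secure_proxy_ssl_header` names the replacement middleware but not the switch that activates it, and the sample config in this commit shows `enable_proxy_headers_parsing` defaulting to `false`. An operator who drops the deprecated option on the strength of this message could lose scheme detection behind an SSL-terminating proxy and get redirects to http again. I would word it as `deprecated_reason=_('Use the http_proxy_to_wsgi middleware instead and set enable_proxy_headers_parsing in [oslo_middleware].'),`. The `cfg.StrOpt(...)` call continues past the end of the hunk, so the rest of the help text is not visible here.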