From 411c34da69f423059a04431a542be2b1b7a65f38 Mon Sep 17 00:00:00 2001
From: Jens Harbott
Date: Tue, 29 Aug 2017 14:40:26 +0000
Subject: [PATCH] Fix URLs when running with tls-proxy enabled

Various services are returning broken links when running behind tls-proxy. These issues can be fixed by setting the X-Forwarded-Proto header in the apache config and letting oslo_middleware parse it.

Change-Id: Ibe5dbdc4644ec812f0435f59319666fc336c195a
Partial-Bug: 1713731
---
 lib/cinder | 3 +--
 lib/neutron | 1 +
 lib/neutron-legacy | 1 +
 lib/nova | 1 +
 lib/tls | 3 ++-
 5 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/cinder b/lib/cinder
index 03328f31b6..67939f18e9 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -296,8 +296,7 @@ function configure_cinder {
 # Set the service port for a proxy to take the original
 if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then
 iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
- iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST
- iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST
+ iniset $CINDER_CONF oslo_middleware enable_proxy_headers_parsing True
 else
 iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
 iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
diff --git a/lib/neutron b/lib/neutron
index 2a660ec8e1..92c585a70f 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -242,6 +242,7 @@ function configure_neutron_new {
 if is_service_enabled tls-proxy; then
 # Set the service port for a proxy to take the original
 iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT"
+ iniset $NEUTRON_CONF oslo_middleware enable_proxy_headers_parsing True
 fi
 
 # Metering
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 784f3a8167..f9e0bd6ded 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
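Review bot: The new `enable_proxy_headers_parsing True` line in the mod_wsgi branch of lib/cinder makes the service trust forwarded headers from any peer, and nothing here records that this is only safe when the internal listener is reachable solely through the tls-proxy. Because the fixed `public_endpoint` and `osapi_volume_base_URL` are dropped in the same branch, the links cinder returns now come from request headers, so a caller who can reach `$CINDER_SERVICE_PORT_INT` directly (the bind address is not visible in this hunk) could supply its own `X-Forwarded-Proto`. I would add a comment above the new line such as `# Trusts X-Forwarded-* set by tls-proxy; the internal port must only accept connections from the proxy`. The same applies to the identical line added in lib/neutron, lib/neutron-legacy and lib/nova; in each case the enclosing function starts and ends outside the hunk.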
@@ -718,6 +718,7 @@ function _configure_neutron_common {
 if is_service_enabled tls-proxy; then
 # Set the service port for a proxy to take the original
 iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT"
+ iniset $NEUTRON_CONF oslo_middleware enable_proxy_headers_parsing True
 fi
 
 _neutron_setup_rootwrap
diff --git a/lib/nova b/lib/nova
index fa09fd8fc1..887a70d475 100644
--- a/lib/nova
+++ b/lib/nova
@@ -555,6 +555,7 @@ function create_nova_conf {
 
 if is_service_enabled tls-proxy; then
 iniset $NOVA_CONF DEFAULT glance_protocol https
+ iniset $NOVA_CONF oslo_middleware enable_proxy_headers_parsing True
 fi
 
 if is_service_enabled n-sproxy; then
diff --git a/lib/tls b/lib/tls
index 7bde5e6496..5bf5d96ede 100644
--- a/lib/tls
+++ b/lib/tls
@@ -527,6 +527,7 @@ $listen_string
 # for swift functional testing to work with tls enabled. It is 2 bytes
 # larger than the apache default of 8190.
 LimitRequestFieldSize $f_header_size
+ RequestHeader set X-Forwarded-Proto "https"
 ProxyPass http://$b_host:$b_port/ retry=0 nocanon
@@ -541,7 +542,7 @@ EOF
 if is_suse ; then
 sudo a2enflag SSL
 fi
- for mod in ssl proxy proxy_http; do
+ for mod in headers ssl proxy proxy_http; do
 enable_apache_mod $mod
 done
 enable_apache_site $b_service
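Review bot: In lib/tls the added `RequestHeader set X-Forwarded-Proto "https"` overwrites a client-supplied value for that one header, but the other forwarding headers the backends may now parse still pass through from the client untouched. As far as I know, oslo_middleware's proxy-header parsing also reads `Forwarded` and `X-Forwarded-Prefix` (confirm against the version in use), and a client-sent `Forwarded` header would take precedence over the value set here. The vhost should clear what it does not set itself, for example `RequestHeader unset Forwarded` and `RequestHeader unset X-Forwarded-Prefix` next to the new directive. The heredoc this line belongs to starts and ends outside the hunk.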