From fbd1f04abf997ca6a079a9d97f954aabe194bd57 Mon Sep 17 00:00:00 2001 From: Jeremy Liu Date: Sun, 16 Oct 2016 11:13:03 +0800 Subject: [PATCH] Use http_proxy_to_wsgi middleware This sets up the HTTPProxyToWSGI middleware in front of Freezer. The purpose of this middleware is to set up the request URL correctly in case there is a proxy (For instance, a loadbalancer such as HAProxy) in front of Freezer. The HTTPProxyToWSGI is off by default and needs to be enabled via a configuration value. Depends-On: Iffd38a325204a3ec7380a7a56061866477d3d06e Change-Id: I44d60863eefeb52891474653aa9fcf1ba57d50a1 Closes-bug: #1590608 --- config-generator/freezer-api.conf | 1 + etc/freezer/freezer-api.conf.sample | 139 ++++++++++++++++++---------- etc/freezer/freezer-paste.ini | 7 +- 3 files changed, 97 insertions(+), 50 deletions(-) diff --git a/config-generator/freezer-api.conf b/config-generator/freezer-api.conf index ba94c16b..c30b5c45 100644 --- a/config-generator/freezer-api.conf +++ b/config-generator/freezer-api.conf @@ -4,3 +4,4 @@ wrap_width = 79 namespace = "freezer-api" namespace = oslo.log namespace = oslo.policy +namespace = oslo.middleware diff --git a/etc/freezer/freezer-api.conf.sample b/etc/freezer/freezer-api.conf.sample index b5c59dbe..19d59314 100644 --- a/etc/freezer/freezer-api.conf.sample +++ b/etc/freezer/freezer-api.conf.sample @@ -33,6 +33,7 @@ # configuration files are used then all logging configuration is set in the # configuration file and other logging configuration options are ignored (for # example, logging_context_format_string). (string value) +# Note: This option can be changed without restarting. # Deprecated group/name - [DEFAULT]/log_config #log_config_append = 
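Review bot: In config-generator/freezer-api.conf the added `namespace = oslo.middleware` pulls every oslo.middleware option group into the generated sample, which is why the regenerated freezer-api.conf.sample gains `[cors]` and `[cors.subdomain]` sections although the paste pipelines in this patch add no CORS filter. Operators reading the sample could assume those CORS settings (including the `allow_credentials = true` default) take effect when, as far as this patch shows, nothing consumes them. If only the proxy-header options are wanted, the narrower `namespace = oslo.middleware.http_proxy_to_wsgi` would keep the sample limited to what the pipeline uses.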
@@ -109,6 +110,64 @@ #fatal_deprecations = false +[cors] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = + + +[cors.subdomain] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = + + [keystone_authtoken] # 
@@ -157,7 +216,7 @@ # Optionally specify a list of memcached server(s) to use for caching. If left # undefined, tokens will instead be cached in-process. (list value) -# Deprecated group/name - [DEFAULT]/memcache_servers +# Deprecated group/name - [keystone_authtoken]/memcache_servers #memcached_servers = # In order to prevent excessive effort spent validating tokens, the middleware @@ -167,8 +226,8 @@ # Determines the frequency at which the list of revoked tokens is retrieved # from the Identity service (in seconds). A high number of revocation events -# combined with a low cache duration may significantly reduce performance. Only -# valid for PKI tokens. (integer value) +# combined with a low cache duration may significantly reduce performance. +# (integer value) #revocation_cache_time = 10 # (Optional) If defined, indicate whether token data should be authenticated or 
@@ -235,58 +294,44 @@ # performance. (list value) #hash_algorithms = md5 -# Prefix to prepend at the beginning of the path. Deprecated, use identity_uri. -# (string value) -#auth_admin_prefix = - -# Host providing the admin Identity API endpoint. Deprecated, use identity_uri. -# (string value) -#auth_host = 127.0.0.1 - -# Port of the admin Identity API endpoint. Deprecated, use identity_uri. -# (integer value) -#auth_port = 35357 - -# Protocol of the admin Identity API endpoint. Deprecated, use identity_uri. -# (string value) -# Allowed values: http, https -#auth_protocol = https - -# Complete admin Identity API endpoint. This should specify the unversioned -# root endpoint e.g. https://localhost:35357/ (string value) -#identity_uri = - -# This option is deprecated and may be removed in a future release. Single -# shared secret with the Keystone configuration used for bootstrapping a -# Keystone installation, or otherwise bypassing the normal authentication -# process. This option should not be used, use `admin_user` and -# `admin_password` instead. (string value) -#admin_token = - -# Service username. (string value) -#admin_user = - -# Service user password. (string value) -#admin_password = - -# Service tenant name. (string value) -#admin_tenant_name = admin - -# Authentication type to load (unknown value) -# Deprecated group/name - [DEFAULT]/auth_plugin +# Authentication type to load (string value) +# Deprecated group/name - [keystone_authtoken]/auth_plugin #auth_type = -# Config Section from which to load plugin specific options (unknown value) +# Config Section from which to load plugin specific options (string value) #auth_section = +[oslo_middleware] + +# +# From oslo.middleware +# + +# The maximum body size for each request, in bytes. 
(integer value) +# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size +# Deprecated group/name - [DEFAULT]/max_request_body_size +#max_request_body_size = 114688 + +# DEPRECATED: The HTTP Header that will be used to determine what the original +# request protocol scheme was, even if it was hidden by a SSL termination +# proxy. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#secure_proxy_ssl_header = X-Forwarded-Proto + +# Whether the application is behind a proxy or not. This determines if the +# middleware should parse the headers or not. (boolean value) +#enable_proxy_headers_parsing = false + + [oslo_policy] # # From oslo.policy # -# The JSON file that defines policies. (string value) +# The file that defines policies. (string value) # Deprecated group/name - [DEFAULT]/policy_file #policy_file = policy.json @@ -347,8 +392,6 @@ # path to CA certs on disk (string value) #ca_certs = -# Number of replicas for elk cluster. Default is 0. Use 0 for no replicas -# In a production environment, this value should be equal to: -# (Number of elasticsearch node in the cluster - 1) -# (integer value) +# Number of replicas for elk cluster. Default is 0. Use 0 for no replicas. This +# should be set to (number of node in the ES cluter -1). (integer value) #number_of_replicas = 0 diff --git a/etc/freezer/freezer-paste.ini b/etc/freezer/freezer-paste.ini index 751a2bfe..cc2aae17 100644 --- a/etc/freezer/freezer-paste.ini +++ b/etc/freezer/freezer-paste.ini 
@@ -19,8 +19,11 @@ paste.filter_factory = freezer_api.api.common.middleware:HealthApp.factory [filter:context] paste.filter_factory = freezer_api.api.common.middleware:ContextMiddleware.factory +[filter:http_proxy_to_wsgi] +paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory + [pipeline:main] -pipeline = healthcheck authtoken context freezer_app +pipeline = healthcheck http_proxy_to_wsgi authtoken context freezer_app [pipeline:unauthenticated_freezer_api] -pipeline = HealthApp Healthcheck freezer_app +pipeline = http_proxy_to_wsgi HealthApp Healthcheck freezer_app
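Review bot: The new `[filter:http_proxy_to_wsgi]` section carries no comment stating its trust assumption, yet it sits at the front of the unauthenticated pipeline and ahead of `authtoken` in `pipeline:main`. Once `enable_proxy_headers_parsing` is turned on, the middleware derives the request scheme and host from forwarded headers, which are client-supplied unless a fronting proxy overwrites them, so on a deployment where the API is also reachable directly a caller could influence the URLs Freezer generates. I would add a comment above the filter such as `# Only set [oslo_middleware]/enable_proxy_headers_parsing = true when all traffic arrives through a proxy that overwrites the X-Forwarded-* headers.` Separately, the filter comes after `healthcheck` in `pipeline:main` but before `HealthApp` in the unauthenticated pipeline; if that difference is intentional, the comment should say why.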