Use http_proxy_to_wsgi from oslo.middleware

Deprecate our custom usage of the HTTP_X_FORWARDED_PROTO header in
favour of a standard middleware shared across all services. This will
enable us to support the newer forwarding standards.

Closes-Bug: #1590608
Change-Id: Iad628a863e55cbf20c89ef23ebc7527ba8e1a835

etc/keystone-paste.ini

@@ -24,6 +24,9 @@ use = egg:keystone#json_body
 use = egg:oslo.middleware#cors
 oslo_config_project = keystone
 
+[filter:http_proxy_to_wsgi]
+use = egg:oslo.middleware#http_proxy_to_wsgi
+
 [filter:ec2_extension]
 use = egg:keystone#ec2_extension
 
@@ -51,17 +54,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
 
 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
 
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
 
 [app:public_version_service]
 use = egg:keystone#public_version_service

etc/keystone.conf.sample

@@ -80,8 +80,11 @@
 # automatically truncated to the maximum length. (boolean value)
 #strict_password_check = false
 
-# The HTTP header used to determine the scheme for the original request, even
-# if it was removed by an SSL terminating proxy. (string value)
+# DEPRECATED: The HTTP header used to determine the scheme for the original
+# request, even if it was removed by an SSL terminating proxy. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use http_proxy_to_wsgi middleware configuration instead.
 #secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
 
 # If set to true the server will return information in the response that may
@@ -1613,6 +1616,10 @@
 # Its value may be silently ignored in the future.
 #secure_proxy_ssl_header = X-Forwarded-Proto
 
+# Whether the application is behind a proxy or not. This determines if the
+# middleware should parse the headers or not. (boolean value)
+#enable_proxy_headers_parsing = false
+
 
 [oslo_policy]
 

keystone/common/config.py

@@ -144,6 +144,9 @@ FILE_OPTIONS = {
                          'passwords are automatically truncated to the '
                          'maximum length.'),
         cfg.StrOpt('secure_proxy_ssl_header', default='HTTP_X_FORWARDED_PROTO',
+                   deprecated_for_removal=True,
+                   deprecated_reason='Use http_proxy_to_wsgi middleware '
+                                     'configuration instead.',
                    help='The HTTP header used to determine the scheme for the '
                         'original request, even if it was removed by an SSL '
                         'terminating proxy.'),