From 8b5c095d6f7e4dca93306f00416784303392a67c Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Thu, 9 Jun 2016 09:36:19 +1000
Subject: [PATCH] Use http_proxy_to_wsgi from oslo.middleware

Deprecate our custom usage of the HTTP_X_FORWARDED_PROTO header in favour of a standard middleware shared across all services. This will enable us to support the newer forwarding standards.

Closes-Bug: #1590608
Change-Id: Iad628a863e55cbf20c89ef23ebc7527ba8e1a835
---
 etc/keystone-paste.ini | 9 ++++++---
 etc/keystone.conf.sample | 11 +++++++++--
 keystone/common/config.py | 3 +++
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/etc/keystone-paste.ini b/etc/keystone-paste.ini
index ec169c06b9..acb17fc154 100644
--- a/etc/keystone-paste.ini
+++ b/etc/keystone-paste.ini
@@ -24,6 +24,9 @@ use = egg:keystone#json_body
 use = egg:oslo.middleware#cors
 oslo_config_project = keystone
+[filter:http_proxy_to_wsgi]
+use = egg:oslo.middleware#http_proxy_to_wsgi
+
 [filter:ec2_extension]
 use = egg:keystone#ec2_extension
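Review bot: The new `[filter:http_proxy_to_wsgi]` entry gives an operator editing this file no hint that it does nothing until `enable_proxy_headers_parsing` is turned on under `[oslo_middleware]` in keystone.conf (the sample-config hunk at +1616 shows it defaulting to false), nor that, once enabled, the middleware rewrites the request scheme and host from the `Forwarded`/`X-Forwarded-*` headers it receives and therefore must sit behind a proxy that sets or strips those headers itself. A two-line comment above the filter would close that gap: `# Only honours Forwarded/X-Forwarded-* headers when [oslo_middleware]/enable_proxy_headers_parsing is true;` followed by `# the proxy in front of keystone must set or strip those headers itself.` Note also that the deprecated `secure_proxy_ssl_header` option (config.py hunk) still defaults to `HTTP_X_FORWARDED_PROTO`, so if keystone's own handling of that option is unchanged by this commit, both mechanisms are live during the deprecation period.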
@@ -51,17 +54,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
 [app:public_version_service]
 use = egg:keystone#public_version_service
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index b205c5427f..71806b9fde 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
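Review bot: The filter is added to `public_api`, `admin_api` and `api_v3` only; if the version-discovery pipelines that follow `[app:public_version_service]` (outside this hunk) still read `cors sizelimit osprofiler url_normalize ...`, the version documents they emit will keep linking with the scheme and host seen behind the proxy, which is exactly the case this change is meant to fix. Consider inserting `http_proxy_to_wsgi` at the same position in those pipelines as well, so every URL keystone generates sees the same request. A one-line comment on the pipelines would also stop the ordering from drifting in later edits, e.g. `# http_proxy_to_wsgi must run before any filter or app that builds URLs from the request`.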
@@ -80,8 +80,11 @@
 # automatically truncated to the maximum length. (boolean value)
 #strict_password_check = false
-# The HTTP header used to determine the scheme for the original request, even
-# if it was removed by an SSL terminating proxy. (string value)
+# DEPRECATED: The HTTP header used to determine the scheme for the original
+# request, even if it was removed by an SSL terminating proxy. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Use http_proxy_to_wsgi middleware configuration instead.
 #secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
 # If set to true the server will return information in the response that may
@@ -1613,6 +1616,10 @@
 # Its value may be silently ignored in the future.
 #secure_proxy_ssl_header = X-Forwarded-Proto
+# Whether the application is behind a proxy or not. This determines if the
+# middleware should parse the headers or not. (boolean value)
+#enable_proxy_headers_parsing = false
+
 [oslo_policy]
diff --git a/keystone/common/config.py b/keystone/common/config.py
index 7ec17eae41..b3bfa2c290 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -144,6 +144,9 @@ FILE_OPTIONS = {
 'passwords are automatically truncated to the '
 'maximum length.'),
 cfg.StrOpt('secure_proxy_ssl_header', default='HTTP_X_FORWARDED_PROTO',
+ deprecated_for_removal=True,
+ deprecated_reason='Use http_proxy_to_wsgi middleware '
+ 'configuration instead.',
 help='The HTTP header used to determine the scheme for the '
 'original request, even if it was removed by an SSL '
 'terminating proxy.'),
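Review bot: `deprecated_reason` tells operators to use "http_proxy_to_wsgi middleware configuration" without naming the knob they actually have to flip, and the untouched `help` text still describes `secure_proxy_ssl_header` as though it were the supported mechanism; the conf.sample hunk at +1616 shows the replacement is `enable_proxy_headers_parsing`. Suggest `deprecated_reason='Use http_proxy_to_wsgi middleware configuration ' '([oslo_middleware] enable_proxy_headers_parsing) instead.'` so the deprecation message is actionable on its own. It is also worth stating in the help that the default of trusting `HTTP_X_FORWARDED_PROTO` remains in effect until the option is removed, since the new middleware defaults to not parsing proxy headers and the two mechanisms overlap during the deprecation period. The `FILE_OPTIONS` dict this entry belongs to starts and ends outside the hunk.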