From 3daded62427a1eda9998865b413c2a03210e4592 Mon Sep 17 00:00:00 2001
From: Dave McCowan
Date: Mon, 29 Feb 2016 13:51:11 -0500
Subject: [PATCH] Add TLS protection on external API endpoints

TLS can be used to encrypt and authenticate the connection with OpenStack endpoints. This patch provides the necessary parameters and changes the resulting service configurations to enable TLS for the Kolla deployed OpenStack cloud.

The new input parameters are:
kolla_enable_tls_external: "yes" or "no" (default is "no")
kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt"

Implements: blueprint kolla-ssl
Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
---
 ansible/group_vars/all.yml | 6 +-
 ansible/roles/certificates/tasks/generate.yml | 2 +-
 .../templates/openssl-kolla.cnf.j2 | 2 +-
 ansible/roles/haproxy/tasks/config.yml | 8 ++
 .../roles/haproxy/templates/haproxy.cfg.j2 | 84 +++++++++++++++----
 .../roles/haproxy/templates/haproxy.json.j2 | 7 ++
 .../roles/horizon/templates/horizon.conf.j2 | 4 +
 .../roles/horizon/templates/local_settings.j2 | 12 ++-
 .../roles/keystone/templates/keystone.conf.j2 | 2 +
 ansible/roles/nova/templates/nova.conf.j2 | 4 +
 etc/kolla/globals.yml | 11 +++
 11 files changed, 117 insertions(+), 25 deletions(-)

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index f7807c88cb..4b0525b756 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -136,7 +136,7 @@ elasticsearch_port: "9200"
 manila_api_port: "8786"
 
-public_protocol: "http"
+public_protocol: "{{ 'https' if kolla_enable_tls_external | bool else 'http' }}"
 internal_protocol: "http"
 admin_protocol: "http"
@@ -207,7 +207,9 @@ rabbitmq_user: "openstack"
 ####################
 haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
-
+kolla_enable_tls_external: "no"
+kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
 
 #################################
 # Cinder - Block Storage options
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index dd82bbdd13..b0014e13aa 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -21,7 +21,7 @@
 
 - name: Creating Server Certificate
 command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
- -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_address }}" \
+ -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
 -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
 -days 3650 \
 -extensions v3_req \
diff --git a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
index 8ebf22caa2..c9bbce5321 100644
--- a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
@@ -7,7 +7,7 @@ countryName = US
 stateOrProvinceName = NC
 localityName = RTP
 organizationalUnitName = kolla
-commonName = {{ kolla_external_address }}
+commonName = {{ kolla_external_fqdn }}
 
 [v3_req]
 subjectAltName = @alt_names
diff --git a/ansible/roles/haproxy/tasks/config.yml b/ansible/roles/haproxy/tasks/config.yml
index 2a9941ccc8..e41f6aa480 100644
--- a/ansible/roles/haproxy/tasks/config.yml
+++ b/ansible/roles/haproxy/tasks/config.yml
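Review bot: `kolla_external_fqdn_cacert` is introduced here (and described in the etc/kolla/globals.yml hunk) but nothing in the diffstat reads it — the only certificate material that gets distributed is `kolla_external_fqdn_cert`, copied by ansible/roles/haproxy/tasks/config.yml. With the self-signed certificate that generate.yml produces, service-to-service clients and the CLI are given no trust anchor for the public endpoints, so they will either fail verification or have to be told to skip it. Either wire the variable into the consumers that need a CA file, or mark it as not yet used with a comment such as `# Not yet consumed by any role; distribute to clients that must verify the self-signed chain`.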
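Review bot: Moving `commonName` to `kolla_external_fqdn` only helps if the `[alt_names]` section referenced by `subjectAltName = @alt_names` just below carries the same FQDN; that section is outside the hunk and, if it still lists only the VIP address, clients that match on SAN alone (current browsers and hostname-checking TLS libraries) will reject the certificate even though the CN is right. Worth confirming, and adding `DNS.1 = {{ kolla_external_fqdn }}` there if it is missing. The `-subj` change in generate.yml is the same rename and shares this concern.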
@@ -33,3 +33,11 @@
 dest: "{{ node_config_directory }}/{{ item }}/{{ item }}.conf"
 with_items:
 - "keepalived"
+
+- name: Copying over haproxy.pem
+ when: kolla_enable_tls_external | bool
+ copy:
+ src: "{{ kolla_external_fqdn_cert }}"
+ dest: "{{ node_config_directory }}/haproxy/{{ item }}"
+ with_items:
+ - "haproxy.pem"
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
index 1ab7dd67db..a9f1e8ac6b 100644
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -1,8 +1,14 @@
+{% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}
 global
 daemon
 log /var/lib/kolla/heka/log local0
 maxconn 4000
 stats socket /var/lib/kolla/haproxy/haproxy.sock
+{% if kolla_enable_tls_external | bool %}
+ ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
+ ssl-default-bind-options no-sslv3 no-tlsv10
+ tune.ssl.default-dh-param 4096
+{% endif %}
 
 defaults
 log global
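Review bot: The new `copy` task writes `haproxy.pem` — which generate.yml produces with `-nodes`, i.e. with an unencrypted private key inside — into `{{ node_config_directory }}/haproxy/` without a `mode`, so the staged copy takes the target's default umask and is typically world-readable. haproxy.json.j2 later installs it as 0600 inside the container, but that does not tighten the staging file; add `    mode: "0600"` under `copy:`. Looping `with_items` over a single fixed filename also reads oddly; `dest: "{{ node_config_directory }}/haproxy/haproxy.pem"` would say the same thing more directly.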
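Review bot: `ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES` is a deny-list on top of whatever the linked OpenSSL puts in DEFAULT, so it still admits plain-RSA key exchange with no forward secrecy, and `no-sslv3 no-tlsv10` still leaves TLS 1.1 enabled. An allow-list that prefers ephemeral key exchange with AEAD suites, e.g. `ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5` together with `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11`, is the customary shape and does not depend on the library's defaults. `tune.ssl.default-dh-param 4096` also makes every DHE handshake noticeably expensive; 2048 is the usual compromise, and the setting only matters while DHE suites remain enabled.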
@@ -58,13 +64,16 @@ listen mongodb
 {% if enable_keystone | bool %}
 listen keystone_internal
 bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['keystone'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 {% if haproxy_enable_external_vip | bool %}
 listen keystone_external
- bind {{ kolla_external_vip_address }}:{{ keystone_public_port }}
+ bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['keystone'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -72,6 +81,7 @@ listen keystone_external
 
 listen keystone_admin
 bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['keystone'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
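Review bot: The `http-request del-header X-Forwarded-Proto` / `http-request set-header X-Forwarded-Proto https if { ssl_fc }` pair is hand-copied onto each external `listen` section and the lone `del-header` onto each internal one (here, and again in the nova, cinder and heat hunks), which is exactly how several other external sections in this patch came to miss it. Two small Jinja macros defined next to `tls_bind_info` at the top of the template would turn the header policy into a one-line include per section, so a new listener cannot forget it. Sketch, with the macro definitions placed in the file header:

```jinja
{% macro internal_proto_headers() %}
    http-request del-header X-Forwarded-Proto
{% endmacro %}
{% macro external_proto_headers() %}
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
{% endmacro %}
{# … unchanged: global / defaults / earlier sections … #}
listen keystone_external
    bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }}
{{ external_proto_headers() }}
```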
@@ -92,13 +102,13 @@ listen glance_api
 
 {% if haproxy_enable_external_vip | bool %}
 listen glance_registry_external
- bind {{ kolla_external_vip_address }}:{{ glance_registry_port }}
+ bind {{ kolla_external_vip_address }}:{{ glance_registry_port }} {{ tls_bind_info }}
 {% for host in groups['glance-registry'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_registry_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen glance_api_external
- bind {{ kolla_external_vip_address }}:{{ glance_api_port }}
+ bind {{ kolla_external_vip_address }}:{{ glance_api_port }} {{ tls_bind_info }}
 {% for host in groups['glance-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
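Review bot: `glance_registry_external` and `glance_api_external` now terminate TLS via `{{ tls_bind_info }}` but, unlike `keystone_external`, get neither `http-request del-header X-Forwarded-Proto` nor `http-request set-header X-Forwarded-Proto https if { ssl_fc }`, and the internal `listen glance_api` (only its name is visible, in the hunk header) presumably still passes a client-supplied header straight through. The backends therefore cannot tell TLS clients from plaintext ones — any absolute URLs they build will keep advertising http — and a caller can inject its own X-Forwarded-Proto on these paths. The same gap applies to `neutron_server_external`, `ironic_api_external`, `swift_api_external`, `murano_api_external`, `magnum_api_external` and `radosgw_external` in the later hunks; add the two header lines after each `bind ... {{ tls_bind_info }}` and the `del-header` to each internal counterpart.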
@@ -108,18 +118,21 @@ listen glance_api_external
 {% if enable_nova | bool %}
 listen nova_api
 bind {{ kolla_internal_vip_address }}:{{ nova_api_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen nova_api_ec2
 bind {{ kolla_internal_vip_address }}:{{ nova_api_ec2_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_ec2_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen nova_metadata
 bind {{ kolla_internal_vip_address }}:{{ nova_metadata_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -127,6 +140,8 @@ listen nova_metadata
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy
 bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
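Review bot: On the internal `listen nova_novncproxy` the added `http-request set-header X-Forwarded-Proto https if { ssl_fc }` can never fire, because that section's `bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }}` carries no `ssl` argument and `ssl_fc` is only true on a TLS-terminated frontend. Every other internal listener in this patch gets just the `del-header` line, so either drop the `set-header` here for consistency, or, if TLS on the internal console proxy is actually intended, append `{{ tls_bind_info }}` to that bind as well so the line has something to match.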
@@ -140,32 +155,42 @@ listen nova_spicehtml5proxy
 
 {% if haproxy_enable_external_vip | bool %}
 listen nova_api_external
- bind {{ kolla_external_vip_address }}:{{ nova_api_port }}
+ bind {{ kolla_external_vip_address }}:{{ nova_api_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen nova_api_ec2_external
- bind {{ kolla_external_vip_address }}:{{ nova_api_ec2_port }}
+ bind {{ kolla_external_vip_address }}:{{ nova_api_ec2_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_ec2_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen nova_metadata_external
- bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }}
+ bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy_external
- bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }}
+ bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 {% elif nova_console == 'spice' %}
 listen nova_spicehtml5proxy_external
- bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }}
+ bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-spicehtml5proxy'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -182,7 +207,7 @@ listen neutron_server
 
 {% if haproxy_enable_external_vip | bool %}
 listen neutron_server_external
- bind {{ kolla_external_vip_address }}:{{ neutron_server_port }}
+ bind {{ kolla_external_vip_address }}:{{ neutron_server_port }} {{ tls_bind_info }}
 {% for host in groups['neutron-server'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
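Review bot: `nova_novncproxy_external` and `nova_spicehtml5proxy_external` get TLS on the external VIP, but the URL the browser is handed to open the console WebSocket comes from nova's `novncproxy_base_url` / `html5proxy_base_url`, and the only nova.conf.j2 change in this patch is the `secure_proxy_ssl_header` line in a later hunk. Unless those base URLs are already derived from `public_protocol` (not visible here), a dashboard page served over https will receive an `http://`/`ws://` console URL, which browsers refuse as mixed content. Worth confirming the rest of nova.conf.j2, and recording the dependency next to `{% if nova_console == 'novnc' %}` with a comment such as `{# the console base URLs in nova.conf.j2 must follow public_protocol for this TLS bind to be usable #}`.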
@@ -192,11 +217,24 @@ listen neutron_server_external
 {% if enable_horizon | bool %}
 listen horizon
 bind {{ kolla_internal_vip_address }}:80
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['horizon'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
 {% endfor %}
 
-{% if haproxy_enable_external_vip | bool %}
+{% if haproxy_enable_external_vip | bool %}
+{% if kolla_enable_tls_external | bool %}
+listen horizon_external
+ bind {{ kolla_external_vip_address }}:443 {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+{% for host in groups['horizon'] %}
+ server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+frontend horizon_external_redirect {{ kolla_external_vip_address }}:80
+ redirect scheme https code 301 if !{ ssl_fc }
+{% else %}
 listen horizon_external
 bind {{ kolla_external_vip_address }}:80
 {% for host in groups['horizon'] %}
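Review bot: `frontend horizon_external_redirect {{ kolla_external_vip_address }}:80` places the address on the `frontend` line, the older shorthand, while every other section in this template uses an explicit `bind`; a `bind {{ kolla_external_vip_address }}:80` line under the frontend keeps the file uniform. The `if !{ ssl_fc }` on the redirect is always true on a plaintext-only frontend and can be dropped. Since the 301 exists to move browsers to the 443 listener, consider also emitting HSTS from `horizon_external`, e.g. `http-response set-header Strict-Transport-Security max-age=31536000`, so returning visitors skip the plaintext hop entirely. The `{% if haproxy_enable_external_vip | bool %}` line is removed and re-added unchanged, which looks like a whitespace-only edit and could be dropped from the patch.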
@@ -204,17 +242,21 @@ listen horizon_external
 {% endfor %}
 {% endif %}
 {% endif %}
+{% endif %}
 
 {% if enable_cinder | bool %}
 listen cinder_api
 bind {{ kolla_internal_vip_address }}:{{ cinder_api_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['cinder-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 {% if haproxy_enable_external_vip | bool %}
 listen cinder_api_external
- bind {{ kolla_external_vip_address }}:{{ cinder_api_port }}
+ bind {{ kolla_external_vip_address }}:{{ cinder_api_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cinder-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
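Review bot: `cinder_api_external` (and `heat_api_external` / `heat_api_cfn_external` in the next hunk) now forwards `X-Forwarded-Proto: https`, but the diffstat touches only keystone.conf.j2 and nova.conf.j2, so nothing in this patch tells cinder or heat to honour the header the way keystone and nova are told. If those APIs do not already consume it through their paste pipelines, the scheme in their self-referential links (version discovery, pagination) will still read http behind the TLS frontend; either add the matching service-side setting in this change or note in the commit message that it is deferred. The `del-header` on the internal listeners is worthwhile on its own and should stay regardless.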
@@ -224,25 +266,31 @@ listen cinder_api_external
 {% if enable_heat | bool %}
 listen heat_api
 bind {{ kolla_internal_vip_address }}:{{ heat_api_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['heat-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen heat_api_cfn
 bind {{ kolla_internal_vip_address }}:{{ heat_api_cfn_port }}
+ http-request del-header X-Forwarded-Proto
 {% for host in groups['heat-api-cfn'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 {% if haproxy_enable_external_vip | bool %}
 listen heat_api_external
- bind {{ kolla_external_vip_address }}:{{ heat_api_port }}
+ bind {{ kolla_external_vip_address }}:{{ heat_api_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen heat_api_cfn_external
- bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }}
+ bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }} {{ tls_bind_info }}
+ http-request del-header X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -258,7 +306,7 @@ listen ironic_api
 
 {% if haproxy_enable_external_vip | bool %}
 listen ironic_api_external
- bind {{ kolla_external_vip_address }}:{{ ironic_api_port }}
+ bind {{ kolla_external_vip_address }}:{{ ironic_api_port }} {{ tls_bind_info }}
 {% for host in groups['ironic-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -274,7 +322,7 @@ listen swift_api
 
 {% if haproxy_enable_external_vip | bool %}
 listen swift_api_external
- bind {{ kolla_external_vip_address }}:{{ swift_proxy_server_port }}
+ bind {{ kolla_external_vip_address }}:{{ swift_proxy_server_port }} {{ tls_bind_info }}
 {% for host in groups['swift-proxy-server'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -290,7 +338,7 @@ listen murano_api
 
 {% if haproxy_enable_external_vip | bool %}
 listen murano_api_external
- bind {{ kolla_external_vip_address }}:{{ murano_api_port }}
+ bind {{ kolla_external_vip_address }}:{{ murano_api_port }} {{ tls_bind_info }}
 {% for host in groups['murano-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -306,7 +354,7 @@ listen magnum_api
 
 {% if haproxy_enable_external_vip | bool %}
 listen magnum_api_external
- bind {{ kolla_external_vip_address }}:{{ magnum_api_port }}
+ bind {{ kolla_external_vip_address }}:{{ magnum_api_port }} {{ tls_bind_info }}
 {% for host in groups['magnum-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -322,7 +370,7 @@ listen radosgw
 
 {% if haproxy_enable_external_vip | bool %}
 listen radosgw_external
- bind {{ kolla_external_vip_address }}:{{ rgw_port }}
+ bind {{ kolla_external_vip_address }}:{{ rgw_port }} {{ tls_bind_info }}
 {% for host in groups['ceph-rgw'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
diff --git a/ansible/roles/haproxy/templates/haproxy.json.j2 b/ansible/roles/haproxy/templates/haproxy.json.j2
index a14bb1a37a..9672e239b2 100644
--- a/ansible/roles/haproxy/templates/haproxy.json.j2
+++ b/ansible/roles/haproxy/templates/haproxy.json.j2
@@ -6,6 +6,13 @@
 "dest": "/etc/haproxy/haproxy.cfg",
 "owner": "root",
 "perm": "0644"
+ },
+ {
+ "source": "{{ container_config_directory }}/haproxy.pem",
+ "dest": "/etc/haproxy/haproxy.pem",
+ "owner": "root",
+ "perm": "0600",
+ "optional": "true"
 }
 ]
 }
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index 53716c6037..1881978d02 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -22,3 +22,7 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
 SetHandler None
+
+{% if kolla_enable_tls_external | bool %}
+Header edit Location ^http://(.*)$ https://$1
+{% endif %}
diff --git a/ansible/roles/horizon/templates/local_settings.j2 b/ansible/roles/horizon/templates/local_settings.j2
index cc6802e50e..c8ad4e2cb3 100644
--- a/ansible/roles/horizon/templates/local_settings.j2
+++ b/ansible/roles/horizon/templates/local_settings.j2
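Review bot: `Header edit Location ^http://(.*)$ https://$1` rewrites every redirect this Apache instance emits, but the same instance also backs the internal `listen horizon` on port 80 in haproxy.cfg.j2, and the internal VIP gets no 443 listener in this patch — so with TLS enabled an internal user is bounced to `https://<internal VIP>/...` where nothing answers. Make the rewrite depend on the proxy-supplied scheme instead, e.g. `SetEnvIf X-Forwarded-Proto https forwarded_https` followed by `Header edit Location ^http://(.*)$ https://$1 env=forwarded_https` (mod_setenvif assumed loaded); haproxy strips the header on the internal listener, so the flag cannot be set from that path. The Directory/VirtualHost closing lines that the hunk header's old-side count implies appear to be missing from this rendering, so whether the new block lands inside or outside the vhost should be checked against the source file.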
@@ -41,6 +41,12 @@ ALLOWED_HOSTS = ['*']
 #CSRF_COOKIE_SECURE = True
 #SESSION_COOKIE_SECURE = True
+{% if kolla_enable_tls_external | bool %}
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+{% endif %}
+
 
 # Overrides for OpenStack API versions. Use this setting to force the
 # OpenStack dashboard to use a specific API version for a given service API.
 # Versions specified here should be integers or floats, not strings.
@@ -147,8 +153,8 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 # ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
 #]
 
-OPENSTACK_HOST = "{{ kolla_external_fqdn }}"
-OPENSTACK_KEYSTONE_URL = "{{ public_protocol }}://%s:{{ keystone_public_port }}/v3" % OPENSTACK_HOST
+OPENSTACK_HOST = "{{ kolla_internal_fqdn }}"
+OPENSTACK_KEYSTONE_URL = "{{ internal_protocol }}://%s:{{ keystone_public_port }}/v3" % OPENSTACK_HOST
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 
 # Enables keystone web single-sign-on if set to True.
@@ -292,7 +298,7 @@ IMAGE_RESERVED_CUSTOM_PROPERTIES = []
 # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
 # in the Keystone service catalog. Use this setting when Horizon is running
 # external to the OpenStack environment. The default is 'publicURL'.
-#OPENSTACK_ENDPOINT_TYPE = "publicURL"
+OPENSTACK_ENDPOINT_TYPE = "internalURL"
 
 # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
 # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2
index c911d028cf..83e2e2a024 100644
--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
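Review bot: With `CSRF_COOKIE_SECURE = True` and `SESSION_COOKIE_SECURE = True` browsers will not return those cookies over plain http, yet this single local_settings also serves the internal `listen horizon` in haproxy.cfg.j2, which still binds port 80 and strips X-Forwarded-Proto; once `kolla_enable_tls_external` is set, a login through the internal VIP will loop because the session cookie never comes back. Either the internal dashboard listener needs TLS as well, or the secure-cookie block needs a comment stating that the dashboard is external-only in TLS mode, e.g. `# Secure cookies: the dashboard is reachable only via the TLS external VIP when this is enabled`. Separately, `OPENSTACK_HOST = "{{ kolla_internal_fqdn }}"` and `OPENSTACK_ENDPOINT_TYPE = "internalURL"` change Horizon's behaviour whether or not TLS is enabled and the commit message does not mention it; a comment such as `# Horizon reaches Keystone and the catalog via internal endpoints, so it is unaffected by external TLS` would record the intent.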
@@ -4,5 +4,7 @@ debug = {{ keystone_logging_debug }}
 # NOTE(elemoine) log_dir alone does not work for Keystone
 log_file = /var/log/kolla/keystone/keystone.log
+secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
+
 
 [database]
 connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 5d6b438270..4780f963c9 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -8,6 +8,10 @@ use_forwarded_for = true
 api_paste_config = /etc/nova/api-paste.ini
 state_path = /var/lib/nova
+{% if kolla_enable_tls_external | bool %}
+secure_proxy_ssl_header = X-Forwarded-Proto
+{% endif %}
+
 
 osapi_compute_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 osapi_compute_listen_port = {{ nova_api_port }}
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 44f72ead76..a505b38309 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -72,6 +72,17 @@ neutron_external_interface: "eth1"
 #neutron_plugin_agent: "openvswitch"
+####################
+# TLS options
+####################
+# To provide encryption and authentication on the kolla_external_vip_interface,
+# TLS can be enabled. When TLS is enabled, certificates must be provided to
+# allow clients to perform authentication. The default is TLS disabled.
+# kolla_enable_tls_external: "yes"
+# kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+# kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+
+
 
 
 ####################
 # OpenStack options
 ####################
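Review bot: `secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO` is emitted unconditionally, whereas the equivalent nova.conf.j2 line in the next hunk is wrapped in `{% if kolla_enable_tls_external | bool %}`. Trusting that header is only safe while every route to keystone passes through an haproxy listener that strips it; a request that reaches keystone's API port directly can present its own `X-Forwarded-Proto: https` and be treated as secure, which changes the scheme keystone reports in its own links. Gating the line the same way as nova — `{% if kolla_enable_tls_external | bool %}` / `{% endif %}` around it — keeps the two templates consistent and confines the trust to deployments that actually terminate TLS in front of keystone.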
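Review bot: The new comment's `# allow clients to perform authentication` reads as if clients authenticate themselves (mutual TLS), whereas the certificate configured here lets clients authenticate the endpoint; suggested wording: `# TLS can be enabled. When TLS is enabled, a certificate must be provided so that clients can authenticate the endpoint. The default is TLS disabled.`. It would also help readers to say what each path is expected to hold, e.g. `# kolla_external_fqdn_cert: PEM bundle (server certificate + private key) loaded by haproxy` and `# kolla_external_fqdn_cacert: CA certificate for clients that must verify the server chain`, since the two names differ only by a suffix.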