Fix X-Forward-Proto Header Deletion

Deletion of X-Forward-Proto only happens if HAProxy manages SSL termination Change-Id: I9acd425330749a0fe296c9b9f8262f82ebf9de49 Closes-Bug: #1646593
2016-12-01 20:22:11 +01:00 · 2016-12-01 20:22:11 +01:00 · 5b79aa6066
commit 5b79aa6066
parent df59b78f56
1 changed files with 25 additions and 25 deletions
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@ -55,7 +55,7 @@ listen mongodb
 {% if enable_keystone | bool %}
 listen keystone_internal
  bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['keystone'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -63,7 +63,7 @@ listen keystone_internal

 listen keystone_external
  bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['keystone'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
@ -72,7 +72,7 @@ listen keystone_external

 listen keystone_admin
  bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['keystone'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -103,14 +103,14 @@ listen glance_api_external
 {% if enable_nova | bool %}
 listen nova_api
  bind {{ kolla_internal_vip_address }}:{{ nova_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen nova_metadata
  bind {{ kolla_internal_vip_address }}:{{ nova_metadata_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -118,7 +118,7 @@ listen nova_metadata
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy
  bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
@ -134,7 +134,7 @@ listen nova_spicehtml5proxy

 listen nova_api_external
  bind {{ kolla_external_vip_address }}:{{ nova_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
@ -142,7 +142,7 @@ listen nova_api_external

 listen nova_metadata_external
  bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
@ -151,7 +151,7 @@ listen nova_metadata_external
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy_external
  bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
@ -159,7 +159,7 @@ listen nova_novncproxy_external
 {% elif nova_console == 'spice' %}
 listen nova_spicehtml5proxy_external
  bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-spicehtml5proxy'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
@ -188,7 +188,7 @@ listen neutron_server_external
 listen horizon
  bind {{ kolla_internal_vip_address }}:80
  balance source
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['horizon'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
 {% endfor %}
@ -198,7 +198,7 @@ listen horizon
 listen horizon_external
  bind {{ kolla_external_vip_address }}:443 {{ tls_bind_info }}
  balance source
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['horizon'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
@ -220,7 +220,7 @@ listen horizon_external
 {% if enable_cinder | bool %}
 listen cinder_api
  bind {{ kolla_internal_vip_address }}:{{ cinder_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['cinder-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -228,7 +228,7 @@ listen cinder_api

 listen cinder_api_external
  bind {{ kolla_external_vip_address }}:{{ cinder_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cinder-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
@ -239,7 +239,7 @@ listen cinder_api_external
 {% if enable_cloudkitty | bool %}
 listen cloudkitty_api
  bind {{ kolla_internal_vip_address }}:{{ cloudkitty_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['cloudkitty-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -247,7 +247,7 @@ listen cloudkitty_api

 listen cloudkitty_api_external
  bind {{ kolla_external_vip_address }}:{{ cloudkitty_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cloudkitty-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5
@ -258,14 +258,14 @@ listen cloudkitty_api_external
 {% if enable_heat | bool %}
 listen heat_api
  bind {{ kolla_internal_vip_address }}:{{ heat_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['heat-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen heat_api_cfn
  bind {{ kolla_internal_vip_address }}:{{ heat_api_cfn_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -273,7 +273,7 @@ listen heat_api_cfn

 listen heat_api_external
  bind {{ kolla_external_vip_address }}:{{ heat_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
@ -281,7 +281,7 @@ listen heat_api_external

 listen heat_api_cfn_external
  bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
@ -292,7 +292,7 @@ listen heat_api_cfn_external
 {% if enable_grafana | bool %}
 listen grafana_server
  bind {{ kolla_internal_vip_address }}:{{ grafana_server_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['grafana'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5
@ -301,7 +301,7 @@ listen grafana_server

 listen grafana_server_external
  bind {{ kolla_external_vip_address }}:{{ grafana_server_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['grafana'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5
@ -513,7 +513,7 @@ listen kibana

 listen kibana_external
  bind {{ kolla_external_vip_address }}:{{ kibana_server_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  acl auth_acl http_auth(kibanauser)
  http-request auth realm basicauth unless auth_acl
@ -615,7 +615,7 @@ listen trove_api_external
 {% if enable_congress | bool %}
 listen congress_api
  bind {{ kolla_internal_vip_address }}:{{ congress_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['congress-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -623,7 +623,7 @@ listen congress_api

 listen congress_api_external
  bind {{ kolla_external_vip_address }}:{{ congress_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['congress-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5