From 63e5c444dda43958843f7729056a254708e92002 Mon Sep 17 00:00:00 2001 From: pomac Date: Wed, 1 Mar 2017 09:40:45 +0100 Subject: [PATCH] Enable heat-api proxy header parsing heat-api kept redirecting clients to use http:// instead of https:// when communicating with our https:// only loadbalancer Please examine the logic for enabling it carefully, it's hard to know if it should be enabled or not, potenitially it could be a security risk. Based on openstack-ansible-os_heat: commit 4033a0f854cba6719c61812ef5b553e932a6c6c2 Author: Kyle L. Henderson Enable oslo_middleware proxy header parsing "Heat has moved to using oslo_middleware for the http proxy header parsing, however the default is to not parse the headers. When the external protocol differs from the internal protocol this parsing is required in order for heat to work properly since it will return 302 redirects to the client during some operations (such as delete stack). An example of this is when using haproxy with https configured for the external protocol and http for the internal protocol. If the oslo_middleware does not parse the headers, then any 302 redirects would specify a url with http rather than correctly specifying https and the heat client would fail to connect on the redirect url." Change-Id: I38661a0bc2163a7f72febd98b7ae6f51c5d45ad5 --- ansible/roles/heat/templates/heat.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2 index b9389e445a..b3f494b10c 100644 --- a/ansible/roles/heat/templates/heat.conf.j2 +++ b/ansible/roles/heat/templates/heat.conf.j2 @@ -89,3 +89,8 @@ driver = noop [clients] endpoint_type = internalURL + +{% if public_protocol != internal_protocol and kolla_external_fqdn != kolla_internal_fqdn %} +[oslo_middleware] +enable_proxy_headers_parsing = True +{% endif %}