From b4ef4638a6389eb98dd2e7ffaa132d74b0ea0b87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?=
Date: Sat, 14 Sep 2019 22:00:56 +0200
Subject: [PATCH] Fix enforced horizon redirect to https
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Also fixes similar issues introduced by the same recent change. Added FIXME note about possible TLS malfunction regarding horizon.
Change-Id: I5f46a9306139eb550d3849757c8bdf0767537c78
Closes-Bug: #1844016
Signed-off-by: Radosław Piliszek
---
 ansible/roles/haproxy/templates/haproxy_main.cfg.j2 | 2 +-
 ansible/roles/horizon/templates/horizon.conf.j2 | 3 ++-
 ansible/roles/horizon/templates/local_settings.j2 | 2 +-
 ansible/roles/nova/templates/nova.conf.j2 | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/ansible/roles/haproxy/templates/haproxy_main.cfg.j2 b/ansible/roles/haproxy/templates/haproxy_main.cfg.j2
index 85b9d7642e..6073f33815 100644
--- a/ansible/roles/haproxy/templates/haproxy_main.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy_main.cfg.j2
@@ -13,7 +13,7 @@ global
 {% endfor %}
 {% endif %}
 stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
- {% if kolla_enable_tls_external or kolla_enable_tls_internal | bool %}
+ {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
 ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
 tune.ssl.default-dh-param 4096
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index 9577252496..b03bd4b403 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
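Review bot: The condition `kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool` in the haproxy_main.cfg.j2 hunk is repeated verbatim in the horizon.conf.j2, local_settings.j2 and nova.conf.j2 hunks, with nothing explaining why each operand needs its own filter. A Jinja2 filter binds tighter than `or`, so if these variables arrive as strings, an unfiltered operand such as "no" is truthy and the TLS hardening block is emitted regardless of the setting. Consider evaluating the test once into a shared variable so the four templates cannot drift apart again. Failing that, add a comment above each copy, for example `{# each operand needs its own "| bool": filters bind tighter than "or" #}`. The `global` section continues outside the hunk.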
@@ -33,7 +33,8 @@ TraceEnable off -{% if kolla_enable_tls_external or kolla_enable_tls_internal| bool %} +{# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #} +{% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %} Header edit Location ^http://(.*)$ https://$1 {% endif %} diff --git a/ansible/roles/horizon/templates/local_settings.j2 b/ansible/roles/horizon/templates/local_settings.j2 index 868f0057df..8e9b676be7 100644 --- a/ansible/roles/horizon/templates/local_settings.j2 +++ b/ansible/roles/horizon/templates/local_settings.j2 @@ -55,7 +55,7 @@ DATABASES = { #CSRF_COOKIE_SECURE = True #SESSION_COOKIE_SECURE = True -{% if kolla_enable_tls_external or kolla_enable_tls_internal | bool %} +{% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %} SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') CSRF_COOKIE_SECURE = True SESSION_COOKIE_SECURE = True diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2 index 838b1212db..2613710c30 100644 --- a/ansible/roles/nova/templates/nova.conf.j2 +++ b/ansible/roles/nova/templates/nova.conf.j2 @@ -229,7 +229,7 @@ debug = {{ nova_logging_debug }} [wsgi] api_paste_config = /etc/nova/api-paste.ini -{% if kolla_enable_tls_external or kolla_enable_tls_internal | bool %} +{% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %} secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO {% endif %}
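Review bot: The FIXME added in horizon.conf.j2 says one TLS option "will break the other" but does not say how, and the `Header edit Location` rule beneath it still rewrites every `http://` redirect to `https://` whenever either flag is set. With only one of the two options enabled, clients on the plain-HTTP side are presumably redirected to an https URL that no listener serves. Consider spelling that out, for example `{# FIXME(yoctozepto): with only one of internal/external TLS enabled, redirects on the non-TLS side are still rewritten to https #}`. If the proxy reliably sets X-Forwarded-Proto, as the local_settings.j2 hunk of this patch assumes, the rewrite could be conditioned on it with something like `Header edit Location ^http://(.*)$ https://$1 "expr=%{HTTP:X-Forwarded-Proto} == 'https'"`. The surrounding virtual-host configuration is not visible in the hunk.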
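Review bot: In the local_settings.j2 hunk, `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` makes Django treat any request carrying that header as secure, and nothing visible in this patch shows the proxy removing a client-supplied `X-Forwarded-Proto`. The same applies to `secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO` in the nova.conf.j2 hunk. Django documents this setting as safe only when the proxy strips or overwrites the header on every request, so a comment recording that assumption would help, for example `# relies on haproxy always setting/stripping X-Forwarded-Proto - TODO confirm`. Separately, with only one TLS flag enabled, `CSRF_COOKIE_SECURE = True` and `SESSION_COOKIE_SECURE = True` will likely make browsers withhold cookies on the plain-HTTP side. The FIXME this patch adds to horizon.conf.j2 therefore belongs above this block as well.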