Add http_proxy_to_wsgi to api-paste

This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The purpose of this middleware is to set up the request URL correctly in case there is a proxy (For instance, a loadbalancer such as HAProxy) in front of Neutron. So, for instance, when TLS connections are being terminated in the proxy, and one tries to get the versions from the / resource of Neutron, one will notice that the protocol is incorrect; It will show 'http' instead of 'https'. So this middleware handles such cases. Thus helping Keystone discovery work correctly. The HTTPProxyToWSGI is off by default and needs to be enabled via a configuration value. Change-Id: Ice9ee8f4e04050271d59858f92034c230325718b Closes-Bug: #1590608 (cherry picked from commit 19c354aacd)
2016-10-10 08:56:12 +03:00 · 2016-10-10 08:56:12 +03:00 · 8be6a30d43
commit 8be6a30d43
parent 287bb35e16
3 changed files with 19 additions and 4 deletions
--- a/etc/api-paste.ini
+++ b/etc/api-paste.ini
@ -5,13 +5,13 @@ use = egg:Paste#urlmap

 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
-noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0

 [composite:neutronversions_composite]
 use = call:neutron.auth:pipeline_factory
-noauth = cors neutronversions
-keystone = cors neutronversions
+noauth = cors http_proxy_to_wsgi neutronversions
+keystone = cors http_proxy_to_wsgi neutronversions

 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@ -23,6 +23,9 @@ paste.filter_factory = oslo_middleware:CatchErrors.factory
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = neutron

+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory

--- a/etc/oslo-config-generator/neutron.conf
+++ b/etc/oslo-config-generator/neutron.conf
@ -14,6 +14,7 @@ namespace = oslo.policy
 namespace = oslo.concurrency
 namespace = oslo.messaging
 namespace = oslo.middleware.cors
+namespace = oslo.middleware.http_proxy_to_wsgi
 namespace = oslo.service.sslutils
 namespace = oslo.service.wsgi
 namespace = keystonemiddleware.auth_token
--- a/releasenotes/notes/Adds-http_proxy_to_wsgi-middleware-24e8271cbd94ffdf.yaml
+++ b/releasenotes/notes/Adds-http_proxy_to_wsgi-middleware-24e8271cbd94ffdf.yaml
@ -0,0 +1,11 @@
+---
+features:
+  - Middleware was added to parse the X-Forwarded-Proto HTTP header or the
+    Proxy protocol in order to help neutron respond with the correct URL refs
+    when it's put behind a TLS proxy (such as HAProxy). This adds
+    http_proxy_to_wsgi middleware to the pipeline. This middleware is disabled
+    by default, but can be enabled via a configuration option in the
+    oslo_middleware group.
+upgrade:
+  - The api-paste.ini configuration file for the paste pipeline was updated to
+    add the http_proxy_to_wsgi middleware.