Add support for oslo_middleware http_proxy_to_wsgi

This sets up the HTTPProxyToWSGI middleware in front of Octavia API. The
purpose of this middleware is to set up the request URL correctly in
the case there is a proxy (for instance, a loadbalancer such as HAProxy)
in front of Octavia API.

So, when TLS connections are terminated at the proxy, and one tries to
get the versions from the '/' resource from Octavia API, one will notice
that the protocol is incorrect; it will show 'http' instead of 'https'.
So this middleware handles such cases.

The HTTPProxyToWSGI is off by default and needs to be enabled via a
configuration value.

It can be enabled with the option in octavia.conf:
[oslo_middleware]
enable_proxy_headers_parsing=True

Conflicts:
	etc/octavia.conf
NOTE(s10): conflict is due to I3082962841d3b645f3cbd1a6b41fc7fb28dcf7e6
not being in stable branches

Story: 2005105
Task: 29732
Change-Id: I276188530a83598ed75560f02ed9d80ce9afca2f
(cherry picked from commit ec83c69372)
Vlad Gusev 2019-08-03 21:00:21 +03:00
parent 15358a71e4
commit 6f8932e955
3 changed files with 15 additions and 0 deletions

@ -293,6 +293,10 @@
# event_stream_transport_url = rabbit://<user>:<pass>@server01,<user>:<pass>@server02/<vhost>
# event_stream_transport_url =
[oslo_middleware]
# HTTPProxyToWSGI middleware enabled
# enable_proxy_headers_parsing = False
[house_keeping]
# Interval in seconds to initiate spare amphora checks
# spare_check_interval = 30
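
Review bot: The sample comment `# HTTPProxyToWSGI middleware enabled` sits directly above `# enable_proxy_headers_parsing = False`, so it reads as a statement that the middleware is on while the default shown is off. Suggest wording it as what the option does, for example "Whether to parse proxy headers and rebuild the request URL (HTTPProxyToWSGI middleware)", and noting that it is meant to be set to True only when the API sits behind a proxy.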

@ -16,6 +16,7 @@ import keystonemiddleware.audit as audit_middleware
from oslo_config import cfg
from oslo_log import log as logging
from oslo_middleware import cors
from oslo_middleware import http_proxy_to_wsgi
from oslo_middleware import request_id
import pecan
@ -83,6 +84,8 @@ def _wrap_app(app):
if cfg.CONF.api_settings.auth_strategy == constants.KEYSTONE:
app = keystone.SkippingAuthProtocol(app, {})
app = http_proxy_to_wsgi.HTTPProxyToWSGI(app)
# This should be the last middleware in the list (which results in
# it being the first in the middleware chain). This is to ensure
# that any errors thrown by other middleware, such as an auth
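
Review bot: `app = http_proxy_to_wsgi.HTTPProxyToWSGI(app)` in `_wrap_app` is added without a comment, and none of the 3 changed files is a test. A one-line comment saying the wrapper does nothing unless `[oslo_middleware] enable_proxy_headers_parsing` is True would explain why it is applied unconditionally. An API test that requests '/' with the option enabled and a forwarded-protocol header, then asserts 'https' in the returned version links, would cover the case the commit message describes. It is also worth confirming the placement: the wrapper is applied after the keystone block, so it sees requests before authentication does.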

@ -0,0 +1,8 @@
---
features:
- |
Now supports ``oslo_middleware http_proxy_to_wsgi``, which will set up the
request URL correctly in the case that there is a proxy (for example, a
loadbalancer such as HAProxy) in front of the Octavia API. It is off by
default and can be enabled by setting ``enable_proxy_headers_parsing=True``
in the ``[oslo_middleware]`` section of ``octavia.conf``.
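
Review bot: The release note says how to enable the option but not the deployment condition under which enabling it is appropriate. Because the middleware derives the request URL from headers carried in the request, suggest adding a sentence that ``enable_proxy_headers_parsing=True`` should be set only when the Octavia API is reachable solely through the proxy and the proxy sets or overwrites the forwarded headers itself. The feature would also read more clearly if named as the ``HTTPProxyToWSGI`` middleware from ``oslo_middleware``, matching the wording in the sample config.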