openstack-ansible-os_horizon/templates/openstack_dashboard.conf.j2
Amy Marrich (spotz) 4283200534 Add ability for HTTP access to horizon
Horizon has, since OSA's inception, been deployed with HTTPS
access enabled, and has had no way to turn it off. Some use-cases
may want to access via HTTP instead, so this patch enables
the following:

1. Listen via HTTPS on a load balancer, but via HTTP on the
   horizon host and have the load balancer forward the correct
   headers. It will do this by default in the integrated build
   due to the presence of the load balancer, so the current
   behaviour is retained.

2. Enable HTTPS on the horizon host without a load balancer.
   This is the role's default behaviour which matches what it
   always has been.

3. Disable HTTPS entirely by setting ``haproxy_ssl: no`` (which
   will also disable https on haproxy. This setting is inherited
   by the new ``horizon_enable_ssl`` variable by default. This
   is a new option.

Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Change-Id: I823f2f949258157e306dbf80570abe53373da0c3
Closes-Bug: 1794337
2018-10-17 11:56:26 +00:00

66 lines
2.5 KiB
Django/Jinja

# {{ ansible_managed }}
# If horizon is being served via SSL from this web server,
# then we must redirect HTTP requests to HTTPS.
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
<VirtualHost *:80>
ServerName {{ horizon_server_name }}
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
{% endif %}
# If horizon is being served via SSL via a load balancer, we
# need to listen via HTTP on this web server. If SSL is not
# enabled, then the same applies.
<VirtualHost *:{{ ((horizon_enable_ssl | bool) and not (horizon_external_ssl | bool)) | ternary('443', '80') }}>
ServerName {{ horizon_server_name }}
LogLevel {{ horizon_log_level }}
ErrorLog /var/log/horizon/horizon-error.log
CustomLog /var/log/horizon/ssl_access.log {{ horizon_apache_custom_log_format }}
Options +FollowSymLinks
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
SSLEngine on
SSLCertificateFile {{ horizon_ssl_cert }}
SSLCertificateKeyFile {{ horizon_ssl_key }}
{% if horizon_user_ssl_ca_cert is defined -%}
SSLCACertificateFile {{ horizon_ssl_ca_cert }}
{% endif -%}
SSLCompression Off
SSLProtocol {{ horizon_ssl_protocol }}
SSLHonorCipherOrder On
SSLCipherSuite {{ horizon_ssl_cipher_suite }}
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
{% endif %}
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https"
{% elif not (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http"
{% endif %}
WSGIScriptAlias / {{ horizon_lib_wsgi_file }}
WSGIDaemonProcess horizon user={{ horizon_system_user_name }} group={{ horizon_system_group_name }} processes={{ horizon_wsgi_processes | default(horizon_wsgi_threads) }} threads={{ horizon_wsgi_threads }} python-path={{ horizon_bin | dirname }}/lib/python2.7/site-packages
WSGIProcessGroup horizon
WSGIApplicationGroup %{GLOBAL}
<Directory {{ horizon_lib_wsgi_file | dirname }}>
<Files django.wsgi>
Order allow,deny
allow from all
Require all granted
</Files>
</Directory>
Alias /static {{ horizon_lib_dir }}/static/
<Directory {{ horizon_lib_dir }}/static/>
Options -FollowSymlinks
AllowOverride None
Order allow,deny
allow from all
Require all granted
</Directory>
</VirtualHost>