Merge "Define X-Forwarded-Proto for keystone"

Zuul 2022-02-15 18:58:13 +00:00 committed by Gerrit Code Review
commit ba9d685380
2 changed files with 8 additions and 2 deletions


@ -255,10 +255,10 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
#keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: false
keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
# External SSL forwarding proto
keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
keystone_secure_proxy_ssl_header: X-Forwarded-Proto
## Override memcached_servers
keystone_memcached_servers: "{{ memcached_servers }}"
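Review bot: The new default `keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"` evaluates to true whenever `haproxy_ssl` is undefined, so a deployment with no TLS-terminating load balancer in front of keystone now gets external-SSL handling switched on, where the previous default was false. The comment above it still describes a manual toggle; I would replace it with `# Follows haproxy_ssl (true when haproxy_ssl is undefined); set to false when nothing in front of keystone terminates TLS`. The header value also changes from the WSGI environ form `HTTP_X_FORWARDED_PROTO` to the wire form `X-Forwarded-Proto`, so any other template in the role that still reads `keystone_secure_proxy_ssl_header` in environ form should be checked; that cannot be confirmed from the lines shown here.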


@ -20,6 +20,12 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
{% endif -%}
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
{% if (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
{% elif not (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
{% endif %}
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}