Remove X-Forwarded-Proto header in apache

Ther X-Forward-Proto header should be added on the external loadbalancer only,
otherwise admin, internal endpoint requests to keystone may suddenly flip to
HTTPS while HTTP is configured in default.
This also affects request to local keystone API calls for monitoring etc.

Closes-Bug: #2068039
Change-Id: I4cfef16841f95328d4ae7e4666f5a8fac053440b
This commit is contained in:
Bjoern Teipel 2024-06-04 10:49:50 -05:00
parent fbd6848886
commit e8d0f0db5f
No known key found for this signature in database
GPG Key ID: FE384C0F6844A893
3 changed files with 8 additions and 9 deletions

View File

@ -365,9 +365,6 @@ keystone_ssl_cipher_suite_tls13: >-
# keystone_user_ssl_key: <path to cert on ansible deployment host>
# keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
# Set to true when terminating SSL/TLS at a load balancer
keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
# External SSL forwarding proto
keystone_secure_proxy_ssl_header: X-Forwarded-Proto

View File

@ -0,0 +1,8 @@
---
deprecations:
- |
The variable ``keystone_external_ssl`` was deprecated and is no longer used.
You still can control if communication between HAProxy and Keystone should
be covered with TLS through ``keystone_backend_ssl`` or
``haproxy_ssl``/``haproxy_ssl_all_vips`` for communication between clients
and HAProxy on frontend.

View File

@ -20,12 +20,6 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
{% endif -%}
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
{% if (keystone_external_ssl | bool) %}
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
{% else %}
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
{% endif %}
{% if keystone_backend_ssl | bool -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}