Remove X-Forwarded-Proto header in apache
The X-Forwarded-Proto header should be added on the external load balancer only; otherwise admin and internal endpoint requests to keystone may suddenly flip to HTTPS while HTTP is configured by default. This also affects local keystone API requests for monitoring etc. Closes-Bug: #2068039 Change-Id: I4cfef16841f95328d4ae7e4666f5a8fac053440b
parent
fbd6848886
commit
e8d0f0db5f
@ -365,9 +365,6 @@ keystone_ssl_cipher_suite_tls13: >-
|
||||
# keystone_user_ssl_key: <path to cert on ansible deployment host>
|
||||
# keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
||||
|
||||
# Set to true when terminating SSL/TLS at a load balancer
|
||||
keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
|
||||
|
||||
# External SSL forwarding proto
|
||||
keystone_secure_proxy_ssl_header: X-Forwarded-Proto
|
||||
|
||||
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
deprecations:
|
||||
- |
|
||||
The variable ``keystone_external_ssl`` was deprecated and is no longer used.
|
||||
You still can control if communication between HAProxy and Keystone should
|
||||
be covered with TLS through ``keystone_backend_ssl`` or
|
||||
``haproxy_ssl``/``haproxy_ssl_all_vips`` for communication between clients
|
||||
and HAProxy on frontend.
|
@ -20,12 +20,6 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
|
||||
{% endif -%}
|
||||
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
|
||||
|
||||
{% if (keystone_external_ssl | bool) %}
|
||||
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
|
||||
{% else %}
|
||||
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
|
||||
{% endif %}
|
||||
|
||||
{% if keystone_backend_ssl | bool -%}
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ keystone_ssl_cert }}
|
||||
|
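Review bot: With both `RequestHeader set {{ keystone_secure_proxy_ssl_header }} ...` branches gone, this vhost no longer overwrites an incoming X-Forwarded-Proto, so whatever value arrives is passed to keystone unchanged. That is safe only if every path to this listener goes through a load balancer that replaces the header rather than appending to it or passing the client's copy through. If keystone has proxy-header parsing enabled (not visible in this hunk), a request that reaches Apache directly could otherwise choose the scheme keystone believes it was called with. I would record the assumption next to the remaining `Header set X-Frame-Options` line, e.g. `{# X-Forwarded-Proto is trusted as set by the external load balancer; Apache does not overwrite it #}`, and confirm the HAProxy frontend sets the header with `http-request set-header`. The vhost block starts and ends outside this hunk.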