openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
bfd4651fe5
openstack-ansible-os_keystone/templates/keystone-httpd.conf.j2
Bjoern Teipel e8d0f0db5f
Remove X-Forwarded-Proto header in apache 
Ther X-Forward-Proto header should be added on the external loadbalancer only,
otherwise admin, internal endpoint requests to keystone may suddenly flip to
HTTPS while HTTP is configured in default.
This also affects request to local keystone API calls for monitoring etc.

Closes-Bug: #2068039
Change-Id: I4cfef16841f95328d4ae7e4666f5a8fac053440b
2024-06-20 13:06:57 -05:00

148 lines
6.2 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
<VirtualHost {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}>
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel {{ keystone_apache_log_level }}
ErrorLog syslog:daemon
CustomLog "|/usr/bin/env logger -p daemon.info -t {{ keystone_system_service_name }}" {{ keystone_apache_custom_log_format }}
Options +FollowSymLinks
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self' https: wss:;"
{% if keystone_sp != {} -%}
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
{% endif -%}
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
{% if keystone_backend_ssl | bool -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}
SSLCertificateKeyFile {{ keystone_ssl_key }}
{% if keystone_user_ssl_ca_cert is defined -%}
SSLCACertificateFile {{ keystone_ssl_ca_cert }}
{% endif -%}
SSLCompression Off
SSLProtocol {{ keystone_ssl_protocol }}
SSLHonorCipherOrder On
{% if keystone_ssl_cipher_suite_tls12 != "" -%}
SSLCipherSuite {{ keystone_ssl_cipher_suite_tls12 }}
{% endif -%}
{% if keystone_ssl_cipher_suite_tls13 != "" -%}
SSLCipherSuite TLSv1.3 {{ keystone_ssl_cipher_suite_tls13 }}
{% endif -%}
SSLOptions +StdEnvVars +ExportCertData
{% endif -%}
{% if keystone_sp_apache_mod_auth_openidc -%}
OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
OIDCScope "{{ keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile') }}"
OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
{% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%}
OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined -%}
OIDCOutgoingProxy {{ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint is defined -%}
OIDCOAuthIntrospectionEndpoint {{ keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_id is defined -%}
OIDCOAuthClientID {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_id }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined -%}
OIDCOAuthClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_pkce_method is defined -%}
OIDCPKCEMethod {{ keystone_sp.trusted_idp_list.0.oidc_pkce_method }}
{% endif -%}
{% if keystone_cache_servers | length > 0 -%}
OIDCCacheType memcache
OIDCMemCacheServers "{{ keystone_cache_servers | join(' ') }}"
{% endif %}
{% if keystone_sp.trusted_idp_list.0.oidc_auth_request_params is defined -%}
OIDCAuthRequestParams {{ keystone_sp.trusted_idp_list.0.oidc_auth_request_params }}
{% endif %}
{% if keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies is defined -%}
OIDCStateMaxNumberOfCookies {{ keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies }}
{% endif %}
{% if keystone_sp.trusted_idp_list.0.oidc_default_url is defined -%}
OIDCDefaultURL {{ keystone_sp.trusted_idp_list.0.oidc_default_url }}
{% endif %}
{% if keystone_sp.trusted_idp_list.0.oidc_claim_delimiter is defined -%}
OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}"
{% endif %}
<Location {{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}>
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
Require valid-user
AuthType auth-openidc
</Location>
<Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
Require valid-user
AuthType openid-connect
</Location>
{% endif %}
{%- if keystone_sp_apache_mod_shib -%}
ShibURLScheme {{ keystone_service_publicuri_proto }}
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /v3/auth/OS-FEDERATION/websso/saml2>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting exportAssertion 1
ShibRequireSession On
ShibExportAssertion On
Require valid-user
</Location>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
</LocationMatch>
{% endif %}
{% if keystone_sp != {} -%}
<Directory /var/www/cgi-bin/keystone>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
{% endif %}
{% if keystone_sp_apache_mod_shib -%}
ProxyPass /Shibboleth.sso !
{% endif -%}
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
</VirtualHost>
View Git Blame Copy Permalink