Add flag to enable the SECURE_PROXY_SSL_HEADER option

This is used to tell Django to take into account the X-Forwarded-Proto header. It is disabled by default as it should only be enabled if one is running horizon behind a proxy. Change-Id: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-09 09:25:16 +02:00 · 2016-12-09 09:25:16 +02:00 · 5211ba5fc8
parent 7cbcc78baa
commit 5211ba5fc8
4 changed files with 49 additions and 31 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -293,6 +293,12 @@
 #    (optional) Disables Admin password prompt on Change Password form.
 #    Defaults to false
 #
+#  [*enable_secure_proxy_ssl_header*]
+#    (optional) Enables the SECURE_PROXY_SSL_HEADER option which makes django
+#    take the X-Forwarded-Proto header into account. Note that this is only
+#    recommended if you're running horizon behind a proxy.
+#    Defaults to false
+#
 # === DEPRECATED group/name
 #
 #  [*fqdn*]
@ -391,6 +397,7 @@ class horizon(
  $password_retrieve                   = false,
  $disable_password_reveal             = false,
  $enforce_password_check              = false,
+  $enable_secure_proxy_ssl_header      = false,
  # DEPRECATED PARAMETERS
  $custom_theme_path                   = undef,
  $fqdn                                = undef,
--- a/releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml
+++ b/releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - Support was added to enable/disable the SECURE_PROXY_SSL_HEADER which
+    enables horizon (via Django) to process the X-Forwarded-Proto header. This
+    done with the "enable_secure_proxy_ssl_header" in the manifest.
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@ -92,42 +92,43 @@ describe 'horizon' do
    context 'with overridden parameters' do
      before do
        params.merge!({
-          :cache_backend                => 'horizon.backends.memcached.HorizonMemcached',
-          :cache_options                => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1},
-          :cache_server_ip              => '10.0.0.1',
-          :django_session_engine        => 'django.contrib.sessions.backends.cache',
-          :keystone_default_role        => 'SwiftOperator',
-          :keystone_url                 => 'https://keystone.example.com:4682',
-          :ssl_no_verify                => true,
-          :log_handler                  => 'syslog',
-          :log_level                    => 'DEBUG',
-          :openstack_endpoint_type      => 'internalURL',
-          :secondary_endpoint_type      => 'ANY-VALUE',
-          :django_debug                 => true,
-          :api_result_limit             => 4682,
-          :compress_offline             => false,
-          :hypervisor_options           => {'can_set_mount_point' => false, 'can_set_password' => true },
-          :cinder_options               => {'enable_backup' => true },
-          :keystone_options             => {'name' => 'native', 'can_edit_user' => true, 'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false},
-          :neutron_options              => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true,
+          :cache_backend                  => 'horizon.backends.memcached.HorizonMemcached',
+          :cache_options                  => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1},
+          :cache_server_ip                => '10.0.0.1',
+          :django_session_engine          => 'django.contrib.sessions.backends.cache',
+          :keystone_default_role          => 'SwiftOperator',
+          :keystone_url                   => 'https://keystone.example.com:4682',
+          :ssl_no_verify                  => true,
+          :log_handler                    => 'syslog',
+          :log_level                      => 'DEBUG',
+          :openstack_endpoint_type        => 'internalURL',
+          :secondary_endpoint_type        => 'ANY-VALUE',
+          :django_debug                   => true,
+          :api_result_limit               => 4682,
+          :compress_offline               => false,
+          :hypervisor_options             => {'can_set_mount_point' => false, 'can_set_password' => true },
+          :cinder_options                 => {'enable_backup' => true },
+          :keystone_options               => {'name' => 'native', 'can_edit_user' => true, 'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false},
+          :neutron_options                => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true,
                                            'enable_distributed_router' => false, 'enable_ha_router' => false, 'profile_support' => 'cisco',
                                            'supported_provider_types' => ['flat', 'vxlan'], 'supported_vnic_types' => ['*'], 'default_ipv4_subnet_pool_label' => 'None', },
-          :file_upload_temp_dir         => '/var/spool/horizon',
-          :secure_cookies               => true,
-          :api_versions                 => {'identity' => 2.0},
-          :keystone_multidomain_support => true,
-          :keystone_default_domain      => 'domain.tld',
-          :overview_days_range          => 1,
-          :session_timeout              => 1800,
-          :timezone                     => 'Asia/Shanghai',
-          :available_themes             => [
+          :file_upload_temp_dir           => '/var/spool/horizon',
+          :secure_cookies                 => true,
+          :api_versions                   => {'identity' => 2.0},
+          :keystone_multidomain_support   => true,
+          :keystone_default_domain        => 'domain.tld',
+          :overview_days_range            => 1,
+          :session_timeout                => 1800,
+          :timezone                       => 'Asia/Shanghai',
+          :available_themes               => [
            { 'name' => 'default', 'label' => 'Default', 'path' => 'themes/default' },
            { 'name' => 'material', 'label' => 'Material', 'path' => 'themes/material' },
          ],
-          :default_theme                => 'default',
-          :password_autocomplete        => 'on',
-          :images_panel                 => 'angular',
-          :password_retrieve            => true,
+          :default_theme                  => 'default',
+          :password_autocomplete          => 'on',
+          :images_panel                   => 'angular',
+          :password_retrieve              => true,
+          :enable_secure_proxy_ssl_header => true,
        })
      end

@ -135,6 +136,7 @@ describe 'horizon' do
        verify_concat_fragment_contents(catalogue, 'local_settings.py', [
          'DEBUG = True',
          "ALLOWED_HOSTS = ['*', ]",
+          "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')",
          'CSRF_COOKIE_SECURE = True',
          'SESSION_COOKIE_SECURE = True',
          "  'identity': 2.0,",
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@ -41,7 +41,11 @@ ALLOWED_HOSTS = ['<%= @final_allowed_hosts %>', ]
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+<% if @enable_secure_proxy_ssl_header %>
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+<% else %>
 #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+<% end %>

 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits