Add flag to enable the SECURE_PROXY_SSL_HEADER option
This is used to tell Django to take into account the X-Forwarded-Proto header. It is disabled by default as it should only be enabled if one is running horizon behind a proxy. Change-Id: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
parent
7cbcc78baa
commit
5211ba5fc8
@ -293,6 +293,12 @@
|
||||
# (optional) Disables Admin password prompt on Change Password form.
|
||||
# Defaults to false
|
||||
#
|
||||
# [*enable_secure_proxy_ssl_header*]
|
||||
# (optional) Enables the SECURE_PROXY_SSL_HEADER option which makes django
|
||||
# take the X-Forwarded-Proto header into account. Note that this is only
|
||||
# recommended if you're running horizon behind a proxy.
|
||||
# Defaults to false
|
||||
#
|
||||
# === DEPRECATED group/name
|
||||
#
|
||||
# [*fqdn*]
|
||||
@ -391,6 +397,7 @@ class horizon(
|
||||
$password_retrieve = false,
|
||||
$disable_password_reveal = false,
|
||||
$enforce_password_check = false,
|
||||
$enable_secure_proxy_ssl_header = false,
|
||||
# DEPRECATED PARAMETERS
|
||||
$custom_theme_path = undef,
|
||||
$fqdn = undef,
|
||||
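Review bot: The doc block for `enable_secure_proxy_ssl_header` in the first hunk says when to enable the option but leaves out the condition that makes it safe. The proxy in front of Horizon has to set X-Forwarded-Proto itself and strip any value supplied by the client, otherwise Django will treat a plain-HTTP request as secure. The template comment shown further down this page already says to strip the header, so the parameter doc should repeat it, for example `#  The proxy must set X-Forwarded-Proto itself and strip it from client requests.` after the line ending in "behind a proxy." The class body continues outside both hunks.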
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- Support was added to enable/disable the SECURE_PROXY_SSL_HEADER which
|
||||
enables horizon (via Django) to process the X-Forwarded-Proto header. This
|
||||
done with the "enable_secure_proxy_ssl_header" in the manifest.
|
@ -92,42 +92,43 @@ describe 'horizon' do
|
||||
context 'with overridden parameters' do
|
||||
before do
|
||||
params.merge!({
|
||||
:cache_backend => 'horizon.backends.memcached.HorizonMemcached',
|
||||
:cache_options => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1},
|
||||
:cache_server_ip => '10.0.0.1',
|
||||
:django_session_engine => 'django.contrib.sessions.backends.cache',
|
||||
:keystone_default_role => 'SwiftOperator',
|
||||
:keystone_url => 'https://keystone.example.com:4682',
|
||||
:ssl_no_verify => true,
|
||||
:log_handler => 'syslog',
|
||||
:log_level => 'DEBUG',
|
||||
:openstack_endpoint_type => 'internalURL',
|
||||
:secondary_endpoint_type => 'ANY-VALUE',
|
||||
:django_debug => true,
|
||||
:api_result_limit => 4682,
|
||||
:compress_offline => false,
|
||||
:hypervisor_options => {'can_set_mount_point' => false, 'can_set_password' => true },
|
||||
:cinder_options => {'enable_backup' => true },
|
||||
:keystone_options => {'name' => 'native', 'can_edit_user' => true, 'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false},
|
||||
:neutron_options => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true,
|
||||
:cache_backend => 'horizon.backends.memcached.HorizonMemcached',
|
||||
:cache_options => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1},
|
||||
:cache_server_ip => '10.0.0.1',
|
||||
:django_session_engine => 'django.contrib.sessions.backends.cache',
|
||||
:keystone_default_role => 'SwiftOperator',
|
||||
:keystone_url => 'https://keystone.example.com:4682',
|
||||
:ssl_no_verify => true,
|
||||
:log_handler => 'syslog',
|
||||
:log_level => 'DEBUG',
|
||||
:openstack_endpoint_type => 'internalURL',
|
||||
:secondary_endpoint_type => 'ANY-VALUE',
|
||||
:django_debug => true,
|
||||
:api_result_limit => 4682,
|
||||
:compress_offline => false,
|
||||
:hypervisor_options => {'can_set_mount_point' => false, 'can_set_password' => true },
|
||||
:cinder_options => {'enable_backup' => true },
|
||||
:keystone_options => {'name' => 'native', 'can_edit_user' => true, 'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false},
|
||||
:neutron_options => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true,
|
||||
'enable_distributed_router' => false, 'enable_ha_router' => false, 'profile_support' => 'cisco',
|
||||
'supported_provider_types' => ['flat', 'vxlan'], 'supported_vnic_types' => ['*'], 'default_ipv4_subnet_pool_label' => 'None', },
|
||||
:file_upload_temp_dir => '/var/spool/horizon',
|
||||
:secure_cookies => true,
|
||||
:api_versions => {'identity' => 2.0},
|
||||
:keystone_multidomain_support => true,
|
||||
:keystone_default_domain => 'domain.tld',
|
||||
:overview_days_range => 1,
|
||||
:session_timeout => 1800,
|
||||
:timezone => 'Asia/Shanghai',
|
||||
:available_themes => [
|
||||
:file_upload_temp_dir => '/var/spool/horizon',
|
||||
:secure_cookies => true,
|
||||
:api_versions => {'identity' => 2.0},
|
||||
:keystone_multidomain_support => true,
|
||||
:keystone_default_domain => 'domain.tld',
|
||||
:overview_days_range => 1,
|
||||
:session_timeout => 1800,
|
||||
:timezone => 'Asia/Shanghai',
|
||||
:available_themes => [
|
||||
{ 'name' => 'default', 'label' => 'Default', 'path' => 'themes/default' },
|
||||
{ 'name' => 'material', 'label' => 'Material', 'path' => 'themes/material' },
|
||||
],
|
||||
:default_theme => 'default',
|
||||
:password_autocomplete => 'on',
|
||||
:images_panel => 'angular',
|
||||
:password_retrieve => true,
|
||||
:default_theme => 'default',
|
||||
:password_autocomplete => 'on',
|
||||
:images_panel => 'angular',
|
||||
:password_retrieve => true,
|
||||
:enable_secure_proxy_ssl_header => true,
|
||||
})
|
||||
end
|
||||
|
||||
@ -135,6 +136,7 @@ describe 'horizon' do
|
||||
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
|
||||
'DEBUG = True',
|
||||
"ALLOWED_HOSTS = ['*', ]",
|
||||
"SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')",
|
||||
'CSRF_COOKIE_SECURE = True',
|
||||
'SESSION_COOKIE_SECURE = True',
|
||||
" 'identity': 2.0,",
|
||||
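Review bot: Only the enabled case is asserted here; nothing in these hunks checks that the default (`false`) leaves `SECURE_PROXY_SSL_HEADER` inactive, which is the security-relevant default. If the default-parameters context (outside these hunks) uses the same helper, adding `"#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')",` to its expected lines would pin the commented-out form that the template's else branch emits. Whether the helper matches whole lines should be confirmed first. Separately, the first hunk appears to re-indent some forty hash entries in order to add one key, which buries the functional change; the whitespace change would read better as its own commit.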
|
@ -41,7 +41,11 @@ ALLOWED_HOSTS = ['<%= @final_allowed_hosts %>', ]
|
||||
# and don't forget to strip it from the client's request.
|
||||
# For more information see:
|
||||
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
|
||||
<% if @enable_secure_proxy_ssl_header %>
|
||||
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
|
||||
<% else %>
|
||||
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
|
||||
<% end %>
|
||||
|
||||
# If Horizon is being served through SSL, then uncomment the following two
|
||||
# settings to better secure the cookies from security exploits
|
||||
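Review bot: The guard `<% if @enable_secure_proxy_ssl_header %>` relies on Ruby truthiness, so any value other than nil or false would turn header trust on, including the string 'false' arriving from Hiera or an ENC. No type check on the parameter is visible in the manifest hunks on this page; if none exists elsewhere, `validate_bool($enable_secure_proxy_ssl_header)` in the class body would close that gap. As a smaller style point, the tags could end in `-%>` so the rendered local_settings.py does not gain blank lines around the setting.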
|