From 5211ba5fc8652fbf6b3a7d72ed3de273d43d29ee Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Fri, 9 Dec 2016 09:25:16 +0200
Subject: [PATCH] Add flag to enable the SECURE_PROXY_SSL_HEADER option

This is used to tell Django to take into account the X-Forwarded-Proto header. It is disabled by default as it should only be enabled if one is running horizon behind a proxy.

Change-Id: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
---
 manifests/init.pp | 7 ++
 ...URE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml | 5 ++
 spec/classes/horizon_init_spec.rb | 64 ++++++++++--------
 templates/local_settings.py.erb | 4 ++
 4 files changed, 49 insertions(+), 31 deletions(-)
 create mode 100644 releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index 9a503bef..09229fd5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -293,6 +293,12 @@
 # (optional) Disables Admin password prompt on Change Password form.
 # Defaults to false
 #
+# [*enable_secure_proxy_ssl_header*]
+# (optional) Enables the SECURE_PROXY_SSL_HEADER option which makes django
+# take the X-Forwarded-Proto header into account. Note that this is only
+# recommended if you're running horizon behind a proxy.
+# Defaults to false
+#
 # === DEPRECATED group/name
 #
 # [*fqdn*]
@@ -391,6 +397,7 @@ class horizon(
 $password_retrieve = false,
 $disable_password_reveal = false,
 $enforce_password_check = false,
+ $enable_secure_proxy_ssl_header = false,
 # DEPRECATED PARAMETERS
 $custom_theme_path = undef,
 $fqdn = undef,
diff --git a/releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml b/releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml
new file mode 100644
index 00000000..70825359
--- /dev/null
+++ b/releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml
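Review bot: The new `[*enable_secure_proxy_ssl_header*]` comment says the option is only recommended behind a proxy, but leaves out the condition that makes it safe at all: the proxy must set X-Forwarded-Proto itself and discard any value the client sends, otherwise a client can send `X-Forwarded-Proto: https` over plain HTTP and Django will treat that request as secure. The template comment touched later in this patch already says "don't forget to strip it from the client's request", but the manifest doc is what an operator choosing the flag will actually read. I would change the two description lines to `# (optional) Enables the SECURE_PROXY_SSL_HEADER option which makes django` / `# trust the X-Forwarded-Proto header. Only enable this when horizon runs behind a` / `# proxy that always sets that header and strips any client-supplied value.` The parameter documentation block continues outside the hunk.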
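Review bot: `$enable_secure_proxy_ssl_header = false` is added with no boolean check, and the template hunk in this same patch gates on plain ERB truthiness (`<% if @enable_secure_proxy_ssl_header %>`), so a string value such as 'false' arriving from Hiera would enable the setting instead of disabling it. If the class body (outside this hunk) already validates its other flags with validate_bool, this parameter should get the same line next to them, `validate_bool($enable_secure_proxy_ssl_header)`; if it does not, the constraint is at least worth stating in the parameter doc. The `class horizon(` parameter list continues on both sides of the hunk.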
@@ -0,0 +1,5 @@
+---
+features:
+ - Support was added to enable/disable the SECURE_PROXY_SSL_HEADER which
+ enables horizon (via Django) to process the X-Forwarded-Proto header. This
+ done with the "enable_secure_proxy_ssl_header" in the manifest.
diff --git a/spec/classes/horizon_init_spec.rb b/spec/classes/horizon_init_spec.rb
index 9c392de5..e4b6bdf3 100644
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@@ -92,42 +92,43 @@ describe 'horizon' do context 'with overridden parameters' do before do params.merge!({ - :cache_backend => 'horizon.backends.memcached.HorizonMemcached', - :cache_options => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1}, - :cache_server_ip => '10.0.0.1', - :django_session_engine => 'django.contrib.sessions.backends.cache', - :keystone_default_role => 'SwiftOperator', - :keystone_url => 'https://keystone.example.com:4682', - :ssl_no_verify => true, - :log_handler => 'syslog', - :log_level => 'DEBUG', - :openstack_endpoint_type => 'internalURL', - :secondary_endpoint_type => 'ANY-VALUE', - :django_debug => true, - :api_result_limit => 4682, - :compress_offline => false, - :hypervisor_options => {'can_set_mount_point' => false, 'can_set_password' => true }, - :cinder_options => {'enable_backup' => true }, - :keystone_options => {'name' => 'native', 'can_edit_user' => true, 'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false}, - :neutron_options => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true, + :cache_backend => 'horizon.backends.memcached.HorizonMemcached', + :cache_options => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1}, + :cache_server_ip => '10.0.0.1', + :django_session_engine => 'django.contrib.sessions.backends.cache', + :keystone_default_role => 'SwiftOperator', + :keystone_url => 'https://keystone.example.com:4682', + :ssl_no_verify => true, + :log_handler => 'syslog', + :log_level => 'DEBUG', + :openstack_endpoint_type => 'internalURL', + :secondary_endpoint_type => 'ANY-VALUE', + :django_debug => true, + :api_result_limit => 4682, + :compress_offline => false, + :hypervisor_options => {'can_set_mount_point' => false, 'can_set_password' => true }, + :cinder_options => {'enable_backup' => true }, + :keystone_options => {'name' => 'native', 'can_edit_user' => true, 
'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false}, + :neutron_options => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true, 'enable_distributed_router' => false, 'enable_ha_router' => false, 'profile_support' => 'cisco', 'supported_provider_types' => ['flat', 'vxlan'], 'supported_vnic_types' => ['*'], 'default_ipv4_subnet_pool_label' => 'None', }, - :file_upload_temp_dir => '/var/spool/horizon', - :secure_cookies => true, - :api_versions => {'identity' => 2.0}, - :keystone_multidomain_support => true, - :keystone_default_domain => 'domain.tld', - :overview_days_range => 1, - :session_timeout => 1800, - :timezone => 'Asia/Shanghai', - :available_themes => [ + :file_upload_temp_dir => '/var/spool/horizon', + :secure_cookies => true, + :api_versions => {'identity' => 2.0}, + :keystone_multidomain_support => true, + :keystone_default_domain => 'domain.tld', + :overview_days_range => 1, + :session_timeout => 1800, + :timezone => 'Asia/Shanghai', + :available_themes => [ { 'name' => 'default', 'label' => 'Default', 'path' => 'themes/default' }, { 'name' => 'material', 'label' => 'Material', 'path' => 'themes/material' }, ], - :default_theme => 'default', - :password_autocomplete => 'on', - :images_panel => 'angular', - :password_retrieve => true, + :default_theme => 'default', + :password_autocomplete => 'on', + :images_panel => 'angular', + :password_retrieve => true, + :enable_secure_proxy_ssl_header => true, }) end @@ -135,6 +136,7 @@ describe 'horizon' do verify_concat_fragment_contents(catalogue, 'local_settings.py', [ 'DEBUG = True', "ALLOWED_HOSTS = ['*', ]", + "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')", 'CSRF_COOKIE_SECURE = True', 'SESSION_COOKIE_SECURE = True', " 'identity': 2.0,", diff --git a/templates/local_settings.py.erb b/templates/local_settings.py.erb index 826d16e0..0385184a 100644 
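Review bot: The added expectation `"SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')"` only covers the overridden-parameters context, so nothing in this patch checks that the secure default (flag off) still renders the setting commented out. Unless the default-parameters context (outside this hunk) already does so, add `"#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')"` to its verify_concat_fragment_contents list so a template regression that emits the live setting unconditionally fails CI. Note also that if the helper matches substrings (I cannot tell from here), the new expectation would be satisfied by the commented-out line as well, so a negative check for the `#`-prefixed form in this context would make the assertion meaningful. The `verify_concat_fragment_contents` array and the enclosing `it` block start before and end after the hunk.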
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@@ -41,7 +41,11 @@ ALLOWED_HOSTS = ['<%= @final_allowed_hosts %>', ]
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+<% if @enable_secure_proxy_ssl_header %>
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+<% else %>
 #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+<% end %>
 
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
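Review bot: The enabled branch emits `SECURE_PROXY_SSL_HEADER` with no reminder of the precondition the three comment lines above it state, and those lines are easy to overlook now that the value is set by a manifest flag rather than by hand; with this setting Django treats any request carrying `X-Forwarded-Proto: https` as secure, so a client can forge it unless the proxy sets the header itself and strips the client's copy. I would add one comment line inside the `<% if %>` branch so the rendered local_settings.py carries the warning next to the live setting: `# enable_secure_proxy_ssl_header is set: the proxy in front of horizon MUST set X-Forwarded-Proto itself and drop any client-supplied value.` Separately, the condition is plain ERB truthiness, so a string value passed for the flag (for example 'false') would still select this branch; validating the parameter as a boolean in the manifest closes that gap.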