Add flag to enable the SECURE_PROXY_SSL_HEADER option
This is used to tell Django to take into account the X-Forwarded-Proto header. It is disabled by default as it should only be enabled if one is running horizon behind a proxy. Change-Id: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
parent
7cbcc78baa
commit
5211ba5fc8
|
@ -293,6 +293,12 @@
|
||||||
# (optional) Disables Admin password prompt on Change Password form.
|
# (optional) Disables Admin password prompt on Change Password form.
|
||||||
# Defaults to false
|
# Defaults to false
|
||||||
#
|
#
|
||||||
|
# [*enable_secure_proxy_ssl_header*]
|
||||||
|
# (optional) Enables the SECURE_PROXY_SSL_HEADER option which makes django
|
||||||
|
# take the X-Forwarded-Proto header into account. Note that this is only
|
||||||
|
# recommended if you're running horizon behind a proxy.
|
||||||
|
# Defaults to false
|
||||||
|
#
|
||||||
# === DEPRECATED group/name
|
# === DEPRECATED group/name
|
||||||
#
|
#
|
||||||
# [*fqdn*]
|
# [*fqdn*]
|
||||||
|
@ -391,6 +397,7 @@ class horizon(
|
||||||
$password_retrieve = false,
|
$password_retrieve = false,
|
||||||
$disable_password_reveal = false,
|
$disable_password_reveal = false,
|
||||||
$enforce_password_check = false,
|
$enforce_password_check = false,
|
||||||
|
$enable_secure_proxy_ssl_header = false,
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
$custom_theme_path = undef,
|
$custom_theme_path = undef,
|
||||||
$fqdn = undef,
|
$fqdn = undef,
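Review bot: The new doc block for `enable_secure_proxy_ssl_header` says the option is only recommended behind a proxy, but it omits the condition that makes it safe. Django trusts the header value as given, so the proxy has to strip or overwrite any X-Forwarded-Proto sent by the client; otherwise a plain-HTTP request can be reported to Django as secure. I would add to the parameter description something like `# The proxy must strip X-Forwarded-Proto from client requests and set it itself,` followed by `# otherwise clients can make insecure requests appear secure.` The parameter list and class body continue outside these hunks.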
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- Support was added to enable/disable the SECURE_PROXY_SSL_HEADER which
|
||||||
|
enables horizon (via Django) to process the X-Forwarded-Proto header. This
|
||||||
|
done with the "enable_secure_proxy_ssl_header" in the manifest.
|
|
@ -128,6 +128,7 @@ describe 'horizon' do
|
||||||
:password_autocomplete => 'on',
|
:password_autocomplete => 'on',
|
||||||
:images_panel => 'angular',
|
:images_panel => 'angular',
|
||||||
:password_retrieve => true,
|
:password_retrieve => true,
|
||||||
|
:enable_secure_proxy_ssl_header => true,
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -135,6 +136,7 @@ describe 'horizon' do
|
||||||
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
|
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
|
||||||
'DEBUG = True',
|
'DEBUG = True',
|
||||||
"ALLOWED_HOSTS = ['*', ]",
|
"ALLOWED_HOSTS = ['*', ]",
|
||||||
|
"SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')",
|
||||||
'CSRF_COOKIE_SECURE = True',
|
'CSRF_COOKIE_SECURE = True',
|
||||||
'SESSION_COOKIE_SECURE = True',
|
'SESSION_COOKIE_SECURE = True',
|
||||||
" 'identity': 2.0,",
|
" 'identity': 2.0,",
|
||||||
|
|
|
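Review bot: Only the enabled path is asserted here: the override context sets `:enable_secure_proxy_ssl_header => true` and expects the active `SECURE_PROXY_SSL_HEADER` line. No hunk on this page adds a matching check to a default-parameter context. Because the default is the safe state, an expectation that the rendered `local_settings.py` has no uncommented `SECURE_PROXY_SSL_HEADER` line when the flag is left at `false` would guard against a regression that turns header trust on for everyone. The surrounding `describe` and context blocks start and end outside the hunks.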
@ -41,7 +41,11 @@ ALLOWED_HOSTS = ['<%= @final_allowed_hosts %>', ]
|
||||||
# and don't forget to strip it from the client's request.
|
# and don't forget to strip it from the client's request.
|
||||||
# For more information see:
|
# For more information see:
|
||||||
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
|
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
|
||||||
|
<% if @enable_secure_proxy_ssl_header %>
|
||||||
|
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
|
||||||
|
<% else %>
|
||||||
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
|
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
|
||||||
|
<% end %>
|
||||||
|
|
||||||
# If Horizon is being served through SSL, then uncomment the following two
|
# If Horizon is being served through SSL, then uncomment the following two
|
||||||
# settings to better secure the cookies from security exploits
|
# settings to better secure the cookies from security exploits
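Review bot: The `<% if @enable_secure_proxy_ssl_header %>` test is a plain Ruby truthiness check, so any value other than false or nil, including the string 'false', emits the active `SECURE_PROXY_SSL_HEADER` line. The parameter is declared untyped in the manifest hunk (`$enable_secure_proxy_ssl_header = false,`) and no validation is visible on this page, so a quoted value supplied through Hiera could silently turn on trust in X-Forwarded-Proto. Validating it as a boolean in the class would close that gap, for example `validate_bool($enable_secure_proxy_ssl_header)` if the module already validates its other flags that way. The class body is outside the visible hunks, so this may already be handled there.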
|
||||||
|
|