Add flag to enable the SECURE_PROXY_SSL_HEADER option

This is used to tell Django to take into account the X-Forwarded-Proto header. It is disabled by default as it should only be enabled if one is running horizon behind a proxy. Change-Id: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-09 09:25:16 +02:00 · 2016-12-09 09:25:16 +02:00 · 5211ba5fc8
parent 7cbcc78baa
commit 5211ba5fc8
4 changed files with 49 additions and 31 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -293,6 +293,12 @@
 #    (optional) Disables Admin password prompt on Change Password form.
 #    Defaults to false
 #
+#  [*enable_secure_proxy_ssl_header*]
+#    (optional) Enables the SECURE_PROXY_SSL_HEADER option which makes django
+#    take the X-Forwarded-Proto header into account. Note that this is only
+#    recommended if you're running horizon behind a proxy.
+#    Defaults to false
+#
 # === DEPRECATED group/name
 #
 #  [*fqdn*]
@ -391,6 +397,7 @@ class horizon(
  $password_retrieve                   = false,
  $disable_password_reveal             = false,
  $enforce_password_check              = false,
+  $enable_secure_proxy_ssl_header      = false,
  # DEPRECATED PARAMETERS
  $custom_theme_path                   = undef,
  $fqdn                                = undef,
--- a/releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml
+++ b/releasenotes/notes/add-support-for-SECURE_PROXY_SSL_HEADER-fbd83ad4f85bd52b.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - Support was added to enable/disable the SECURE_PROXY_SSL_HEADER which
+    enables horizon (via Django) to process the X-Forwarded-Proto header. This
+    done with the "enable_secure_proxy_ssl_header" in the manifest.
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@ -128,6 +128,7 @@ describe 'horizon' do
          :password_autocomplete          => 'on',
          :images_panel                   => 'angular',
          :password_retrieve              => true,
+          :enable_secure_proxy_ssl_header => true,
        })
      end

@ -135,6 +136,7 @@ describe 'horizon' do
        verify_concat_fragment_contents(catalogue, 'local_settings.py', [
          'DEBUG = True',
          "ALLOWED_HOSTS = ['*', ]",
+          "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')",
          'CSRF_COOKIE_SECURE = True',
          'SESSION_COOKIE_SECURE = True',
          "  'identity': 2.0,",
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@ -41,7 +41,11 @@ ALLOWED_HOSTS = ['<%= @final_allowed_hosts %>', ]
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+<% if @enable_secure_proxy_ssl_header %>
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+<% else %>
 #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+<% end %>

 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits