add support for SECURE_PROXY_ADDR_HEADER

Change-Id: I4ab9871e8b238ad87369a77d53acdc7abdf60ffd (cherry picked from commit 7f6de8aa68) (cherry picked from commit ee49967ac8) (cherry picked from commit 40310e8611)
2020-12-24 22:49:33 +05:30 · 2020-12-24 22:49:33 +05:30 · cc8289ae95
parent 6470aea670
commit cc8289ae95
4 changed files with 25 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -381,6 +381,15 @@
 #    recommended if you're running horizon behind a proxy.
 #    Defaults to false
 #
+#  [*secure_proxy_addr_header*]
+#    (optional) Enables the SECURE_PROXY_ADDR_HEADER option.
+#    This setting specifies the name of the header with remote IP address.
+#    The commom value for this setting
+#    is HTTP_X_REAL_IP or HTTP_X_FORWARDED_FOR. Note that this is only
+#    recommended if you're running horizon behind a proxy.
+#    If not present, then REMOTE_ADDR header is used
+#    Defaults to undef
+#
 #  [*disallow_iframe_embed*]
 #    (optional)DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
 #    within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
@ -538,6 +547,7 @@ class horizon(
  $disable_password_reveal             = false,
  $enforce_password_check              = false,
  $enable_secure_proxy_ssl_header      = false,
+  $secure_proxy_addr_header            = undef,
  $disallow_iframe_embed               = true,
  $websso_enabled                      = false,
  $websso_initial_choice               = undef,
--- a/releasenotes/notes/add-secure-proxy-addr-header-07c36d89f8bf2ad2.yaml
+++ b/releasenotes/notes/add-secure-proxy-addr-header-07c36d89f8bf2ad2.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - Support was added to set the SECURE_PROXY_ADDR_HEADER option.
+    If horizon is behind a proxy server and the proxy is configured,
+    the IP address from request is passed using header variables
+    inside the request.
+    This setting specifies the name of the header with remote IP address.
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@ -141,6 +141,7 @@ describe 'horizon' do
          :create_image_defaults          => {'image_visibility' => 'private'},
          :password_retrieve              => true,
          :enable_secure_proxy_ssl_header => true,
+          :secure_proxy_addr_header       => 'HTTP_X_FORWARDED_FOR',
        })
      end

@ -150,6 +151,7 @@ describe 'horizon' do
          "SITE_BRANDING = 'mysite'",
          "ALLOWED_HOSTS = ['some.host.tld', ]",
          "SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')",
+          "SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'",
          'CSRF_COOKIE_SECURE = True',
          'SESSION_COOKIE_SECURE = True',
          "  'identity': 2.0,",
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@ -60,6 +60,12 @@ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 <% end %>

+# This setting specifies the name of the header with remote IP address
+#SECURE_PROXY_ADDR_HEADER = False
+<% if @secure_proxy_addr_header %>
+SECURE_PROXY_ADDR_HEADER = '<%= @secure_proxy_addr_header %>'
+<% end %>
+
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
 <% if @secure_cookies %>