Horizon: Support Strict-Transport-Security header
This allows operators to enable HTTP Strict-Transport-Security (HSTS)
for the Horizon endpoint, to enforce the use of SSL.
Change-Id: I20c2aee6af03af96a4a2022681eabba75a6acf00
(cherry picked from commit 837abea1f3
)
parent
fe79b95db4
commit
6033999635
|
@ -76,6 +76,10 @@
|
|||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
# [*hsts_header_value*]
|
||||
# (optional) Adds the HTTP Strict Transport Security (HSTS) header to
|
||||
# response. This takes effect only when public_certificate is set.
|
||||
# Defaults to undef
|
||||
class tripleo::haproxy::horizon_endpoint (
|
||||
$internal_ip,
|
||||
$ip_addresses,
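Review bot: The new parameter documentation at L28–L34 does not say what shape the value takes, although the implementation later in this change passes it through `any2array` and joins the elements with `'; '`, so both a single string and an array of directives are accepted. I would state that in the comment, e.g. `# (optional) Adds the HTTP Strict Transport Security (HSTS) header to the response. Either a string or an array of HSTS directives (e.g. 'max-age=31536000' and 'includeSubDomains'); array elements are joined with '; '.` Naming the expected directive form also tells operators that the value is written verbatim into the haproxy configuration. The parameter list of `tripleo::haproxy::horizon_endpoint` continues past this hunk.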
|
||||
|
@ -89,6 +93,7 @@ class tripleo::haproxy::horizon_endpoint (
|
|||
$internal_certificates_specs = {},
|
||||
$service_network = undef,
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
$hsts_header_value = undef,
|
||||
) {
|
||||
# Let users override the options on a per-service basis
|
||||
$custom_options = hiera('tripleo::haproxy::horizon::options', undef)
|
||||
|
@ -128,8 +133,18 @@ class tripleo::haproxy::horizon_endpoint (
|
|||
"${public_virtual_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_public),
|
||||
"${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public),
|
||||
}
|
||||
|
||||
if $hsts_header_value != undef {
|
||||
$hsts_header_value_real = join(any2array($hsts_header_value), '; ')
|
||||
$hsts_response = "set-header Strict-Transport-Security \"${hsts_header_value_real};\""
|
||||
} else {
|
||||
$hsts_response = undef
|
||||
}
|
||||
|
||||
$horizon_frontend_options = {
|
||||
'http-response' => 'replace-header Location http://(.*) https://\\1',
|
||||
'http-response' => delete_undef_values([
|
||||
'replace-header Location http://(.*) https://\\1',
|
||||
$hsts_response]),
|
||||
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
|
||||
'redirect' => 'scheme https code 301 if !{ ssl_fc }',
|
||||
'option' => [ 'forwardfor' ],
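Review bot: The `set-header Strict-Transport-Security` rule built at L92 has no condition, while the same frontend also serves the plain-HTTP `:80` bind at L75; RFC 6797 §7.2 says an HSTS host must not send the STS header over non-secure transport, and relying on haproxy to skip response rules for the 301 redirect is implicit at best. Guarding the rule makes the intent explicit: `$hsts_response = "set-header Strict-Transport-Security \"${hsts_header_value_real};\" if { ssl_fc }"`. The value is also written into the haproxy configuration unvalidated, so a value containing a double quote or a newline would produce a broken config on the node; a `validate_re` on each element of `any2array($hsts_header_value)` against the directive grammar (a `max-age=` followed by digits, optionally `includeSubDomains` or `preload`) at the top of the `if` branch would reject that at catalog compile time instead. Both the `$horizon_frontend_options` hash and the enclosing bind block start or end outside this hunk.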
|
||||
|
|