openstack
/
puppet-tripleo
Code Issues Proposed changes

Horizon: Support Strict-Transport-Security header 

This allows operators to enable HTTP Strict-Transport-Security (HSTS)
for Horizon endpoint, to enforce usage of SSL.

Change-Id: I20c2aee6af03af96a4a2022681eabba75a6acf00
(cherry picked from commit 837abea1f3)
This commit is contained in:
Takashi Kajinami 2022-05-10 11:33:04 +09:00 committed by Radomir Dopieralski
parent e60b46efd7
commit 8b4a31d9a6
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
manifests/haproxy/horizon_endpoint.pp
View File

@ -71,6 +71,10 @@
# (false means disabled, and true means enabled)
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
#
# [*hsts_header_value*]
# (optional) Adds the HTTP Strict Transport Securiy (HSTS) header to
# response. This takes effect only when public_certificate is set.
# Defaults to undef
class tripleo::haproxy::horizon_endpoint (
$internal_ip,
$ip_addresses,
@ -83,6 +87,7 @@ class tripleo::haproxy::horizon_endpoint (
$internal_certificates_specs = {},
$service_network = undef,
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$hsts_header_value = undef,
) {
# Let users override the options on a per-service basis
$custom_options = hiera('tripleo::haproxy::horizon::options', undef)
@ -120,9 +125,24 @@ class tripleo::haproxy::horizon_endpoint (
"${public_virtual_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_public),
"${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public),
}
<<<<<<< HEAD (e60b46 Fix regression of Nova dhcp_domain handling)
$horizon_options = merge({
'cookie' => 'SERVERID insert indirect nocache',
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
=======
if $hsts_header_value != undef {
$hsts_header_value_real = join(any2array($hsts_header_value), '; ')
$hsts_response = "set-header Strict-Transport-Security \"${hsts_header_value_real};\""
} else {
$hsts_response = undef
}
$horizon_frontend_options = {
'http-response' => delete_undef_values([
'replace-header Location http://(.*) https://\\1',
$hsts_response]),
>>>>>>> CHANGE (c8890f Horizon: Support Strict-Transport-Security header)
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
'redirect' => 'scheme https code 301 if !{ ssl_fc }',
'option' => [ 'forwardfor', 'httpchk' ],