Merge pull request #521 from enovance/bug/emilien/520

Horizon / SSL Forwarding: keep HTTPS in headers
2014-06-26 08:45:07 -04:00
parent 49a08614d8 48ef6de397
commit e3c59b5a87
5 changed files with 29 additions and 3 deletions
--- a/manifests/dashboard.pp
+++ b/manifests/dashboard.pp
@@ -73,6 +73,10 @@
 # [*horizon_ca*]
 #   (required with listen_ssl) CA certificate to use for SSL support.
 #
+# [*ssl_forward*]
+#   (optional) Forward HTTPS proto in the headers
+#   Useful when activating SSL binding on HAproxy and not in Horizon.
+#   Defaults to false

 class cloud::dashboard(
  $ks_keystone_internal_host = '127.0.0.1',
@@ -90,14 +94,21 @@ class cloud::dashboard(
  $horizon_cert              = undef,
  $horizon_key               = undef,
  $horizon_ca                = undef,
+  $ssl_forward               = false
 ) {

  # We build the param needed for horizon class
  $keystone_url = "${keystone_proto}://${keystone_host}:${keystone_port}/v2.0"

  # Apache2 specific configuration
+  if $ssl_forward {
+    $setenvif = ['X-Forwarded-Proto https HTTPS=1']
+  } else {
+    $setenvif = []
+  }
  $vhost_extra_params = {
-    'add_listen'    => true
+    'add_listen' => true,
+    'setenvif'   => $setenvif
  }
  ensure_resource('class', 'apache', {
    default_vhost => false
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -245,9 +245,16 @@ class cloud::loadbalancer(
      'balance' => 'leastconn' }
  } else {
    $horizon_httpchk = "httpchk GET  /${horizon_auth_url}  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\""
-    $horizon_options = {
+    if 'ssl' in $horizon_bind_options {
+      $horizon_options = {
+      'cookie'  => 'sessionid prefix',
+      'reqadd'  => 'X-Forwarded-Proto:\ https if { ssl_fc }',
+      'balance' => 'leastconn' }
+    } else {
+      $horizon_options = {
      'cookie'  => 'sessionid prefix',
      'balance' => 'leastconn' }
+    }
  }
  if $horizon_ssl_port {
    warning('horizon_ssl_port parameter is deprecated. Specify port with the horizon_port instead.')
--- a/spec/classes/cloud_dashboard_spec.rb
+++ b/spec/classes/cloud_dashboard_spec.rb
@@ -32,6 +32,7 @@ describe 'cloud::dashboard' do
        :keystone_port              => '5000',
        :debug                      => true,
        :api_eth                    => '10.0.0.1',
+        :ssl_forward                => true,
        :servername                 => 'horizon.openstack.org' }
    end

@@ -48,7 +49,10 @@ describe 'cloud::dashboard' do
          :keystone_url        => 'http://keystone.openstack.org:5000/v2.0',
          :django_debug        => true,
          :neutron_options     => { 'enable_lb' => true },
-          :vhost_extra_params  => { 'add_listen' => true }
+          :vhost_extra_params  => {
+              'add_listen' => true ,
+              'setenvif'     => ['X-Forwarded-Proto https HTTPS=1']
+          }
        )
      should contain_class('apache').with(:default_vhost => false)
    end
--- a/spec/classes/cloud_loadbalancer_spec.rb
+++ b/spec/classes/cloud_loadbalancer_spec.rb
@@ -393,6 +393,7 @@ describe 'cloud::loadbalancer' do
          'option'         => ["tcpka", "forwardfor", "tcplog", "httpchk GET  /  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
          'cookie'         => 'sessionid prefix',
          'balance'        => 'leastconn',
+          'reqadd'         => 'X-Forwarded-Proto:\ https if { ssl_fc }'
        },
        :bind_options => ['ssl', 'crt']
      )}
--- a/templates/loadbalancer/monitor.erb
+++ b/templates/loadbalancer/monitor.erb
@@ -66,3 +66,6 @@ monitor fail if heat_cloudwatch_api_dead
 acl horizon_dead nbsrv(horizon_cluster) lt 1
 monitor fail if horizon_dead
 <%- end -%>
+
+# Used when forwarding SSL in http headers
+acl is-ssl dst_port 443