openstack/kolla-ansible
Code Issues Proposed changes
8c8dad0187
kolla-ansible/ansible/roles/horizon/templates/horizon.conf.j2
Maksim Malchuk d907790fff Add LimitRequestBody configuration for Horizon 
Since CVE-2022-29404 is fixed [1,2] the default value for the
LimitRequestBody directive in the Apache HTTP Server has been changed
from 0 (unlimited) to 1 GiB. This limits the size of images (for
example) uploaded in Horizon. This change add the ability to
configure the limit.

1. https://access.redhat.com/articles/6975397
2. https://ubuntu.com/security/CVE-2022-29404

Closes-Bug: #2012588
Change-Id: I4cd9dd088cbcf38ff6f8d188ebcc56be7d9ea1c9
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
2023-03-29 14:51:28 +03:00

89 lines
3.5 KiB
Django/Jinja
Raw Blame History

{% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
{% if horizon_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos', 'rocky'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
<VirtualHost {{ api_interface_address }}:{{ horizon_listen_port }}>
LogLevel warn
ErrorLog /var/log/kolla/horizon/horizon.log
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog /var/log/kolla/horizon/horizon-access.log logformat
WSGIScriptReloading On
WSGIDaemonProcess horizon-http processes={{ horizon_wsgi_processes }} threads={{ horizon_wsgi_threads }} user=horizon group=horizon display-name=horizon
WSGIProcessGroup horizon-http
WSGIScriptAlias / {{ python_path }}/openstack_dashboard/wsgi.py
WSGIPassAuthorization On
WSGIApplicationGroup %{GLOBAL}
<Location "/">
Require all granted
</Location>
Alias /static {{ python_path }}/static
<Location "/static">
SetHandler None
</Location>
{% if horizon_enable_tls_backend | bool %}
SSLEngine On
SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
{% endif %}
{% if horizon_httpd_limitrequestbody is defined %}
LimitRequestBody {{ horizon_httpd_limitrequestbody }}
{% endif %}
</VirtualHost>
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Json, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
<IfModule mod_expires.c>
<Filesmatch "\.(jpg|jpeg|png|gif|js|css|swf|ico|woff)$">
ExpiresActive on
ExpiresDefault "access plus 1 month"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType text/css "access plus 1 year"
ExpiresByType image/x-ico "access plus 1 year"
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
Header merge Cache-Control public
Header unset ETag
</Filesmatch>
</IfModule>
View Git Blame Copy Permalink