openstack/openstack-ansible-os_horizon
Code Issues Proposed changes

Fix horizon_enable_ssl logic

Browse Source 
Current logic does not allow horizon backend to listen on https
(`horizon_enable_ssl`) if external loadblanacer serves TLS
(`horizon_external_ssl`).
It basically forces backend to listen on plain http in this case which
does not make any sense. It should be possible to enable TLS on both
loadbalancer and horizon backend.

Additionally, with this patch, role defines a proper
HTTP_X_FORWARDED_PROTO header value(it's included in
`horizon_secure_proxy_ssl_header` and
`horizon_secure_proxy_ssl_header_django` and can be set to 'http' or
'https') based on whether external load balancer listens on https
(`horizon_external_ssl`)[1].
For example if loadbalancer listens on https and backend on http,
HTTP_X_FORWARDED_PROTO should be set to 'https'. Otherwise horizon will
respond with redirection to http.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

Change-Id: I7706e52c01b3f0d72ea383a0476045e606078cff
This commit is contained in:
Damian Dabrowski 2023-04-04 23:17:39 +02:00
parent 9c07e79890
commit c92f45e3af
3 changed files with 6 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tasks/main.yml
View File

@ -58,7 +58,6 @@
- import_tasks: horizon_ssl_self_signed.yml - import_tasks: horizon_ssl_self_signed.yml
when: when:
- horizon_enable_ssl | bool - horizon_enable_ssl | bool
- not (horizon_external_ssl | bool)
- horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined - horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined
tags: tags:
- horizon-config - horizon-config
@ -66,7 +65,6 @@
- import_tasks: horizon_ssl_user_provided.yml - import_tasks: horizon_ssl_user_provided.yml
when: when:
- horizon_enable_ssl | bool - horizon_enable_ssl | bool
- not (horizon_external_ssl | bool)
tags: tags:
- horizon-config - horizon-config
@ -74,7 +72,6 @@
command: "update-ca-certificates -f" command: "update-ca-certificates -f"
when: when:
- horizon_enable_ssl | bool - horizon_enable_ssl | bool
- not (horizon_external_ssl | bool)
- ansible_facts['pkg_mgr'] == 'apt' - ansible_facts['pkg_mgr'] == 'apt'
tags: tags:
- horizon-config - horizon-config

2
templates/horizon_local_settings.py.j2
View File

@ -49,7 +49,7 @@ LOGOUT_URL = '{{ horizon_logout_url }}'
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
ALLOWED_HOSTS = {{ horizon_allowed_hosts | to_json }} ALLOWED_HOSTS = {{ horizon_allowed_hosts | to_json }}
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %} {% if horizon_external_ssl | bool %}
# Set SSL proxy settings: # Set SSL proxy settings:
# For Django 1.4+ pass this header from the proxy after terminating the SSL, # For Django 1.4+ pass this header from the proxy after terminating the SSL,
# and don't forget to strip it from the client's request. # and don't forget to strip it from the client's request.

10
templates/openstack_dashboard.conf.j2
View File

@ -6,7 +6,7 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
# If horizon is being served via SSL from this web server, # If horizon is being served via SSL from this web server,
# then we must redirect HTTP requests to HTTPS. # then we must redirect HTTP requests to HTTPS.
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %} {% if (horizon_enable_ssl | bool) %}
<VirtualHost {{ horizon_bind_address }}:{{ horizon_listen_ports.http }}> <VirtualHost {{ horizon_bind_address }}:{{ horizon_listen_ports.http }}>
ServerName {{ horizon_server_name }} ServerName {{ horizon_server_name }}
RewriteEngine On RewriteEngine On
@ -18,13 +18,13 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
# If horizon is being served via SSL via a load balancer, we # If horizon is being served via SSL via a load balancer, we
# need to listen via HTTP on this web server. If SSL is not # need to listen via HTTP on this web server. If SSL is not
# enabled, then the same applies. # enabled, then the same applies.
<VirtualHost {{ horizon_bind_address }}:{{ ((horizon_enable_ssl | bool) and not (horizon_external_ssl | bool)) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}> <VirtualHost {{ horizon_bind_address }}:{{ (horizon_enable_ssl | bool) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
ServerName {{ horizon_server_name }} ServerName {{ horizon_server_name }}
LogLevel {{ horizon_log_level }} LogLevel {{ horizon_log_level }}
ErrorLog syslog:daemon ErrorLog syslog:daemon
CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }} CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }}
Options +FollowSymLinks Options +FollowSymLinks
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %} {% if horizon_enable_ssl | bool %}
SSLEngine on SSLEngine on
SSLCertificateFile {{ horizon_ssl_cert }} SSLCertificateFile {{ horizon_ssl_cert }}
SSLCertificateKeyFile {{ horizon_ssl_key }} SSLCertificateKeyFile {{ horizon_ssl_key }}
@ -42,9 +42,9 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
{% endif -%} {% endif -%}
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
{% endif %} {% endif %}
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %} {% if horizon_external_ssl | bool %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https" RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https"
{% elif not (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %} {% else %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http" RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http"
{% endif %} {% endif %}