Fix horizon_enable_ssl logic

Current logic does not allow the horizon backend to listen on https
(`horizon_enable_ssl`) if an external load balancer serves TLS
(`horizon_external_ssl`).
It basically forces the backend to listen on plain http in this case, which
does not make any sense. It should be possible to enable TLS on both the
load balancer and the horizon backend.

Additionally, with this patch, role defines a proper
HTTP_X_FORWARDED_PROTO header value(it's included in
`horizon_secure_proxy_ssl_header` and
`horizon_secure_proxy_ssl_header_django` and can be set to 'http' or
'https') based on whether external load balancer listens on https
(`horizon_external_ssl`)[1].
For example if loadbalancer listens on https and backend on http,
HTTP_X_FORWARDED_PROTO should be set to 'https'. Otherwise horizon will
respond with redirection to http.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

Change-Id: I7706e52c01b3f0d72ea383a0476045e606078cff
Damian Dabrowski 2023-04-04 23:17:39 +02:00
parent 9c07e79890
commit c92f45e3af
3 changed files with 6 additions and 9 deletions


@ -58,7 +58,6 @@
- import_tasks: horizon_ssl_self_signed.yml
when:
- horizon_enable_ssl | bool
- not (horizon_external_ssl | bool)
- horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined
tags:
- horizon-config
@ -66,7 +65,6 @@
- import_tasks: horizon_ssl_user_provided.yml
when:
- horizon_enable_ssl | bool
- not (horizon_external_ssl | bool)
tags:
- horizon-config
@ -74,7 +72,6 @@
command: "update-ca-certificates -f"
when:
- horizon_enable_ssl | bool
- not (horizon_external_ssl | bool)
- ansible_facts['pkg_mgr'] == 'apt'
tags:
- horizon-config
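Review bot: With `not (horizon_external_ssl | bool)` dropped from the `when:` of all three tasks in this file, the self-signed certificate path now also runs for a backend that sits behind a TLS-terminating load balancer, and that backend certificate only gives a verifiable balancer-to-backend hop if the balancer is configured to trust it; nothing on the page says whether that is expected. The role defaults are outside this diff, so I can only suggest documenting it next to `horizon_enable_ssl` there, e.g. `# When set together with horizon_external_ssl the backend serves its own certificate; the load balancer must trust it (or supply horizon_user_ssl_cert/horizon_user_ssl_key).` The `update-ca-certificates -f` task in the last hunk starts before the hunk.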


@ -49,7 +49,7 @@ LOGOUT_URL = '{{ horizon_logout_url }}'
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
ALLOWED_HOSTS = {{ horizon_allowed_hosts | to_json }}
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
{% if horizon_external_ssl | bool %}
# Set SSL proxy settings:
# For Django 1.4+ pass this header from the proxy after terminating the SSL,
# and don't forget to strip it from the client's request.
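Review bot: The condition now keys on `horizon_external_ssl` alone, which is the right trigger for honouring the forwarded-proto header, but the comment beneath it still only hints at the trust assumption: Django will treat any request carrying that header as HTTPS, so this is safe only because the Apache vhost overwrites the header on every request (`RequestHeader set` in the apache template) and, presumably, the backend is reachable only through the load balancer. Suggest stating that in the comment, e.g. `# Honoured only when a TLS-terminating load balancer fronts horizon; apache overwrites the header on every request so clients cannot inject it.` The setting this block guards and its `{% endif %}` are outside the hunk.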


@ -6,7 +6,7 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
# If horizon is being served via SSL from this web server,
# then we must redirect HTTP requests to HTTPS.
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
{% if (horizon_enable_ssl | bool) %}
<VirtualHost {{ horizon_bind_address }}:{{ horizon_listen_ports.http }}>
ServerName {{ horizon_server_name }}
RewriteEngine On
@ -18,13 +18,13 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
# If horizon is being served via SSL via a load balancer, we
# need to listen via HTTP on this web server. If SSL is not
# enabled, then the same applies.
<VirtualHost {{ horizon_bind_address }}:{{ ((horizon_enable_ssl | bool) and not (horizon_external_ssl | bool)) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
<VirtualHost {{ horizon_bind_address }}:{{ (horizon_enable_ssl | bool) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
ServerName {{ horizon_server_name }}
LogLevel {{ horizon_log_level }}
ErrorLog syslog:daemon
CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }}
Options +FollowSymLinks
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
{% if horizon_enable_ssl | bool %}
SSLEngine on
SSLCertificateFile {{ horizon_ssl_cert }}
SSLCertificateKeyFile {{ horizon_ssl_key }}
@ -42,9 +42,9 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
{% endif -%}
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
{% endif %}
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
{% if horizon_external_ssl | bool %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https"
{% elif not (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
{% else %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http"
{% endif %}