4283200534
Horizon has, since OSA's inception, been deployed with HTTPS access enabled, and has had no way to turn it off. Some use-cases may want to access via HTTP instead, so this patch enables the following: 1. Listen via HTTPS on a load balancer, but via HTTP on the horizon host and have the load balancer forward the correct headers. It will do this by default in the integrated build due to the presence of the load balancer, so the current behaviour is retained. 2. Enable HTTPS on the horizon host without a load balancer. This is the role's default behaviour which matches what it always has been. 3. Disable HTTPS entirely by setting ``haproxy_ssl: no`` (which will also disable https on haproxy. This setting is inherited by the new ``horizon_enable_ssl`` variable by default. This is a new option. Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk> Change-Id: I823f2f949258157e306dbf80570abe53373da0c3 Closes-Bug: 1794337
66 lines
2.5 KiB
Django/Jinja
66 lines
2.5 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
# If horizon is being served via SSL from this web server,
|
|
# then we must redirect HTTP requests to HTTPS.
|
|
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
|
|
<VirtualHost *:80>
|
|
ServerName {{ horizon_server_name }}
|
|
RewriteEngine On
|
|
RewriteCond %{HTTPS} !=on
|
|
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
|
|
</VirtualHost>
|
|
{% endif %}
|
|
|
|
# If horizon is being served via SSL via a load balancer, we
|
|
# need to listen via HTTP on this web server. If SSL is not
|
|
# enabled, then the same applies.
|
|
<VirtualHost *:{{ ((horizon_enable_ssl | bool) and not (horizon_external_ssl | bool)) | ternary('443', '80') }}>
|
|
ServerName {{ horizon_server_name }}
|
|
LogLevel {{ horizon_log_level }}
|
|
ErrorLog /var/log/horizon/horizon-error.log
|
|
CustomLog /var/log/horizon/ssl_access.log {{ horizon_apache_custom_log_format }}
|
|
Options +FollowSymLinks
|
|
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
|
|
SSLEngine on
|
|
SSLCertificateFile {{ horizon_ssl_cert }}
|
|
SSLCertificateKeyFile {{ horizon_ssl_key }}
|
|
{% if horizon_user_ssl_ca_cert is defined -%}
|
|
SSLCACertificateFile {{ horizon_ssl_ca_cert }}
|
|
{% endif -%}
|
|
SSLCompression Off
|
|
SSLProtocol {{ horizon_ssl_protocol }}
|
|
SSLHonorCipherOrder On
|
|
SSLCipherSuite {{ horizon_ssl_cipher_suite }}
|
|
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
|
|
{% endif %}
|
|
{% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
|
|
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https"
|
|
{% elif not (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
|
|
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http"
|
|
{% endif %}
|
|
|
|
WSGIScriptAlias / {{ horizon_lib_wsgi_file }}
|
|
WSGIDaemonProcess horizon user={{ horizon_system_user_name }} group={{ horizon_system_group_name }} processes={{ horizon_wsgi_processes | default(horizon_wsgi_threads) }} threads={{ horizon_wsgi_threads }} python-path={{ horizon_bin | dirname }}/lib/python2.7/site-packages
|
|
|
|
WSGIProcessGroup horizon
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
|
|
<Directory {{ horizon_lib_wsgi_file | dirname }}>
|
|
<Files django.wsgi>
|
|
Order allow,deny
|
|
allow from all
|
|
Require all granted
|
|
</Files>
|
|
</Directory>
|
|
|
|
Alias /static {{ horizon_lib_dir }}/static/
|
|
|
|
<Directory {{ horizon_lib_dir }}/static/>
|
|
Options -FollowSymlinks
|
|
AllowOverride None
|
|
Order allow,deny
|
|
allow from all
|
|
Require all granted
|
|
</Directory>
|
|
</VirtualHost>
|