From a81a5d5d5d0f6f84d17850b50dc35585738853d6 Mon Sep 17 00:00:00 2001 From: Kevin TIBI Date: Mon, 12 Feb 2018 16:19:47 +0100 Subject: [PATCH] Fix SSL api for multiple services If SSL is enabled, api of multiple services returns wrong external URL without https prefix. Removal of condition for deletion of http header. Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4 Closes-Bug: #1749155 Closes-Bug: #1717491 --- ansible/roles/aodh/templates/aodh.conf.j2 | 3 + .../roles/barbican/templates/barbican.conf.j2 | 3 + ansible/roles/cinder/templates/cinder.conf.j2 | 3 + .../roles/congress/templates/congress.conf.j2 | 3 + .../designate/templates/designate.conf.j2 | 4 + .../roles/freezer/templates/freezer.conf.j2 | 3 + .../roles/glance/templates/glance-api.conf.j2 | 3 + .../roles/gnocchi/templates/gnocchi.conf.j2 | 2 + .../roles/haproxy/templates/haproxy.cfg.j2 | 106 +++++++++++++----- ansible/roles/heat/templates/heat.conf.j2 | 2 - ansible/roles/ironic/templates/ironic.conf.j2 | 3 + ansible/roles/karbor/templates/karbor.conf.j2 | 3 + ansible/roles/magnum/templates/magnum.conf.j2 | 3 + ansible/roles/manila/templates/manila.conf.j2 | 3 + ansible/roles/murano/templates/murano.conf.j2 | 3 + .../roles/neutron/templates/neutron.conf.j2 | 3 + ansible/roles/nova/templates/nova.conf.j2 | 3 + ansible/roles/panko/templates/panko.conf.j2 | 3 + .../roles/vitrage/templates/vitrage.conf.j2 | 3 + 19 files changed, 126 insertions(+), 33 deletions(-) diff --git a/ansible/roles/aodh/templates/aodh.conf.j2 b/ansible/roles/aodh/templates/aodh.conf.j2 index e256fa9185..dce3afbfa8 100644 --- a/ansible/roles/aodh/templates/aodh.conf.j2 +++ b/ansible/roles/aodh/templates/aodh.conf.j2 @@ -27,6 +27,9 @@ password = {{ aodh_keystone_password }} auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} auth_type = password +[oslo_middleware] +enable_proxy_headers_parsing = True + {% if aodh_policy_file is defined %} [oslo_policy] policy_file = {{ aodh_policy_file }} 
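Review bot: `enable_proxy_headers_parsing = True` in aodh.conf.j2 makes the API take the scheme of the URLs it returns from forwarding headers, so it is only as trustworthy as the header stripping in front of it. The haproxy.cfg.j2 hunks of this patch delete `X-Forwarded-Proto` only. As far as I know the oslo.middleware proxy-header parser also honours `Forwarded`, `X-Forwarded-Host` and `X-Forwarded-Prefix`, which would still arrive as the client sent them; confirm this against the oslo.middleware release in use. If so, add `http-request del-header Forwarded` and `http-request del-header X-Forwarded-Host` next to each `del-header X-Forwarded-Proto` rule. The same applies to the identical `[oslo_middleware]` hunks in the barbican, cinder, congress, designate, freezer, glance-api, gnocchi, ironic, karbor and magnum templates.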
diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2 index 1ccd397141..1385c71a90 100644 --- a/ansible/roles/barbican/templates/barbican.conf.j2 +++ b/ansible/roles/barbican/templates/barbican.conf.j2 @@ -74,6 +74,9 @@ auth_type = password [oslo_messaging_notifications] transport_url = {{ notify_transport_url }} +[oslo_middleware] +enable_proxy_headers_parsing = True + {% if barbican_policy_file is defined %} [oslo_policy] policy_file = {{ barbican_policy_file }} diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2 index bedafc7276..6b2a163d00 100644 --- a/ansible/roles/cinder/templates/cinder.conf.j2 +++ b/ansible/roles/cinder/templates/cinder.conf.j2 @@ -68,6 +68,9 @@ topics = notifications driver = noop {% endif %} +[oslo_middleware] +enable_proxy_headers_parsing = True + {% if cinder_policy_file is defined %} [oslo_policy] policy_file = {{ cinder_policy_file }} diff --git a/ansible/roles/congress/templates/congress.conf.j2 b/ansible/roles/congress/templates/congress.conf.j2 index 15094c28da..9a5f21220b 100644 --- a/ansible/roles/congress/templates/congress.conf.j2 +++ b/ansible/roles/congress/templates/congress.conf.j2 @@ -50,5 +50,8 @@ transport_url = {{ notify_transport_url }} policy_file = {{ congress_policy_file }} {% endif %} +[oslo_middleware] +enable_proxy_headers_parsing = True + [congress] url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ congress_api_port }} diff --git a/ansible/roles/designate/templates/designate.conf.j2 b/ansible/roles/designate/templates/designate.conf.j2 index c853f7cc51..4c091fdc9a 100644 --- a/ansible/roles/designate/templates/designate.conf.j2 +++ b/ansible/roles/designate/templates/designate.conf.j2 
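Review bot: barbican.conf.j2 now trusts `X-Forwarded-Proto`, but no hunk of haproxy.cfg.j2 in this patch touches a barbican listener. Unless those listeners already delete the header outside the changed lines, a client-supplied value reaches barbican unmodified. The same gap appears to apply to the internal counterparts of `aodh_api_external`, `gnocchi_api_external` and `designate_api_external`, where only the external listeners gain the rules. Every listener in front of a service with proxy-header parsing enabled should carry `http-request del-header X-Forwarded-Proto`, plus `http-request set-header X-Forwarded-Proto https if { ssl_fc }` on the external bind.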
@@ -15,6 +15,7 @@ listen = {{ api_interface_address }}:{{ designate_api_port }} api_base_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ designate_api_port }} enabled_extensions_v2 = 'quotas, reports' workers = {{ openstack_service_workers }} +enable_host_header = True [keystone_authtoken] auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} @@ -102,6 +103,9 @@ driver = messagingv2 [oslo_concurrency] lock_path = /var/lib/designate/tmp +[oslo_middleware] +enable_proxy_headers_parsing = True + {% if designate_policy_file is defined %} [oslo_policy] policy_file = {{ designate_policy_file }} diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2 index 510fe7495d..90f86892c9 100644 --- a/ansible/roles/freezer/templates/freezer.conf.j2 +++ b/ansible/roles/freezer/templates/freezer.conf.j2 @@ -40,6 +40,9 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi policy_file = {{ freezer_policy_file }} {% endif %} +[oslo_middleware] +enable_proxy_headers_parsing = True + [paste_deploy] config_file = /etc/freezer/freezer-paste.ini diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2 index a54dae97ce..85aee91a68 100644 --- a/ansible/roles/glance/templates/glance-api.conf.j2 +++ b/ansible/roles/glance/templates/glance-api.conf.j2 @@ -81,6 +81,9 @@ vmware_datastores = {{ vmware_vcenter_name }}:{{ vmware_datastore_name }} vmware_insecure = True {% endif %} +[oslo_middleware] +enable_proxy_headers_parsing = True + [oslo_messaging_notifications] transport_url = {{ notify_transport_url }} {% if glance_enabled_notification_topics %} diff --git a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/gnocchi.conf.j2 index 705a2c0562..7e0e07f55d 100644 --- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 +++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2 
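Review bot: `enable_host_header = True` in the first designate.conf.j2 hunk appears to make designate-api build the links in its responses from the request's `Host` header rather than from `api_base_uri`, and that header is client-controlled. This is my reading of the option, so confirm it against the designate documentation. Nothing in the haproxy.cfg.j2 hunks validates or rewrites `Host` on the designate listeners, so returned URLs can reflect whatever host name the request carried. The commit message does not mention this option; a template comment such as `# links follow the Host header so external clients get the external FQDN; HAProxy must be the only path to this API` would record the assumption.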
@@ -18,6 +18,8 @@ host = {{ api_interface_address }} middlewares = keystonemiddleware.auth_token.AuthProtocol auth_mode = keystone +[oslo_middleware] +enable_proxy_headers_parsing = True [database] connection = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }}@{{ gnocchi_database_address }}/{{ gnocchi_database_name }} diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2 index 1eefd9d0fa..789c120609 100644 --- a/ansible/roles/haproxy/templates/haproxy.cfg.j2 +++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2 @@ -86,10 +86,10 @@ listen mongodb {% if enable_keystone | bool %} listen keystone_internal bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['keystone'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -97,7 +97,7 @@ listen keystone_internal listen keystone_external bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} 
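Review bot: In the `keystone_internal` hunk of haproxy.cfg.j2 the `del-header` rule moves below the `haproxy_listen_http_extra` loop, while `keystone_external` keeps it directly after `bind` and the later `glance_api` hunk puts it before the `timeout` lines. HAProxy applies `http-request` rules in the order they appear, so any `http-request` rule an operator supplies through `haproxy_listen_http_extra` sees the client's `X-Forwarded-Proto` on internal listeners but not on external ones. Keeping `http-request del-header X-Forwarded-Proto` as the first rule after `bind` in every listener would make the stripping independent of the extra options. The same placement recurs in the `keystone_admin`, `nova_api`, `nova_metadata`, `placement_api`, `horizon`, `cinder_api`, `cloudkitty_api`, `heat_api`, `heat_api_cfn`, `congress_api`, `zun_api` and `blazar_api` hunks.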
@@ -109,10 +109,10 @@ listen keystone_external listen keystone_admin bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['keystone'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -124,12 +124,14 @@ listen glance_registry {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['glance-registry'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_registry_port }} check inter 2000 rise 2 fall 5 {% endfor %} listen glance_api bind {{ kolla_internal_vip_address }}:{{ glance_api_port }} + http-request del-header X-Forwarded-Proto timeout client {{ haproxy_glance_api_client_timeout }} timeout server {{ haproxy_glance_api_server_timeout }} {% for http_option in haproxy_listen_http_extra %} @@ -147,6 +149,8 @@ listen glance_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['glance-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -170,30 +174,30 @@ listen influxdb_http {% if enable_nova | bool %} listen nova_api bind {{ kolla_internal_vip_address }}:{{ nova_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['nova-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} listen nova_metadata bind {{ kolla_internal_vip_address }}:{{ nova_metadata_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['nova-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5 {% endfor %} listen placement_api bind {{ kolla_internal_vip_address }}:{{ placement_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['placement-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ placement_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -201,7 +205,7 @@ listen placement_api {% if nova_console == 'novnc' %} listen nova_novncproxy bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } timeout tunnel 1h {% for http_option in haproxy_listen_http_extra %} 
@@ -216,6 +220,7 @@ listen nova_spicehtml5proxy {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['nova-spicehtml5proxy'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -244,7 +249,7 @@ listen nova_serialconsole_proxy listen nova_api_external bind {{ kolla_external_vip_address }}:{{ nova_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -255,7 +260,7 @@ listen nova_api_external listen nova_metadata_external bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -266,7 +271,7 @@ listen nova_metadata_external listen placement_api_external bind {{ kolla_external_vip_address }}:{{ placement_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} 
@@ -278,7 +283,7 @@ listen placement_api_external {% if nova_console == 'novnc' %} listen nova_novncproxy_external bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -289,7 +294,7 @@ listen nova_novncproxy_external {% elif nova_console == 'spice' %} listen nova_spicehtml5proxy_external bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -332,6 +337,8 @@ listen neutron_server_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['neutron-server'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -342,10 +349,10 @@ listen neutron_server_external listen horizon bind {{ kolla_internal_vip_address }}:{{ horizon_port }} balance source - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['horizon'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ horizon_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -355,7 +362,7 @@ listen horizon listen horizon_external bind {{ kolla_external_vip_address }}:443 {{ tls_bind_info }} balance source - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -383,10 +390,10 @@ listen horizon_external {% if enable_cinder | bool %} listen cinder_api bind {{ kolla_internal_vip_address }}:{{ cinder_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['cinder-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -394,7 +401,7 @@ listen cinder_api listen cinder_api_external bind {{ kolla_external_vip_address }}:{{ cinder_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -408,10 +415,10 @@ listen cinder_api_external {% if enable_cloudkitty | bool %} listen cloudkitty_api bind {{ kolla_internal_vip_address }}:{{ cloudkitty_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['cloudkitty-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -419,7 +426,7 @@ listen cloudkitty_api listen cloudkitty_api_external bind {{ kolla_external_vip_address }}:{{ cloudkitty_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -483,20 +490,20 @@ listen panko_api_external {% if enable_heat | bool %} listen heat_api bind {{ kolla_internal_vip_address }}:{{ heat_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['heat-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} listen heat_api_cfn bind {{ kolla_internal_vip_address }}:{{ heat_api_cfn_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['heat-api-cfn'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -504,7 +511,7 @@ listen heat_api_cfn listen heat_api_external bind {{ kolla_external_vip_address }}:{{ heat_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} 
@@ -515,7 +522,7 @@ listen heat_api_external listen heat_api_cfn_external bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -529,7 +536,7 @@ listen heat_api_cfn_external {% if enable_grafana | bool %} listen grafana_server bind {{ kolla_internal_vip_address }}:{{ grafana_server_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -541,7 +548,7 @@ listen grafana_server listen grafana_server_external bind {{ kolla_external_vip_address }}:{{ grafana_server_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -558,6 +565,7 @@ listen ironic_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['ironic-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -566,6 +574,7 @@ listen ironic_inspector {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['ironic-inspector'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_inspector_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -598,6 +607,7 @@ listen karbor_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['karbor-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ karbor_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -608,6 +618,8 @@ listen karbor_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['karbor-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ karbor_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -621,6 +633,7 @@ listen freezer_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['freezer-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ freezer_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -631,6 +644,8 @@ listen freezer_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['freezer-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ freezer_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -644,6 +659,7 @@ listen senlin_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['senlin-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ senlin_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -654,6 +670,8 @@ listen senlin_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['senlin-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ senlin_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -666,6 +684,7 @@ listen solum_application_deployment {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['solum-application-deployment'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ solum_application_deployment_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -675,6 +694,7 @@ listen solum_image_builder {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['solum-image-builder'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ solum_image_builder_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -694,6 +714,8 @@ listen solum_image_builder_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['solum-image-builder'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ solum_image_builder_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -706,6 +728,7 @@ listen swift_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['swift-proxy-server'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -716,6 +739,8 @@ listen swift_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['swift-proxy-server'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -728,6 +753,7 @@ listen murano_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['murano-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -738,6 +764,8 @@ listen murano_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['murano-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -750,6 +778,7 @@ listen manila_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['manila-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ manila_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -760,6 +789,8 @@ listen manila_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['manila-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ manila_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -772,6 +803,7 @@ listen magnum_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['magnum-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -782,6 +814,8 @@ listen magnum_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['magnum-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -794,6 +828,7 @@ listen watcher_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['watcher-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ watcher_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -804,6 +839,8 @@ listen watcher_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['watcher-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ watcher_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -816,6 +853,7 @@ listen sahara_api {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['sahara-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ sahara_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -895,7 +933,7 @@ listen kibana listen kibana_external bind {{ kolla_external_vip_address }}:{{ kibana_server_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } acl auth_acl http_auth(kibanauser) http-request auth realm basicauth unless auth_acl @@ -924,6 +962,8 @@ listen gnocchi_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['gnocchi-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ gnocchi_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -980,6 +1020,8 @@ listen aodh_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['aodh-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ aodh_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -1011,10 +1053,10 @@ listen trove_api_external {% if enable_congress | bool %} listen congress_api bind {{ kolla_internal_vip_address }}:{{ congress_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['congress-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -1022,7 +1064,7 @@ listen congress_api listen congress_api_external bind {{ kolla_external_vip_address }}:{{ congress_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -1049,6 +1091,8 @@ listen designate_api_external {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto + http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['designate-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ designate_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} 
@@ -1102,10 +1146,10 @@ listen tacker_server_external {% if enable_zun | bool %} listen zun_api bind {{ kolla_internal_vip_address }}:{{ zun_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['zun-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ zun_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -1113,7 +1157,7 @@ listen zun_api listen zun_api_external bind {{ kolla_external_vip_address }}:{{ zun_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} @@ -1174,10 +1218,10 @@ listen vitrage_api_external {% if enable_blazar | bool %} listen blazar_api bind {{ kolla_internal_vip_address }}:{{ blazar_api_port }} - http-request del-header X-Forwarded-Proto if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} {% endfor %} + http-request del-header X-Forwarded-Proto {% for host in groups['blazar-api'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ blazar_api_port }} check inter 2000 rise 2 fall 5 {% endfor %} @@ -1185,7 +1229,7 @@ listen blazar_api listen blazar_api_external bind {{ kolla_external_vip_address }}:{{ blazar_api_port }} {{ tls_bind_info }} - http-request del-header X-Forwarded-Proto if { ssl_fc } + http-request del-header X-Forwarded-Proto http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for http_option in haproxy_listen_http_extra %} {{ http_option }} 
diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2 index 8c32f256f1..6564f5f8bf 100644 --- a/ansible/roles/heat/templates/heat.conf.j2 +++ b/ansible/roles/heat/templates/heat.conf.j2 @@ -95,10 +95,8 @@ endpoint_type = internalURL [clients_heat] endpoint_type = publicURL -{% if public_protocol != internal_protocol and kolla_external_fqdn != kolla_internal_fqdn %} [oslo_middleware] enable_proxy_headers_parsing = True -{% endif %} {% if enable_osprofiler | bool %} [profiler] diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index 6c58f97e34..0a9744e671 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -97,3 +97,6 @@ deploy_logs_collect = always [pxe] pxe_append_params = nofb nomodeset vga=normal console=tty0 console=ttyS0,{{ ironic_console_serial_speed }} + +[oslo_middleware] +enable_proxy_headers_parsing = True diff --git a/ansible/roles/karbor/templates/karbor.conf.j2 b/ansible/roles/karbor/templates/karbor.conf.j2 index 908cf13d0d..6e9470d065 100644 --- a/ansible/roles/karbor/templates/karbor.conf.j2 +++ b/ansible/roles/karbor/templates/karbor.conf.j2 @@ -45,3 +45,6 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi [oslo_messaging_notifications] transport_url = {{ notify_transport_url }} + +[oslo_middleware] +enable_proxy_headers_parsing = True diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2 index fa987d558e..8d9aec4b39 100644 --- a/ansible/roles/magnum/templates/magnum.conf.j2 +++ b/ansible/roles/magnum/templates/magnum.conf.j2 @@ -74,6 +74,9 @@ cluster_user_trust = {{ enable_cluster_user_trust }} [oslo_concurrency] lock_path = /var/lib/magnum/tmp +[oslo_middleware] +enable_proxy_headers_parsing = True + [certificates] {% if enable_barbican | bool %} cert_manager_type = barbican 
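Review bot: With the `{% if public_protocol != internal_protocol and kolla_external_fqdn != kolla_internal_fqdn %}` guard removed in heat.conf.j2, `enable_proxy_headers_parsing = True` is rendered unconditionally, and nothing in the template says what the setting relies on. The option makes the API trust forwarded headers from whichever peer connects, so it is only safe while every client path goes through the HAProxy listeners that rewrite those headers. If the API port on the api_interface address is reachable directly, a request could present its own values. I would add a comment above the section, for example `# Trusts proxy headers; requests must arrive via HAProxy, which strips client-supplied X-Forwarded-Proto`. The same comment belongs in the ironic, karbor and magnum hunks here and in the manila, murano, neutron, nova, panko and vitrage hunks that follow.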
diff --git a/ansible/roles/manila/templates/manila.conf.j2 b/ansible/roles/manila/templates/manila.conf.j2 index 7aace90134..1e25800542 100644 --- a/ansible/roles/manila/templates/manila.conf.j2 +++ b/ansible/roles/manila/templates/manila.conf.j2 @@ -45,6 +45,9 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi [oslo_messaging_notifications] transport_url = {{ notify_transport_url }} +[oslo_middleware] +enable_proxy_headers_parsing = True + {% if manila_policy_file is defined %} [oslo_policy] policy_file = {{ manila_policy_file }} diff --git a/ansible/roles/murano/templates/murano.conf.j2 b/ansible/roles/murano/templates/murano.conf.j2 index 228b2b2ce2..d9d1e43d70 100644 --- a/ansible/roles/murano/templates/murano.conf.j2 +++ b/ansible/roles/murano/templates/murano.conf.j2 @@ -49,6 +49,9 @@ api_workers = {{ openstack_service_workers }} transport_url = {{ notify_transport_url }} driver = messagingv2 +[oslo_middleware] +enable_proxy_headers_parsing = True + {% if murano_policy_file is defined %} [oslo_policy] policy_file = {{ murano_policy_file }} diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2 index 4b5a553976..3e1a62f10f 100644 --- a/ansible/roles/neutron/templates/neutron.conf.j2 +++ b/ansible/roles/neutron/templates/neutron.conf.j2 @@ -79,6 +79,9 @@ username = {{ nova_keystone_user }} password = {{ nova_keystone_password }} endpoint_type = internal +[oslo_middleware] +enable_proxy_headers_parsing = True + [oslo_concurrency] lock_path = /var/lib/neutron/tmp diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2 index d94c8ace37..c02d22cbbc 100644 --- a/ansible/roles/nova/templates/nova.conf.j2 +++ b/ansible/roles/nova/templates/nova.conf.j2 
@@ -121,6 +121,9 @@ project_domain_name = {{ default_project_domain_name }} api_endpoint = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ ironic_api_port }}/v1 {% endif %} +[oslo_middleware] +enable_proxy_headers_parsing = True + [oslo_concurrency] lock_path = /var/lib/nova/tmp diff --git a/ansible/roles/panko/templates/panko.conf.j2 b/ansible/roles/panko/templates/panko.conf.j2 index c04b1b66cf..8d17bcca0d 100644 --- a/ansible/roles/panko/templates/panko.conf.j2 +++ b/ansible/roles/panko/templates/panko.conf.j2 @@ -34,3 +34,6 @@ memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansi [oslo_policy] policy_file = {{ panko_policy_file }} {% endif %} + +[oslo_middleware] +enable_proxy_headers_parsing = True diff --git a/ansible/roles/vitrage/templates/vitrage.conf.j2 b/ansible/roles/vitrage/templates/vitrage.conf.j2 index ba32a009b6..bb56278336 100644 --- a/ansible/roles/vitrage/templates/vitrage.conf.j2 +++ b/ansible/roles/vitrage/templates/vitrage.conf.j2 @@ -61,6 +61,9 @@ driver = messagingv2 [oslo_concurrency] lock_path = /var/lib/vitrage/tmp +[oslo_middleware] +enable_proxy_headers_parsing = True + {% if vitrage_policy_file is defined %} [oslo_policy] policy_file = {{ vitrage_policy_file }}