From 5b79aa6066e7bdd06d73e09f2aa14a0e80d1f630 Mon Sep 17 00:00:00 2001
From: Mathias Ewald
Date: Thu, 1 Dec 2016 20:22:11 +0100
Subject: [PATCH] Fix X-Forward-Proto Header Deletion Deletion of X-Forward-Proto only happens if HAProxy manages SSL termination
Change-Id: I9acd425330749a0fe296c9b9f8262f82ebf9de49
Closes-Bug: #1646593
---
 .../roles/haproxy/templates/haproxy.cfg.j2 | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
index abedfbf024..cb40f555cc 100644
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -55,7 +55,7 @@ listen mongodb
 {% if enable_keystone | bool %}
 listen keystone_internal
 bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['keystone'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -63,7 +63,7 @@ listen keystone_internal
 listen keystone_external
 bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['keystone'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
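Review bot: On `keystone_internal` the `bind` line carries no `{{ tls_bind_info }}`, so `ssl_fc` can never be true there and the rewritten `del-header` rule never fires; a client-supplied `X-Forwarded-Proto` now reaches Keystone unmodified. The same holds for the other listeners in this patch that are bound without TLS (`keystone_admin`, `nova_api`, `nova_metadata`, `nova_novncproxy`, `horizon`, `cinder_api`, `cloudkitty_api`, `heat_api`, `heat_api_cfn`, `grafana_server`, `congress_api`). If the aim is to keep a header set by an upstream TLS terminator, the pass-through should be limited to that terminator's addresses, for example `http-request del-header X-Forwarded-Proto unless { src -f <trusted-proxies-file> }`, because a backend that derives the request scheme from this header would otherwise accept a plain-HTTP client's claim of `https`. At minimum, a template comment such as `# X-Forwarded-Proto is passed through unchanged here; only a trusted upstream proxy may set it` would record the trust assumption.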
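Review bot: In `keystone_external` the conditional `del-header` is now redundant: the next line, `http-request set-header X-Forwarded-Proto https if { ssl_fc }`, fires under the same condition, and `set-header` already replaces any existing value. When `{{ tls_bind_info }}` renders empty (presumably when external TLS is disabled; the variable's definition is not visible here), neither rule fires and the client's header is forwarded from the external VIP as received. Either drop the `del-header` line in the `*_external` listeners, or keep the deletion unconditional and add an explicit rule for the upstream-proxy case. The `*_external` hunks for nova, horizon, cinder, cloudkitty, heat, grafana, kibana and congress carry the same pair of lines.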
@@ -72,7 +72,7 @@ listen keystone_external
 listen keystone_admin
 bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['keystone'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -103,14 +103,14 @@ listen glance_api_external
 {% if enable_nova | bool %}
 listen nova_api
 bind {{ kolla_internal_vip_address }}:{{ nova_api_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 listen nova_metadata
 bind {{ kolla_internal_vip_address }}:{{ nova_metadata_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -118,7 +118,7 @@ listen nova_metadata
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy
 bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
@@ -134,7 +134,7 @@ listen nova_spicehtml5proxy
 listen nova_api_external
 bind {{ kolla_external_vip_address }}:{{ nova_api_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
@@ -142,7 +142,7 @@ listen nova_api_external
 listen nova_metadata_external
 bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
@@ -151,7 +151,7 @@ listen nova_metadata_external
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy_external
 bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
@@ -159,7 +159,7 @@ listen nova_novncproxy_external
 {% elif nova_console == 'spice' %}
 listen nova_spicehtml5proxy_external
 bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-spicehtml5proxy'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
@@ -188,7 +188,7 @@ listen neutron_server_external
 listen horizon
 bind {{ kolla_internal_vip_address }}:80
 balance source
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['horizon'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -198,7 +198,7 @@ listen horizon
 listen horizon_external
 bind {{ kolla_external_vip_address }}:443 {{ tls_bind_info }}
 balance source
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['horizon'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
@@ -220,7 +220,7 @@ listen horizon_external
 {% if enable_cinder | bool %}
 listen cinder_api
 bind {{ kolla_internal_vip_address }}:{{ cinder_api_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['cinder-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -228,7 +228,7 @@ listen cinder_api
 listen cinder_api_external
 bind {{ kolla_external_vip_address }}:{{ cinder_api_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cinder-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
@@ -239,7 +239,7 @@ listen cinder_api_external
 {% if enable_cloudkitty | bool %}
 listen cloudkitty_api
 bind {{ kolla_internal_vip_address }}:{{ cloudkitty_api_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['cloudkitty-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -247,7 +247,7 @@ listen cloudkitty_api
 listen cloudkitty_api_external
 bind {{ kolla_external_vip_address }}:{{ cloudkitty_api_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cloudkitty-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5
@@ -258,14 +258,14 @@ listen cloudkitty_api_external
 {% if enable_heat | bool %}
 listen heat_api
 bind {{ kolla_internal_vip_address }}:{{ heat_api_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['heat-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 listen heat_api_cfn
 bind {{ kolla_internal_vip_address }}:{{ heat_api_cfn_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -273,7 +273,7 @@ listen heat_api_cfn
 listen heat_api_external
 bind {{ kolla_external_vip_address }}:{{ heat_api_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
@@ -281,7 +281,7 @@ listen heat_api_external
 listen heat_api_cfn_external
 bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
@@ -292,7 +292,7 @@ listen heat_api_cfn_external
 {% if enable_grafana | bool %}
 listen grafana_server
 bind {{ kolla_internal_vip_address }}:{{ grafana_server_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['grafana'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5
@@ -301,7 +301,7 @@ listen grafana_server
 listen grafana_server_external
 bind {{ kolla_external_vip_address }}:{{ grafana_server_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['grafana'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5
@@ -513,7 +513,7 @@ listen kibana
 listen kibana_external
 bind {{ kolla_external_vip_address }}:{{ kibana_server_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 acl auth_acl http_auth(kibanauser)
 http-request auth realm basicauth unless auth_acl
@@ -615,7 +615,7 @@ listen trove_api_external
 {% if enable_congress | bool %}
 listen congress_api
 bind {{ kolla_internal_vip_address }}:{{ congress_api_port }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['congress-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -623,7 +623,7 @@ listen congress_api
 listen congress_api_external
 bind {{ kolla_external_vip_address }}:{{ congress_api_port }} {{ tls_bind_info }}
- http-request del-header X-Forwarded-Proto
+ http-request del-header X-Forwarded-Proto if { ssl_fc }
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['congress-api'] %}
 server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5