Role should default to no external SSL termination

This decouples the role more completely from the AIO
build default configuration in
Id87fab39c929e0860abbc3755ad386aa6893b151
which enables SSL termination at the HAProxy LB.

Variable naming should match what is in
Id87fab39c929e0860abbc3755ad386aa6893b151 to allow
the AIO configuration to enable external SSL termination.

And, bringing in changes from
I1c654501d0c8573734c52b9c20ba4b5713d667c1
that were missed.

Change-Id: I0fd26ec60f02e68688ea864d0d7880f73e6df780
Travis Truman 2016-03-04 18:00:48 -05:00
parent c0fbd295bc
commit 39c950ba4e
4 changed files with 13 additions and 8 deletions


@ -98,7 +98,8 @@ horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizo
# Set this to True if you do ssl termination on an external device, like the
# load balancer
horizon_ssl_external: true
horizon_external_ssl: false
# Set this to the header that your device sets when doing ssl termination
horizon_secure_proxy_ssl_header: "X-Forwarded-Proto"
horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}"
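Review bot: Deployments that already override the old name `horizon_ssl_external` get no signal that it is no longer read. After this rename the role falls back to `horizon_external_ssl: false` and would configure local SSL termination even where an external terminator is in place. A release note, or a transitional default such as `horizon_external_ssl: "{{ horizon_ssl_external | default(false) }}"`, would make the change visible to operators. The comment above the variable also still says `True` while the value is written `false`; lowercase `true` would match.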


@ -22,11 +22,12 @@
inventory_hostname == groups['horizon_all'][0]
- include: horizon_ssl_self_signed.yml
when: >
horizon_user_ssl_cert is not defined or
horizon_user_ssl_key is not defined
when:
- not horizon_external_ssl|bool
- horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined
- include: horizon_ssl_user_provided.yml
when: not horizon_external_ssl|bool
- include: horizon_service_setup.yml


@ -34,13 +34,14 @@ WEBROOT = '{{ horizon_webroot }}'
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
ALLOWED_HOSTS = ['*']
{% if horizon_external_ssl | bool %}
# Set SSL proxy settings:
# For Django 1.4+ pass this header from the proxy after terminating the SSL,
# and don't forget to strip it from the client's request.
# For more information see:
# https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_PROXY_SSL_HEADER = ('{{ horizon_secure_proxy_ssl_header_django }}', 'https')
{% endif %}
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
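Review bot: Inside the `{% if horizon_external_ssl | bool %}` block, `SECURE_PROXY_SSL_HEADER` makes Django treat any request carrying the configured header (default `X-Forwarded-Proto`) with value `https` as secure. The vhost template in this same commit serves plain port 80 in that mode. The setting is therefore only sound if the load balancer sets or strips that header on every client request and the backend is reachable only through it. The existing comment says to strip the header but not which component must do it; I would add `# The external load balancer must set or strip this header itself; do not expose this backend directly.` inside the block. The cookie settings named in the trailing comment lie outside the hunk, so whether they are enabled for this mode cannot be checked from here.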


@ -3,21 +3,23 @@
{% set _wsgi_threads = ansible_processor_vcpus | default(2) // 2 %}
{% set wsgi_threads = _wsgi_threads if _wsgi_threads > 0 else 1 %}
{% if not horizon_external_ssl | bool %}
<VirtualHost *:80>
ServerName {{ horizon_server_name }}
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
{% endif %}
<VirtualHost *:443>
<VirtualHost *:{% if not horizon_external_ssl | bool %}443{% else %}80{% endif %}>
ServerName {{ horizon_server_name }}
LogLevel {{ horizon_log_level }}
ErrorLog /var/log/horizon/horizon-error.log
CustomLog /var/log/horizon/ssl_access.log combined
Options +FollowSymLinks
{% if not horizon_external_ssl | bool %}
SSLEngine on
SSLCertificateFile {{ horizon_ssl_cert }}
SSLCertificateKeyFile {{ horizon_ssl_key }}