Merge "Role should default to no external SSL termination"

defaults/main.yml

@@ -98,7 +98,8 @@ horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizo
 
 # Set this to True if you do ssl termination on an external device, like the
 # load balancer
-horizon_ssl_external: true
+horizon_external_ssl: false
+
 # Set this to the header that your device sets when doing ssl termination
 horizon_secure_proxy_ssl_header: "X-Forwarded-Proto"
 horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}"

tasks/main.yml

@@ -22,11 +22,12 @@
     inventory_hostname == groups['horizon_all'][0]
 
 - include: horizon_ssl_self_signed.yml
-  when: >
-    horizon_user_ssl_cert is not defined or
-    horizon_user_ssl_key is not defined
+  when:
+    - not horizon_external_ssl|bool
+    - horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined
 
 - include: horizon_ssl_user_provided.yml
+  when: not horizon_external_ssl|bool
 
 - include: horizon_service_setup.yml
 

templates/horizon_local_settings.py.j2

@@ -34,13 +34,14 @@ WEBROOT = '{{ horizon_webroot }}'
 # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = ['*']
 
+{% if horizon_external_ssl | bool %}
 # Set SSL proxy settings:
 # For Django 1.4+ pass this header from the proxy after terminating the SSL,
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
-#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
-#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_PROXY_SSL_HEADER = ('{{ horizon_secure_proxy_ssl_header_django }}', 'https')
+{% endif %}
 
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits

templates/openstack_dashboard.conf.j2

@@ -3,21 +3,23 @@
 {% set _wsgi_threads = ansible_processor_vcpus | default(2) // 2 %}
 {% set wsgi_threads = _wsgi_threads if _wsgi_threads > 0 else 1 %}
 
+{% if not horizon_external_ssl | bool %}
 <VirtualHost *:80>
     ServerName {{ horizon_server_name }}
     RewriteEngine On
     RewriteCond %{HTTPS} !=on
     RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
 </VirtualHost>
+{% endif %}
 
-<VirtualHost *:443>
+<VirtualHost *:{% if not horizon_external_ssl | bool %}443{% else %}80{% endif %}>
     ServerName {{ horizon_server_name }}
 
     LogLevel  {{ horizon_log_level }}
     ErrorLog  /var/log/horizon/horizon-error.log
     CustomLog /var/log/horizon/ssl_access.log combined
     Options +FollowSymLinks
-
+{% if not horizon_external_ssl | bool %}
     SSLEngine on
     SSLCertificateFile    {{ horizon_ssl_cert }}
     SSLCertificateKeyFile {{ horizon_ssl_key }}