From 107bed13e39f4e8e0fb5ab44aa8a4912ea372b6f Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Sun, 7 Feb 2016 14:38:30 -0600
Subject: [PATCH] Enable SSL termination for all services

This change makes it so that all services are expecting SSL termination at the load balancer by default. This is more indicative of how a real world deployment will be setup and is being added such that we can test a more production like deployment system by default. The AIO will now terminate SSL in HAProxy using a self-signed cert.

Change-Id: I09a7b9f0f180a79b4f46bb51322f96b1b2715f5b
Re-Implementation-Of: https://review.openstack.org/#/c/277199/9
Signed-off-by: Kevin Carter
---
 defaults/main.yml | 7 ++++---
 templates/keystone.conf.j2 | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 40a4b70c..38a10c46 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -108,9 +108,6 @@ keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
 keystone_admin_description: Admin Tenant
 
-## Secure Proxy SSL Information
-#keystone_secure_proxy_ssl_header: X-Forwarded-For
-
 ## Service Type and Data
 keystone_service_setup: true
 keystone_service_region: RegionOne
@@ -171,6 +168,10 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #keystone_user_ssl_key:
 #keystone_user_ssl_ca_cert:
 
+# External SSL forwarding proto
+keystone_ssl_external: true
+keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
+
 ## Caching
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 0d1926b6..b5789e44 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
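Review bot: The comment `# External SSL forwarding proto` above `keystone_ssl_external: true` in the second defaults/main.yml hunk does not say what either new variable means, and `HTTP_X_FORWARDED_PROTO` is the WSGI environ key rather than the HTTP header name, a distinction the removed `X-Forwarded-For` default shows has already been confusing in this file. Once this is enabled keystone takes the request scheme from whatever arrives in that header, so the default of `true` is only sound when every request reaches keystone through the load balancer that sets or overwrites the header; that precondition belongs in the comment. I would replace the one-line comment with: `# SSL is terminated in front of keystone (HAProxy in the AIO). keystone_secure_proxy_ssl_header is the WSGI environ key, not the HTTP header name, from which keystone reads the original scheme; leave keystone_ssl_external enabled only when keystone is reachable solely through a proxy that sets or overwrites that header.`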
@@ -11,7 +11,7 @@ admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
 member_role_name = {{ keystone_default_role_name }}
 
-{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
+{% if keystone_external_ssl | bool %}
 secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
 {% endif %}
 
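Review bot: The new condition tests `keystone_external_ssl`, but the variable this commit adds to defaults/main.yml is `keystone_ssl_external`, so the template references a name that is never defined: with Ansible's default strict undefined handling the render of keystone.conf fails, and if undefined were tolerated the option would silently never be written. The added line should read `{% if keystone_ssl_external | bool %}`. Dropping the old `keystone_secure_proxy_ssl_header is defined` guard is only safe because the header now has a default; a deployer who overrides it with an empty value would get a bare `secure_proxy_ssl_header =` line, so if that case matters the condition could be `{% if keystone_ssl_external | bool and keystone_secure_proxy_ssl_header %}`.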