summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-08-09 17:58:37 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-08-10 15:10:05 +0300
commit39e10ab15a626b7fb9c55342779d091b73d82f28 (patch)
treeb72a64ecbde15a93bcbd4ef4e6cd4d97b682e8cd
parent689d80e97188342c84bb965980d48c8ed212e60d (diff)
Handle redirects for keystone
If keystone sends a redirect and we have TLS enabled, we need to modify the response in order to indicate https. Change-Id: Icd61f527473bfe5153e058e94f9ed141cf13812d
-rw-r--r--manifests/haproxy.pp21
1 files changed, 16 insertions, 5 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 0a53353..e2b2cc9 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -517,6 +517,21 @@ class tripleo::haproxy (
}
if $keystone_public {
+ $keystone_listen_opts = {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ }
+ if $service_certificate {
+ $keystone_public_tls_listen_opts = {
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'option' => 'forwardfor',
+ }
+ } else {
+ $keystone_public_tls_listen_opts = {}
+ }
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
@@ -524,11 +539,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
}
}