summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-03-18 10:30:55 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-03-18 12:31:19 +0200
commitf8de51a85da685f92900ea17aef8b16a32661843 (patch)
tree7fa592ba4857f615b5e4ae3fffdd526eaa24c041
parent4988d0fc359a59af6ce86c0beb8549a950df57cd (diff)
Redirect to https for horizon
This adds a TLS binding listening on the internal network for horizon. And on the other hand, if the public binding for horizon is accessed via non-https, it will redirect to https. Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
-rw-r--r--manifests/loadbalancer.pp18
1 files changed, 15 insertions, 3 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..901ffcd 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -855,13 +855,25 @@ class tripleo::loadbalancer (
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
if $horizon_bind_certificate {
+ # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
+ # same, the first option takes precedence. Which is the case when network
+ # isolation is not enabled. This is not a problem as both options are
+ # identical. If network isolation is enabled, this works correctly and
+ # will add a TLS binding to both the horizon_vip and the
+ # public_virtual_ip.
+ # Even though for the public_virtual_ip the port 80 is listening, we
+ # redirect to https in the horizon_options below.
$horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
"${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
}
$horizon_options = {
- 'cookie' => 'SERVERID insert indirect nocache',
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
}
} else {
$horizon_bind_opts = {