authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-02-22 15:09:05 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-02-22 15:26:54 +0200
commit5f915a88e7c4eec6e6a0341808f0fbc4a4b1a161 (patch)
tree6f24fd2f26519e53b9c35c53f8db0bcc20716a57
parent94a1aefd6213180804db4c7da9de477e1cc51a31 (diff)
Override X-Forwarded-Proto header
Right now, the only manipulation done to the X-Forwarded-Proto header is done if an SSL connection is established. This is not sufficient as one might be able to erroneously put values through that header. This patch disables that behaviour by defaulting to plain http if an SSL connection is not established. Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
-rw-r--r--manifests/loadbalancer.pp20
1 files changed, 15 insertions, 5 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 9e8c3b6..387f022 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -726,7 +726,9 @@ class tripleo::loadbalancer (
}
$heat_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
}
$heat_cw_bind_opts = {
"${heat_api_vip}:8003" => $haproxy_listen_bind_param,
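Review bot: The same two-rule `http-request` list is written out here in `$heat_options` and again in the hunks at -843, -861, -893 and -995, with no comment explaining why the `!{ ssl_fc }` rule is needed. Defining the list once as a class-level variable and referencing it from each `options` hash would keep the five copies from drifting apart. A comment above it would record the intent, for example `# Always overwrite X-Forwarded-Proto so a client-supplied value never reaches the backend`. The override only protects listeners that carry these options, so any other `mode => 'http'` listener in this class (not visible in these hunks) would presumably still pass the client's header through and should be checked. The class body starts and ends outside the hunk.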
@@ -843,7 +845,9 @@ class tripleo::loadbalancer (
collect_exported => false,
mode => 'http', # Needed for http-request option
options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
}
haproxy::balancermember { 'keystone_admin':
@@ -861,7 +865,9 @@ class tripleo::loadbalancer (
collect_exported => false,
mode => 'http', # Needed for http-request option
options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
}
haproxy::balancermember { 'keystone_public':
@@ -893,7 +899,9 @@ class tripleo::loadbalancer (
collect_exported => false,
mode => 'http', # Needed for http-request option
options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
}
haproxy::balancermember { 'cinder':
@@ -995,7 +1003,9 @@ class tripleo::loadbalancer (
collect_exported => false,
mode => 'http',
options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
}
haproxy::balancermember { 'nova_osapi':