author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-03-01 09:34:16 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-03-01 09:34:16 +0200 |
commit | 3aefa43072d9453412376a9bdedd949e03c926a5 (patch) | |
tree | 71341d4e23d52a54b34ba4783e5c3f48052e777a | |
parent | 5f915a88e7c4eec6e6a0341808f0fbc4a4b1a161 (diff) |
Always override X-Forwarded-Proto header for Heat
Heat has the ssl middleware to handle the X-Forwarded-Proto header by
default. We override this header when SSL is enabled because we need
to, but overriding it even when we won't be terminating SSL will
prevent some attacks using this header.
Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
-rw-r--r-- | manifests/loadbalancer.pp | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 387f022..4e5c37f 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -719,17 +719,19 @@ class tripleo::loadbalancer (
 }
 $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
+ $heat_base_options = {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
 if $heat_bind_certificate {
 $heat_bind_opts = {
 "${heat_api_vip}:8004" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:13004" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
 }
- $heat_options = {
+ $heat_ssl_options = {
 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 }
+ $heat_options = merge($heat_base_options, $heat_ssl_options)
 $heat_cw_bind_opts = {
 "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:13003" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
@@ -743,7 +745,7 @@ class tripleo::loadbalancer (
 "${heat_api_vip}:8004" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:8004" => $haproxy_listen_bind_param,
 }
- $heat_options = {}
+ $heat_options = $heat_base_options
 $heat_cw_bind_opts = {
 "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:8003" => $haproxy_listen_bind_param, |
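Review bot: The `http-request set-header` rules in `$heat_base_options` only take effect on listeners running in HTTP mode, and the `haproxy::listen` resources that consume `$heat_options` lie outside this hunk. Please confirm the mode for every listener that receives these options, including the ones bound through `$heat_cw_bind_opts`. The override also covers only `X-Forwarded-Proto`, so if Heat is configured to read the scheme from a different header, that header stays client-controlled. A comment above the hash would keep the intent visible, for example `# Always overwrite X-Forwarded-Proto so a client-supplied value never reaches Heat's ssl middleware.`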
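Review bot: None of the binds visible in the non-certificate branch add `ssl`, so `ssl_fc` is presumably never true there and `$heat_options = $heat_base_options` forces `X-Forwarded-Proto: http` on every request. That is the intended hardening, but it also overwrites the value set by any TLS terminator placed in front of HAProxy, and Heat would then treat those HTTPS clients as plain HTTP. That assumption deserves a comment next to the assignment, e.g. `# No TLS on these binds: any incoming X-Forwarded-Proto is untrusted and replaced with http.` A spec test asserting that the `http-request` options are present when `$heat_bind_certificate` is unset would guard against regressions. The `else` branch starts and ends outside the hunk.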