author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-02-22 15:09:05 +0200 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2016-02-22 15:26:54 +0200 |
commit | 5f915a88e7c4eec6e6a0341808f0fbc4a4b1a161 (patch) | |
tree | 6f24fd2f26519e53b9c35c53f8db0bcc20716a57 | |
parent | 94a1aefd6213180804db4c7da9de477e1cc51a31 (diff) |
Override X-Forwarded-Proto header
Right now, the X-Forwarded-Proto header is only manipulated if an SSL
connection is established. This is not sufficient, as one might still be
able to pass erroneous values through that header.
This patch disables that behaviour by defaulting to plain http if an
SSL connection is not established.
Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
-rw-r--r-- | manifests/loadbalancer.pp | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 9e8c3b6..387f022 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -726,7 +726,9 @@ class tripleo::loadbalancer (
 }
 $heat_options = {
 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 }
 $heat_cw_bind_opts = {
 "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
@@ -843,7 +845,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'keystone_admin':
@@ -861,7 +865,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'keystone_public':
@@ -893,7 +899,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'cinder':
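Review bot: The same two-rule `http-request` array is now repeated verbatim in five places (`$heat_options` here, and the keystone_admin, keystone_public, cinder and nova_osapi listen options in the later hunks), so a future listener that copies only part of it, or none, would again pass a client-supplied X-Forwarded-Proto through to the backend. Defining it once, e.g. `$x_forwarded_proto_rules = ['set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }']`, and using `'http-request' => $x_forwarded_proto_rules,` at each site would keep the override uniform. Whether the other listeners in this class need the same override cannot be seen from these hunks and is worth checking. A short comment at the definition should say that `ssl_fc` reflects only TLS on the connection to this HAProxy, so a deployment behind another TLS terminator would have its requests marked http. The class body starts and ends outside the hunks.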
@@ -995,7 +1003,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http',
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'nova_osapi': |