Added X-Forwarded-Proto headers for horizon

When enabling federated authentication with keystone, and then enabling websso
in horizon, the URL horizon constructs for the redirect is done internally, and
django needs to be able to know if it has to construct the url with http or
https. By setting this header at the haproxy level, horizon can make the correct
decision.

Change-Id: I0281fe1e5efa0d3f5983342dec70752246d9fca8

1 files changed, 7 insertions, 4 deletions

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index e2b2cc9..e72d915 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -414,11 +414,14 @@ class tripleo::haproxy (
       "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
     }
     $horizon_options = {
-      'cookie'   => 'SERVERID insert indirect nocache',
-      'rsprep'   => '^Location:\ http://(.*) Location:\ https://\1',
+      'cookie'       => 'SERVERID insert indirect nocache',
+      'rsprep'       => '^Location:\ http://(.*) Location:\ https://\1',
       # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
-      'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
-      'option'   => 'forwardfor',
+      'redirect'     => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+      'option'       => 'forwardfor',
+      'http-request' => [
+          'set-header X-Forwarded-Proto https if { ssl_fc }',
+          'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
     }
   } else {
     $horizon_bind_opts = {