From 5f915a88e7c4eec6e6a0341808f0fbc4a4b1a161 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Mon, 22 Feb 2016 15:09:05 +0200
Subject: Override X-Forwarded-Proto header

Right now, the only manipulation done to the X-Forwarded-Proto header is done if an SSL connection is established. This is not sufficient as one might be able to erroneously put values through that header. This patch disables that behaviour by defaulting to plain http if an SSL connection is not established.

Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
---
manifests/loadbalancer.pp | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
(limited to 'manifests')

diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 9e8c3b6..387f022 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -726,7 +726,9 @@ class tripleo::loadbalancer (
 }
 $heat_options = {
 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 }
 $heat_cw_bind_opts = {
 "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
@@ -843,7 +845,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'keystone_admin':
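Review bot: The same pair of `http-request` rules is now pasted into five option hashes (`$heat_options` and the `options` of the listen blocks preceding the keystone_admin, keystone_public, cinder and nova_osapi balancermembers), so a listener added or edited later can easily end up with only the `https` rule and again forward a client-supplied X-Forwarded-Proto on plain connections. Defining the list once, e.g. `$forwarded_proto_rules = ['set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }']`, and writing `'http-request' => $forwarded_proto_rules` in each hash keeps them in step. A comment such as `# Always overwrite X-Forwarded-Proto so a client-supplied value never reaches the backend` would record why both branches are needed. The class body lies outside these hunks, so any other `mode => 'http'` listeners there should be checked for the same pair, and if the backends also honour the RFC 7239 `Forwarded` header it presumably needs the same treatment.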
@@ -861,7 +865,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'keystone_public':
@@ -893,7 +899,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'cinder':
@@ -995,7 +1003,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http',
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'nova_osapi':
-- cgit 1.2.3-korg