From b7fe58567704920a819128d43a8aa38807ebba9a Mon Sep 17 00:00:00 2001 From: Graeme Gillies Date: Wed, 24 Aug 2016 11:32:09 +1000 Subject: Added X-Forwarded-Proto headers for horizon When enabling federated authentication with keystone, and then enabling websso in horizon, the URL horizon constructs for the redirect is done internally, and django needs to be able to know if it has to construct the url with http or https. By setting this header at the haproxy level, horizon can make the correct decision. Change-Id: I0281fe1e5efa0d3f5983342dec70752246d9fca8 --- manifests/haproxy.pp | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'manifests') diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index e2b2cc9..e72d915 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -414,11 +414,14 @@ class tripleo::haproxy ( "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), } $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', + 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'option' => 'forwardfor', + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], } } else { $horizon_bind_opts = { -- cgit 1.2.3-korg