From f8de51a85da685f92900ea17aef8b16a32661843 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Fri, 18 Mar 2016 10:30:55 +0200
Subject: Redirect to https for horizon

This adds a TLS binding listening on the internal network for horizon. And on the other hand, if the public binding for horizon is accessed via non-https, it will redirect to https.
Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4
Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
---
 manifests/loadbalancer.pp | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
(limited to 'manifests')
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..901ffcd 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -855,13 +855,25 @@ class tripleo::loadbalancer (
 $horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
 if $horizon_bind_certificate {
+ # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
+ # same, the first option takes precedence. Which is the case when network
+ # isolation is not enabled. This is not a problem as both options are
+ # identical. If network isolation is enabled, this works correctly and
+ # will add a TLS binding to both the horizon_vip and the
+ # public_virtual_ip.
+ # Even though for the public_virtual_ip the port 80 is listening, we
+ # redirect to https in the horizon_options below.
 $horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
 }
 $horizon_options = {
- 'cookie' => 'SERVERID insert indirect nocache',
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
 }
 } else {
 $horizon_bind_opts = {
--
cgit 1.2.3-korg
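Review bot: The new `'redirect'` entry in `$horizon_options` only fires when the client-supplied Host header is exactly `${public_virtual_ip}`, so a port-80 request that names the VIP by DNS, or sends a Host of the form `ip:80`, is not matched and is served over plain HTTP, login form included. Because a certificate is being bound, users probably reach Horizon by name rather than by bare IP, which would make the unmatched case the common one (inferred; the hunk does not show how the VIP is published). Keying the rule on the connection's destination rather than on a request header closes that gap: `'redirect' => "scheme https code 301 if { dst ${public_virtual_ip} } !{ ssl_fc }",`. The NOTE above it would then read better as `# NOTE(jaosorior): Plain-HTTP connections arriving on the public_virtual_ip are always redirected to https; horizon_vip:80 is left as is.`, which also records that the internal binding stays unredirected when network isolation is on. The `else` branch and the rest of the class lie outside the hunk.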