From 5b79aa6066e7bdd06d73e09f2aa14a0e80d1f630 Mon Sep 17 00:00:00 2001
From: Mathias Ewald <mewald@evoila.de>
Date: Thu, 1 Dec 2016 20:22:11 +0100
Subject: [PATCH] Fix X-Forward-Proto Header Deletion

Deletion of X-Forwarded-Proto only happens if HAProxy manages SSL
termination

Change-Id: I9acd425330749a0fe296c9b9f8262f82ebf9de49
Closes-Bug: #1646593
---
 .../roles/haproxy/templates/haproxy.cfg.j2    | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
index abedfbf024..cb40f555cc 100644
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -55,7 +55,7 @@ listen mongodb
 {% if enable_keystone | bool %}
 listen keystone_internal
   bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['keystone'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
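Review bot: On `keystone_internal` the `bind` line carries no TLS parameters, so `ssl_fc` can never be true here and the new `del-header X-Forwarded-Proto if { ssl_fc }` rule never fires: a client-supplied `X-Forwarded-Proto` is now always forwarded to the backend. Any backend that derives the request scheme from that header (presumably for redirect or secure-cookie decisions) then trusts a value the caller controls. If the intent is to keep the header set by an upstream TLS terminator, strip it for every other source instead, e.g. `http-request del-header X-Forwarded-Proto unless { src <trusted_proxy_cidr> }`, where `<trusted_proxy_cidr>` is a placeholder for the terminator's address range. The same applies to the other listeners in this patch whose bind line has no `{{ tls_bind_info }}`: keystone_admin, nova_api, nova_metadata, nova_novncproxy, horizon, cinder_api, cloudkitty_api, heat_api, heat_api_cfn, grafana_server and congress_api.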
@@ -63,7 +63,7 @@ listen keystone_internal
 
 listen keystone_external
   bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['keystone'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
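Review bot: In `keystone_external` the conditional delete is redundant with the `http-request set-header X-Forwarded-Proto https if { ssl_fc }` line right after it, because `set-header` already replaces any existing value under the same condition; the line could be dropped, or kept with a comment such as `# keep X-Forwarded-Proto from an upstream TLS terminator when HAProxy does not terminate TLS itself`. What the hunk actually changes is the non-TLS case: if `{{ tls_bind_info }}` renders empty, a header sent by any client that reaches the external VIP is passed to the backend unmodified, so this is only safe when that VIP is reachable solely through the upstream terminator. The other `*_external` hunks (nova, horizon, cinder, cloudkitty, heat, grafana, kibana, congress) repeat the same pattern. The listen section continues past the end of the hunk.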
@@ -72,7 +72,7 @@ listen keystone_external
 
 listen keystone_admin
   bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['keystone'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -103,14 +103,14 @@ listen glance_api_external
 {% if enable_nova | bool %}
 listen nova_api
   bind {{ kolla_internal_vip_address }}:{{ nova_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['nova-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen nova_metadata
   bind {{ kolla_internal_vip_address }}:{{ nova_metadata_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['nova-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -118,7 +118,7 @@ listen nova_metadata
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy
   bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
@@ -134,7 +134,7 @@ listen nova_spicehtml5proxy
 
 listen nova_api_external
   bind {{ kolla_external_vip_address }}:{{ nova_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
@@ -142,7 +142,7 @@ listen nova_api_external
 
 listen nova_metadata_external
   bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
@@ -151,7 +151,7 @@ listen nova_metadata_external
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy_external
   bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
@@ -159,7 +159,7 @@ listen nova_novncproxy_external
 {% elif nova_console == 'spice' %}
 listen nova_spicehtml5proxy_external
   bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-spicehtml5proxy'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
@@ -188,7 +188,7 @@ listen neutron_server_external
 listen horizon
   bind {{ kolla_internal_vip_address }}:80
   balance source
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['horizon'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -198,7 +198,7 @@ listen horizon
 listen horizon_external
   bind {{ kolla_external_vip_address }}:443 {{ tls_bind_info }}
   balance source
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['horizon'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
@@ -220,7 +220,7 @@ listen horizon_external
 {% if enable_cinder | bool %}
 listen cinder_api
   bind {{ kolla_internal_vip_address }}:{{ cinder_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['cinder-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -228,7 +228,7 @@ listen cinder_api
 
 listen cinder_api_external
   bind {{ kolla_external_vip_address }}:{{ cinder_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cinder-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
@@ -239,7 +239,7 @@ listen cinder_api_external
 {% if enable_cloudkitty | bool %}
 listen cloudkitty_api
   bind {{ kolla_internal_vip_address }}:{{ cloudkitty_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['cloudkitty-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -247,7 +247,7 @@ listen cloudkitty_api
 
 listen cloudkitty_api_external
   bind {{ kolla_external_vip_address }}:{{ cloudkitty_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cloudkitty-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5
@@ -258,14 +258,14 @@ listen cloudkitty_api_external
 {% if enable_heat | bool %}
 listen heat_api
   bind {{ kolla_internal_vip_address }}:{{ heat_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['heat-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 
 listen heat_api_cfn
   bind {{ kolla_internal_vip_address }}:{{ heat_api_cfn_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -273,7 +273,7 @@ listen heat_api_cfn
 
 listen heat_api_external
   bind {{ kolla_external_vip_address }}:{{ heat_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
@@ -281,7 +281,7 @@ listen heat_api_external
 
 listen heat_api_cfn_external
   bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
@@ -292,7 +292,7 @@ listen heat_api_cfn_external
 {% if enable_grafana | bool %}
 listen grafana_server
   bind {{ kolla_internal_vip_address }}:{{ grafana_server_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['grafana'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5
@@ -301,7 +301,7 @@ listen grafana_server
 
 listen grafana_server_external
   bind {{ kolla_external_vip_address }}:{{ grafana_server_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['grafana'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5
@@ -513,7 +513,7 @@ listen kibana
 
 listen kibana_external
   bind {{ kolla_external_vip_address }}:{{ kibana_server_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
   acl auth_acl http_auth(kibanauser)
   http-request auth realm basicauth unless auth_acl
@@ -615,7 +615,7 @@ listen trove_api_external
 {% if enable_congress | bool %}
 listen congress_api
   bind {{ kolla_internal_vip_address }}:{{ congress_api_port }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
 {% for host in groups['congress-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@@ -623,7 +623,7 @@ listen congress_api
 
 listen congress_api_external
   bind {{ kolla_external_vip_address }}:{{ congress_api_port }} {{ tls_bind_info }}
-  http-request del-header X-Forwarded-Proto
+  http-request del-header X-Forwarded-Proto if { ssl_fc }
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['congress-api'] %}
   server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5