From 39c950ba4ebc10ff16b11ab0740231a0e74e309e Mon Sep 17 00:00:00 2001
From: Travis Truman
Date: Fri, 4 Mar 2016 18:00:48 -0500
Subject: [PATCH] Role should default to no external SSL termination

This decouples the role more completely from the AIO build default configuration in Id87fab39c929e0860abbc3755ad386aa6893b151 which enables SSL termination at the HAProxy LB. Variable naming should match what is in Id87fab39c929e0860abbc3755ad386aa6893b151 to allow the AIO configuration to enable external SSL termination. And, bringing in changes from I1c654501d0c8573734c52b9c20ba4b5713d667c1 that were missed.

Change-Id: I0fd26ec60f02e68688ea864d0d7880f73e6df780
---
 defaults/main.yml | 3 ++-
 tasks/main.yml | 7 ++++---
 templates/horizon_local_settings.py.j2 | 5 +++--
 templates/openstack_dashboard.conf.j2 | 6 ++++--
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 7c6d7793..152df280 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -98,7 +98,8 @@ horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizo
 # Set this to True if you do ssl termination on an external device, like the
 # load balancer
-horizon_ssl_external: true
+horizon_external_ssl: false
+
 # Set this to the header that your device sets when doing ssl termination
 horizon_secure_proxy_ssl_header: "X-Forwarded-Proto"
 horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index fe8fb227..8ae921e1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
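Review bot: The rename from `horizon_ssl_external` to `horizon_external_ssl` has no fallback, so an operator who already overrides the old name will silently get the new default of `false` and the role will start generating its own certificate and serving TLS locally behind a load balancer that already terminates it. Either keep a one-release shim such as `horizon_external_ssl: "{{ horizon_ssl_external | default(false) }}"` or call the rename out in a release note. The comment above `horizon_secure_proxy_ssl_header` should also state its new scope, e.g. `# Only used when horizon_external_ssl is true; the terminating device must set this header itself and discard any value supplied by the client`, since the header is now what tells Django a request was HTTPS.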
@@ -22,11 +22,12 @@ inventory_hostname == groups['horizon_all'][0]
 - include: horizon_ssl_self_signed.yml
- when: >
- horizon_user_ssl_cert is not defined or
- horizon_user_ssl_key is not defined
+ when:
+ - not horizon_external_ssl|bool
+ - horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined
 - include: horizon_ssl_user_provided.yml
+ when: not horizon_external_ssl|bool
 - include: horizon_service_setup.yml
diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2
index e895fd97..a5d69c65 100644
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
@@ -34,13 +34,14 @@ WEBROOT = '{{ horizon_webroot }}'
 # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = ['*']
+{% if horizon_external_ssl | bool %}
 # Set SSL proxy settings:
 # For Django 1.4+ pass this header from the proxy after terminating the SSL,
 # and don't forget to strip it from the client's request.
 # For more information see:
 # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
-#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
-#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_PROXY_SSL_HEADER = ('{{ horizon_secure_proxy_ssl_header_django }}', 'https')
+{% endif %}
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
diff --git a/templates/openstack_dashboard.conf.j2 b/templates/openstack_dashboard.conf.j2
index 979fd3e3..7a96996f 100644
--- a/templates/openstack_dashboard.conf.j2
+++ b/templates/openstack_dashboard.conf.j2
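Review bot: With `horizon_external_ssl` true both certificate includes are now skipped, so nothing ever writes a file at `horizon_ssl_cert` or `horizon_ssl_key`; any task or template line outside the guarded blocks that still names those paths (not visible in this hunk) would fail on first run. The two `when:` guards also repeat the same condition without saying why, which is easy to break when a third include is added. A short comment above the first include would make the contract explicit, e.g. `# Both certificate tasks are skipped when SSL is terminated externally; the 443 vhost must not reference horizon_ssl_cert/horizon_ssl_key in that mode.` The task list continues past the end of this hunk.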
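Review bot: `SECURE_PROXY_SSL_HEADER` makes Django treat any request that carries the named header with value `https` as secure, so the new variable-driven line is only safe if the terminating device sets that header on every forwarded request and overwrites anything the client sent. The surviving comment still speaks of "this header" as if it were a fixed value; now that the name comes from `horizon_secure_proxy_ssl_header_django`, the comment should say so, e.g. `# Header name is taken from horizon_secure_proxy_ssl_header; the device terminating TLS must set it itself and drop the client's copy.` The cookie-secure settings mentioned in the comment just below the hunk are outside it; if they are tied to local SSL, they should presumably stay enabled in the external-termination case as well, since the client connection is still HTTPS — worth confirming.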
@@ -3,21 +3,23 @@ {% set _wsgi_threads = ansible_processor_vcpus | default(2) // 2 %} {% set wsgi_threads = _wsgi_threads if _wsgi_threads > 0 else 1 %} +{% if not horizon_external_ssl | bool %} ServerName {{ horizon_server_name }} RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L] +{% endif %} - + ServerName {{ horizon_server_name }} LogLevel {{ horizon_log_level }} ErrorLog /var/log/horizon/horizon-error.log CustomLog /var/log/horizon/ssl_access.log combined Options +FollowSymLinks - +{% if not horizon_external_ssl | bool %} SSLEngine on SSLCertificateFile {{ horizon_ssl_cert }} SSLCertificateKeyFile {{ horizon_ssl_key }}