openstack-ansible-os_horizon/templates/openstack_dashboard.conf.j2
Damian Dabrowski c92f45e3af Fix horizon_enable_ssl logic
Current logic does not allow horizon backend to listen on https
(`horizon_enable_ssl`) if external load balancer serves TLS
(`horizon_external_ssl`).
It basically forces backend to listen on plain http in this case which
does not make any sense. It should be possible to enable TLS on both
loadbalancer and horizon backend.

Additionally, with this patch, role defines a proper
HTTP_X_FORWARDED_PROTO header value(it's included in
`horizon_secure_proxy_ssl_header` and
`horizon_secure_proxy_ssl_header_django` and can be set to 'http' or
'https') based on whether external load balancer listens on https
(`horizon_external_ssl`)[1].
For example if loadbalancer listens on https and backend on http,
HTTP_X_FORWARDED_PROTO should be set to 'https'. Otherwise horizon will
respond with redirection to http.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto

Change-Id: I7706e52c01b3f0d72ea383a0476045e606078cff
2023-04-11 19:35:00 +02:00


# {{ ansible_managed }}
#
# Apache virtual host configuration for the Horizon dashboard.
#
# Inputs (Ansible variables):
#   horizon_listen_ports     - mapping with at least `http` and `https` keys;
#                              every value gets its own Listen directive
#   horizon_enable_ssl       - TLS is terminated by this web server
#   horizon_external_ssl     - an external load balancer in front of this host
#                              terminates TLS (may be combined with the above)
#   horizon_secure_proxy_ssl_header - name of the forwarded-protocol header
#                              that the WSGI application trusts
#
# Bind every configured port on horizon_bind_address.
{% for horizon_listen_port in horizon_listen_ports.values() %}
Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
{% endfor %}
# If horizon is being served via SSL from this web server,
# then we must redirect HTTP requests to HTTPS.
# This extra vhost only listens on the plain HTTP port and answers every
# non-TLS request with a redirect (R without a status code is a 302).
# The redirect target host is taken from the request's Host header
# (%{HTTP_HOST}), so it is only as trustworthy as that header.
{% if (horizon_enable_ssl | bool) %}
<VirtualHost {{ horizon_bind_address }}:{{ horizon_listen_ports.http }}>
ServerName {{ horizon_server_name }}
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
{% endif %}
# Main vhost. It listens on the HTTPS port when horizon_enable_ssl is true
# (TLS terminated here, whether or not an external load balancer also
# terminates TLS) and on the HTTP port otherwise. horizon_external_ssl only
# influences the forwarded-protocol header below, not the listening port.
<VirtualHost {{ horizon_bind_address }}:{{ (horizon_enable_ssl | bool) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
ServerName {{ horizon_server_name }}
LogLevel {{ horizon_log_level }}
ErrorLog syslog:daemon
CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }}
Options +FollowSymLinks
# TLS settings for the backend listener; only rendered when this web server
# terminates TLS itself.
{% if horizon_enable_ssl | bool %}
SSLEngine on
SSLCertificateFile {{ horizon_ssl_cert }}
SSLCertificateKeyFile {{ horizon_ssl_key }}
# NOTE(review): the guard tests horizon_user_ssl_ca_cert but the path used is
# horizon_ssl_ca_cert; presumably the former is the user-supplied source and
# the latter the deployed copy - confirm against the role's tasks.
{% if horizon_user_ssl_ca_cert is defined -%}
SSLCACertificateFile {{ horizon_ssl_ca_cert }}
{% endif -%}
# TLS-level compression stays off; the server's cipher preference wins over
# the client's.
SSLCompression Off
SSLProtocol {{ horizon_ssl_protocol }}
SSLHonorCipherOrder On
# Cipher suites are configured separately for TLS <= 1.2 and for TLS 1.3;
# an empty variable leaves the mod_ssl default for that protocol in place.
{% if horizon_ssl_cipher_suite_tls12 != "" -%}
SSLCipherSuite {{ horizon_ssl_cipher_suite_tls12 }}
{% endif -%}
{% if horizon_ssl_cipher_suite_tls13 != "" -%}
SSLCipherSuite TLSv1.3 {{ horizon_ssl_cipher_suite_tls13 }}
{% endif -%}
# Legacy workaround carried over from the mod_ssl examples for old MSIE
# clients that do not close TLS connections cleanly.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
{% endif %}
# Forwarded-protocol header handed to the WSGI application.
# `RequestHeader set` replaces any value the client sent, so a client cannot
# spoof this header through this vhost. The value is static per deployment:
# "https" whenever an external load balancer terminates TLS, "http" otherwise.
# Because it is set on every request regardless of how the request arrived,
# it is only accurate if all traffic reaches this port through that load
# balancer when horizon_external_ssl is true.
{% if horizon_external_ssl | bool %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https"
{% else %}
RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http"
{% endif %}
# mod_wsgi daemon mode. The process count falls back to the thread count
# when horizon_wsgi_processes is unset.
WSGIScriptAlias / {{ horizon_lib_wsgi_file }}
WSGIDaemonProcess horizon user={{ horizon_system_user_name }} group={{ horizon_system_group_name }} processes={{ horizon_wsgi_processes | default(horizon_wsgi_threads) }} threads={{ horizon_wsgi_threads }} python-path={{ horizon_lib_dir | dirname }}/site-packages
WSGIProcessGroup horizon
WSGIApplicationGroup %{GLOBAL}
# Access control for the WSGI entry point only (not the whole directory),
# using the pre-2.4 and 2.4+ authorization syntax respectively.
<Directory {{ horizon_lib_wsgi_file | dirname }}>
<Files {{ horizon_lib_wsgi_file | basename }} >
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Files>
</Directory>
# Static assets are served directly by Apache; symlinks are not followed
# here, unlike the vhost-wide +FollowSymLinks above.
Alias /static {{ horizon_lib_dir }}/static/
<Directory {{ horizon_lib_dir }}/static/>
Options -FollowSymlinks
<IfVersion < 2.4>
AllowOverride None
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
</VirtualHost>