Add http_proxy_to_wsgi to api-paste

This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The
purpose of this middleware is to set up the request URL correctly in
case there is a proxy (for instance, a load balancer such as HAProxy)
in front of Neutron.

So, for instance, when TLS connections are being terminated in the
proxy, and one tries to get the versions from the / resource of
Neutron, one will notice that the protocol is incorrect; it will show
'http' instead of 'https'. So this middleware handles such cases,
thus helping Keystone discovery work correctly.

The HTTPProxyToWSGI is off by default and needs to be enabled via a
configuration value.

Change-Id: Ice9ee8f4e04050271d59858f92034c230325718b
Closes-Bug: #1590608
Juan Antonio Osorio Robles 2016-10-10 08:56:12 +03:00
parent fcd47cca6e
commit 19c354aacd
3 changed files with 19 additions and 4 deletions

@ -5,13 +5,13 @@ use = egg:Paste#urlmap
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
[composite:neutronversions_composite]
use = call:neutron.auth:pipeline_factory
noauth = cors neutronversions
keystone = cors neutronversions
noauth = cors http_proxy_to_wsgi neutronversions
keystone = cors http_proxy_to_wsgi neutronversions
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory
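Review bot: in both composites http_proxy_to_wsgi runs ahead of authtoken, and the neutronversions_composite pipelines have no authtoken at all, so once the option is enabled the forwarded-protocol header is honoured on unauthenticated requests. That is only safe when the proxy is the sole path to Neutron and overwrites any client-supplied X-Forwarded-Proto value. Please state that deployment requirement in the commit message or the docs so operators do not enable the option on an API endpoint that clients can reach directly.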
@ -23,6 +23,9 @@ paste.filter_factory = oslo_middleware:CatchErrors.factory
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = neutron
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
[filter:keystonecontext]
paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
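Review bot: the new [filter:http_proxy_to_wsgi] section has no oslo_config_project line, while the cors filter directly above it sets oslo_config_project = neutron. Please confirm the middleware still reads its enable switch from Neutron's configuration without that line, or add it so the two oslo.middleware filters are configured the same way.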

@ -14,6 +14,7 @@ namespace = oslo.policy
namespace = oslo.concurrency
namespace = oslo.messaging
namespace = oslo.middleware.cors
namespace = oslo.middleware.http_proxy_to_wsgi
namespace = oslo.service.sslutils
namespace = oslo.service.wsgi
namespace = keystonemiddleware.auth_token

@ -0,0 +1,11 @@
---
features:
- Middleware was added to parse the X-Forwarded-Proto HTTP header or the
Proxy protocol in order to help neutron respond with the correct URL refs
when it's put behind a TLS proxy (such as HAProxy). This adds
http_proxy_to_wsgi middleware to the pipeline. This middleware is disabled
by default, but can be enabled via a configuration option in the
oslo_middleware group.
upgrade:
- The api-paste.ini configuration file for the paste pipeline was updated to
add the http_proxy_to_wsgi middleware.
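Review bot: the features entry says the middleware can be enabled via "a configuration option in the oslo_middleware group" but never names it; name the option (enable_proxy_headers_parsing in oslo.middleware) so operators do not have to search for it. The upgrade entry should also say that deployments carrying a customised api-paste.ini must add http_proxy_to_wsgi to their pipelines and add the [filter:http_proxy_to_wsgi] section by hand, because turning the option on has no effect when the filter is missing from the pipeline.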