From f8e7040a2559f6a5f117af8d2afe11693fbce576 Mon Sep 17 00:00:00 2001 From: Christopher Aedo Date: Mon, 31 Aug 2015 08:24:19 -0700 Subject: [PATCH] Enable CORS for new /api directory and gzip This patch adds access control headers to the location /api/v1/assets. This will allow a Horizon panel to work with the App Catalog directly. For multiple deployments of OpenStack to access the JSON file regardless of their domain name, this additional header (Access-Control-Allow-Origin) must be set to "*" which will enable cross- origin resource sharing which is normally forbidden to prevent security issues related to cross-site scripting. This change also enables compression on the file, giving roughly a 5x reduction in download size. This patch also removes this access control header from /static To provide content at /api/v1/assets this patch replaces a trigger that used to build a JSON file via a shell call in puppet with a call to a script on the server. Authored-By: Christopher Aedo Co-Authored-By: Kevin Fox Change-Id: I4da417908186c24767310d337bc3bbbc07964d48 Closes-Bug: 1490609 --- manifests/init.pp | 21 +++++++++++++++++++-- templates/vhost.erb | 21 +++++++++++++++++++-- 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 325d49a..b5f702c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -35,7 +35,18 @@ class apps_site ( } httpd_mod { 'headers': - ensure => present + ensure => present, + notify => Service['httpd'] + } + + httpd_mod { 'rewrite': + ensure => present, + notify => Service['httpd'] + } + + httpd_mod { 'deflate': + ensure => present, + notify => Service['httpd'] } if ! defined(Package['python-yaml']) { @@ -44,6 +55,12 @@ class apps_site ( } } + if ! defined(Package['zopfli']) { + package { 'zopfli': + ensure => present, + } + } + file { "${root_dir}/openstack_catalog/web/api": ensure => directory, } 
@@ -53,7 +70,7 @@ class apps_site ( } exec { 'make_assets_json' : - command => "python -c 'import sys, yaml, json; json.dump(yaml.load(sys.stdin), sys.stdout)' < ${root_dir}/openstack_catalog/web/static/assets.yaml > ${root_dir}/openstack_catalog/web/api/v1/assets", + command => "${root_dir}/tools/update_assets.sh", path => '/usr/local/bin:/usr/bin:/bin', refreshonly => true, subscribe => Vcsrepo[$root_dir], diff --git a/templates/vhost.erb b/templates/vhost.erb index 3aad69c..e4e2a20 100644 --- a/templates/vhost.erb +++ b/templates/vhost.erb @@ -11,9 +11,26 @@ Allow from all Satisfy Any - /static/> + Header set Access-Control-Allow-Origin "*" - + Header set Content-type "application/json" + Header set Access-Control-Allow-Headers "Origin, Accept-Encoding, Content-Type, X-App-Catalog-Versions" + Header set Access-Control-Max-Age 3600 + Header set Cache-Control max-age=3600 + Header set Access-Control-Allow-Methods "GET, OPTIONS" + SetOutputFilter DEFLATE + + + RewriteEngine On + + RewriteRule "^/api/v1/assets\.gz$" "-" [T=application/json,E=no-gzip:1] + + RewriteCond %{REQUEST_METHOD} OPTIONS + RewriteRule ^(/api/v1/assets)$ /static/blank.json [QSA,L] + + RewriteCond "%{HTTP:Accept-Encoding}" "gzip" + RewriteCond "%{REQUEST_FILENAME}\.gz" -s + RewriteRule "^(/api/v1/assets)" "$1\.gz" [QSA] ErrorLog /var/log/apache2/app_site-error.log
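Review bot: The `make_assets_json` exec now runs `${root_dir}/tools/update_assets.sh`, but nothing orders it after the `zopfli` package this commit adds a few hunks earlier, so on a fresh node the first refresh can fire before zopfli is installed and either fail or produce an `assets` file with no `.gz` beside it. If the script is what consumes zopfli (it is outside this diff, so I am inferring that from the package being added in the same change), add `require => Package['zopfli'],` to the exec and record the relationship with `# tools/update_assets.sh (from the checkout) regenerates web/api/v1/assets and its pre-compressed .gz; needs zopfli`. It is also worth a one-line comment that this exec executes a script taken straight from the Vcsrepo checkout under whatever account runs puppet (typically root), so a commit to that repository is effectively code execution on this host; the inline python it replaces had the same property, but the trust boundary was at least visible in the manifest. The exec's closing brace lies outside this hunk.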
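Review bot: The final RewriteRule chooses the pre-compressed `assets.gz` from the request's `Accept-Encoding`, yet the Location block above marks the response cacheable for an hour (`Header set Cache-Control max-age=3600`) with no `Vary: Accept-Encoding`, so a shared cache or proxy can serve the gzip bytes to a client that never asked for gzip, still labelled `application/json` because the Location matches the unrewritten URI. The same branch sets neither `Content-Encoding: gzip` nor `no-gzip`, so unless the global mime config already maps `.gz` to an encoding (not visible in this diff) the DEFLATE filter in the Location compresses the file a second time; the `E=no-gzip:1` flag is only on the rule for direct `assets.gz` requests. I would flag the rewrite with an environment variable and derive the encoding, the Vary header and the no-gzip exemption from it, as below. The `<Location>` tags seem to have been stripped from this rendering of the hunk, so I am reading the block structure from the header directives.
```apache
    # … unchanged: Access-Control-* and Cache-Control headers …
    Header merge Vary Accept-Encoding
    Header set Content-Encoding gzip env=assets_gz
    SetOutputFilter DEFLATE
    # … unchanged: RewriteEngine On, the .gz T= rule and the OPTIONS preflight rule …
    RewriteCond "%{HTTP:Accept-Encoding}" "gzip"
    RewriteCond "%{REQUEST_FILENAME}\.gz" -s
    RewriteRule "^(/api/v1/assets)" "$1\.gz" [QSA,E=assets_gz:1,E=no-gzip:1]
```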