openstack
/
openstack-ansible-os_keystone
Code Issues Proposed changes

Fix keystone_secure_proxy_ssl_header logic 

Previous commit [1] introduced logic that breaks proper service
discovery. Now we're fixing logic, following next rules/assumptiuons:
+----------+---------+---------------+
| HAProxy  | Apache  | RequestHeader |
+----------+---------+-- ------------+
| non-SSL  | non-SSL | http          |
| non-SSL  | SSL     | http          |
| SSL      | SSL     | https         |
| SSL      | non-SSL | https         |
+----------+---------+---------------+

[1] 6fae2bdade

Change-Id: Ibf7759eea63b7150aeae655c10eccc69cd3417ea
This commit is contained in:
Dmitriy Rabotyagov 2022-08-12 10:54:54 +02:00 committed by Dmitriy Rabotyagov
parent e26aabe440
commit 33ee3fcb17
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
templates/keystone-httpd.conf.j2
View File

@ -20,9 +20,9 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
{% endif -%}
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
{% if (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
{% if (keystone_external_ssl | bool) %}
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
{% elif not (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
{% else %}
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
{% endif %}