Define X-Forwarded-Proto for keystone

Add X-Forwarded-Proto header based on the haproxy termination and if keystone configured to use SSL for internal connection Change-Id: Ia627e19923e1e24d2fede49aefb7251bb75d88de
2022-02-09 13:18:52 +02:00 · 2022-02-09 13:18:52 +02:00 · 6fae2bdade
parent 419cb210a9
commit 6fae2bdade
2 changed files with 8 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -252,10 +252,10 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>

 # Set to true when terminating SSL/TLS at a load balancer
-keystone_external_ssl: false
+keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"

 # External SSL forwarding proto
-keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
+keystone_secure_proxy_ssl_header: X-Forwarded-Proto

 ## Override memcached_servers
 keystone_memcached_servers: "{{ memcached_servers }}"
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -21,6 +21,12 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
    {% endif -%}
    Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"

+    {% if (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
+    RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
+    {% elif not (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
+    RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
+    {% endif %}
+
    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}