Rely on HTTP_HOST sent by clients for redirection

The dashboard may have multiple networks and IP addresses. We will never be
able to determine where to redirect reliably. Also, redirecting
access from an internal network to a public IP address may not be what
users want. Instead, use HTTP_HOST sent by the client and let the
client's browser reveal SSL related errors if any.

Change-Id: I9f4c734a61d3ab07f3f7c9a1a073eede73ae4651
Closes-Bug: #1710930
Closes-Bug: #1713198
Nobuto Murata 2017-08-26 18:10:22 +07:00 committed by James Page
parent d4c0d5f91f
commit 289d5bb66b
5 changed files with 23 additions and 15 deletions


@ -31,9 +31,6 @@ from charmhelpers.contrib.openstack.context import (
HAProxyContext,
context_complete
)
from charmhelpers.contrib.openstack.ip import (
resolve_address,
)
from charmhelpers.contrib.openstack.utils import (
git_default_repos,
git_pip_venv_dir,
@ -211,13 +208,14 @@ class ApacheContext(OSContextGenerator):
''' Grab cert and key from configuraton for SSL config '''
ctxt = {
'http_port': 70,
'https_port': 433
'https_port': 433,
'enforce_ssl': False
}
if config('enforce-ssl'):
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
if all(get_cert()):
ctxt['ssl_addr'] = resolve_address()
ctxt['enforce_ssl'] = True
else:
log("Enforce ssl redirect requested but ssl not configured - "
"skipping redirect", level=WARNING)


@ -263,6 +263,7 @@ def enable_ssl():
''' Enable SSL support in local apache2 instance '''
subprocess.call(['a2ensite', 'default-ssl'])
subprocess.call(['a2enmod', 'ssl'])
subprocess.call(['a2enmod', 'rewrite'])
def determine_packages():
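Review bot: The added `subprocess.call(['a2enmod', 'rewrite'])` discards its exit status, as do the two calls above it, but this commit also makes the HTTP vhost template emit `RewriteEngine On` when `enforce_ssl` is true. If enabling the module fails, Apache will reject that directive at the next config load and the failure will surface far from its cause; `subprocess.check_call(['a2enmod', 'rewrite'])` would fail the hook at the point of the problem. Whether `enable_ssl()` always runs before the template is rendered with `enforce_ssl` set is not visible in this hunk and is worth confirming.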


@ -1,8 +1,9 @@
<VirtualHost *:{{ http_port }}>
{% if ssl_addr -%}
RedirectPermanent / https://{{ ssl_addr }}:443/
{%- endif %}
{% if enforce_ssl %}
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
{% endif %}
ServerAdmin webmaster@localhost
DocumentRoot /var/www
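Review bot: The redirect target in `RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]` is copied verbatim from the request's Host header, and nothing visible in this `<VirtualHost *:{{ http_port }}>` restricts which Host values are accepted, so whatever a client or intermediary sends is reflected into the Location header of a cacheable permanent redirect. `%{HTTP_HOST}` also keeps the port when the client sent one, which would yield an `https://` URL pointing at the plain-HTTP port. Consider capturing and validating the host first, e.g. `RewriteCond %{HTTP_HOST} ^([A-Za-z0-9.-]+)(:[0-9]+)?$` followed by `RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]`; requests that do not match (including bracketed IPv6 literals) would then need an explicit fallback or rejection. The rest of the vhost lies outside the hunk, so a `ServerName`/`ServerAlias` restriction may exist that is not shown here.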


@ -32,7 +32,6 @@ TO_PATCH = [
'local_unit',
'unit_get',
'pwgen',
'resolve_address',
]
@ -63,14 +62,22 @@ class TestHorizonContexts(CharmTestCase):
def test_Apachecontext(self):
self.assertEqual(horizon_contexts.ApacheContext()(),
{'http_port': 70, 'https_port': 433})
{'http_port': 70, 'https_port': 433,
'enforce_ssl': False})
def test_Apachecontext_enforce_ssl(self):
self.test_config.set('enforce-ssl', True)
self.resolve_address.return_value = 'horizon.example.stack'
self.assertEqual(horizon_contexts.ApacheContext()(),
{'http_port': 70, 'https_port': 433,
'ssl_addr': 'horizon.example.stack'})
self.get_cert.return_value = ('cert', 'key')
self.assertEquals(horizon_contexts.ApacheContext()(),
{'http_port': 70, 'https_port': 433,
'enforce_ssl': True})
def test_Apachecontext_enforce_ssl_no_cert(self):
self.test_config.set('enforce-ssl', True)
self.get_cert.return_value = (None, 'key')
self.assertEquals(horizon_contexts.ApacheContext()(),
{'http_port': 70, 'https_port': 433,
'enforce_ssl': False})
@patch.object(horizon_contexts, 'get_ca_cert', lambda: None)
@patch('os.chmod')
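Review bot: The two new tests, `test_Apachecontext_enforce_ssl` and `test_Apachecontext_enforce_ssl_no_cert`, call `self.assertEquals(...)`, a deprecated alias that was removed from unittest in Python 3.12, while `test_Apachecontext` directly above uses `self.assertEqual`; switch both to `self.assertEqual`. These tests cover only the context dictionary, so the Host-based rewrite in the vhost template is not exercised by anything in this section. A short comment on the no-cert test such as `# enforce-ssl must stay off when cert or key is missing` would make the security intent of that case explicit.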


@ -80,7 +80,8 @@ class TestHorizohorizon_utils(CharmTestCase):
horizon_utils.enable_ssl()
_call.assert_has_calls([
call(['a2ensite', 'default-ssl']),
call(['a2enmod', 'ssl'])
call(['a2enmod', 'ssl']),
call(['a2enmod', 'rewrite'])
])
def test_restart_map(self):