Use http_proxy_to_wsgi middleware

This sets up the HTTPProxyToWSGI middleware in front of Freezer.
The purpose of this middleware is to set up the request URL
correctly in case there is a proxy (For instance, a loadbalancer
such as HAProxy) in front of Freezer.

The HTTPProxyToWSGI is off by default and needs to be enabled
via a configuration value.

Depends-On: Iffd38a325204a3ec7380a7a56061866477d3d06e
Change-Id: I44d60863eefeb52891474653aa9fcf1ba57d50a1
Closes-bug: #1590608

config-generator/freezer-api.conf

@@ -4,3 +4,4 @@ wrap_width = 79
 namespace = "freezer-api"
 namespace = oslo.log
 namespace = oslo.policy
+namespace = oslo.middleware

etc/freezer/freezer-api.conf.sample

@@ -33,6 +33,7 @@
 # configuration files are used then all logging configuration is set in the
 # configuration file and other logging configuration options are ignored (for
 # example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
 # Deprecated group/name - [DEFAULT]/log_config
 #log_config_append = <None>
 
@@ -109,6 +110,64 @@
 #fatal_deprecations = false
 
 
+[cors]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers =
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers =
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers =
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers =
+
+
 [keystone_authtoken]
 
 #
@@ -157,7 +216,7 @@
 
 # Optionally specify a list of memcached server(s) to use for caching. If left
 # undefined, tokens will instead be cached in-process. (list value)
-# Deprecated group/name - [DEFAULT]/memcache_servers
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
 #memcached_servers = <None>
 
 # In order to prevent excessive effort spent validating tokens, the middleware
@@ -167,8 +226,8 @@
 
 # Determines the frequency at which the list of revoked tokens is retrieved
 # from the Identity service (in seconds). A high number of revocation events
-# combined with a low cache duration may significantly reduce performance. Only
-# valid for PKI tokens. (integer value)
+# combined with a low cache duration may significantly reduce performance.
+# (integer value)
 #revocation_cache_time = 10
 
 # (Optional) If defined, indicate whether token data should be authenticated or
@@ -235,58 +294,44 @@
 # performance. (list value)
 #hash_algorithms = md5
 
-# Prefix to prepend at the beginning of the path. Deprecated, use identity_uri.
-# (string value)
-#auth_admin_prefix =
-
-# Host providing the admin Identity API endpoint. Deprecated, use identity_uri.
-# (string value)
-#auth_host = 127.0.0.1
-
-# Port of the admin Identity API endpoint. Deprecated, use identity_uri.
-# (integer value)
-#auth_port = 35357
-
-# Protocol of the admin Identity API endpoint. Deprecated, use identity_uri.
-# (string value)
-# Allowed values: http, https
-#auth_protocol = https
-
-# Complete admin Identity API endpoint. This should specify the unversioned
-# root endpoint e.g. https://localhost:35357/ (string value)
-#identity_uri = <None>
-
-# This option is deprecated and may be removed in a future release. Single
-# shared secret with the Keystone configuration used for bootstrapping a
-# Keystone installation, or otherwise bypassing the normal authentication
-# process. This option should not be used, use `admin_user` and
-# `admin_password` instead. (string value)
-#admin_token = <None>
-
-# Service username. (string value)
-#admin_user = <None>
-
-# Service user password. (string value)
-#admin_password = <None>
-
-# Service tenant name. (string value)
-#admin_tenant_name = admin
-
-# Authentication type to load (unknown value)
-# Deprecated group/name - [DEFAULT]/auth_plugin
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
 #auth_type = <None>
 
-# Config Section from which to load plugin specific options (unknown value)
+# Config Section from which to load plugin specific options (string value)
 #auth_section = <None>
 
 
+[oslo_middleware]
+
+#
+# From oslo.middleware
+#
+
+# The maximum body size for each  request, in bytes. (integer value)
+# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
+# Deprecated group/name - [DEFAULT]/max_request_body_size
+#max_request_body_size = 114688
+
+# DEPRECATED: The HTTP Header that will be used to determine what the original
+# request protocol scheme was, even if it was hidden by a SSL termination
+# proxy. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+# Whether the application is behind a proxy or not. This determines if the
+# middleware should parse the headers or not. (boolean value)
+#enable_proxy_headers_parsing = false
+
+
 [oslo_policy]
 
 #
 # From oslo.policy
 #
 
-# The JSON file that defines policies. (string value)
+# The file that defines policies. (string value)
 # Deprecated group/name - [DEFAULT]/policy_file
 #policy_file = policy.json
 
@@ -347,8 +392,6 @@
 # path to CA certs on disk (string value)
 #ca_certs = <None>
 
-# Number of replicas for elk cluster. Default is 0. Use 0 for no replicas
-# In a production environment, this value should be equal to:
-# (Number of elasticsearch node in the cluster - 1)
-# (integer value)
+# Number of replicas for elk cluster. Default is 0. Use 0 for no replicas. This
+# should be set to (number of node in the ES cluter -1). (integer value)
 #number_of_replicas = 0

etc/freezer/freezer-paste.ini

@@ -19,8 +19,11 @@ paste.filter_factory = freezer_api.api.common.middleware:HealthApp.factory
 [filter:context]
 paste.filter_factory = freezer_api.api.common.middleware:ContextMiddleware.factory
 
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
+
 [pipeline:main]
-pipeline = healthcheck authtoken context freezer_app
+pipeline = healthcheck http_proxy_to_wsgi authtoken context freezer_app
 
 [pipeline:unauthenticated_freezer_api]
-pipeline = HealthApp Healthcheck freezer_app
+pipeline = http_proxy_to_wsgi HealthApp Healthcheck freezer_app