Add option to handle SSL termination proxies

ooi needs to return URLs of objects matching the URL scheme used for serving the application even if ooi is behind a SSL termination proxy. A new configuration variable "ooi_secure_proxy_ssl_header" that defines the HTTP header that can be used to update the wsgi.url_scheme environment variable. Typical value for this variable is 'HTTP_X_FORWARDED_PROTO'. Change-Id: I7ce7583f64778f667a7ea310d493390d9e19f1e2 Closes-Bug: #1676844
2017-03-28 13:11:54 +01:00 · 2017-03-28 13:11:54 +01:00 · d1da7a1dfe
parent a8cfcb58e8
commit d1da7a1dfe
2 changed files with 20 additions and 0 deletions
--- a/ooi/tests/unit/test_wsgi.py
+++ b/ooi/tests/unit/test_wsgi.py
@ -16,6 +16,7 @@ import webob
 import webob.dec
 import webob.exc

+from ooi import config
 from ooi.tests import base
 from ooi import wsgi

@ -160,6 +161,12 @@ class TestMiddleware(base.TestCase):
        result = req.get_response(self.app)
        self.assertEqual(404, result.status_code)

+    def test_ssl_middleware(self):
+        config.cfg.CONF.set_override('ooi_secure_proxy_ssl_header', 'bar')
+        request = wsgi.Request.blank("/foos", method="GET",
+                                     environ={'bar': 'baz'})
+        self.assertEqual('baz', request.environ['wsgi.url_scheme'])
+

 class TestOCCIMiddleware(base.TestCase):
    def setUp(self):
--- a/ooi/wsgi/init.py
+++ b/ooi/wsgi/init.py
@ -48,6 +48,12 @@ occi_opts = [
                      help='Number of workers for OCCI (ooi) API service. '
                           'The default will be equal to the number of CPUs '
                           'available.'),
+    config.cfg.StrOpt('ooi_secure_proxy_ssl_header',
+                      default=None,
+                      help='The HTTP header used to determine the scheme '
+                           'for the original request, even if it was '
+                           'removed by an SSL terminating proxy. Typical '
+                           'value is "HTTP_X_FORWARDED_PROTO".'),
    # NEUTRON
    config.cfg.StrOpt('neutron_ooi_endpoint',
                      default=None,
@ -60,6 +66,13 @@ CONF.register_opts(occi_opts)


 class Request(webob.Request):
+    def __init__(self, environ, *args, **kwargs):
+        if CONF.ooi_secure_proxy_ssl_header:
+            scheme = environ.get(CONF.ooi_secure_proxy_ssl_header)
+            if scheme:
+                environ['wsgi.url_scheme'] = scheme
+        super(Request, self).__init__(environ, *args, **kwargs)
+
    def should_have_body(self):
        return self.method in ("POST", "PUT")