Fix URLs when running with tls-proxy enabled

Various services are returning broken links when running behind tls-proxy. These issues can be fixed by setting the X-Forwarded-Proto header in the apache config and letting oslo_middleware parse it. Change-Id: Ibe5dbdc4644ec812f0435f59319666fc336c195a Partial-Bug: 1713731
2017-08-29 14:40:26 +00:00 · 2017-08-29 14:40:26 +00:00 · 411c34da69
parent c5aca3c996
commit 411c34da69
5 changed files with 6 additions and 3 deletions
--- a/lib/cinder
+++ b/lib/cinder
@ -296,8 +296,7 @@ function configure_cinder {
            # Set the service port for a proxy to take the original
            if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then
                iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
-                iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST
-                iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST
+                iniset $CINDER_CONF oslo_middleware enable_proxy_headers_parsing True
            else
                iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
                iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
--- a/lib/neutron
+++ b/lib/neutron
@ -242,6 +242,7 @@ function configure_neutron_new {
    if is_service_enabled tls-proxy; then
        # Set the service port for a proxy to take the original
        iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT"
+        iniset $NEUTRON_CONF oslo_middleware enable_proxy_headers_parsing True
    fi

    # Metering
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@ -718,6 +718,7 @@ function _configure_neutron_common {
    if is_service_enabled tls-proxy; then
        # Set the service port for a proxy to take the original
        iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT"
+        iniset $NEUTRON_CONF oslo_middleware enable_proxy_headers_parsing True
    fi

    _neutron_setup_rootwrap
--- a/lib/nova
+++ b/lib/nova
@ -555,6 +555,7 @@ function create_nova_conf {

    if is_service_enabled tls-proxy; then
        iniset $NOVA_CONF DEFAULT glance_protocol https
+        iniset $NOVA_CONF oslo_middleware enable_proxy_headers_parsing True
    fi

    if is_service_enabled n-sproxy; then
--- a/lib/tls
+++ b/lib/tls
@ -527,6 +527,7 @@ $listen_string
    # for swift functional testing to work with tls enabled. It is 2 bytes
    # larger than the apache default of 8190.
    LimitRequestFieldSize $f_header_size
+    RequestHeader set X-Forwarded-Proto "https"

    <Location />
        ProxyPass http://$b_host:$b_port/ retry=0 nocanon
@ -541,7 +542,7 @@ EOF
    if is_suse ; then
        sudo a2enflag SSL
    fi
-    for mod in ssl proxy proxy_http; do
+    for mod in headers ssl proxy proxy_http; do
        enable_apache_mod $mod
    done
    enable_apache_site $b_service