From 8be6a30d431da15e2389ebe288c133dc9a28d279 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Mon, 10 Oct 2016 08:56:12 +0300
Subject: [PATCH] Add http_proxy_to_wsgi to api-paste
This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The purpose of this middleware is to set up the request URL correctly in case there is a proxy (For instance, a loadbalancer such as HAProxy) in front of Neutron. So, for instance, when TLS connections are being terminated in the proxy, and one tries to get the versions from the / resource of Neutron, one will notice that the protocol is incorrect; It will show 'http' instead of 'https'. So this middleware handles such cases. Thus helping Keystone discovery work correctly. The HTTPProxyToWSGI is off by default and needs to be enabled via a configuration value.
Change-Id: Ice9ee8f4e04050271d59858f92034c230325718b
Closes-Bug: #1590608
(cherry picked from commit 19c354aacd27f6941467e34826774c6199bc4f8f)
---
 etc/api-paste.ini | 11 +++++++----
 etc/oslo-config-generator/neutron.conf | 1 +
 ...ttp_proxy_to_wsgi-middleware-24e8271cbd94ffdf.yaml | 11 +++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/Adds-http_proxy_to_wsgi-middleware-24e8271cbd94ffdf.yaml
diff --git a/etc/api-paste.ini b/etc/api-paste.ini
index 0d6873abe21..1c98cfe3676 100644
--- a/etc/api-paste.ini
+++ b/etc/api-paste.ini
@@ -5,13 +5,13 @@ use = egg:Paste#urlmap
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
-noauth = cors request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
+noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
 [composite:neutronversions_composite]
 use = call:neutron.auth:pipeline_factory
-noauth = cors neutronversions
-keystone = cors neutronversions
+noauth = cors http_proxy_to_wsgi neutronversions
+keystone = cors http_proxy_to_wsgi neutronversions
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -23,6 +23,9 @@ paste.filter_factory = oslo_middleware:CatchErrors.factory
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = neutron
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
diff --git a/etc/oslo-config-generator/neutron.conf b/etc/oslo-config-generator/neutron.conf
index 1d61c360b3e..be613762224 100644
--- a/etc/oslo-config-generator/neutron.conf
+++ b/etc/oslo-config-generator/neutron.conf
@@ -14,6 +14,7 @@ namespace = oslo.policy
 namespace = oslo.concurrency
 namespace = oslo.messaging
 namespace = oslo.middleware.cors
+namespace = oslo.middleware.http_proxy_to_wsgi
 namespace = oslo.service.sslutils
 namespace = oslo.service.wsgi
 namespace = keystonemiddleware.auth_token
diff --git a/releasenotes/notes/Adds-http_proxy_to_wsgi-middleware-24e8271cbd94ffdf.yaml b/releasenotes/notes/Adds-http_proxy_to_wsgi-middleware-24e8271cbd94ffdf.yaml
new file mode 100644
index 00000000000..8decbb0ce1e
--- /dev/null
+++ b/releasenotes/notes/Adds-http_proxy_to_wsgi-middleware-24e8271cbd94ffdf.yaml
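Review bot: In etc/api-paste.ini the new `http_proxy_to_wsgi` filter runs ahead of `authtoken` in the `keystone` pipelines and is also added to the `noauth` and `neutronversions` pipelines, so once an operator enables it the forwarding headers are honoured on unauthenticated requests from any client that can reach neutron-server without passing through the proxy. Nothing in the file states this, or that the filter is inert by default. I would add a comment above `[filter:http_proxy_to_wsgi]` in the second hunk, for example `# No-op unless [oslo_middleware] enable_proxy_headers_parsing = True. Enable only when neutron-server is reachable solely through a proxy that overwrites X-Forwarded-Proto and related headers.` The release note would benefit from the same caveat, since it names the option group but not the option or the deployment precondition.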
@@ -0,0 +1,11 @@
+---
+features:
+ - Middleware was added to parse the X-Forwarded-Proto HTTP header or the
+ Proxy protocol in order to help neutron respond with the correct URL refs
+ when it's put behind a TLS proxy (such as HAProxy). This adds
+ http_proxy_to_wsgi middleware to the pipeline. This middleware is disabled
+ by default, but can be enabled via a configuration option in the
+ oslo_middleware group.
+upgrade:
+ - The api-paste.ini configuration file for the paste pipeline was updated to
+ add the http_proxy_to_wsgi middleware.