Permalink
Browse files

Add flag to enable the SECURE_PROXY_SSL_HEADER option

This is used to tell Django to take into account the X-Forwarded-Proto
header. It is disabled by default as it should only be enabled if one
is running horizon behind a proxy.

Change-Id: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
  • Loading branch information...
JAORMX committed Dec 9, 2016
1 parent 7cbcc78 commit 5211ba5fc8652fbf6b3a7d72ed3de273d43d29ee
View
@@ -293,6 +293,12 @@
# (optional) Disables Admin password prompt on Change Password form.
# Defaults to false
#
# [*enable_secure_proxy_ssl_header*]
# (optional) Enables the SECURE_PROXY_SSL_HEADER option which makes django
# take the X-Forwarded-Proto header into account. Note that this is only
# recommended if you're running horizon behind a proxy.
# Defaults to false
#
# === DEPRECATED group/name
#
# [*fqdn*]
@@ -391,6 +397,7 @@
$password_retrieve = false,
$disable_password_reveal = false,
$enforce_password_check = false,
$enable_secure_proxy_ssl_header = false,
# DEPRECATED PARAMETERS
$custom_theme_path = undef,
$fqdn = undef,
@@ -0,0 +1,5 @@
---
features:
- Support was added to enable/disable the SECURE_PROXY_SSL_HEADER which
enables horizon (via Django) to process the X-Forwarded-Proto header. This
done with the "enable_secure_proxy_ssl_header" in the manifest.
@@ -92,49 +92,51 @@
context 'with overridden parameters' do
before do
params.merge!({
:cache_backend => 'horizon.backends.memcached.HorizonMemcached',
:cache_options => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1},
:cache_server_ip => '10.0.0.1',
:django_session_engine => 'django.contrib.sessions.backends.cache',
:keystone_default_role => 'SwiftOperator',
:keystone_url => 'https://keystone.example.com:4682',
:ssl_no_verify => true,
:log_handler => 'syslog',
:log_level => 'DEBUG',
:openstack_endpoint_type => 'internalURL',
:secondary_endpoint_type => 'ANY-VALUE',
:django_debug => true,
:api_result_limit => 4682,
:compress_offline => false,
:hypervisor_options => {'can_set_mount_point' => false, 'can_set_password' => true },
:cinder_options => {'enable_backup' => true },
:keystone_options => {'name' => 'native', 'can_edit_user' => true, 'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false},
:neutron_options => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true,
:cache_backend => 'horizon.backends.memcached.HorizonMemcached',
:cache_options => {'SOCKET_TIMEOUT' => 1,'SERVER_RETRIES' => 1,'DEAD_RETRY' => 1},
:cache_server_ip => '10.0.0.1',
:django_session_engine => 'django.contrib.sessions.backends.cache',
:keystone_default_role => 'SwiftOperator',
:keystone_url => 'https://keystone.example.com:4682',
:ssl_no_verify => true,
:log_handler => 'syslog',
:log_level => 'DEBUG',
:openstack_endpoint_type => 'internalURL',
:secondary_endpoint_type => 'ANY-VALUE',
:django_debug => true,
:api_result_limit => 4682,
:compress_offline => false,
:hypervisor_options => {'can_set_mount_point' => false, 'can_set_password' => true },
:cinder_options => {'enable_backup' => true },
:keystone_options => {'name' => 'native', 'can_edit_user' => true, 'can_edit_group' => true, 'can_edit_project' => true, 'can_edit_domain' => false, 'can_edit_role' => false},
:neutron_options => {'enable_lb' => true, 'enable_firewall' => true, 'enable_quotas' => false, 'enable_security_group' => false, 'enable_vpn' => true,
'enable_distributed_router' => false, 'enable_ha_router' => false, 'profile_support' => 'cisco',
'supported_provider_types' => ['flat', 'vxlan'], 'supported_vnic_types' => ['*'], 'default_ipv4_subnet_pool_label' => 'None', },
:file_upload_temp_dir => '/var/spool/horizon',
:secure_cookies => true,
:api_versions => {'identity' => 2.0},
:keystone_multidomain_support => true,
:keystone_default_domain => 'domain.tld',
:overview_days_range => 1,
:session_timeout => 1800,
:timezone => 'Asia/Shanghai',
:available_themes => [
:file_upload_temp_dir => '/var/spool/horizon',
:secure_cookies => true,
:api_versions => {'identity' => 2.0},
:keystone_multidomain_support => true,
:keystone_default_domain => 'domain.tld',
:overview_days_range => 1,
:session_timeout => 1800,
:timezone => 'Asia/Shanghai',
:available_themes => [
{ 'name' => 'default', 'label' => 'Default', 'path' => 'themes/default' },
{ 'name' => 'material', 'label' => 'Material', 'path' => 'themes/material' },
],
:default_theme => 'default',
:password_autocomplete => 'on',
:images_panel => 'angular',
:password_retrieve => true,
:default_theme => 'default',
:password_autocomplete => 'on',
:images_panel => 'angular',
:password_retrieve => true,
:enable_secure_proxy_ssl_header => true,
})
end
it 'generates local_settings.py' do
verify_concat_fragment_contents(catalogue, 'local_settings.py', [
'DEBUG = True',
"ALLOWED_HOSTS = ['*', ]",
"SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')",
'CSRF_COOKIE_SECURE = True',
'SESSION_COOKIE_SECURE = True',
" 'identity': 2.0,",
@@ -41,7 +41,11 @@ ALLOWED_HOSTS = ['<%= @final_allowed_hosts %>', ]
# and don't forget to strip it from the client's request.
# For more information see:
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
<% if @enable_secure_proxy_ssl_header %>
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
<% else %>
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
<% end %>
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits

0 comments on commit 5211ba5

Please sign in to comment.