From: Juan Antonio Osorio Robles Date: Tue, 1 Mar 2016 07:34:16 +0000 (+0200) Subject: Always override X-Forwarded-Proto header for Heat X-Git-Tag: opnfv-6.0.0~802 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=3aefa43072d9453412376a9bdedd949e03c926a5;p=apex-puppet-tripleo.git Always override X-Forwarded-Proto header for Heat Heat has the ssl middleware to handle the X-Forwarded-Proto header by default. We override this header when SSL is enabled because we need to, but overriding it even when we won't be terminating SSL will prevent some attacks using this header. Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
---
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 387f022..4e5c37f 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -719,17 +719,19 @@ class tripleo::loadbalancer (
 }
 $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
+ $heat_base_options = {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
 if $heat_bind_certificate {
 $heat_bind_opts = {
 "${heat_api_vip}:8004" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:13004" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
 }
- $heat_options = {
+ $heat_ssl_options = {
 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 }
+ $heat_options = merge($heat_base_options, $heat_ssl_options)
 $heat_cw_bind_opts = {
 "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:13003" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
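Review bot: `$heat_base_options` now carries the security purpose of this change, but nothing at its definition says so, and a later cleanup could fold the two `http-request` rules back under the `if $heat_bind_certificate` branch. I would put a comment above it such as `# Always overwrite X-Forwarded-Proto so a client-supplied value never reaches Heat's ssl middleware, with or without TLS termination here.` It is also worth confirming that every Heat listener (the one bound through `$heat_cw_bind_opts` in this hunk, and any CFN listener) is declared with `$heat_options`, since an API left out would still accept the client's header. Those listener declarations, and the start and end of the class body, are outside this hunk.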
@@ -743,7 +745,7 @@ class tripleo::loadbalancer (
 "${heat_api_vip}:8004" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:8004" => $haproxy_listen_bind_param,
 }
- $heat_options = {}
+ $heat_options = $heat_base_options
 $heat_cw_bind_opts = {
 "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
 "${public_virtual_ip}:8003" => $haproxy_listen_bind_param,
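Review bot: In the non-SSL branch, `$heat_options = $heat_base_options` only protects Heat if the listener runs in HTTP mode, because HAProxy ignores `http-request` rules on a proxy in `mode tcp` and the spoofed header would then pass through unchanged. The haproxy defaults and the listener declaration are outside this hunk, so please confirm the mode there, or make it explicit by adding `'mode' => 'http'` to `$heat_base_options`. Separately, `ssl_fc` can never be true on these plain binds, so the header is always forced to `http`. That is the intended hardening, but it gives Heat the wrong scheme if TLS is terminated by something in front of this HAProxy, so a short comment stating that assumption would help operators.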