From: Juan Antonio Osorio Robles Date: Mon, 22 Feb 2016 13:09:05 +0000 (+0200) Subject: Override X-Forwarded-Proto header X-Git-Tag: opnfv-6.0.0~803 X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=5f915a88e7c4eec6e6a0341808f0fbc4a4b1a161;p=apex-puppet-tripleo.git Override X-Forwarded-Proto header Right now, the only manipulation done to the X-Forwarded-Proto header is done if an SSL connection is established. This is not sufficient as one might be able to erroneously put values through that header. This patch disables that behaviour by defaulting to plain http if an SSL connection is not established. Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
---
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 9e8c3b6..387f022 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -726,7 +726,9 @@ class tripleo::loadbalancer (
 }
 $heat_options = {
 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 }
 $heat_cw_bind_opts = {
 "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
@@ -843,7 +845,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'keystone_admin':
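Review bot: The `X-Forwarded-Proto` override is added only where the `https if { ssl_fc }` rule already existed — `$heat_options` in this hunk and the `keystone_admin`, `keystone_public`, `cinder` and `nova_osapi` hunks that follow — so any other `mode => 'http'` listener in `tripleo::loadbalancer` would still hand a client-supplied value to its backend. The rest of the class lies outside these hunks, so this has to be checked against the full manifest. If such listeners exist and their services derive URLs or redirects from this header, they need the same pair of rules.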
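Review bot: Nothing in the `keystone_admin` options explains why two rules are needed, so a later cleanup could collapse them back to the single `ssl_fc` rule and reopen the pass-through. A comment above `'http-request'` such as `# Always overwrite X-Forwarded-Proto: set-header replaces any client-supplied value, so backends only see what HAProxy observed` would record the intent. It should also state that `ssl_fc` reflects only the connection made to this HAProxy, so a deployment that terminates TLS on a device in front of it will now always report `http` to the backend. The same comment applies to the other four occurrences.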
@@ -861,7 +865,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'keystone_public':
@@ -893,7 +899,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http', # Needed for http-request option
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'cinder':
@@ -995,7 +1003,9 @@ class tripleo::loadbalancer (
 collect_exported => false,
 mode => 'http',
 options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
 },
 }
 haproxy::balancermember { 'nova_osapi':
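Review bot: The two-element `http-request` array in the `keystone_public` options is now copied verbatim into five option hashes (heat, keystone_admin, keystone_public, cinder, nova_osapi), which makes it easy for one listener's header policy to drift from the others. Defining the array once in the class and referencing it, e.g. `'http-request' => $x_forwarded_proto_rules,` (the variable name is only a suggestion), would keep the rule pair in one place. The closing `],` would also read better on its own line after a trailing comma on the last element, as the enclosing `},` lines already do.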