Horizon needs ability to add SECURE_PROXY_SSL_HEADER

Bug #1408818 reported by Steve McLellan
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Juan Antonio Osorio Robles
Milestone:

Bug Description

This is arguably a feature request rather than a bug, although since things appear to work but fail in subtle ways it manifests as a bug.

When deploying openstack services behind SSL, it's common to terminate SSL somewhere upstream of the service. Horizon has to construct URLs and in the absence of any other information, it does this using information from the request. In this scenario Apache thinks it's serving HTTP, so the protocol in generated URLs is incorrect.

Django has a setting to deal with this situation, in https://docs.djangoproject.com/en/1.7/ref/settings/ under SECURE_PROXY_SSL_HEADER

I suggest adding a section to local_settings.py for horizon to check for a config variable ('proxy_terminating_ssl' or something) similar to:

{{#proxy_terminating_ssl}}
SECURE_PROXY_SSL_HEADER = ("{{header_name}}", "{{secure_value}}")

# These are optional but recommended
CSRF_COOKIE_SECURE = True

# This is Django 1.7 only so not currently supported
# SESSION_COOKIE_SECURE = True
{{/proxy_terminating_ssl}}

It would be a separate task to ensure that the header is appropriately unset and set by the proxy.

Revision history for this message
Lin Hua Cheng (lin-hua-cheng) wrote :

Django usually constructs a relative URL (without the http://<host>/), so the protocol inferred is not used. I am curious what particular use case when the URL construction fails due to Django thinking it's HTTP.

Revision history for this message
Steve McLellan (sjmc7) wrote :

One example is in horizon/middleware.py in process_exception:
  login_url = request.build_absolute_uri(auth_url)

If your session times out, the redirect back to the login page fails.
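
As an added example (not code from the bug report, from Horizon or from Django), the following Python models the behaviour described in the bug description and in the build_absolute_uri comment above: how Django's SECURE_PROXY_SSL_HEADER setting changes the is_secure() decision, why the login redirect comes out as http:// without it when Apache sees plain HTTP, and what the proxy side of the "separate task" has to do with the header. The request dictionaries, the host name horizon.example.test and the helper proxy_forward() are constructed assumptions for this illustration; the header name X-Forwarded-Proto is one common choice for the report's {{header_name}}.

```python
"""Model of Django's SECURE_PROXY_SSL_HEADER behaviour (added example, not
Horizon or Django source). Names like PROXIED_REQUEST, proxy_forward() and
horizon.example.test are assumptions made for this illustration."""

from typing import Dict, Optional, Tuple

# Django exposes request headers in request.META under an HTTP_ prefix, with
# dashes replaced by underscores: "X-Forwarded-Proto" -> "HTTP_X_FORWARDED_PROTO".
# This is what the report's {{header_name}} / {{secure_value}} would expand to
# for a proxy that sets X-Forwarded-Proto (assumed header choice).
SECURE_PROXY_SSL_HEADER: Tuple[str, str] = ("HTTP_X_FORWARDED_PROTO", "https")


def is_secure(meta: Dict[str, str], setting: Optional[Tuple[str, str]]) -> bool:
    """Mirror the decision Django's HttpRequest.is_secure() makes.

    meta["wsgi.url_scheme"] is what the WSGI server (Apache in the report)
    believes it is serving. When the setting is configured, Django additionally
    treats the request as secure if the named header carries exactly the
    configured value.
    """
    if meta.get("wsgi.url_scheme") == "https":
        return True
    if setting is None:
        return False
    header, value = setting
    return meta.get(header) == value


def build_absolute_uri(meta: Dict[str, str], path: str,
                       setting: Optional[Tuple[str, str]]) -> str:
    """Simplified request.build_absolute_uri(): scheme from is_secure(),
    host from the Host header."""
    scheme = "https" if is_secure(meta, setting) else "http"
    return f"{scheme}://{meta['HTTP_HOST']}{path}"


def proxy_forward(client_headers: Dict[str, str], tls_terminated: bool) -> Dict[str, str]:
    """The proxy side of the report's 'separate task' (constructed helper):
    always overwrite the forwarded-proto header from the proxy's own knowledge
    of the connection, never pass a client-supplied value through to Apache."""
    meta = {"wsgi.url_scheme": "http", "HTTP_HOST": "horizon.example.test"}
    meta.update({f"HTTP_{k.upper().replace('-', '_')}": v
                 for k, v in client_headers.items()})
    meta["HTTP_X_FORWARDED_PROTO"] = "https" if tls_terminated else "http"
    return meta


LOGIN_PATH = "/auth/login/"  # stands in for the auth_url in horizon/middleware.py


def login_url_default() -> str:
    """Without the setting: Apache saw HTTP, so the redirect target is http://,
    which is the failure described in the report."""
    meta = proxy_forward({}, tls_terminated=True)
    return build_absolute_uri(meta, LOGIN_PATH, None)


def login_url_with_setting() -> str:
    """With the setting: the proxy-set header is trusted and the URL is https://."""
    meta = proxy_forward({}, tls_terminated=True)
    return build_absolute_uri(meta, LOGIN_PATH, SECURE_PROXY_SSL_HEADER)


def login_url_plain_client_sending_header() -> str:
    """A plain-HTTP client that includes its own X-Forwarded-Proto: https is
    still treated as insecure, because the proxy overwrote the header."""
    meta = proxy_forward({"X-Forwarded-Proto": "https"}, tls_terminated=False)
    return build_absolute_uri(meta, LOGIN_PATH, SECURE_PROXY_SSL_HEADER)


if __name__ == "__main__":
    print("no setting, TLS at proxy:     ", login_url_default())
    print("setting, TLS at proxy:        ", login_url_with_setting())
    print("setting, plain client w/header:", login_url_plain_client_sending_header())
```

The third function is the check a deployer should run after enabling the setting: if the proxy does not unconditionally set the header, the model's last line would flip to https:// for a plain-HTTP client, which is exactly the situation the report's "separate task" is meant to rule out.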

Changed in tripleo:
status: New → Confirmed
importance: Undecided → Medium
Luke Hinds (lhinds)
tags: added: security-hardening
Luke Hinds (lhinds)
Changed in tripleo:
status: Confirmed → Triaged
status: Triaged → Confirmed
Luke Hinds (lhinds)
Changed in tripleo:
milestone: none → ocata-3
milestone: ocata-3 → none
Changed in tripleo:
status: Confirmed → Triaged
milestone: none → ocata-3
Revision history for this message
Luke Hinds (lhinds) wrote :

This has been addressed now:

https://review.openstack.org/#/c/408989/
https://review.openstack.org/#/c/408992/

I think we can go ahead and close?

Revision history for this message
Julie Pichon (jpichon) wrote :

Thanks for the update and including the links, Luke!

Changed in tripleo:
status: Triaged → Fix Released
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
Revision history for this message
Steve McLellan (sjmc7) wrote :

Yep, looks good to me, thanks.
