Horizon needs ability to add SECURE_PROXY_SSL_HEADER
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo | Fix Released | Medium | Juan Antonio Osorio Robles | | |
Bug Description
This is arguably a feature request rather than a bug, although since things appear to work but fail in subtle ways it manifests as a bug.
When deploying OpenStack services behind SSL, it's common to terminate SSL somewhere upstream of the service. Horizon has to construct URLs and, in the absence of any other information, it does this using information from the request. In this scenario Apache thinks it's serving HTTP, so the protocol in generated URLs is incorrect.
Django has a setting to deal with this situation, in https:/
I suggest adding a section to local_settings.py for horizon to check for a config variable ('proxy_
{{#proxy_
SECURE_
# These are optional but recommended
CSRF_COOKIE_SECURE = True
# This is Django 1.7 only so not currently supported
# SESSION_
{{/proxy_
It would be a separate task to ensure that the header is appropriately unset and set by the proxy.
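The behaviour described in the report, as an added example that is not part of the bug report and is not Django's or Horizon's code: a simplified model of how the scheme is chosen with and without SECURE_PROXY_SSL_HEADER, and why the proxy has to unset the client's copy of the header before setting its own. The header value `('HTTP_X_FORWARDED_PROTO', 'https')`, the host name and the helper functions are assumptions made for illustration.

```python
# Simplified model (an assumption, not Django's or Horizon's source) of how a
# Django-style app picks the request scheme once SECURE_PROXY_SSL_HEADER is set.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # assumed value


def request_scheme(environ, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Return the scheme the app will put into absolute URLs."""
    if proxy_header:
        name, secure_value = proxy_header
        value = environ.get(name)
        if value is not None:
            return "https" if value.strip() == secure_value else "http"
    # No trusted header: fall back to what the local web server saw.
    return environ.get("wsgi.url_scheme", "http")


def absolute_uri(environ, path, proxy_header=SECURE_PROXY_SSL_HEADER):
    return f"{request_scheme(environ, proxy_header)}://{environ['HTTP_HOST']}{path}"


def proxy_forward(client_headers, terminated_tls):
    """Hypothetical TLS terminator: drop the client's copy, then set its own."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != "x-forwarded-proto"}
    forwarded["X-Forwarded-Proto"] = "https" if terminated_tls else "http"
    return forwarded


def to_environ(headers):
    """Map forwarded headers to WSGI keys; Apache behind the proxy sees HTTP."""
    environ = {"wsgi.url_scheme": "http"}
    for key, val in headers.items():
        environ["HTTP_" + key.upper().replace("-", "_")] = val
    return environ


# Constructed sample requests.
tls_client = {"Host": "horizon.example.test"}
plain_client = {"Host": "horizon.example.test", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    env = to_environ(proxy_forward(tls_client, terminated_tls=True))
    print(absolute_uri(env, "/auth/login/", proxy_header=None))  # setting absent
    print(absolute_uri(env, "/auth/login/"))                     # setting present
    # Plain-HTTP client claiming https: correct only because the proxy overwrote it.
    print(request_scheme(to_environ(proxy_forward(plain_client, False))))
    print(request_scheme(to_environ(plain_client)))  # header passed through unstripped
```

The last call shows the failure the report's final sentence guards against: if the header reaches the application unmodified, a plain-HTTP request is treated as secure.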
Changed in tripleo: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
tags: | added: security-hardening |
Changed in tripleo: | |
status: | Confirmed → Triaged |
status: | Triaged → Confirmed |
Changed in tripleo: | |
milestone: | none → ocata-3 |
milestone: | ocata-3 → none |
Changed in tripleo: | |
status: | Confirmed → Triaged |
milestone: | none → ocata-3 |
Django usually constructs a relative URL (without the http://<host>/), so the protocol inferred is not used. I am curious what the particular use case is where the URL construction fails due to Django thinking it's HTTP.