authorRadomir Dopieralski <openstack@sheep.art.pl>2015-07-28 12:54:20 +0200
committerRadomir Dopieralski <openstack@sheep.art.pl>2015-08-03 08:50:45 +0200
commitab35779238658ad8595e383618ca28a191c1085d (patch)
tree92d0ef5b84f2db06b13e1d0e532704e266f663e6 /nova/wsgi.py
parent4a96b90623ffd3814131b37c622e75e4dae812fa (diff)
Handle SSL termination proxies for version list
Return the correct scheme in version URLs if the service is behind an SSL termination proxy. This is done by adding a new configuration option, secure_proxy_ssl_header, which, when defined, makes the wsgi application take the host_url scheme from that header. By default, when this option is not specified, there is no difference in behavior. The intention is to configure any ssl-decrypting proxy to set that header, so that nova-api knows which protocol to use in the URLs in the response. This patch is largely based on https://review.openstack.org/#/c/132235/18 DocImpact Closes-Bug: #1384379 Change-Id: I27ba166902ecc19c9b7fff2ee7f3bf733885efe1
Diffstat (limited to 'nova/wsgi.py')
-rw-r--r--nova/wsgi.py12
1 files changed, 11 insertions, 1 deletions
diff --git a/nova/wsgi.py b/nova/wsgi.py
index 30a41bb8db..b3d3f33239 100644
--- a/nova/wsgi.py
+++ b/nova/wsgi.py
@@ -51,6 +51,11 @@ wsgi_opts = [
'generate log lines. The following values can be formatted '
'into it: client_ip, date_time, request_line, status_code, '
'body_length, wall_seconds.'),
+ cfg.StrOpt('secure_proxy_ssl_header',
+ help='The HTTP header used to determine the scheme for the '
+ 'original request, even if it was removed by an SSL '
+ 'terminating proxy. Typical value is '
+ '"HTTP_X_FORWARDED_PROTO".'),
cfg.StrOpt('ssl_ca_file',
help="CA certificate file to use to verify "
"connecting clients"),
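Review bot: The help text for `secure_proxy_ssl_header` omits the precondition that makes the option safe to enable: the proxy must set or strip this header on every inbound request, because otherwise the value comes straight from the client. I would append a sentence to the help string such as `'Only set this if the proxy overwrites or removes this header on all incoming requests.'`. The phrase "even if it was removed by an SSL terminating proxy" is also unclear about what "it" is; something like "when SSL was terminated by a proxy in front of the API" reads better. The `wsgi_opts` list begins and ends outside this hunk.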
@@ -274,7 +279,12 @@ class Server(service.ServiceBase):
class Request(webob.Request):
- pass
+ def __init__(self, environ, *args, **kwargs):
+ if CONF.secure_proxy_ssl_header:
+ scheme = environ.get(CONF.secure_proxy_ssl_header)
+ if scheme:
+ environ['wsgi.url_scheme'] = scheme
+ super(Request, self).__init__(environ, *args, **kwargs)
class Application(object):
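Review bot: In `Request.__init__` the header value is written to `environ['wsgi.url_scheme']` without validation, so any string in that header becomes the scheme of the URLs the API generates. The header is request data unless the proxy overwrites it, so I would normalise it and accept only the two expected values: `scheme = environ.get(CONF.secure_proxy_ssl_header, '').strip().lower()` followed by `if scheme in ('http', 'https'):`. A multi-proxy value such as a comma-separated list would then fall back to the original scheme rather than being passed through. The new method also has no docstring; a single line saying that it overrides the URL scheme from the configured proxy header, and that the header is only trustworthy behind a proxy that sets it, would help the next reader.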