author | Radomir Dopieralski <openstack@sheep.art.pl> | 2015-07-28 12:54:20 +0200 |
---|---|---|
committer | Radomir Dopieralski <openstack@sheep.art.pl> | 2015-08-03 08:50:45 +0200 |
commit | ab35779238658ad8595e383618ca28a191c1085d (patch) | |
tree | 92d0ef5b84f2db06b13e1d0e532704e266f663e6 /nova/wsgi.py | |
parent | 4a96b90623ffd3814131b37c622e75e4dae812fa (diff) | |
download | nova-ab35779238658ad8595e383618ca28a191c1085d.tar.gz |
Handle SSL termination proxies for version list
Return the correct scheme in version URLs if the service
is behind an SSL termination proxy.
This is done by adding a new configuration option,
secure_proxy_ssl_header, which, when defined, makes
the wsgi application take the host_url scheme from
that header. By default, when this option is not
specified, there is no difference in behavior.
The intention is to configure any ssl-decrypting
proxy to set that header, so that nova-api knows
which protocol to use in the URLs in response.
This patch is largely based on
https://review.openstack.org/#/c/132235/18
DocImpact
Closes-Bug: #1384379
Change-Id: I27ba166902ecc19c9b7fff2ee7f3bf733885efe1
Diffstat (limited to 'nova/wsgi.py')
-rw-r--r-- | nova/wsgi.py | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/nova/wsgi.py b/nova/wsgi.py
index 30a41bb8db..b3d3f33239 100644
--- a/nova/wsgi.py
+++ b/nova/wsgi.py
@@ -51,6 +51,11 @@ wsgi_opts = [
 'generate log lines. The following values can be formatted '
 'into it: client_ip, date_time, request_line, status_code, '
 'body_length, wall_seconds.'),
+ cfg.StrOpt('secure_proxy_ssl_header',
+ help='The HTTP header used to determine the scheme for the '
+ 'original request, even if it was removed by an SSL '
+ 'terminating proxy. Typical value is '
+ '"HTTP_X_FORWARDED_PROTO".'),
 cfg.StrOpt('ssl_ca_file',
 help="CA certificate file to use to verify "
 "connecting clients"),
@@ -274,7 +279,12 @@ class Server(service.ServiceBase):
 class Request(webob.Request):
- pass
+ def __init__(self, environ, *args, **kwargs):
+ if CONF.secure_proxy_ssl_header:
+ scheme = environ.get(CONF.secure_proxy_ssl_header)
+ if scheme:
+ environ['wsgi.url_scheme'] = scheme
+ super(Request, self).__init__(environ, *args, **kwargs)
 class Application(object): |
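Review bot: The help string for `secure_proxy_ssl_header` in the first hunk does not tell operators that the named header is taken at face value, so the option is only safe when every request reaches nova-api through a proxy that sets or strips that header itself. A client that can reach the API directly, or a proxy that forwards the header unchanged, would let the caller choose the scheme that ends up in response URLs. I would append a sentence to the help such as `'Only set this if a trusted proxy overwrites the header on every request.'`. The `wsgi_opts` list starts and ends outside this hunk.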
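Review bot: In `Request.__init__` (second hunk) the header value is copied into `environ['wsgi.url_scheme']` without validation, so any non-empty string becomes the scheme webob uses to build `host_url`. Some proxy chains presumably send a comma-separated list or a differently cased value, and an unexpected value would then flow into the version links. I would restrict it to the two schemes the service can serve: `scheme = (environ.get(CONF.secure_proxy_ssl_header) or '').strip().lower()` followed by `if scheme in ('http', 'https'):`. A short docstring on `__init__` saying that the override applies only when the option is configured, and that the header must come from a trusted proxy, would also help the next reader.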