When proxied over https, redirects http even if USE_SSL is set to True

Bug #999960 reported by James Kyle
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Medium
Assigned to: Tihomir Trifonov

Bug Description

I'm running Horizon behind a proxy which serves all my domains over https.

The only problem is when the dashboard redirects. For example, after login or when performing certain admin functions. The redirect is an http url that fails to resolve.

I've set the USE_SSL parameter in the local_settings.py file. But this seems to have no effect.

I'll continue to add information as I debug.

Essex, ubuntu 12.04.

Changed in horizon:
importance: Undecided → Medium
milestone: none → folsom-2
status: New → Confirmed
Tihomir Trifonov (ttrifonov) wrote :

Horizon needs to know that the traffic is being redirected from HTTPS. Usually this is done using headers:

X-FORWARDED-PROTO: https
or
HTTP_X_FORWARDED_PROTO: https

Make sure the proxy sends some of these to Horizon.

Changed in horizon:
assignee: nobody → Tihomir Trifonov (ttrifonov)
Tihomir Trifonov (ttrifonov) wrote :

Actually, you can re-define in settings.py what header you want to use with your proxy (Django 1.4+):
https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header

Tihomir Trifonov (ttrifonov) wrote :

Hi James,

I've just tested - prepared a custom environment using NGINX+UWSGI,

nginx config:

    location / {
        uwsgi_pass 127.0.0.1:45909;
        include uwsgi_params;
        uwsgi_param X-FORWARDED-PROTO https;
    }

and then in settings.py (Django 1.4):

SECURE_PROXY_SSL_HEADER = ('X-FORWARDED-PROTO', 'https')

And the redirects seem to work now (I've tested with login/logout, clicking on Dashboard>Home).

Depending on your current setup - for Django versions prior to 1.3 a simple hack might be needed to fix this, using a middleware to check for headers and do something like:

    # header_name: the request.META key the proxy sets (e.g. 'X-FORWARDED-PROTO')
    request.is_secure = lambda: \
        request.META.get(header_name, '').lower() == 'https'

So, as long as the proper headers are sent - Django should/might handle redirects properly.
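
Added example, not part of the original comment and not Django or Horizon code: a simplified Python model of how the redirect scheme is chosen from a SECURE_PROXY_SSL_HEADER-style (key, value) pair. It shows why the key must match what the proxy actually puts in the WSGI environ; the host name, path and helper names are constructed for illustration.

```python
# Simplified model of the scheme decision; added illustration, not Django or Horizon code.

def wsgi_key_for_http_header(name):
    """CGI/WSGI key for a real HTTP request header, e.g.
    X-Forwarded-Proto -> HTTP_X_FORWARDED_PROTO."""
    return "HTTP_" + name.upper().replace("-", "_")


def is_secure(environ, secure_proxy_ssl_header=None):
    """Treat the request as HTTPS if the configured (key, value) pair matches
    the environ, otherwise fall back to the scheme the WSGI server saw."""
    if secure_proxy_ssl_header:
        key, expected = secure_proxy_ssl_header
        if environ.get(key) == expected:
            return True
    return environ.get("wsgi.url_scheme") == "https"


def redirect_location(environ, path, secure_proxy_ssl_header=None):
    """Absolute redirect URL as the application would build it."""
    scheme = "https" if is_secure(environ, secure_proxy_ssl_header) else "http"
    return "%s://%s%s" % (scheme, environ["HTTP_HOST"], path)


# Constructed sample environs: TLS ends at the proxy, so the backend sees http.
BASE = {"wsgi.url_scheme": "http", "HTTP_HOST": "dashboard.example.com"}
# `uwsgi_param X-FORWARDED-PROTO https;` stores the key verbatim in the environ.
VIA_UWSGI_PARAM = {**BASE, "X-FORWARDED-PROTO": "https"}
# A proxy that sends a real HTTP header yields the HTTP_-prefixed key instead.
VIA_HTTP_HEADER = {**BASE, wsgi_key_for_http_header("X-Forwarded-Proto"): "https"}

UWSGI_SETTING = ("X-FORWARDED-PROTO", "https")
HEADER_SETTING = ("HTTP_X_FORWARDED_PROTO", "https")

if __name__ == "__main__":
    cases = [
        ("no proxy hint (the reported behaviour)", BASE, UWSGI_SETTING),
        ("uwsgi_param + matching setting", VIA_UWSGI_PARAM, UWSGI_SETTING),
        ("HTTP header + uwsgi-style setting (mismatch)", VIA_HTTP_HEADER, UWSGI_SETTING),
        ("HTTP header + HTTP_-prefixed setting", VIA_HTTP_HEADER, HEADER_SETTING),
    ]
    for label, env, setting in cases:
        print("%-46s %s" % (label, redirect_location(env, "/dashboard/", setting)))
```

Whichever key is configured, the proxy has to set it on every request and discard any client-supplied copy, because the application trusts the value as-is.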

Tihomir Trifonov (ttrifonov) wrote :

In fact Django 1.3 natively supports that with:

    def is_secure(self):
        return os.environ.get("HTTPS") == "on"

so exposing HTTPS=on in ENV seems to do the trick...

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/7841

Changed in horizon:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/7841
Committed: http://github.com/openstack/horizon/commit/3b41cb97c45167d7c5cc075a8d73c4eb3e7bbc93
Submitter: Jenkins
Branch: master

commit 3b41cb97c45167d7c5cc075a8d73c4eb3e7bbc93
Author: Tihomir Trifonov <email address hidden>
Date: Mon May 28 13:19:54 2012 +0300

    Added help text in local.settings.example
    how to setup Horizon to use SSL-offloading proxy
    to properly handle page redirects to SSL.

    The example is for Django 1.4 only.
    As I see at the moment Django 1.3 is
    not supported (pip-requires says Django>=1.4),
    so no example for Django 1.3 is added.

    Fixes bug 999960

    Change-Id: I3b885e84ef8332bfd0fe35a2307eb691cf34be03

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: folsom-2 → 2012.2