Merge pull request #313 from deshipu/https-headers

Set the relevant http headers when Horizon is served as https
openstack-k8s-operators · Apr 16, 2024 · 8e29e92 · 8e29e92
2 parents ce91595 + db53d51
commit 8e29e92
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/controllers/horizon_controller.go b/controllers/horizon_controller.go
@@ -790,6 +790,7 @@ func (r *HorizonReconciler) generateServiceConfigMaps(
 		"ServerName":         fmt.Sprintf("%s.%s.svc", horizon.ServiceName, instance.Namespace),
 		"Port":               horizon.HorizonPort,
 		"TLS":                false,
+		"isPublicHTTPS":      url.Scheme == "https",
 	}
 
 	// create httpd tls template parameters

diff --git a/templates/horizon/config/local_settings.py b/templates/horizon/config/local_settings.py
@@ -77,17 +77,16 @@ def get_pod_ip():
 
 ALLOWED_HOSTS = [get_pod_ip(), "{{ .horizonEndpointUrl }}"]
 
-# Set SSL proxy settings:
-# Pass this header from the proxy after terminating the SSL,
-# and don't forget to strip it from the client's request.
-# For more information see:
-# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
-#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+USE_X_FORWARDED_HOST = True
 
-# If Horizon is being served through SSL, then uncomment the following two
-# settings to better secure the cookies from security exploits
-#CSRF_COOKIE_SECURE = True
-#SESSION_COOKIE_SECURE = True
+{{- if .isPublicHTTPS }}
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+SECURE_SSL_REDIRECT = True
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_HTTPONLY = True
+SECURE_HSTS_SECONDS = 31536000
+{{- end }}
 
 LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))