From 310eded8e65a58b90f86423b2c6748d5cd44089c Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 22 Sep 2016 18:28:57 -0400
Subject: [PATCH] Add a configuration flag for external TLS termination

This is necessary to ensure that we use the correct scheme when conducting health checks, setting cookies, etc.

Fixes #1865
---
 config.py | 5 +++++
 health/services.py | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/config.py b/config.py
index 957c03c93..4f6181351 100644
--- a/config.py
+++ b/config.py
@@ -77,6 +77,11 @@ class DefaultConfig(object):
 DB_TRANSACTION_FACTORY = create_transaction
+ # If set to true, TLS is used, but is terminated by an external service (such as a load balancer).
+ # Note that PREFERRED_URL_SCHEME must be `https` when this flag is set or it can lead to undefined
+ # behavior.
+ EXTERNAL_TLS_TERMINATION = False
+
 # If true, CDN URLs will be used for our external dependencies, rather than the local
 # copies.
 USE_CDN = True
diff --git a/health/services.py b/health/services.py
index a56422ad7..66a8b4033 100644
--- a/health/services.py
+++ b/health/services.py
@@ -16,7 +16,11 @@ def _check_registry_gunicorn(app):
 if len(hostname_parts) == 2:
 port = ':' + hostname_parts[1]
- registry_url = '%s://localhost%s/v1/_internal_ping' % (app.config['PREFERRED_URL_SCHEME'], port)
+ scheme = app.config['PREFERRED_URL_SCHEME']
+ if app.config.get('EXTERNAL_TLS_TERMINATION', False):
+ scheme = 'http'
+
+ registry_url = '%s://localhost%s/v1/_internal_ping' % (scheme, port)
 try:
 return client.get(registry_url, verify=False, timeout=2).status_code == 200
 except Exception:
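Review bot: The new comment on `EXTERNAL_TLS_TERMINATION` in config.py says `PREFERRED_URL_SCHEME` must be `https` when the flag is set, but nothing in this patch enforces that. A deployment that sets the flag and leaves the scheme at `http` drifts silently into the "undefined behavior" the comment warns about. A check where the configuration is validated (not visible in this diff) would surface the mistake at startup, rejecting the case `app.config.get('EXTERNAL_TLS_TERMINATION', False) and app.config['PREFERRED_URL_SCHEME'] != 'https'`. Judging from the health/services.py hunk, the application serves plain HTTP itself when the flag is on, so the comment should also say that the hop between the terminator and the app is unencrypted and must be on a trusted network.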
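Review bot: The override to `'http'` in `_check_registry_gunicorn` (health/services.py) carries no comment explaining why the health check ignores `PREFERRED_URL_SCHEME` when the flag is set. Presumably the local gunicorn listener speaks plain HTTP once TLS ends upstream; say so above the `if`, for example `# TLS is terminated externally, so the local listener only speaks plain HTTP.` The commit message names cookies and other consumers of the scheme, so a small shared helper that returns the internal scheme would keep those call sites from diverging from this one. The function begins and ends outside the hunk, so the rest of its error handling is not reviewed here.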