
yahoo-eng-team team mailing list archive

[Bug 1528266] [NEW] Enable secure_proxy_ssl_header by default in keystone.conf

 

*** This bug is a duplicate of bug 1528258 ***
    https://bugs.launchpad.net/bugs/1528258

Public bug reported:

Currently, keystone.conf has an option named secure_proxy_ssl_header
which is set to None by default. I suppose it should be set to
HTTP_X_FORWARDED_PROTO by default, as X-Forwarded-Proto is a default
header for this. Also, this doesn't break anything by default, because
if this header is unset, the code related to it will never be used.
Today 2 steps should be done if we have an SSL terminator in front of
keystone: we should configure keystone in a special way for this and
also configure the terminator in a special way. This leads to trouble,
misunderstanding of how keystone works and false-positive bug reports,
so it would be much nicer to have this option enabled by default.

** Affects: keystone
     Importance: Undecided
         Status: New

** This bug has been marked a duplicate of bug 1528258
   secure_proxy_ssl_header should default to HTTP_X_FORWARDED_PROTO

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1528266

Title:
  Enable secure_proxy_ssl_header by default in keystone.conf

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1528266/+subscriptions
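
Added example, not part of the bug report and not keystone's own code: a minimal WSGI sketch of what an option like secure_proxy_ssl_header does behind an SSL terminator, with the option unset and set. The middleware name, the host name and the http/https allow-list are assumptions made for illustration.

```python
from wsgiref.util import request_uri


class SecureProxySchemeMiddleware:
    """Illustrative middleware (hypothetical name), not keystone's implementation."""

    def __init__(self, app, secure_proxy_ssl_header=None):
        self.app = app
        # Value as written in keystone.conf, e.g. "HTTP_X_FORWARDED_PROTO".
        # None is the default the report describes.
        self.header = secure_proxy_ssl_header

    def __call__(self, environ, start_response):
        if self.header:
            forwarded = environ.get(self.header, "").strip().lower()
            # Assumption of this sketch: accept only the two valid schemes and
            # leave the scheme untouched for a missing or unexpected value.
            if forwarded in ("http", "https"):
                environ["wsgi.url_scheme"] = forwarded
        return self.app(environ, start_response)


def echo_url_app(environ, start_response):
    """Stand-in application: returns the URL it believes it was reached on."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [request_uri(environ).encode()]


def url_seen_by_app(option_value, forwarded_proto=None):
    """Run one constructed request, as forwarded over plain HTTP by the terminator."""
    environ = {
        "REQUEST_METHOD": "GET",
        "wsgi.url_scheme": "http",  # terminator-to-backend hop is not TLS
        "HTTP_HOST": "keystone.example.test:5000",  # constructed host name
        "SCRIPT_NAME": "",
        "PATH_INFO": "/v3",
    }
    if forwarded_proto is not None:
        # The value is only trustworthy when the terminator sets or overwrites
        # X-Forwarded-Proto itself instead of passing a client-sent copy through.
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    app = SecureProxySchemeMiddleware(echo_url_app, option_value)
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    for option in (None, "HTTP_X_FORWARDED_PROTO"):
        for proto in (None, "https", "gopher"):
            print(option, proto, "->", url_seen_by_app(option, proto))
```

With the option unset the application builds http:// URLs even though the client connected over TLS; with it set, the scheme follows the header, which is why the terminator side of the configuration matters as much as the keystone side.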