yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1573766] Re: Enable the paste filter HTTPProxyToWSGI by default

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1573766@xxxxxxxxxxxxxxxxxx>
Date: Tue, 24 May 2016 20:04:38 -0000
Reply-to: Bug 1573766 <1573766@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/318603
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b609a3b32ee8e68cef7e66fabff07ca8ad6d4649
Submitter: Jenkins
Branch:    master

commit b609a3b32ee8e68cef7e66fabff07ca8ad6d4649
Author: Juan Antonio Osorio Robles <jaosorior@xxxxxxxxxx>
Date:   Thu May 19 15:10:22 2016 +0300

    Add http_proxy_to_wsgi to api-paste
    
    This sets up the HTTPProxyToWSGI middleware in front of Nova-API. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Nova.
    
    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Nova, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.
    
    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.
    
    Change-Id: Ia78f73e96585ab33a379a0b0be6d9682f7fbd810
    Closes-Bug: #1573766


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1573766

Title:
  Enable the paste filter HTTPProxyToWSGI by default

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  oslo middleware provides a paste filter that sets the correct proxy
  scheme and host. This is needed for the TLS proxy case.

  Without this then enabling the TLS proxy in devstack will fail
  configuring tempest because 'nova flavor-list' returns a http scheme
  in Location in a redirect it returns.

  I've proposed a temporary workaround in devstack using:

  +            iniset $NOVA_API_PASTE_INI filter:ssl_header_handler past
  e.filter_factory oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
  +            iniset $NOVA_API_PASTE_INI composite:openstack_compute_ap
  i_v21 keystone "ssl_header_handler cors compute_req_id faultwrap sizelimit autht
  oken keystonecontext osapi_compute_app_v21"

  But this isn't a long-term solution because two copies of the default
  paste filters will need to be maintained.

  See https://review.openstack.org/#/c/301172

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1573766/+subscriptions

References

[Bug 1573766] [NEW] Enable the paste filter HTTPProxyToWSGI by default
From: Rob Crittenden, 2016-04-22