yahoo-eng-team team mailing list archive

[Bug 1558683] Re: Versions endpoint does not support X-Forwarded-Proto

 

Reviewed:  https://review.openstack.org/326798
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Submitter: Jenkins
Branch:    master

commit b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Author: Jamie Lennox <jamielennox@xxxxxxxxx>
Date:   Wed Jun 8 11:59:09 2016 +1000

    Use http-proxy-to-wsgi middleware from oslo.middleware
    
    The HTTP_X_FORWARDED_PROTO handling fails to handle the case of
    redirecting the /v1 request to /v1/ because it is handled purely by
    routes and does not enter the glance wsgi code. This means a https
    request is redirected to http and fails.
    
    oslo.middleware has middleware for handling the X-Forwarded-Proto header
    in a standard way so that services don't have to and so we should use
    that instead of our own mechanism.
    
    Leaving the existing header handling around until removal should not be
    a problem as the worst that will happen is it overwrites an existing
    'https' header value set by the middleware.
    
    Closes-Bug: #1558683
    Closes-Bug: #1590608
    Change-Id: I481d88020b6e8420ce4b9072dd30ec82fe3fb4f7


** Changed in: glance
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1558683

Title:
  Versions endpoint does not support X-Forwarded-Proto

Status in Cinder:
  Fix Released
Status in Glance:
  Fix Released

Bug description:
  When a project is deployed behind an SSL terminating proxy, the version
  endpoint returns the wrong URLs.  The returned protocol in the response
  URLs is http:// instead of the expected https://.

  This is because the response built by versions.py gets the host
  information only from the incoming req.  If SSL has been terminated by
  a proxy, then the information in the req indicates http://.  Other
  projects have addressed this by adding the config parameter
  secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO.  This will tell the
  project to use the value in X-Forwarded-Proto (https or http) when
  building the URLs in the response.  Nova and Keystone support this
  configuration option.

  One workaround is to set the public_endpoint parameter. However, the
  value set for public_endpoint is also returned when the internal and
  admin version endpoints are queried, which breaks other things.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1558683/+subscriptions
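
The redirect failure from the commit message and the scheme problem from the bug description, as an added example that is not part of the original message and is not Glance or oslo.middleware code: a toy WSGI stack in which the handler's own X-Forwarded-Proto handling misses the /v1 redirect issued by the routing layer, while a middleware placed in front of routing covers both. The names versions, router, ForwardedProto, request, the behind_proxy switch and the host images.example.test are assumptions made for this illustration.

```python
import json
from wsgiref.util import application_uri, setup_testing_defaults

def versions(environ, start_response):
    # Legacy style: the handler itself consults the forwarded header.
    if environ.get("HTTP_X_FORWARDED_PROTO") == "https":
        environ["wsgi.url_scheme"] = "https"
    href = application_uri(environ).rstrip("/") + "/v1/"
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"versions": [{"id": "v1", "href": href}]}).encode()]

def router(environ, start_response):
    # Stand-in for the routing layer: the /v1 -> /v1/ redirect is issued
    # here and never reaches the handler's header logic.
    if environ["PATH_INFO"] == "/v1":
        location = application_uri(environ).rstrip("/") + "/v1/"
        start_response("301 Moved Permanently", [("Location", location)])
        return [b""]
    return versions(environ, start_response)

class ForwardedProto:
    """Set wsgi.url_scheme from X-Forwarded-Proto before routing runs."""
    def __init__(self, app, behind_proxy=False):
        self.app, self.behind_proxy = app, behind_proxy

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        # Honour the header only when the deployer declares a proxy in front;
        # otherwise any client could choose the scheme in generated URLs.
        if self.behind_proxy and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)

def request(app, path, forwarded_proto=None):
    """Send one constructed request; return (status, headers dict, body)."""
    environ = {"PATH_INFO": path, "HTTP_HOST": "images.example.test"}
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http" etc.
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    print(request(router, "/v1", "https")[1]["Location"])
    print(request(ForwardedProto(router, True), "/v1", "https")[1]["Location"])
```

With behind_proxy left at False the header is ignored, which is the safe setting for a service that clients can reach directly.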

