yahoo-eng-team team mailing list archive

[Bug 1620967] [NEW] Neutron API behind SSL terminating haproxy returns http version URL's instead of https

 

Public bug reported:

This is a re-post of an issue that was reported for an older OpenStack
version. Unfortunately, I am confronted with the same problem in
OpenStack Mitaka. Keystone has proper support for the case where you
use SSL termination via HAProxy.

Have a look here:
https://bugzilla.redhat.com/show_bug.cgi?id=1259351

Description of problem:

When using haproxy with SSL termination in front of neutron, neutron
will return version URLs with an http:// prefix instead of https://. This
causes API clients to fail.

How reproducible:

Steps to Reproduce:
1. Configure HAproxy in front of Neutron with SSL termination (so client talks to neutron over SSL, HAproxy talks to Neutron over plain HTTP)
2. curl https://openstack-api.example.com:9696

Actual results:

{"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href":
"http://openstack-api.example.com:9696/v2.0", "rel": "self"}]}]}

Expected results:

{"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href":
"https://openstack-api.example.com:9696/v2.0", "rel": "self"}]}]}

Additional info:

I patched this issue in
/usr/lib/python2.7/site-packages/neutron/api/views/versions.py:

def get_view_builder(req):
    base_url = req.application_url
    # HAProxy sets X-Forwarded-Proto; rewrite only when it reports https.
    if req.environ.get('HTTP_X_FORWARDED_PROTO', '').lower() == 'https':
        base_url = base_url.replace('http://', 'https://', 1)
    return ViewBuilder(base_url)

Then neutron returns the proper https URL. The X-Forwarded-Proto header
is inserted by haproxy.

Note: this issue is present in other OpenStack APIs as well but can be
worked around by setting public_endpoint explicitly. This option is not
available in neutron, however.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1620967

Title:
   Neutron API behind SSL terminating haproxy returns http version URL's
  instead of https

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1620967/+subscriptions
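
The workaround in the report trusts X-Forwarded-Proto from any sender, so a client that reaches Neutron without passing through HAProxy can influence the URLs the API advertises. The following is an added example, not Neutron's code or the reporter's patch: a WSGI middleware that applies the header only when the TCP peer is a known proxy. ForwardedProtoMiddleware, TRUSTED_PROXIES, version_app, advertised_url and the 10.0.0.10 proxy address are assumptions made for the example.

```python
import ipaddress

# Assumption: the address HAProxy connects from (constructed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]


def _from_trusted_proxy(environ):
    """True when the direct TCP peer is one of the configured proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class ForwardedProtoMiddleware:
    """Hypothetical wrapper: honour X-Forwarded-Proto from trusted peers only."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Always remove the header so the wrapped app never sees an untrusted copy.
        proto = environ.pop("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto in ("http", "https") and _from_trusted_proxy(environ):
            # WebOb derives req.application_url from wsgi.url_scheme.
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def version_app(environ, start_response):
    """Stand-in for the version endpoint: returns the base URL it would advertise."""
    base_url = "%s://%s" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [base_url.encode("ascii")]


def advertised_url(remote_addr, forwarded_proto=None):
    """Send one constructed request through the middleware; return the URL."""
    environ = {
        "REQUEST_METHOD": "GET",
        "wsgi.url_scheme": "http",  # HAProxy talks plain HTTP to the backend
        "HTTP_HOST": "openstack-api.example.com:9696",
        "REMOTE_ADDR": remote_addr,
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    body = ForwardedProtoMiddleware(version_app)(environ, lambda s, h: None)
    return b"".join(body).decode("ascii")
```
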