← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #67560

[Bug 1620967] Re: Neutron API behind SSL terminating haproxy returns http version URL's instead of https

  Thread PreviousDate PreviousThread Next 
** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1620967

Title:
   Neutron API behind SSL terminating haproxy returns http version URL's
  instead of https

Status in neutron:
  Fix Released

Bug description:
  This is a re-post of an issue that was reported for an older OpenStack
  version. Unfortunately, I am confronted with the same problem in
  OpenStack Mitaka. Keystone has a proper support for the case, when you
  use SSL terminating via HAProxy.

  Have a look here:
  https://bugzilla.redhat.com/show_bug.cgi?id=1259351

  Description of problem:

  When using haproxy with SSL termination in front of neutron, neutron
  will return version URL's with http:// prefix instead of https://.
  This causes API clients to fail.

  How reproducible:

  Steps to Reproduce:
  1. Configure HAproxy in front of Neutron with SSL termination (so client talks to neutron over SSL, HAproxy talks to Neutron over plain HTTP)
  2. curl https://openstack-api.example.com:9696

  Actual results:

  {"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href":
  "http://openstack-api.example.com:9696/v2.0";, "rel": "self"}]}]}

  Expected results:

  {"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href":
  "https://openstack-api.example.com:9696/v2.0";, "rel": "self"}]}]}

  Additional info:

  I patched this issue in /usr/lib/python2.7/site-
  packages/neutron/api/views/versions.py:

  def get_view_builder(req):
      base_url = req.application_url
      if req.environ.get('HTTP_X_FORWARDED_PROTO', None) != None:
          base_url = base_url.replace('http://', 'https://')
      return ViewBuilder(base_url)

  Then neutron returns the proper https URL. The X-Forwarded-Proto
  header is inserted by haproxy.

  Note: this issue is present in other openstack api's as well but can
  be worked around by setting public_endpoint explicitly. This option is
  not available in neutron however.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1620967/+subscriptions

References

  Thread PreviousDate PreviousThread Next