yahoo-eng-team team mailing list archive
Message #74374
[Bug 1788180] [NEW] nova-serialproxy should support X-Forwarded-Proto
Public bug reported:
Setup description
------------------
Multinode deployment with kolla with keepalived and haproxy with SSL
termination. nova-serialproxy is configured with base_url=wss://
because I want my users to connect through a secure channel.
Problem description
-------------------
Get a serial-proxy url with token like this (works fine):
  openstack console url show --insecure --serial <uuid>
Connect to the url (in my case: simple python websocket):
  python serial.py wss://hostname:6083?token=<token>
Result:
  nova-serialproxy closes the connection
  Log contains "Origin header protocol does not match this host."
Expected result:
  connection works
Problem analysis
----------------
haproxy accepts the wss:// connection and forwards the connection to the
serialproxy process. HAproxy changes the Origin header to 'http' and adds
a header 'X-Forwarded-Proto: https'.
'websocketproxy.py' accepts the connection and fails because the URL
in 'Origin' does not have the same scheme/protocol as issued in the
'console url show' command.
AFAIK the behaviour of haproxy is ok and the serialproxy should offer a
possibility to check the value of 'X-Forwarded-Proto' as source protocol.
** Affects: nova
Importance: Undecided
Status: New
** Description changed:
Setup description
------------------
Multinode deployment with kolla with keepalived and haproxy with SSL termination.
nova-serialproxy is configured with base_url=wss:// because I want my users to
connect through a secure channel.
-
Problem description
-------------------
Get a serial-proxy url with token like this (works fine):
- openstack console url show --insecure --serial <uuid>
+ openstack console url show --insecure --serial <uuid>
Connect to the url (in my case: simple python websocket):
- python serial.py wss://hostname:6083?token=<token>
+ python serial.py wss://hostname:6083?token=<token>
Result:
- nova-serialproxy closes the connection
- Log contains "Origin header protocol does not match this host."
+ nova-serialproxy closes the connection
+ Log contains "Origin header protocol does not match this host."
Expected result:
- connection works
-
+ connection works
Problem analysis
----------------
haproxy accepts the wss:// connection and forwards the connection to the
serialproxy process. HAproxy changes the Origin header to 'http' and adds
a header 'X-Forwarded-Proto: https'.
- 'websocketproxy.py' accepts the connection and fails because the URL in 'Origin'
- has not the same scheme/protocol as issued in the 'console url show' command.
+ 'websocketproxy.py' accepts the connection and fails because the URL
+ in 'Origin'has not the same scheme/protocol as issued in the
+ 'console url show' command.
- AFAIK the behaviour of haproxy is ok and the serialproxy should offer a possiblity to
- check the value of 'X-Forwarded-Proto' as source protocol.
+ AFAIK the behaviour of haproxy is ok and the serialproxy should offer a
+ possiblity to check the value of 'X-Forwarded-Proto' as source protocol.
** Description changed:
Setup description
------------------
- Multinode deployment with kolla with keepalived and haproxy with SSL termination.
- nova-serialproxy is configured with base_url=wss:// because I want my users to
- connect through a secure channel.
+ Multinode deployment with kolla with keepalived and haproxy with SSL
+ termination. nova-serialproxy is configured with base_url=wss://
+ because I want my users to connect through a secure channel.
Problem description
-------------------
Get a serial-proxy url with token like this (works fine):
openstack console url show --insecure --serial <uuid>
Connect to the url (in my case: simple python websocket):
python serial.py wss://hostname:6083?token=<token>
Result:
nova-serialproxy closes the connection
Log contains "Origin header protocol does not match this host."
Expected result:
connection works
Problem analysis
----------------
haproxy accepts the wss:// connection and forwards the connection to the
serialproxy process. HAproxy changes the Origin header to 'http' and adds
a header 'X-Forwarded-Proto: https'.
'websocketproxy.py' accepts the connection and fails because the URL
in 'Origin'has not the same scheme/protocol as issued in the
'console url show' command.
AFAIK the behaviour of haproxy is ok and the serialproxy should offer a
possiblity to check the value of 'X-Forwarded-Proto' as source protocol.
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1788180
Title:
nova-serialproxy should support X-Forwarded-Proto
Status in OpenStack Compute (nova):
New
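An added example, not part of the bug report and not nova's code: a sketch of the scheme check the report asks for, in which X-Forwarded-Proto stands in for the Origin scheme only when the TCP peer is a known proxy, since any client can send that header itself. The function names, the trusted_proxies parameter and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Scheme a browser sends in Origin for each WebSocket URL scheme.
WS_TO_WEB = {"ws": "http", "wss": "https"}


def effective_origin_scheme(headers, peer_ip, trusted_proxies):
    """Scheme to compare with the issued console URL (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin_scheme = urlparse(h.get("origin", "")).scheme.lower()
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in ipaddress.ip_network(net) for net in trusted_proxies)
    forwarded = h.get("x-forwarded-proto", "").strip().lower()
    # Honour the header only from a trusted proxy and only for an exact,
    # single value; lists and unknown values fall back to Origin.
    if from_proxy and forwarded in ("http", "https"):
        return forwarded
    return origin_scheme


def origin_proto_ok(headers, peer_ip, base_url, trusted_proxies=()):
    """True when the request scheme matches the scheme of base_url."""
    expected = WS_TO_WEB.get(urlparse(base_url).scheme.lower())
    if expected is None:
        return False  # base_url is not ws:// or wss://
    return effective_origin_scheme(headers, peer_ip, trusted_proxies) == expected


# Constructed sample data: the headers the report describes arriving behind haproxy.
BASE_URL = "wss://hostname:6083"
PROXIED = {"Origin": "http://hostname:6083", "X-Forwarded-Proto": "https"}
TRUSTED = ["10.0.0.0/24"]   # assumed haproxy/keepalived subnet
PROXY_IP = "10.0.0.5"       # assumed proxy address
OUTSIDE_IP = "203.0.113.9"  # documentation-range address, not a proxy

if __name__ == "__main__":
    print(origin_proto_ok(PROXIED, PROXY_IP, BASE_URL))             # no proxy trust configured
    print(origin_proto_ok(PROXIED, PROXY_IP, BASE_URL, TRUSTED))    # header honoured
    print(origin_proto_ok(PROXIED, OUTSIDE_IP, BASE_URL, TRUSTED))  # header ignored
```

With no trusted proxies configured the check behaves as in the report and rejects the proxied request; the same headers from an address outside the trusted range are still rejected.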