
yahoo-eng-team team mailing list archive

[Bug 1788180] Re: nova-serialproxy should support X-Forwarded-Proto

 

Reviewed:  https://review.openstack.org/631103
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=890e2d320e8e8e7b501af8e21cc6b751fb204d04
Submitter: Zuul
Branch:    master

commit 890e2d320e8e8e7b501af8e21cc6b751fb204d04
Author: melanie witt <melwittt@xxxxxxxxx>
Date:   Wed Jan 16 00:27:42 2019 +0000

    Use X-Forwarded-Proto as origin protocol if present
    
    When using a haproxy with SSL termination to provide secure console
    connections, haproxy will change the Origin header scheme to 'http'
    and add the 'X-Forwarded-Proto: https' header. This causes a failure
    in the Nova console proxy code which verifies that the Origin header
    scheme matches the access_url scheme for the connection, because the
    Origin header coming from haproxy is 'http' while the access_url
    scheme is 'https' or 'wss'.
    
    This looks for the X-Forwarded-Proto header and uses its scheme for
    the verification instead, if it is present.
    
    Closes-Bug: #1788180
    
    Change-Id: I43401dc8368853654bf443273a0a1b5b9b63e3f0


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1788180

Title:
  nova-serialproxy should support X-Forwarded-Proto

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Setup description
  ------------------
  Multinode deployment with kolla with keepalived and haproxy with SSL
  termination. nova-serialproxy is configured with base_url=wss://
  because I want my users to connect through a secure channel.

  Problem description
  -------------------
  Get a serial-proxy url with token like this (works fine):
    openstack console url show --insecure --serial <uuid>

  Connect to the url (in my case: simple python websocket):
    python serial.py wss://hostname:6083?token=<token>

  Result:
    nova-serialproxy closes the connection
    Log contains "Origin header protocol does not match this host."

  Expected result:
    connection works

  Problem analysis
  ----------------
  haproxy accepts the wss:// connection and forwards the connection to the
  serialproxy process. HAproxy changes the Origin header to 'http' and adds
  a header 'X-Forwarded-Proto: https'.

  'websocketproxy.py' accepts the connection and fails because the URL
  in 'Origin' does not have the same scheme/protocol as issued in the
  'console url show' command.

  AFAIK the behaviour of haproxy is ok and the serialproxy should offer a
  possibility to check the value of 'X-Forwarded-Proto' as source protocol.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1788180/+subscriptions
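
The scheme check described in the commit message above, as an added Python example that is not Nova's code and not part of the original message. The function names, the plain-dict header lookup, and the treatment of ws/wss as equivalent to http/https are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Assumption of this example: ws/wss compare equal to http/https, because the
# Origin header carries an http(s) scheme even when the access URL is ws(s).
_EQUIVALENT = {"ws": "http", "wss": "https"}


def _normalize(scheme):
    scheme = scheme.strip().lower()
    return _EQUIVALENT.get(scheme, scheme)


def effective_origin_scheme(headers):
    """Scheme to verify: X-Forwarded-Proto if present, else the Origin scheme."""
    forwarded = headers.get("X-Forwarded-Proto")
    if forwarded:
        return _normalize(forwarded)
    origin = headers.get("Origin")
    if not origin:
        return None
    return _normalize(urlsplit(origin).scheme) or None


def origin_scheme_ok(headers, access_url):
    """True only if the effective origin scheme matches the access URL scheme."""
    expected = _normalize(urlsplit(access_url).scheme)
    actual = effective_origin_scheme(headers)
    # Fail closed: a missing or unparsable scheme never matches.
    return actual is not None and actual == expected


# Constructed sample requests (hostname and port taken from the bug report).
ACCESS_URL = "wss://hostname:6083"
BEHIND_PROXY = {"Origin": "http://hostname:6083", "X-Forwarded-Proto": "https"}
REWRITTEN_ORIGIN_ONLY = {"Origin": "http://hostname:6083"}
DIRECT_TLS = {"Origin": "https://hostname:6083"}
DOWNGRADED = {"Origin": "https://hostname:6083", "X-Forwarded-Proto": "http"}

if __name__ == "__main__":
    for name, hdrs in [("behind proxy", BEHIND_PROXY),
                       ("rewritten Origin only", REWRITTEN_ORIGIN_ONLY),
                       ("direct TLS", DIRECT_TLS),
                       ("forwarded as http", DOWNGRADED)]:
        print(f"{name}: {origin_scheme_ok(hdrs, ACCESS_URL)}")
```

The forwarded header is only meaningful when the terminating proxy sets or overwrites it; if the backend port is reachable without passing through the proxy, the value is whatever the client sent.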

