[openstack-dev] [all] Consistent support for SSL termination proxies across all API services
mgagne at internap.com
Fri Sep 18 00:38:54 UTC 2015
While debugging LP bug #1491579 , we identified  an issue where an
API sitting being a proxy performing SSL termination would not generate
the right redirection. The protocol ends up being the wrong one (http
instead of https) and this could hang your request indefinitely if
tcp/80 is not opened and a firewall drops your connection.
I suggested  adding support for the X-Fowarded-Proto header, thinking
Nova didn't supported it yet. In fact, someone suggested setting the
public_endpoint config instead.
So today I stumbled across this review  which added the
secure_proxy_ssl_header config to Nova. It allows the API to detect SSL
termination based on the (suggested) header X-Forwarded-Proto just like
I also found this bug report  (opened in 2014) which also happens to
complain about bad URLs when API is sitting behind a proxy.
Multiple projects applied patches to try to fix the issue (based on
* Glance added public_endpoint config
* Cinder added public_endpoint config
* Heat added secure_proxy_ssl_header config (through
* Nova added secure_proxy_ssl_header config
* Manila added secure_proxy_ssl_header config (through
* Ironic added public_endpoint config
* Keystone added secure_proxy_ssl_header config (LP #1370022)
As you can see, there is a lot of inconsistency between projects. (there
is more but lets start with that one)
My wish is for a common and consistent way for *ALL* OpenStack APIs to
support the same solution for this common problem. Let me tell you (and
I guess I can speak for all operators), we will be very happy to have
ONE config to remember of and set for *ALL* OpenStack services.
How can we get the ball rolling so we can fix it together once and for
all in a timely fashion?
More information about the OpenStack-dev