[openstack-dev] [all] Consistent support for SSL termination proxies across all API services

Julien Danjou julien at danjou.info
Wed Sep 23 12:12:19 UTC 2015


On Wed, Sep 23 2015, ZZelle wrote:

> * It doesn't work when the service itself acts as a proxy (typically nova
> image-list)
> * it doesn't work when you rewrite from
> https://<proxy-host>:<proxy-port>/<base>/...
> to http://<host>:<port>/...
>   because the <base> information is not provided in the headers (except if
> you exploit a webob limitation)

Yup, that's what I wrote in my previous mail – that's the only case not
covered correctly except if you have specific oslo.config option à la
Keystone.

Though we could also use and document a header that we would use inside
OpenStack to pass the <base> around. That would avoid having anything to
configure in each service, just setting a proper header in your proxy.
Which means less configuration to do for OpenStack – always a good thing
IMHO.

-- 
Julien Danjou
# Free Software hacker
# http://julien.danjou.info
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 800 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150923/1b63389f/attachment.pgp>


More information about the OpenStack-dev mailing list