[openstack-dev] [all] Consistent support for SSL termination proxies across all API services

ZZelle zzelle at gmail.com
Wed Sep 23 20:11:31 UTC 2015


Hi


> Ok, how exactly does that work? Because it seems like
> oslo_middleware.ssl is only changing the protocol if the proxy sets it.
>
> But the host in the urls will still be the individual host, which isn't
> the proxy hostname/ip. Sorry if I'm being daft here, just want to
> understand how that flow ends up working.
>

Host and X-Forwarded-Proto headers are provided by the proxy to the service.
Host and X-Forwarded-Proto headers are either built by the proxy or
forwarded (if there are many proxies).


> Will that cover the case of webob's request.application_uri? If so I
> think that covers the REST documents in at least Nova (one good data
> point, and one that I know has been copied around). At least as far as
> the protocol is concerned, it's still got a potential url issue.


I'll let Julien answer :)


> It also looks like there are new standards for Forwarded headers, so the
> middleware should probably support those as well.
> http://tools.ietf.org/html/rfc7239.
>

Good to know! I can update SSLMiddleware to handle it, as the RFC uses the
format:

  "Forwarded: proto=https"

which is different from the de facto standard (supported by SSLMiddleware):

  "X-Forwarded-Proto: https"

Cédric
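
The two header formats discussed in this message, handled in one WSGI middleware. This is an added example, not part of the original message and not oslo.middleware code. The names `parse_forwarded`, `scheme_from_environ`, `ForwardedProtoMiddleware` and the `trusted_proxies` parameter are assumptions of this example.

```python
import re

# RFC 7239 section 4: forwarded-pair = token "=" (token / quoted-string)
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PAIR = re.compile(r'\s*(' + _TOKEN + r')=("(?:[^"\\]|\\.)*"|' + _TOKEN + r')\s*(;|,|$)')


def parse_forwarded(value):
    """Parse a Forwarded header into one dict per proxy hop (first = client-most)."""
    hops, current, pos = [], {}, 0
    while pos < len(value):
        m = _PAIR.match(value, pos)
        if m is None:
            return []  # malformed header: ignore it entirely
        key, val, sep = m.groups()
        if val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])  # unquote and unescape
        current[key.lower()] = val
        if sep == ',':  # a comma ends this hop's element
            hops.append(current)
            current = {}
        pos = m.end()
    if current:
        hops.append(current)
    return hops


def scheme_from_environ(environ):
    """Return 'http' or 'https' as reported by the proxy, or None."""
    hops = parse_forwarded(environ.get("HTTP_FORWARDED", ""))
    if hops:
        proto = hops[0].get("proto", "")
    else:  # fall back to the de facto header; first value is client-most
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0]
    proto = proto.strip().lower()
    return proto if proto in ("http", "https") else None


class ForwardedProtoMiddleware:
    """Hypothetical middleware; trusted_proxies is an assumption of this example."""

    def __init__(self, app, trusted_proxies=()):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        # Only a known proxy may override the scheme; clients can send these headers too.
        if environ.get("REMOTE_ADDR") in self.trusted_proxies:
            scheme = scheme_from_environ(environ)
            if scheme:
                environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)
```
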