[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

Adam Young ayoung at redhat.com
Fri Aug 5 20:52:35 UTC 2016


Today I discovered that we need to modify the HA proxy config to tell it 
to rewrite redirects.  Otherwise, I get a link to

http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse


Which should be https, not http.


I mimicked the lines in the horizon config so that the keystone section 
looks like this:


listen keystone_public
   bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
   bind 172.16.2.5:5000 transparent
   mode http
   redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
   rsprep ^Location:\ http://(.*) Location:\ https://\1
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
   http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
   server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2
   server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 rise 2
   server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 rise 2

And... it seemed to work the first time, but not the second.  Now I get

"Secure Connection Failed

The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted 
while the page was loading."

Guessing the first success was actually a transient error.

So it looks like my change was necessary but not sufficient.

This is needed to make mod_auth_mellon work when loaded into Apache, and 
Apache is running behind HA proxy (Tripleo setup).


There is no SSL setup inside the Keystone server, it is just doing 
straight HTTP.  While I'd like to change this long term, I'd like to get 
things working this way first, but am willing to make whatever changes 
are needed to get SAML and Federation working soonest.
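As an added check, not part of the mail above or of TripleO's own code: a small Python simulation of the two rules in the posted keystone_public section that decide the redirect scheme, the rsprep Location rewrite and the X-Forwarded-Proto headers, run over a constructed redirect shaped like the one quoted in the mail. It assumes HAProxy's documented rsprep behaviour of matching each full "Name: value" response header line, with "\ " standing for a literal space.

```python
import re
from typing import List, Tuple

# Rule copied from the posted keystone_public section:
#   rsprep ^Location:\ http://(.*) Location:\ https://\1
# HAProxy runs rsprep against each response header line as a whole,
# so the regex below is the same rule written in Python syntax.
RSPREP_PATTERN = re.compile(r"^Location: http://(.*)")
RSPREP_REPLACEMENT = r"Location: https://\1"


def apply_rsprep(header_lines: List[str]) -> List[str]:
    """Rewrite response header lines the way the posted rsprep rule would.

    The posted rule carries no `if` condition (unlike the redirect rule
    two lines above it), so it fires on every response from this listen
    section, whichever bind (TLS on :13000 or plain HTTP on :5000)
    accepted the request.
    """
    return [RSPREP_PATTERN.sub(RSPREP_REPLACEMENT, line) for line in header_lines]


def forwarded_proto(ssl_fc: bool) -> str:
    """Value the two http-request rules set for X-Forwarded-Proto."""
    return "https" if ssl_fc else "http"


def simulate(header_lines: List[str], ssl_fc: bool) -> Tuple[List[str], str]:
    """Headers the client would see plus the proto header Apache would get."""
    return apply_rsprep(header_lines), forwarded_proto(ssl_fc)


# Constructed sample (not a real capture): a backend redirect to the mellon
# endpoint as Apache emits it when it only speaks plain HTTP behind the proxy.
SAMPLE_RESPONSE = [
    "HTTP/1.1 302 Found",
    "Location: http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse",
    "Content-Length: 0",
]

if __name__ == "__main__":
    rewritten, proto = simulate(SAMPLE_RESPONSE, ssl_fc=True)
    for line in rewritten:
        print(line)
    print("X-Forwarded-Proto sent to Apache:", proto)
```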