<p dir="ltr">Adam, that should be fixed by <a href="https://review.openstack.org/#/c/341354/">https://review.openstack.org/#/c/341354/</a> which merged not too many days ago. Before that commit we had another configuration which was already deprecated in keystone upstream. </p>
<div class="gmail_extra"><br><div class="gmail_quote">On 6 Aug 2016 05:04, "Adam Young" <<a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>On 08/05/2016 06:40 PM, Fox, Kevin M
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div lang="x-western">
        <div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">
          <div style="font-family:Times New Roman;color:#000000;font-size:16px">
            <hr>
            <div style="direction:ltr"><font color="#000000" face="Tahoma" size="2"><b>From:</b> Adam
                Young [<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>]<br>
                <b>Sent:</b> Friday, August 05, 2016 3:06 PM<br>
                <b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>
                <b>Subject:</b> Re: [openstack-dev] [keystone][tripleo]
                Federation, mod_mellon, and HA Proxy<br>
              </font><br>
            </div>
            <div>
              <div>On 08/05/2016 04:54 PM, Adam
                Young wrote:<br>
              </div>
              <blockquote type="cite">On 08/05/2016 04:52 PM, Adam Young
                wrote: <br>
                <blockquote type="cite">Today I discovered that we need
                  to modify the HA proxy config to tell it to rewrite
                  redirects.  Otherwise, I get a link to
                  <br>
                  <br>
                  <a href="http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse" target="_blank">http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse</a>
                  <br>
                  <br>
                  <br>
                  Which should be https, not http. <br>
                  <br>
                  <br>
                  I mimicked the lines in the horizon config so that the
                  keystone section looks like this:
                  <br>
                  <br>
                  <br>
<pre>listen keystone_public
  # public VIP: TLS is terminated here by HAProxy
  bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  # plain-HTTP listener
  bind 172.16.2.5:5000 transparent
  mode http
  redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
  # rewrite http:// Location headers returned by the backends to https://
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 rise 2</pre>
                  <br>
                  And.. it seemed to work the first time, but not the
                  second.  Now I get <br>
                  <br>
                  "Secure Connection Failed <br>
                  <br>
                  The connection to
                  openstack.ayoung-dell-t1700.test:5000 was interrupted
                  while the page was loading."
                  <br>
                  <br>
                  Guessing the first success was actually a transient
                  error. <br>
                  <br>
                  So it looks like my change was necessary but not
                  sufficient. <br>
                  <br>
                  This is needed to make mod_auth_mellon work when
                  loaded into Apache, and Apache is running behind  HA
                  proxy (Tripleo setup).
                  <br>
                  <br>
                  <br>
                  There is no SSL setup inside the Keystone server, it
                  is just doing straight HTTP.  While I'd like to change
                  this long term, I'd like to get things working this
                  way first, but am willing to make whatever changes are
                  needed to get SAML and Federation working soonest. <br>
                  <br>
                  <br>
                  <br>
                  <br>
                </blockquote>
                Ah...just noticed the redirect is to :5000, not port
                :13000 which is the HA Proxy port.
                <br>
              </blockquote>
              <br>
              OK, this is due to the SAML request:<br>
              <br>
              <br>
<pre><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_5089011BEBD0F6B82074F67E904F598D"
                    Version="2.0"
                    IssueInstant="2016-08-05T21:55:18Z"
                    Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
                    ForceAuthn="false"
                    IsPassive="false"
                    AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"
                    >
    <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>
</pre>
              <br>
              My guess is HA proxy is not passing on the proper, and the
              mod_auth_mellon does not know to rewrite it from 5000 to
              13000<br>
              <br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
"Rewriting is more expensive than getting the web server to return
the right prefix. Is that an option? Usually it's just a bug that
needs a minor patch to fix.<br>
<br>
Thanks,<br>
Kevin"<br>
    <br>
    <br>
Well, I think in this case, the expense is not something to worry
about: SAML is way more chatty than normal traffic, and the rewrite
won't be a drop in the bucket.<br>
    <br>
I think the right thing to do is to get HA proxy to pass on the
correct URL, including the port, to the backend, but I don't think
it is done in the rsprep directive. As John Dennis pointed out to
me, the mod_auth_mellon code uses the Apache
ap_construct_url(r->pool, cfg->endpoint_path, r) where r is
the current request record. And that has to be passed from HA proxy
to Apache.<br>
    <br>
HA proxy is terminating SSL, and then calling Apache via<br>
<pre>server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2</pre>
and two others. Everything appears to be properly translated except
the port.<br>
    <br>
    <br>
    <br>
    <br>
    <blockquote type="cite">
      <div lang="x-western">
        <div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">
          <div style="font-family:Times New Roman;color:#000000;font-size:16px">
            <div>
              <blockquote type="cite"><br>
                <br>
__________________________________________________________________________
                <br>
                OpenStack Development Mailing List (not for usage
                questions) <br>
                Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a> <br>
                <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
                <br>
              </blockquote>
              <p><br>
              </p>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div>

<br></blockquote></div></div>
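<p>The failure Adam describes is visible in the AuthnRequest itself: the SP advertises an AssertionConsumerServiceURL and Issuer built from the backend request (port 5000) rather than from the public HAProxy endpoint (port 13000). The script below is an added example, not code from the thread, from mod_auth_mellon or from TripleO. It decodes a SAML HTTP-Redirect binding (raw DEFLATE plus base64) and checks every URL the SP advertises against an expected public origin. The expected origin <code>https://openstack.ayoung-dell-t1700.test:13000</code> is an assumption taken from the addresses in the thread, and the sample request is a constructed copy of the one Adam pasted.</p>

```python
"""
Added example (not from the thread, mod_auth_mellon or TripleO): decode a
SAML AuthnRequest and verify the URLs the SP advertises match the public
endpoint that the HAProxy frontend exposes. The expected public origin is an
assumption based on the addresses quoted in the thread.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the AuthnRequest from the thread. Port 5000 is the
# backend Apache listener; HAProxy terminates TLS on 13000 (assumed public port).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_5089011BEBD0F6B82074F67E904F598D" Version="2.0"
    IssueInstant="2016-08-05T21:55:18Z"
    Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
    ForceAuthn="false" IsPassive="false"
    AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse">
  <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text):
    """Build the query string of an HTTP-Redirect binding request:
    raw DEFLATE, then base64, then URL-encoding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return "SAMLRequest=" + quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(query_string):
    """Inverse of encode_redirect_binding: recover the XML text from the
    query string the browser was redirected to the IdP with."""
    params = parse_qs(query_string)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def _origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))


def check_authn_request(xml_text, public_base):
    """Return a list of findings (empty when everything matches): one per URL
    the SP advertises whose scheme, host or port differs from public_base.
    This is exactly the symptom when Apache behind a TLS-terminating proxy
    builds its URLs from the backend request rather than the public one."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    advertised = {
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "Issuer": root.findtext("saml:Issuer", namespaces=NS),
    }
    expected = _origin(public_base)
    findings = []
    for name, url in advertised.items():
        if not url:
            findings.append("%s is missing" % name)
        elif _origin(url) != expected:
            findings.append("%s is %s, expected origin %s://%s:%s"
                            % (name, url, expected[0], expected[1], expected[2]))
    return findings


if __name__ == "__main__":
    # Round-trip through the redirect binding, then check against the public endpoint.
    query = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    request_xml = decode_redirect_binding(query)
    for finding in check_authn_request(request_xml, "https://openstack.ayoung-dell-t1700.test:13000"):
        print("MISMATCH:", finding)
```

Run against the sample, the check flags both the ACS URL and the Issuer because they carry port 5000; against <code>https://openstack.ayoung-dell-t1700.test:5000</code> it reports nothing, which is the quick way to tell a port problem from a scheme problem when the proxy's X-Forwarded-Proto handling is in doubt.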