[Openstack-operators] HTTP/S Termination with Haproxy + Keystone

Chris Suttles suttles at gmail.com
Wed Feb 22 18:43:52 UTC 2017


There's a similar option in heat.conf:

secure_proxy_ssl_header = X-Forwarded-Proto

Pretty sure that's needed for most services; I will scrub my configs and
check. We are running a pretty simple install of Newton, and doing haproxy
for SSL termination of all API endpoints.

On Wed, Feb 22, 2017 at 9:58 AM, Chris Apsey <bitskrieg at bitskrieg.net>
wrote:

> Mathieu,
>
> That did the trick - thank you.  On a related note, heat is exhibiting the
> same behavior on some of the API calls (stack list works fine, stack show
> does not because a http URL is returned in the 302 response field, etc.).
>
> I attempted the combination of 'oslo_middleware/enable_proxy_headers_parsing'
> and 'oslo_middleware/secure_proxy_ssl_header' referenced here
> https://docs.openstack.org/newton/config-reference/orchestration/api.html
> along with the appropriate haproxy configuration suggested by Mike, but no
> dice.  The URL doesn't change.  Beyond that, it looks like that option is
> deprecated anyway (at least in heat), although I have not found any
> indication about what is supposed to 'replace' those options going forward.
>
> Ideas?
>
> Thanks so much,
>
> ---
> v/r
>
> Chris Apsey
> bitskrieg at bitskrieg.net
> https://www.bitskrieg.net
>
> On 2017-02-21 21:46, Mathieu Gagné wrote:
>
>> Hi,
>>
>> The problem is that Keystone doesn't know about HAProxy terminating
>> the SSL connection and therefore doesn't know it needs to generate
>> URLs with https:// protocol.
>>
>> You can override the "auto-detected" URLs with those configurations:
>> - [DEFAULT]/public_endpoint
>> - [DEFAULT]/admin_endpoint
>>
>> See documentation for a bit more explanation about those
>> configurations:
>> https://docs.openstack.org/draft/config-reference/identity/api.html
>> --
>> Mathieu
>>
>>
>> On Tue, Feb 21, 2017 at 8:56 PM, Chris Apsey <bitskrieg at bitskrieg.net>
>> wrote:
>>
>>> I'm having a strange issue with keystone after migrating all public
>>> endpoints to https (haproxy terminates the SSL connection for each
>>> service):
>>>
>>> openstack endpoint list
>>>
>>> +----------------------------------+-----------+------------
>>> --+----------------+---------+-----------+------------------
>>> -------------------------------+
>>> | ID                               | Region    | Service Name | Service
>>> Type
>>> | Enabled | Interface | URL                                             |
>>> +----------------------------------+-----------+------------
>>> --+----------------+---------+-----------+------------------
>>> -------------------------------+
>>> ...
>>> | 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity
>>> | True    | public    | https://some.domain.place:5000/v3
>>>    |
>>> ...
>>>
>>> I have also updated my rc files appropriately.  Whenever I try and use
>>> the
>>> CLI against the public endpoints in debug mode, everything starts out
>>> looking good:
>>>
>>> REQ: curl -g -i -X GET https://some.domain.place:5000/v3 -H "Accept:
>>> application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1
>>> python-requests/2.11.1 CPython/2.7.9"
>>>
>>> But then, the response body gives a non-https URL:
>>>
>>> RESP BODY: {"version": {"status": "stable", "updated":
>>> "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json",
>>> "type":
>>> "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links":
>>> [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}
>>>
>>> and then the attempt to authenticate fails:
>>>
>>> Making authentication request to
>>> http://some.domain.place:5000/v3/auth/tokens
>>> Starting new HTTP connection (1): some.domain.place
>>> Unable to establish connection to
>>> http://some.domain.place:5000/v3/auth/tokens
>>>
>>> I've restarted apache2 on my keystone hosts and I have scoured the
>>> database
>>> for any reference to a non-https public endpoint for keystone; I cannot
>>> find
>>> one.
>>>
>>> Does anyone know why my response body is giving the wrong URL?  Horizon
>>> works perfectly fine with the https endpoints; it's just the command line
>>> clients that are having issues.
>>>
>>> Thanks in advance,
>>>
>>> --
>>> v/r
>>>
>>> Chris Apsey
>>> bitskrieg at bitskrieg.net
>>> https://www.bitskrieg.net
>>>
>>> _______________________________________________
>>> OpenStack-operators mailing list
>>> OpenStack-operators at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>
>>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20170222/531eb22f/attachment.html>


More information about the OpenStack-operators mailing list