<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I would appreciate it if you can let us know which one it is for Cinder, as it looks like there is no SSL middleware for Cinder which allows doing this.<div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 22, 2017, at 1:43 PM, Chris Suttles &lt;<a href="mailto:suttles@gmail.com" class="">suttles@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">There's a similar option in heat.conf:<br class=""><div class=""><br class="">secure_proxy_ssl_header = X-Forwarded-Proto<br class=""><br class=""></div><div class="">Pretty sure that's needed for most services; I will scrub my configs and check. We are running a pretty simple install of Newton, and doing haproxy for SSL termination of all API endpoints.<br class=""></div><div class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Feb 22, 2017 at 9:58 AM, Chris Apsey <span dir="ltr" class="">&lt;<a href="mailto:bitskrieg@bitskrieg.net" target="_blank" class="">bitskrieg@bitskrieg.net</a>&gt;</span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Mathieu,<br class="">
<br class="">
That did the trick - thank you.  On a related note, heat is exhibiting the same behavior on some of the API calls (stack list works fine, stack show does not because an http URL is returned in the 302 response field, etc.).<br class="">
<br class="">
I attempted the combination of 'oslo_middleware/enable_proxy_headers_parsing' and 'oslo_middleware/secure_proxy_ssl_header' referenced here <a href="https://docs.openstack.org/newton/config-reference/orchestration/api.html" rel="noreferrer" target="_blank" class="">https://docs.openstack.org/newton/config-reference/orchestration/api.html</a> along with the appropriate haproxy configuration suggested by Mike, but no dice.  The URL doesn't change.  Beyond that, it looks like that option is deprecated anyway (at least in heat), although I have not found any indication about what is supposed to 'replace' those options going forward.<br class="">
<br class="">
Ideas?<br class="">
<br class="">
Thanks so much,<br class="">
<br class="">
---<span class="im HOEnZb"><br class="">
v/r<br class="">
<br class="">
Chris Apsey<br class="">
<a href="mailto:bitskrieg@bitskrieg.net" target="_blank" class="">bitskrieg@bitskrieg.net</a><br class="">
<a href="https://www.bitskrieg.net/" rel="noreferrer" target="_blank" class="">https://www.bitskrieg.net</a><br class="">
<br class=""></span><div class="HOEnZb"><div class="h5">
On 2017-02-21 21:46, Mathieu Gagné wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br class="">
<br class="">
The problem is that Keystone doesn't know about HAProxy terminating<br class="">
the SSL connection and therefore doesn't know it needs to generate<br class="">
URLs with https:// protocol.<br class="">
<br class="">
You can override the "auto-detected" URLs with those configurations:<br class="">
- [DEFAULT]/public_endpoint<br class="">
- [DEFAULT]/admin_endpoint<br class="">
<br class="">
See documentation for a bit more explanation about those<br class="">
configurations:<br class="">
<a href="https://docs.openstack.org/draft/config-reference/identity/api.html" rel="noreferrer" target="_blank" class="">https://docs.openstack.org/dra<wbr class="">ft/config-reference/identity/<wbr class="">api.html</a><br class="">
--<br class="">
Mathieu<br class="">
<br class="">
<br class="">
On Tue, Feb 21, 2017 at 8:56 PM, Chris Apsey &lt;<a href="mailto:bitskrieg@bitskrieg.net" target="_blank" class="">bitskrieg@bitskrieg.net</a>&gt; wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm having a strange issue with keystone after migrating all public<br class="">
endpoints to https (haproxy terminates the SSL connection for each service):<br class="">
<br class="">
openstack endpoint list<br class="">
<br class="">
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+<br class="">
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |<br class="">
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+<br class="">
...<br class="">
| 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity       | True    | public    | <a href="https://some.domain.place:5000/v3" rel="noreferrer" target="_blank" class="">https://some.domain.place:5000/v3</a>                 |<br class="">
...<br class="">
<br class="">
I have also updated my rc files appropriately.  Whenever I try and use the<br class="">
CLI against the public endpoints in debug mode, everything starts out<br class="">
looking good:<br class="">
<br class="">
REQ: curl -g -i -X GET <a href="https://some.domain.place:5000/v3" rel="noreferrer" target="_blank" class="">https://some.domain.place:5000/v3</a> -H "Accept: application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1 python-requests/2.11.1 CPython/2.7.9"<br class="">
<br class="">
But then, the response body gives a non-https URL:<br class="">
<br class="">
RESP BODY: {"version": {"status": "stable", "updated": "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links": [{"href": "<a href="http://some.domain.place:5000/v3/" rel="noreferrer" target="_blank" class="">http://some.domain.place:5000/v3/</a>", "rel": "self"}]}}<br class="">
<br class="">
and then the attempt to authenticate fails:<br class="">
<br class="">
Making authentication request to <a href="http://some.domain.place:5000/v3/auth/tokens" rel="noreferrer" target="_blank" class="">http://some.domain.place:5000/v3/auth/tokens</a><br class="">
Starting new HTTP connection (1): some.domain.place<br class="">
Unable to establish connection to <a href="http://some.domain.place:5000/v3/auth/tokens" rel="noreferrer" target="_blank" class="">http://some.domain.place:5000/v3/auth/tokens</a><br class="">
<br class="">
I've restarted apache2 on my keystone hosts and I have scoured the database<br class="">
for any reference to a non-https public endpoint for keystone; I cannot find<br class="">
one.<br class="">
<br class="">
Does anyone know why my response body is giving the wrong URL?  Horizon<br class="">
works perfectly fine with the https endpoints; it's just the command line<br class="">
clients that are having issues.<br class="">
<br class="">
Thanks in advance,<br class="">
<br class="">
--<br class="">
v/r<br class="">
<br class="">
Chris Apsey<br class="">
<a href="mailto:bitskrieg@bitskrieg.net" target="_blank" class="">bitskrieg@bitskrieg.net</a><br class="">
<a href="https://www.bitskrieg.net/" rel="noreferrer" target="_blank" class="">https://www.bitskrieg.net</a><br class="">
<br class="">
_______________________________________________<br class="">
OpenStack-operators mailing list<br class="">
<a href="mailto:OpenStack-operators@lists.openstack.org" target="_blank" class="">OpenStack-operators@lists.openstack.org</a><br class="">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank" class="">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br class="">
</blockquote></blockquote>
<br class="">
</div></div></blockquote></div><br class=""></div></div></div>
</div></blockquote></div><br class=""></div></body></html>