<div>It is also possible to use the oslo_middleware ssl filter in your API paste file with cinder, like:</div><div><pre style="word-wrap:break-word;white-space:pre-wrap">[filter:ssl]
paste.filter_factory = oslo_middleware.ssl:SSLMiddleware.factory
[pipeline:apiversions]
pipeline = ssl faultwrap osvolumeversionapp</pre></div><div><br><div class="gmail_quote"><div>On Wed, Feb 22, 2017 at 2:54 PM Mathieu Gagné <<a href="mailto:mgagne@calavera.ca">mgagne@calavera.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br class="gmail_msg">
<br class="gmail_msg">
I attempted to write a blog post about that subject more than a year<br class="gmail_msg">
ago but never completed it.<br class="gmail_msg">
<br class="gmail_msg">
Here is the text in a GitHub Gist:<br class="gmail_msg">
<a href="https://gist.github.com/mgagne/f298c151b61d44cb5fea" rel="noreferrer" class="gmail_msg" target="_blank">https://gist.github.com/mgagne/f298c151b61d44cb5fea</a><br class="gmail_msg">
<br class="gmail_msg">
Information might be outdated for the latest versions but can still give<br class="gmail_msg">
you a clue about what to look for.<br class="gmail_msg">
<br class="gmail_msg">
--<br class="gmail_msg">
Mathieu<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
On Wed, Feb 22, 2017 at 3:37 PM, Mohammed Naser <<a href="mailto:mnaser@vexxhost.com" class="gmail_msg" target="_blank">mnaser@vexxhost.com</a>> wrote:<br class="gmail_msg">
> I would appreciate it if you can let us know which one it is for Cinder, as<br class="gmail_msg">
> it looks like there is no SSL middleware for Cinder which allows doing this.<br class="gmail_msg">
><br class="gmail_msg">
> Thanks<br class="gmail_msg">
><br class="gmail_msg">
> On Feb 22, 2017, at 1:43 PM, Chris Suttles <<a href="mailto:suttles@gmail.com" class="gmail_msg" target="_blank">suttles@gmail.com</a>> wrote:<br class="gmail_msg">
><br class="gmail_msg">
> There's a similar option in heat.conf:<br class="gmail_msg">
><br class="gmail_msg">
> secure_proxy_ssl_header = X-Forwarded-Proto<br class="gmail_msg">
><br class="gmail_msg">
> Pretty sure that's needed for most services; I will scrub my configs and<br class="gmail_msg">
> check. We are running a pretty simple install of Newton, and doing haproxy<br class="gmail_msg">
> for SSL termination of all API endpoints.<br class="gmail_msg">
><br class="gmail_msg">
> On Wed, Feb 22, 2017 at 9:58 AM, Chris Apsey <<a href="mailto:bitskrieg@bitskrieg.net" class="gmail_msg" target="_blank">bitskrieg@bitskrieg.net</a>><br class="gmail_msg">
> wrote:<br class="gmail_msg">
>><br class="gmail_msg">
>> Mathieu,<br class="gmail_msg">
>><br class="gmail_msg">
>> That did the trick - thank you.  On a related note, heat is exhibiting the<br class="gmail_msg">
>> same behavior on some of the API calls (stack list works fine, stack show<br class="gmail_msg">
>> does not because an http URL is returned in the 302 response field, etc.).<br class="gmail_msg">
>><br class="gmail_msg">
>> I attempted the combination of<br class="gmail_msg">
>> 'oslo_middleware/enable_proxy_headers_parsing' and<br class="gmail_msg">
>> 'oslo_middleware/secure_proxy_ssl_header' referenced here<br class="gmail_msg">
>> <a href="https://docs.openstack.org/newton/config-reference/orchestration/api.html" rel="noreferrer" class="gmail_msg" target="_blank">https://docs.openstack.org/newton/config-reference/orchestration/api.html</a><br class="gmail_msg">
>> along with the appropriate haproxy configuration suggested by Mike, but no<br class="gmail_msg">
>> dice.  The URL doesn't change.  Beyond that, it looks like that option is<br class="gmail_msg">
>> deprecated anyway (at least in heat), although I have not found any<br class="gmail_msg">
>> indication about what is supposed to 'replace' those options going forward.<br class="gmail_msg">
>><br class="gmail_msg">
>> Ideas?<br class="gmail_msg">
>><br class="gmail_msg">
>> Thanks so much,<br class="gmail_msg">
>><br class="gmail_msg">
>> ---<br class="gmail_msg">
>> v/r<br class="gmail_msg">
>><br class="gmail_msg">
>> Chris Apsey<br class="gmail_msg">
>> <a href="mailto:bitskrieg@bitskrieg.net" class="gmail_msg" target="_blank">bitskrieg@bitskrieg.net</a><br class="gmail_msg">
>> <a href="https://www.bitskrieg.net" rel="noreferrer" class="gmail_msg" target="_blank">https://www.bitskrieg.net</a><br class="gmail_msg">
>><br class="gmail_msg">
>> On 2017-02-21 21:46, Mathieu Gagné wrote:<br class="gmail_msg">
>>><br class="gmail_msg">
>>> Hi,<br class="gmail_msg">
>>><br class="gmail_msg">
>>> The problem is that Keystone doesn't know about HAProxy terminating<br class="gmail_msg">
>>> the SSL connection and therefore doesn't know it needs to generate<br class="gmail_msg">
>>> URLs with https:// protocol.<br class="gmail_msg">
>>><br class="gmail_msg">
>>> You can override the "auto-detected" URLs with those configurations:<br class="gmail_msg">
>>> - [DEFAULT]/public_endpoint<br class="gmail_msg">
>>> - [DEFAULT]/admin_endpoint<br class="gmail_msg">
>>><br class="gmail_msg">
>>> See documentation for a bit more explanation about those<br class="gmail_msg">
>>> configurations:<br class="gmail_msg">
>>> <a href="https://docs.openstack.org/draft/config-reference/identity/api.html" rel="noreferrer" class="gmail_msg" target="_blank">https://docs.openstack.org/draft/config-reference/identity/api.html</a><br class="gmail_msg">
>>> --<br class="gmail_msg">
>>> Mathieu<br class="gmail_msg">
>>><br class="gmail_msg">
>>><br class="gmail_msg">
>>> On Tue, Feb 21, 2017 at 8:56 PM, Chris Apsey <<a href="mailto:bitskrieg@bitskrieg.net" class="gmail_msg" target="_blank">bitskrieg@bitskrieg.net</a>><br class="gmail_msg">
>>> wrote:<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> I'm having a strange issue with keystone after migrating all public<br class="gmail_msg">
>>>> endpoints to https (haproxy terminates the SSL connection for each<br class="gmail_msg">
>>>> service):<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> openstack endpoint list<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+<br class="gmail_msg">
>>>> | ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |<br class="gmail_msg">
>>>> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+<br class="gmail_msg">
>>>> ...<br class="gmail_msg">
>>>> | 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity       | True    | public    | <a href="https://some.domain.place:5000/v3" rel="noreferrer" class="gmail_msg" target="_blank">https://some.domain.place:5000/v3</a>               |<br class="gmail_msg">
>>>> ...<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> I have also updated my rc files appropriately.  Whenever I try and use the<br class="gmail_msg">
>>>> CLI against the public endpoints in debug mode, everything starts out<br class="gmail_msg">
>>>> looking good:<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> REQ: curl -g -i -X GET <a href="https://some.domain.place:5000/v3" rel="noreferrer" class="gmail_msg" target="_blank">https://some.domain.place:5000/v3</a> -H "Accept:<br class="gmail_msg">
>>>> application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1<br class="gmail_msg">
>>>> python-requests/2.11.1 CPython/2.7.9"<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> But then, the response body gives a non-https URL:<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> RESP BODY: {"version": {"status": "stable", "updated": "2016-10-06T00:00:00Z",<br class="gmail_msg">
>>>> "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}],<br class="gmail_msg">
>>>> "id": "v3.7", "links": [{"href": "<a href="http://some.domain.place:5000/v3/" rel="noreferrer" class="gmail_msg" target="_blank">http://some.domain.place:5000/v3/</a>", "rel": "self"}]}}<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> and then the attempt to authenticate fails:<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> Making authentication request to<br class="gmail_msg">
>>>> <a href="http://some.domain.place:5000/v3/auth/tokens" rel="noreferrer" class="gmail_msg" target="_blank">http://some.domain.place:5000/v3/auth/tokens</a><br class="gmail_msg">
>>>> Starting new HTTP connection (1): some.domain.place<br class="gmail_msg">
>>>> Unable to establish connection to<br class="gmail_msg">
>>>> <a href="http://some.domain.place:5000/v3/auth/tokens" rel="noreferrer" class="gmail_msg" target="_blank">http://some.domain.place:5000/v3/auth/tokens</a><br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> I've restarted apache2 on my keystone hosts and I have scoured the database<br class="gmail_msg">
>>>> for any reference to a non-https public endpoint for keystone; I cannot find one.<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> Does anyone know why my response body is giving the wrong URL?  Horizon<br class="gmail_msg">
>>>> works perfectly fine with the https endpoints; it's just the command line<br class="gmail_msg">
>>>> clients that are having issues.<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> Thanks in advance,<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> --<br class="gmail_msg">
>>>> v/r<br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> Chris Apsey<br class="gmail_msg">
>>>> <a href="mailto:bitskrieg@bitskrieg.net" class="gmail_msg" target="_blank">bitskrieg@bitskrieg.net</a><br class="gmail_msg">
>>>> <a href="https://www.bitskrieg.net" rel="noreferrer" class="gmail_msg" target="_blank">https://www.bitskrieg.net</a><br class="gmail_msg">
>>>><br class="gmail_msg">
>>>> _______________________________________________<br class="gmail_msg">
>>>> OpenStack-operators mailing list<br class="gmail_msg">
>>>> <a href="mailto:OpenStack-operators@lists.openstack.org" class="gmail_msg" target="_blank">OpenStack-operators@lists.openstack.org</a><br class="gmail_msg">
>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br class="gmail_msg">
>><br class="gmail_msg">
>><br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
<br class="gmail_msg">
</blockquote></div></div>
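<div>Added example (not oslo_middleware's, keystone's or heat's own code): a minimal WSGI filter that mirrors what the ssl filter / secure_proxy_ssl_header setting discussed in this thread does. HAProxy terminates TLS and talks plain HTTP to the backend, so the backend observes wsgi.url_scheme == 'http' and emits http:// "self" links; honouring the proxy-supplied X-Forwarded-Proto header corrects the scheme. The versions_app, SSLFilter and self_link names and the environ values are constructed for the example; the filter only makes sense behind a proxy that sets or overwrites that header itself, so client-supplied values never reach it.</div>

```python
import json
from wsgiref.util import application_uri  # builds scheme://host[:port]/ from a WSGI environ


def versions_app(environ, start_response):
    """Stand-in for an OpenStack 'versions' endpoint: returns a 'self' link
    built from whatever scheme and host the WSGI environ reports."""
    body = {"links": [{"href": application_uri(environ) + "v3/", "rel": "self"}]}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]


class SSLFilter:
    """Rewrites wsgi.url_scheme from a proxy-supplied header.

    `header` is the HTTP header name, as in secure_proxy_ssl_header =
    X-Forwarded-Proto. Only the value 'https' changes anything; any other
    value leaves the scheme the backend itself observed.
    """

    def __init__(self, app, header="X-Forwarded-Proto"):
        self.app = app
        # WSGI exposes 'X-Forwarded-Proto' as environ['HTTP_X_FORWARDED_PROTO']
        self.key = "HTTP_" + header.upper().replace("-", "_")

    def __call__(self, environ, start_response):
        if environ.get(self.key, "").strip().lower() == "https":
            environ["wsgi.url_scheme"] = "https"
        return self.app(environ, start_response)


def self_link(app, forwarded_proto=None):
    """Run one request through `app` and return the 'self' href it emits."""
    # Constructed environ: the plain-HTTP hop from HAProxy to the backend.
    environ = {"wsgi.url_scheme": "http", "HTTP_HOST": "some.domain.place:5000",
               "SCRIPT_NAME": "", "PATH_INFO": "/v3", "REQUEST_METHOD": "GET"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    chunks = app(environ, lambda status, headers: None)
    return json.loads(b"".join(chunks))["links"][0]["href"]


if __name__ == "__main__":
    # Without the filter the header is ignored: the http:// link from the thread.
    print(self_link(versions_app, "https"))             # http://some.domain.place:5000/v3/
    # With the filter the proxy's header drives the scheme.
    print(self_link(SSLFilter(versions_app), "https"))  # https://some.domain.place:5000/v3/
```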