On 02/09/2025 15:33, Takashi Kajinami wrote:
On 9/2/25 11:20 PM, Chang Xue wrote:
Just want to update, I figured out what is wrong with my HAproxy config file, and now it works.
Meanwhile, when I test pagination on other services like Keystone, they don't have a similar issue. I think it's a problem just for Neutron and Nova?
I don't really think this behavior is specific to some services but is common. You probably have different settings for these services defined in your haproxy. Note that keystone didn't support pagination in old releases and it was relatively recently added.
I think the delta might be that nova and neutron return the fully qualified path including the protocol, whereas some other services only return relative paths and make the client construct the full path themselves. So for nova and neutron to work properly you have to properly configure your reverse proxy, assuming you are not doing TLS termination in the WSGI server, i.e. uwsgi, gunicorn, etc.
Which makes me think the config in HAproxy might be just patching it, but the service itself should be returning https by default or so?
IT SHOULD NOT, because you can't always assume that TLS is enabled.
I agree. Unless the service is doing TLS termination we can't know and must rely on the X-Forwarded headers, which upstream proxies are required to set if they are doing the termination.
It might be common to use TLS for public endpoints but I've seen multiple deployments using non-TLS for internal endpoints. As I said, if you terminate TLS by your load balancer then you should make sure that your load balancer tells that the actual public-facing endpoint has HTTPS enabled, to the API services behind it. (and that's what is achieved by the forwarder options).
Ya, using TLS for all endpoints is much more common now but we can't assume it. We recommend using TLS for all endpoints to protect the Keystone bearer token that is included with each request, but we can't force people to do that without breaking them.
Thanks, Chang
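The behaviour discussed in this thread, as an added illustration that is not part of any message and is not Nova, Neutron or HAProxy code: a service that builds absolute pagination links only emits `https` when it is told the public scheme. The `ProxyHeaders` middleware, its `trust_forwarded` switch, the host name and the path are hypothetical.

```python
import json

def next_link(environ, marker):
    """Absolute 'next' link built from the scheme the WSGI server sees."""
    return "%s://%s%s?marker=%s" % (
        environ["wsgi.url_scheme"], environ["HTTP_HOST"],
        environ["PATH_INFO"], marker)

def app(environ, start_response):
    """Hypothetical API returning a pagination link in the response body."""
    body = json.dumps({"links": [{"rel": "next",
                                  "href": next_link(environ, "abc")}]})
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body.encode()]

class ProxyHeaders:
    """Honour X-Forwarded-Proto only when the operator opts in.

    Opt in only if the backend is reachable solely through the proxy and the
    proxy overwrites any client-supplied X-Forwarded-Proto value.
    """
    def __init__(self, wrapped, trust_forwarded=False):
        self.wrapped = wrapped
        self.trust_forwarded = trust_forwarded

    def __call__(self, environ, start_response):
        if self.trust_forwarded:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
            proto = proto.split(",")[0].strip().lower()
            if proto in ("http", "https"):  # ignore anything else
                environ["wsgi.url_scheme"] = proto
        return self.wrapped(environ, start_response)

def href_seen_by_client(wsgi_app, extra_headers):
    """Send one constructed plain-HTTP backend request, return the link."""
    environ = {"wsgi.url_scheme": "http",  # proxy-to-backend hop is HTTP
               "HTTP_HOST": "cloud.example.test",
               "PATH_INFO": "/v2.1/servers"}
    environ.update(extra_headers)
    chunks = wsgi_app(environ, lambda status, headers: None)
    return json.loads(b"".join(chunks))["links"][0]["href"]

if __name__ == "__main__":
    fwd = {"HTTP_X_FORWARDED_PROTO": "https"}
    print(href_seen_by_client(ProxyHeaders(app), fwd))
    print(href_seen_by_client(ProxyHeaders(app, True), fwd))
```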