Magnum issues http requests to other services when internal/admin endpoint is https
Hi, We have reconfigured our cloud with a Nginx server handling TLS in front of every API service, as described in https://docs.openstack.org/security-guide/secure-communication/secure-refere.... Previously we used to have Magnum/Heat/Barbican endpoints using http rather than https (not good!). Since this change, we have seen problems in Magnum (starting in Antelope when we did the change but still present in Caracal) where some "internal" requests to Barbican and Heat are done in http rather than https. We worked around this defining a redirect to https on 497 status code, as documented in Nginx documentation but it is not really satisfying as it means all clients, not only Magnum service, could use http on the https port and get serviced. I remember seeing an issue on Launchpad about this issue but forgot the issue number. We were wondering whether it would not be better, at least until the problem is fixed, to define the internal+admin endpoints with http rather than https. According to our tests, it fixes the problem, as expected. Thanks in advance for any thought or experience on this. Best regards, Michel
On 1/7/2024 7:14 pm, Michel Jouvin wrote:
Hi,
We have reconfigured our cloud with a Nginx server handling TLS in front of every API service, as described in https://docs.openstack.org/security-guide/secure-communication/secure-refere.... Previously we used to have Magnum/Heat/Barbican endpoints using http rather than https (not good!). Since this change, we have seen problems in Magnum (starting in Antelope when we did the change but still present in Caracal) where some "internal" requests to Barbican and Heat are done in http rather than https. We worked around this defining a redirect to https on 497 status code, as documented in Nginx documentation but it is not really satisfying as it means all clients, not only Magnum service, could use http on the https port and get serviced. I remember seeing an issue on Launchpad about this issue but forgot the issue number.
Hi Michel, Can I clarify, do you mean Magnum is making HTTP calls to Barbican, when in the catalog the Barbican endpoints are all HTTPS? Can you dump your Barbican endpoints in `openstack catalog list`? Anonymised is fine. Also, what does your magnum.conf look like in terms of clients config? Regards, Jake
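The first thing Jake asks for is a dump of the catalog endpoints. The check below is an added example (not code from the thread or from Magnum): it takes the JSON form of `openstack catalog list` and lists every Barbican (key-manager) and Heat (orchestration) endpoint whose URL is not https, so a mismatch between the catalog and the TLS proxy shows up before a client ever sends plaintext to the https port. The sample catalog is constructed, and the shape of the JSON (an Endpoints list of dicts with interface/region/url keys) is an assumption about python-openstackclient output; adapt the key names if your version differs.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, shaped like `openstack catalog list -f json` output.
# The list-of-dicts Endpoints shape is an assumption; older clients emit a
# multi-line string instead. One internal endpoint is deliberately http.
SAMPLE_CATALOG = json.dumps([
    {"Name": "barbican", "Type": "key-manager", "Endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://barbican.example.org:9311"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://barbican.example.org:9311"},
        {"interface": "admin", "region": "RegionOne",
         "url": "https://barbican.example.org:9311"},
    ]},
    {"Name": "heat", "Type": "orchestration", "Endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://heat.example.org:8004/v1/%(tenant_id)s"},
        {"interface": "internal", "region": "RegionOne",
         "url": "https://heat.example.org:8004/v1/%(tenant_id)s"},
    ]},
])


def find_plaintext_endpoints(catalog_json, services=("key-manager", "orchestration")):
    """Return (service type, interface, url) for every endpoint of the given
    service types whose URL scheme is not https. Order follows the catalog."""
    findings = []
    for entry in json.loads(catalog_json):
        if entry.get("Type") not in services:
            continue
        for endpoint in entry.get("Endpoints", []):
            scheme = urlsplit(endpoint["url"]).scheme.lower()
            if scheme != "https":
                findings.append((entry["Type"], endpoint["interface"], endpoint["url"]))
    return findings


if __name__ == "__main__":
    # Pipe real output in with: openstack catalog list -f json | python3 this.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CATALOG
    for service, interface, url in find_plaintext_endpoints(data):
        print(f"{service}/{interface}: {url} is not https")
```

Running it on the sample reports only the Barbican internal endpoint; on a real catalog an empty result means Magnum's http calls cannot be explained by the catalog alone and the clients section of magnum.conf is the next place to look.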
Hi Jake, Thanks for your answer. I had a quick look, unfortunately the log files with the error have been purged (log rotation) and since then, I reconfigured the endpoint to use http directly to the service instead of https through the proxy. Thus I have to revert the configuration change and redo the test on our test instance. I'll try to do it asap but cannot promise for today... Best regards, Michel On 03/07/2024 at 06:21, Jake Yip wrote:
On 1/7/2024 7:14 pm, Michel Jouvin wrote:
Hi,
We have reconfigured our cloud with a Nginx server handling TLS in front of every API service, as described in https://docs.openstack.org/security-guide/secure-communication/secure-refere.... Previously we used to have Magnum/Heat/Barbican endpoints using http rather than https (not good!). Since this change, we have seen problems in Magnum (starting in Antelope when we did the change but still present in Caracal) where some "internal" requests to Barbican and Heat are done in http rather than https. We worked around this defining a redirect to https on 497 status code, as documented in Nginx documentation but it is not really satisfying as it means all clients, not only Magnum service, could use http on the https port and get serviced. I remember seeing an issue on Launchpad about this issue but forgot the issue number.
Hi Michel,
Can I clarify, do you mean Magnum is making HTTP calls to Barbican, when in the catalog the Barbican endpoints are all HTTPS?
Can you dump your Barbican endpoints in `openstack catalog list`? Anonymised is fine. Also, what does your magnum.conf look like in terms of clients config?
Regards, Jake