[openstack-dev] [all] Consistent support for SSL termination proxies across all API services
Ben Nemec
openstack at nemebean.com
Fri Sep 18 18:30:38 UTC 2015
I've been dealing with this issue lately myself, so here's my two cents:
It seems to me that solving this at the service level is actually kind
of wrong. As you've discovered, that requires changes in a bunch of
different places to address what is really an external issue. Since
it's the terminating proxy that is converting HTTPS traffic to HTTP that
feels like the right place for a fix IMHO.
My solution has been to have the proxy (HAProxy in my case) rewrite the
Location header on redirects (one example for the TripleO puppet config
here: https://review.openstack.org/#/c/223330/1/manifests/loadbalancer.pp).
I'm not absolutely opposed to having a way to make the services aware of
external SSL termination to allow use of a proxy that can't do header
rewriting, but I think proxy configuration should be the preferred way
to handle it.
-Ben
On 09/17/2015 07:38 PM, Mathieu Gagné wrote:
> Hi,
>
> While debugging LP bug #1491579 [1], we identified [2] an issue where an
> API sitting being a proxy performing SSL termination would not generate
> the right redirection. The protocol ends up being the wrong one (http
> instead of https) and this could hang your request indefinitely if
> tcp/80 is not opened and a firewall drops your connection.
>
> I suggested [3] adding support for the X-Fowarded-Proto header, thinking
> Nova didn't supported it yet. In fact, someone suggested setting the
> public_endpoint config instead.
>
> So today I stumbled across this review [4] which added the
> secure_proxy_ssl_header config to Nova. It allows the API to detect SSL
> termination based on the (suggested) header X-Forwarded-Proto just like
> previously suggested.
>
> I also found this bug report [5] (opened in 2014) which also happens to
> complain about bad URLs when API is sitting behind a proxy.
>
> Multiple projects applied patches to try to fix the issue (based on
> Launchpad comments):
>
> * Glance added public_endpoint config
> * Cinder added public_endpoint config
> * Heat added secure_proxy_ssl_header config (through
> heat.api.openstack:sslmiddleware_filter)
> * Nova added secure_proxy_ssl_header config
> * Manila added secure_proxy_ssl_header config (through
> oslo_middleware.ssl:SSLMiddleware.factory)
> * Ironic added public_endpoint config
> * Keystone added secure_proxy_ssl_header config (LP #1370022)
>
> As you can see, there is a lot of inconsistency between projects. (there
> is more but lets start with that one)
>
> My wish is for a common and consistent way for *ALL* OpenStack APIs to
> support the same solution for this common problem. Let me tell you (and
> I guess I can speak for all operators), we will be very happy to have
> ONE config to remember of and set for *ALL* OpenStack services.
>
> How can we get the ball rolling so we can fix it together once and for
> all in a timely fashion?
>
> [1] https://bugs.launchpad.net/python-novaclient/+bug/1491579
> [2] https://bugs.launchpad.net/python-novaclient/+bug/1491579/comments/15
> [3] https://bugs.launchpad.net/python-novaclient/+bug/1491579/comments/17
> [4] https://review.openstack.org/#/c/206479/
> [5] https://bugs.launchpad.net/glance/+bug/1384379
>
More information about the OpenStack-dev
mailing list