[openstack-dev] [all] Consistent support for SSL termination proxies across all API services

Julien Danjou julien at danjou.info
Wed Sep 23 11:36:04 UTC 2015


On Wed, Sep 23 2015, Sean Dague wrote:

> Does that solution work in the HA Proxy case where there is one
> terminating address for multiple backend servers?

Yep.

> Because there is the concern that this impacts not only the Location
> header, but the link documents inside the responses which clients are
> expected to be able to link.follow. This is an honest question, I
> don't know how the oslo_middleware.ssl acts in these cases. And HA
> Proxy 1 to N mapping is very common deployment model.

It should, but some projects like Keystone do not handle that
correctly. I just submitted a patch that fixes this kind of thing by
correctly using the WSGI environment variables to build a correct URL.
That also fixes the use cases where Keystone does not run on / but on
e.g. /identity (the bug I initially wanted to fix).

  https://review.openstack.org/#/c/226464/

If you use `wsgiref.util.application_uri(environment)' it should do
everything correctly. With the SSL middleware enabled that Mathieu
talked about, it will also translate http to https correctly.

The {public,admin}_endpoint options are only useful in the case where
you map http://myproxy/identity -> http://mykeystone/ using a proxy,
because the prefix is not passed to Keystone. If you map the path part
1:1, we could also leverage X-Forwarded-Host and X-Forwarded-Port to
avoid having the {public,admin}_endpoint options.


-- 
Julien Danjou
-- Free Software hacker
-- http://julien.danjou.info
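The behaviour discussed above, as an added example that is not part of the original message and is not Keystone's or oslo.middleware's code: a WSGI app builds its self-referential base URL with wsgiref.util.application_uri(), and a small stand-in for the SSL middleware copies X-Forwarded-Proto/Host/Port into the WSGI keys that function reads. The proxy address in TRUSTED_PROXIES, the host names, the configured_endpoint parameter (a hypothetical stand-in for an explicit {public,admin}_endpoint setting) and all request environments are assumptions constructed for the example.

```python
"""Self-referential URLs behind a TLS-terminating proxy, via wsgiref.util.application_uri.

Added example, not Keystone's or oslo.middleware's code. apply_forwarded_headers() is a
stand-in for the SSL middleware discussed in the thread; TRUSTED_PROXIES, the host names
and the request environments below are assumptions constructed for the example.
"""
from wsgiref.util import application_uri

TRUSTED_PROXIES = {"10.0.0.5"}  # assumed address of the HAProxy / TLS terminator


def apply_forwarded_headers(environ, trusted_proxies=TRUSTED_PROXIES):
    """Copy X-Forwarded-Proto/Host/Port into the WSGI keys application_uri() reads.

    Only honoured when the TCP peer is a trusted proxy: anyone able to reach the
    backend directly could otherwise spoof X-Forwarded-Host and have Location
    headers and response links point at a host of their choosing.
    """
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return environ
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if proto in ("http", "https"):
        environ["wsgi.url_scheme"] = proto
    host = environ.get("HTTP_X_FORWARDED_HOST", "")
    if host:
        host = host.split(",")[0].strip()  # first entry is the client-facing name
        port = environ.get("HTTP_X_FORWARDED_PORT", "").strip()
        default_port = "443" if environ["wsgi.url_scheme"] == "https" else "80"
        if port and port != default_port and ":" not in host:
            host = "%s:%s" % (host, port)
        environ["HTTP_HOST"] = host  # application_uri() prefers HTTP_HOST over SERVER_NAME
    return environ


def self_url(environ, configured_endpoint=None):
    """Base URL to put in Location headers and 'links' documents.

    configured_endpoint is a hypothetical stand-in for an explicit
    {public,admin}_endpoint setting; it is needed only when the proxy strips a
    path prefix that the backend never sees, and is then used verbatim.
    """
    if configured_endpoint:
        return configured_endpoint
    return application_uri(environ)


def make_environ(remote_addr, host="mykeystone:5000", script_name="", **headers):
    """Constructed WSGI environ for a backend that itself listens on plain HTTP."""
    environ = {
        "REQUEST_METHOD": "GET",
        "REMOTE_ADDR": remote_addr,
        "wsgi.url_scheme": "http",
        "HTTP_HOST": host,
        "SCRIPT_NAME": script_name,  # set by the WSGI server when mounted under a prefix
        "PATH_INFO": "/v3",
    }
    environ.update(headers)
    return environ


def url_for(remote_addr, script_name="", configured_endpoint=None, **headers):
    """Run one request through the stand-in middleware and return the base URL."""
    environ = make_environ(remote_addr, script_name=script_name, **headers)
    return self_url(apply_forwarded_headers(environ), configured_endpoint)


if __name__ == "__main__":
    # Direct request to the backend: plain http, the backend's own host.
    print(url_for("192.0.2.10"))  # http://mykeystone:5000/
    # Through HAProxy, TLS terminated, path mapped 1:1.
    print(url_for("10.0.0.5", HTTP_X_FORWARDED_PROTO="https",
                  HTTP_X_FORWARDED_HOST="myproxy", HTTP_X_FORWARDED_PORT="443"))  # https://myproxy/
    # Same, but the app is mounted under /identity on the backend too.
    print(url_for("10.0.0.5", script_name="/identity", HTTP_X_FORWARDED_PROTO="https",
                  HTTP_X_FORWARDED_HOST="myproxy"))  # https://myproxy/identity
    # A client that bypasses the proxy tries to spoof the headers: ignored.
    print(url_for("198.51.100.7", HTTP_X_FORWARDED_PROTO="https",
                  HTTP_X_FORWARDED_HOST="evil.example"))  # http://mykeystone:5000/
    # Proxy maps myproxy/identity -> mykeystone/ and drops the prefix: the
    # backend cannot recover it, so only an explicit endpoint setting is correct.
    print(url_for("10.0.0.5", HTTP_X_FORWARDED_PROTO="https", HTTP_X_FORWARDED_HOST="myproxy",
                  configured_endpoint="https://myproxy/identity"))  # https://myproxy/identity
```

In the HAProxy 1:N case every backend sees the same X-Forwarded-Host (the proxy's name), so Location headers and link documents come out identical whichever backend answered. The REMOTE_ADDR check matters because the backends usually still accept plain HTTP from the inside; without it, a request that reaches a backend directly could inject a host name into every self-referential link the service emits.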