[openstack-dev] [all] Consistent support for SSL termination proxies across all API services
ZZelle
zzelle at gmail.com
Wed Sep 23 12:01:15 UTC 2015
Hi,
SSLMiddleware takes into account a Header[1] to set wsgi.url_scheme
which allows a proxy to provide the original protocol to Heat/Neutron/...
> Does that solution work in the HA Proxy case where there is one
> terminating address for multiple backend servers? Because there is the
> concern that this impacts not only the Location header, but the link
> documents inside the responses which clients are expected to be able to
> link.follow. This is an honest question, I don't know how the
> oslo_middleware.ssl acts in these cases. And HA Proxy 1 to N mapping is
> very common deployment model.
>
It ensures the protocol provided in headers will be used to generate
correct Location Headers and links.
BUT there are some limitations:
* It doesn't work when the service itself acts as a proxy (typically nova
  image-list)
* It doesn't work when you rewrite from
  https://<proxy-host>:<proxy-port>/<base>/...
  to http://<host>:<port>/...
  because the <base> information is not provided in the headers (except if
  you exploit a webob limitation)
Cédric/ZZelle at IRC
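
The scheme fix and the missing-<base> limitation described in this message, as an added example that is not part of the original post and is not the oslo_middleware code. Assumptions: the class and function names are hypothetical, the header is X-Forwarded-Proto, the proxy preserves the Host header, all addresses and hostnames are constructed, and the trusted-proxy check is an addition of this example.

```python
from wsgiref.util import application_uri

TRUSTED_PROXIES = {"192.0.2.10"}  # constructed address of the terminating proxy


class SchemeFromHeader:
    """Hypothetical, simplified stand-in for a scheme-fixing WSGI middleware."""

    def __init__(self, app, trusted_proxies, header="HTTP_X_FORWARDED_PROTO"):
        self.app = app
        self.trusted_proxies = set(trusted_proxies)
        self.header = header  # assumed header name, in WSGI environ form

    def __call__(self, environ, start_response):
        proto = environ.get(self.header, "").strip().lower()
        # Honour the header only from a known proxy and only for expected
        # schemes; any other request keeps the scheme the server observed.
        from_proxy = environ.get("REMOTE_ADDR") in self.trusted_proxies
        if from_proxy and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def link_app(environ, start_response):
    """Toy API endpoint: emits a link built from the WSGI environ."""
    link = application_uri(environ) + "v1/stacks"
    start_response("200 OK", [("Content-Type", "text/plain"), ("Location", link)])
    return [link.encode()]


def backend_link(peer, path="/v1/stacks", **headers):
    """Run one constructed request as the backend sees it; return the link."""
    environ = {
        "REQUEST_METHOD": "GET",
        "wsgi.url_scheme": "http",       # backend listens on plain HTTP
        "HTTP_HOST": "api.example.org",  # assumes the proxy preserves Host
        "SCRIPT_NAME": "",               # <base> was stripped by the proxy
        "PATH_INFO": path,
        "REMOTE_ADDR": peer,
    }
    environ.update(headers)
    app = SchemeFromHeader(link_app, TRUSTED_PROXIES)
    return b"".join(app(environ, lambda status, hdrs: None)).decode()


if __name__ == "__main__":
    # Client asked for https://api.example.org/heat/v1/stacks (constructed).
    print(backend_link("192.0.2.10", HTTP_X_FORWARDED_PROTO="https"))
    print(backend_link("198.51.100.7", HTTP_X_FORWARDED_PROTO="https"))
```

The first call yields an https link that still lacks the /heat prefix the client used, because nothing in the request tells the backend about <base>; the second call comes from an address outside the allowlist, so the header is ignored.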