[openstack-dev] [all] Consistent support for SSL termination proxies across all API services

ZZelle zzelle at gmail.com
Wed Sep 23 12:01:15 UTC 2015


Hi,

SSLMiddleware takes into account a Header[1] to set wsgi.url_scheme
which allows a proxy to provide the original protocol to Heat/Neutron/...


> Does that solution work in the HA Proxy case where there is one
> terminating address for multiple backend servers? Because there is the
> concern that this impacts not only the Location header, but the link
> documents inside the responses which clients are expected to be able to
> link.follow. This is an honest question, I don't know how the
> oslo_middleware.ssl acts in these cases. And HA Proxy 1 to N mapping is
> very common deployment model.
>

It ensures the protocol provided in headers will be used to generate
correct Location Headers and links.

BUT there are some limitations:

* It doesn't work when the service itself acts as a proxy (typically nova
  image-list)
* It doesn't work when you rewrite from
  https://<proxy-host>:<proxy-port>/<base>/...
  to http://<host>:<port>/...
  because the <base> information is not provided in the headers (except if
  you exploit a webob limitation)


Cédric/ZZelle at IRC
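
The behaviour described in this message, as an added example that is not part of the original post and is not the oslo_middleware code: a minimal WSGI middleware copies the protocol from a proxy header into wsgi.url_scheme, and a constructed request shows the generated Location getting the right scheme while the proxy's <base> path is still missing. The header name X-Forwarded-Proto, the host api.example.test, the /api base and the link_app service are assumptions.

```python
from wsgiref.util import application_uri, setup_testing_defaults

# Assumed header name; the post only says "a Header".
PROTO_HEADER = "HTTP_X_FORWARDED_PROTO"


class ProxySchemeMiddleware:
    """Copy the proxy-supplied protocol into wsgi.url_scheme."""

    def __init__(self, app, header=PROTO_HEADER):
        self.app = app
        self.header = header

    def __call__(self, environ, start_response):
        proto = environ.get(self.header, "").strip().lower()
        # Accept only known schemes; any other value leaves the scheme as-is.
        # The header is only trustworthy when the proxy is the sole sender.
        if proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def link_app(environ, start_response):
    """Hypothetical API service: builds a link from the WSGI environ."""
    location = application_uri(environ) + "v2.0/networks"
    start_response("302 Found", [("Location", location)])
    return [b""]


def location_for(extra_environ):
    """Send one constructed request through the middleware, return Location."""
    environ = {}
    setup_testing_defaults(environ)      # plain http backend request
    environ.update(extra_environ)        # what the proxy adds or preserves
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(ProxySchemeMiddleware(link_app)(environ, start_response))
    return captured["Location"]


if __name__ == "__main__":
    # Constructed case: client used https://api.example.test:8443/api/...
    # and the proxy rewrote it to http://<host>:<port>/... on the backend.
    proxied = {"HTTP_X_FORWARDED_PROTO": "https",
               "HTTP_HOST": "api.example.test:8443"}
    print(location_for(proxied))  # scheme is https, but the /api base is lost
```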