[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
Adam Young
ayoung at redhat.com
Fri Aug 5 20:52:35 UTC 2016
Today I discovered that we need to modify the HA proxy config to tell it
to rewrite redirects. Otherwise, I get a link to
http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse
Which should be https, not http.
I mimicked the lines in the horizon config so that the keystone section
looks like this:
listen keystone_public
bind 10.0.0.4:13000 transparent ssl crt
/etc/pki/tls/private/overcloud_endpoint.pem
bind 172.16.2.5:5000 transparent
mode http
redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
rsprep ^Location:\ http://(.*) Location:\ https://\1
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000
rise 2
server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000
rise 2
server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000
rise 2
And.. it seemed to work the first time, but not the second. Now I get
"Secure Connection Failed
The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted
while the page was loading."
Guessing the first success was actually a transient error.
So it looks like my change was necessary but not sufficient.
This is needed to make mod_auth_mellon work when loaded into Apache, and
Apache is running behind HA proxy (Tripleo setup).
There is no SSL setup inside the Keystone server, it is just doing
straight HTTP. While I'd like to change this long term, I'd like to get
things working this way first, but am willing to make whatever changes
are needed to get SAML and Federation working soonest.
More information about the OpenStack-dev
mailing list