[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
Adam Young
ayoung at redhat.com
Fri Aug 5 20:54:31 UTC 2016
On 08/05/2016 04:52 PM, Adam Young wrote:
> Today I discovered that we need to modify the HA proxy config to tell
> it to rewrite redirects. Otherwise, I get a link to
>
> http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse
>
>
> Which should be https, not http.
>
>
> I mimicked the lines in the horizon config so that the keystone
> section looks like this:
>
>
> listen keystone_public
> bind 10.0.0.4:13000 transparent ssl crt
> /etc/pki/tls/private/overcloud_endpoint.pem
> bind 172.16.2.5:5000 transparent
> mode http
> redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
> rsprep ^Location:\ http://(.*) Location:\ https://\1
> http-request set-header X-Forwarded-Proto https if { ssl_fc }
> http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
> server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter
> 2000 rise 2
> server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter
> 2000 rise 2
> server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter
> 2000 rise 2
>
> And.. it seemed to work the first time, but not the second. Now I get
>
> "Secure Connection Failed
>
> The connection to openstack.ayoung-dell-t1700.test:5000 was
> interrupted while the page was loading."
>
> Guessing the first success was actually a transient error.
>
> So it looks like my change was necessary but not sufficient.
>
> This is needed to make mod_auth_mellon work when loaded into Apache,
> and Apache is running behind HA proxy (Tripleo setup).
>
>
> There is no SSL setup inside the Keystone server, it is just doing
> straight HTTP. While I'd like to change this long term, I'd like to
> get things working this way first, but am willing to make whatever
> changes are needed to get SAML and Federation working soonest.
>
>
>
>
Ah...just noticed the redirect is to :5000, not port :13000 which is the
HA Proxy port.
More information about the OpenStack-dev
mailing list