[Openstack-operators] HTTP/S Termination with Haproxy + Keystone

Mathieu Gagné mgagne at calavera.ca
Wed Feb 22 02:46:00 UTC 2017


Hi,

The problem is that Keystone doesn't know about HAProxy terminating
the SSL connection and therefore doesn't know it needs to generate
URLs with https:// protocol.

You can override the "auto-detected" URLs with those configurations:
- [DEFAULT]/public_endpoint
- [DEFAULT]/admin_endpoint

See documentation for a bit more explanation about those
configurations:
https://docs.openstack.org/draft/config-reference/identity/api.html
--
Mathieu


On Tue, Feb 21, 2017 at 8:56 PM, Chris Apsey <bitskrieg at bitskrieg.net> wrote:
> I'm having a strange issue with keystone after migrating all public
> endpoints to https (haproxy terminates the SSL connection for each service):
>
> openstack endpoint list
>
> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
> | ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |
> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
> ...
> | 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity       | True    | public    | https://some.domain.place:5000/v3                 |
> ...
>
> I have also updated my rc files appropriately.  Whenever I try and use the
> CLI against the public endpoints in debug mode, everything starts out
> looking good:
>
> REQ: curl -g -i -X GET https://some.domain.place:5000/v3 -H "Accept:
> application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1
> python-requests/2.11.1 CPython/2.7.9"
>
> But then, the response body gives a non-https URL:
>
> RESP BODY: {"version": {"status": "stable", "updated":
> "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json", "type":
> "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links":
> [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}
>
> and then the attempt to authenticate fails:
>
> Making authentication request to
> http://some.domain.place:5000/v3/auth/tokens
> Starting new HTTP connection (1): some.domain.place
> Unable to establish connection to
> http://some.domain.place:5000/v3/auth/tokens
>
> I've restarted apache2 on my keystone hosts and I have scoured the database
> for any reference to a non-https public endpoint for keystone; I cannot find
> one.
>
> Does anyone know why my response body is giving the wrong URL?  Horizon
> works perfectly fine with the https endpoints; it's just the command line
> clients that are having issues.
>
> Thanks in advance,
>
> --
> v/r
>
> Chris Apsey
> bitskrieg at bitskrieg.net
> https://www.bitskrieg.net
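
A check for the symptom discussed in this thread, added here as an example and not part of either message: it parses a Keystone version document and reports every link whose scheme, host or port differs from the endpoint that was requested, such as the http:// link that sent the client's token request to a plain-HTTP URL. The function names are hypothetical, and the multi-version "versions"/"values" layout is an assumption about the root document.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the version document quoted in the thread.
SAMPLE_BODY = '''{"version": {"status": "stable", "updated": "2016-10-06T00:00:00Z",
 "media-types": [{"base": "application/json",
 "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.7",
 "links": [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}'''


def _origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def iter_links(doc):
    """Yield every href in a single-version or multi-version document."""
    if "version" in doc:
        versions = [doc["version"]]
    else:
        # Assumed layout of the unversioned root document.
        versions = doc.get("versions", {}).get("values", [])
    for version in versions:
        for link in version.get("links", []):
            if "href" in link:
                yield link["href"]


def check_discovery(requested_url, body):
    """Return (href, reason) for each link that leaves the requested origin."""
    want = _origin(requested_url)
    findings = []
    for href in iter_links(json.loads(body)):
        got = _origin(href)
        if got[0] != want[0]:
            findings.append((href, "scheme %s != %s" % (got[0], want[0])))
        elif got[1:] != want[1:]:
            findings.append((href, "host/port differs from requested endpoint"))
    return findings


if __name__ == "__main__":
    url = "https://some.domain.place:5000/v3"
    for href, reason in check_discovery(url, SAMPLE_BODY):
        print("MISMATCH %s (%s)" % (href, reason))
```

An empty result after setting [DEFAULT]/public_endpoint and restarting Keystone means the advertised links match the TLS endpoint that HAProxy exposes.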


