Open Stack

Do you have this in your haproxy front end config?

reqadd X-Forwarded-Proto:\ https

And this in your keystone.conf ?

secure_proxy_ssl_header=HTTP_X_FORWARDED_PROTO

I think that’s what I had to do to tell haproxy to add a headder that keystone then matched to know when to return https.

> On Feb 21, 2017, at 8:56 PM, Chris Apsey <bitskrieg at bitskrieg.net> wrote:
> 
> I'm having a strange issue with keystone after migrating all public endpoints to https (haproxy terminates the SSL connection for each service):
> 
> openstack endpoint list
> 
> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
> | ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |
> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
> ...
> | 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity       | True    | public    | https://some.domain.place:5000/v3                 |
> ...
> 
> I have also updated my rc files appropriately.  Whenever I try and use the CLI against the public endpoints in debug mode, everything starts out looking good:
> 
> REQ: curl -g -i -X GET https://some.domain.place:5000/v3 -H "Accept: application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1 python-requests/2.11.1 CPython/2.7.9"
> 
> But then, the response body gives a non-https URL:
> 
> RESP BODY: {"version": {"status": "stable", "updated": "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links": [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}
> 
> and then the attempt to authenticate fails:
> 
> Making authentication request to http://some.domain.place:5000/v3/auth/tokens
> Starting new HTTP connection (1): some.domain.place
> Unable to establish connection to http://some.domain.place:5000/v3/auth/tokens
> 
> I've restarted apache2 on my keystone hosts and I have scoured the database for any reference to a non-https public endpoint for keystone; I cannot find one.
> 
> Does anyone know why my response body is giving the wrong URL?  Horizon works perfectly fine with the https endpoints; it's just the command line clients that are having issues.
> 
> Thanks in advance,
> 
> -- 
> v/r
> 
> Chris Apsey
> bitskrieg at bitskrieg.net
> https://www.bitskrieg.net
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3574 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20170221/fbff8ce8/attachment.bin>