[Openstack-operators] HTTP/S Termination with Haproxy + Keystone

Mohammed Naser mnaser at vexxhost.com
Wed Feb 22 18:05:33 UTC 2017


Cinder faces the same issue unfortunately and it will result in failed RefStack runs (does this mean everyone who's ran RefStack uses no HTTPS for APIs or uses SSL inside Eventlet?)

We're still trying to figure that one out. 

Sent from my iPhone

> On Feb 22, 2017, at 12:58 PM, Chris Apsey <bitskrieg at bitskrieg.net> wrote:
> 
> Mathieu,
> 
> That did the trick - thank you.  On a related note, heat is exhibiting the same behavior on some of the API calls (stack list works fine, stack show does not because a http URL is returned in the 302 response field, etc.).
> 
> I attempted the combination of 'oslo_middleware/enable_proxy_headers_parsing' and 'oslo_middleware/secure_proxy_ssl_header' referenced here https://docs.openstack.org/newton/config-reference/orchestration/api.html along with the appropriate haproxy configuration suggested by Mike, but no dice.  The URL doesn't change.  Beyond that, it looks like that option is deprecated anyway (at least in heat), although I have not found any indication about what is supposed to 'replace' those options going forward.
> 
> Ideas?
> 
> Thanks so much,
> 
> ---
> v/r
> 
> Chris Apsey
> bitskrieg at bitskrieg.net
> https://www.bitskrieg.net
> 
>> On 2017-02-21 21:46, Mathieu Gagné wrote:
>> Hi,
>> The problem is that Keystone doesn't know about HAProxy terminating
>> the SSL connection and therefore doesn't know it needs to generate
>> URLs with https:// protocol.
>> You can override the "auto-detected" URLs with those configurations:
>> - [DEFAULT]/public_endpoint
>> - [DEFAULT]/admin_endpoint
>> See documentation for a bit more explanation about those
>> configurations:
>> https://docs.openstack.org/draft/config-reference/identity/api.html
>> --
>> Mathieu
>>> On Tue, Feb 21, 2017 at 8:56 PM, Chris Apsey <bitskrieg at bitskrieg.net> wrote:
>>> I'm having a strange issue with keystone after migrating all public
>>> endpoints to https (haproxy terminates the SSL connection for each service):
>>> openstack endpoint list
>>> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
>>> | ID                               | Region    | Service Name | Service Type
>>> | Enabled | Interface | URL                                             |
>>> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
>>> ...
>>> | 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone     | identity
>>> | True    | public    | https://some.domain.place:5000/v3                 |
>>> ...
>>> I have also updated my rc files appropriately.  Whenever I try and use the
>>> CLI against the public endpoints in debug mode, everything starts out
>>> looking good:
>>> REQ: curl -g -i -X GET https://some.domain.place:5000/v3 -H "Accept:
>>> application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1
>>> python-requests/2.11.1 CPython/2.7.9"
>>> But then, the response body gives a non-https URL:
>>> RESP BODY: {"version": {"status": "stable", "updated":
>>> "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json", "type":
>>> "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links":
>>> [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}
>>> and then the attempt to authenticate fails:
>>> Making authentication request to
>>> http://some.domain.place:5000/v3/auth/tokens
>>> Starting new HTTP connection (1): some.domain.place
>>> Unable to establish connection to
>>> http://some.domain.place:5000/v3/auth/tokens
>>> I've restarted apache2 on my keystone hosts and I have scoured the database
>>> for any reference to a non-https public endpoint for keystone; I cannot find
>>> one.
>>> Does anyone know why my response body is giving the wrong URL?  Horizon
>>> works perfectly fine with the https endpoints; it's just the command line
>>> clients that are having issues.
>>> Thanks in advance,
>>> --
>>> v/r
>>> Chris Apsey
>>> bitskrieg at bitskrieg.net
>>> https://www.bitskrieg.net
>>> _______________________________________________
>>> OpenStack-operators mailing list
>>> OpenStack-operators at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators



More information about the OpenStack-operators mailing list