[Openstack-operators] HTTP/S Termination with Haproxy + Keystone
Mathieu Gagné
mgagne at calavera.ca
Wed Feb 22 20:52:42 UTC 2017
Hi,
I attended to write a blog post about that subject more than a year
ago but never completed it.
Here is the text in a GitHub Gist:
https://gist.github.com/mgagne/f298c151b61d44cb5fea
Information might be outdated for latest versions but can still give
you a clue about what to look for.
--
Mathieu
On Wed, Feb 22, 2017 at 3:37 PM, Mohammed Naser <mnaser at vexxhost.com> wrote:
> I would appreciate it if you can let us know which one it is for Cinder, as
> it looks like there is no SSL middleware for Cinder which allows doing this.
>
> Thanks
>
> On Feb 22, 2017, at 1:43 PM, Chris Suttles <suttles at gmail.com> wrote:
>
> There's a similar option in heat.conf:
>
> secure_proxy_ssl_header = X-Forwarded-Proto
>
> Pretty sure that's needed for most services; I will scrub my configs and
> check. We are running a pretty simple install of Newton, and doing haproxy
> for SSL termination of all API endpoints.
>
> On Wed, Feb 22, 2017 at 9:58 AM, Chris Apsey <bitskrieg at bitskrieg.net>
> wrote:
>>
>> Mathieu,
>>
>> That did the trick - thank you. On a related note, heat is exhibiting the
>> same behavior on some of the API calls (stack list works fine, stack show
>> does not because a http URL is returned in the 302 response field, etc.).
>>
>> I attempted the combination of
>> 'oslo_middleware/enable_proxy_headers_parsing' and
>> 'oslo_middleware/secure_proxy_ssl_header' referenced here
>> https://docs.openstack.org/newton/config-reference/orchestration/api.html
>> along with the appropriate haproxy configuration suggested by Mike, but no
>> dice. The URL doesn't change. Beyond that, it looks like that option is
>> deprecated anyway (at least in heat), although I have not found any
>> indication about what is supposed to 'replace' those options going forward.
>>
>> Ideas?
>>
>> Thanks so much,
>>
>> ---
>> v/r
>>
>> Chris Apsey
>> bitskrieg at bitskrieg.net
>> https://www.bitskrieg.net
>>
>> On 2017-02-21 21:46, Mathieu Gagné wrote:
>>>
>>> Hi,
>>>
>>> The problem is that Keystone doesn't know about HAProxy terminating
>>> the SSL connection and therefore doesn't know it needs to generate
>>> URLs with https:// protocol.
>>>
>>> You can override the "auto-detected" URLs with those configurations:
>>> - [DEFAULT]/public_endpoint
>>> - [DEFAULT]/admin_endpoint
>>>
>>> See documentation for a bit more explanation about those
>>> configurations:
>>> https://docs.openstack.org/draft/config-reference/identity/api.html
>>> --
>>> Mathieu
>>>
>>>
>>> On Tue, Feb 21, 2017 at 8:56 PM, Chris Apsey <bitskrieg at bitskrieg.net>
>>> wrote:
>>>>
>>>> I'm having a strange issue with keystone after migrating all public
>>>> endpoints to https (haproxy terminates the SSL connection for each
>>>> service):
>>>>
>>>> openstack endpoint list
>>>>
>>>>
>>>> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
>>>> | ID | Region | Service Name | Service
>>>> Type
>>>> | Enabled | Interface | URL
>>>> |
>>>>
>>>> +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
>>>> ...
>>>> | 99d302d00ab3461cb9362236c865a430 | RegionOne | keystone | identity
>>>> | True | public | https://some.domain.place:5000/v3
>>>> |
>>>> ...
>>>>
>>>> I have also updated my rc files appropriately. Whenever I try and use
>>>> the
>>>> CLI against the public endpoints in debug mode, everything starts out
>>>> looking good:
>>>>
>>>> REQ: curl -g -i -X GET https://some.domain.place:5000/v3 -H "Accept:
>>>> application/json" -H "User-Agent: osc-lib keystoneauth1/2.12.1
>>>> python-requests/2.11.1 CPython/2.7.9"
>>>>
>>>> But then, the response body gives a non-https URL:
>>>>
>>>> RESP BODY: {"version": {"status": "stable", "updated":
>>>> "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json",
>>>> "type":
>>>> "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links":
>>>> [{"href": "http://some.domain.place:5000/v3/", "rel": "self"}]}}
>>>>
>>>> and then the attempt to authenticate fails:
>>>>
>>>> Making authentication request to
>>>> http://some.domain.place:5000/v3/auth/tokens
>>>> Starting new HTTP connection (1): some.domain.place
>>>> Unable to establish connection to
>>>> http://some.domain.place:5000/v3/auth/tokens
>>>>
>>>> I've restarted apache2 on my keystone hosts and I have scoured the
>>>> database
>>>> for any reference to a non-https public endpoint for keystone; I cannot
>>>> find
>>>> one.
>>>>
>>>> Does anyone know why my response body is giving the wrong URL? Horizon
>>>> works perfectly fine with the https endpoints; it's just the command
>>>> line
>>>> clients that are having issues.
>>>>
>>>> Thanks in advance,
>>>>
>>>> --
>>>> v/r
>>>>
>>>> Chris Apsey
>>>> bitskrieg at bitskrieg.net
>>>> https://www.bitskrieg.net
>>>>
>>>> _______________________________________________
>>>> OpenStack-operators mailing list
>>>> OpenStack-operators at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
More information about the OpenStack-operators
mailing list