[Openstack-security] [Bug 1504610] Re: Murano API cannot cope with being behind an SSL terminator

Nikolay Starodubtsev nstarodubtsev at mirantis.com
Mon Oct 12 09:13:34 UTC 2015 

** Changed in: murano/liberty
    Milestone: None => liberty-rc2

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1504610

Title:
  Murano API cannot cope with being behind an SSL terminator

Status in murano:
  Confirmed
Status in murano liberty series:
  Confirmed
Status in murano mitaka series:
  Confirmed

Bug description:
  On environments with SSL/https for all endpoints Murano deployments
  fail because Murano works under SSL terminator.

  Steps To Reproduce:
  1. Deploy Murano in http mode and configure HA Proxy with SSL termination
  2. Deploy Murano application

  Observed Result:
  Deployment will fail with the error about unreachable http Murano endpoint.

  We have the same issue for Heat which is already fixed now:
  https://bugs.launchpad.net/heat/+bug/1235555

  HAProxy serves as the SSL termination for all of the LCP Services, Client HTTPS Request -> HAProxy HTTPS Listener -> Murano HTTP ListenerHAProxy uses the X-Forwarded-Proto to try and tell the application that the original request was HTTPS, unfortunately it does not appear Murano/webob adheres to the use of this header.https://github.com/Pylons/webob/blob/master/webob/request.py#L437
  See the change issue related to heat api,https://review.openstack.org/#/c/64142/

To manage notifications about this bug go to:
https://bugs.launchpad.net/murano/+bug/1504610/+subscriptions

More information about the Openstack-security mailing list