+1

________________________________________
From: Mathieu Gagné [mga...@internap.com]
Sent: Thursday, September 17, 2015 5:38 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

Hi,

While debugging LP bug #1491579 [1], we identified [2] an issue where an API sitting behind a proxy performing SSL termination would not generate the right redirection. The protocol ends up being the wrong one (http instead of https) and this could hang your request indefinitely if tcp/80 is not opened and a firewall drops your connection.

I suggested [3] adding support for the X-Forwarded-Proto header, thinking Nova didn't support it yet. In fact, someone suggested setting the public_endpoint config instead.

So today I stumbled across this review [4] which added the secure_proxy_ssl_header config to Nova. It allows the API to detect SSL termination based on the (suggested) header X-Forwarded-Proto just like previously suggested.

I also found this bug report [5] (opened in 2014) which also happens to complain about bad URLs when the API is sitting behind a proxy.

Multiple projects applied patches to try to fix the issue (based on Launchpad comments):

* Glance added public_endpoint config
* Cinder added public_endpoint config
* Heat added secure_proxy_ssl_header config (through heat.api.openstack:sslmiddleware_filter)
* Nova added secure_proxy_ssl_header config
* Manila added secure_proxy_ssl_header config (through oslo_middleware.ssl:SSLMiddleware.factory)
* Ironic added public_endpoint config
* Keystone added secure_proxy_ssl_header config (LP #1370022)

As you can see, there is a lot of inconsistency between projects. (There is more, but let's start with that one.)

My wish is for a common and consistent way for *ALL* OpenStack APIs to support the same solution for this common problem. Let me tell you (and I guess I can speak for all operators), we will be very happy to have ONE config to remember and set for *ALL* OpenStack services.

How can we get the ball rolling so we can fix it together once and for all in a timely fashion?

[1] https://bugs.launchpad.net/python-novaclient/+bug/1491579
[2] https://bugs.launchpad.net/python-novaclient/+bug/1491579/comments/15
[3] https://bugs.launchpad.net/python-novaclient/+bug/1491579/comments/17
[4] https://review.openstack.org/#/c/206479/
[5] https://bugs.launchpad.net/glance/+bug/1384379

--
Mathieu

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
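
The redirect problem described in the message above, as an added example that is not part of the thread and not code from any OpenStack project: a toy WSGI API that builds its redirect from `wsgi.url_scheme`, and a middleware that takes the scheme from X-Forwarded-Proto. The class and function names, the host name and the addresses are constructed, and accepting the header only from a listed proxy address is an assumption of this example, not something the thread specifies.

```python
# Added example, not OpenStack code; hosts and addresses are constructed.
TRUSTED_PROXIES = frozenset({"192.0.2.10"})  # assumed SSL-terminating proxy

def api_app(environ, start_response):
    """Toy API: redirect /v2 to /v2/ using the scheme WSGI reports."""
    location = "{}://{}{}/".format(
        environ["wsgi.url_scheme"], environ["HTTP_HOST"], environ["PATH_INFO"])
    start_response("302 Found", [("Location", location)])
    return [b""]

class ForwardedProtoMiddleware:
    """Take the scheme from a proxy header, only for trusted peers."""

    def __init__(self, app, header="X-Forwarded-Proto", trusted=TRUSTED_PROXIES):
        self.app = app
        # WSGI exposes request headers as HTTP_<NAME>, dashes as underscores.
        self.key = "HTTP_" + header.upper().replace("-", "_")
        self.trusted = trusted

    def __call__(self, environ, start_response):
        proto = environ.get(self.key, "").strip().lower()
        # Ignore the header from unknown peers and ignore unexpected values.
        if environ.get("REMOTE_ADDR") in self.trusted and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)

def redirect_location(app, remote_addr, forwarded_proto=None):
    """Send one constructed request through app; return its Location header."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": "/v2",
        "HTTP_HOST": "api.example.test", "REMOTE_ADDR": remote_addr,
        "wsgi.url_scheme": "http",  # the proxy-to-API hop is plain HTTP
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    app(environ, start_response)
    return captured["Location"]

if __name__ == "__main__":
    wrapped = ForwardedProtoMiddleware(api_app)
    print(redirect_location(api_app, "192.0.2.10", "https"))   # no middleware
    print(redirect_location(wrapped, "192.0.2.10", "https"))   # trusted proxy
    print(redirect_location(wrapped, "203.0.113.7", "https"))  # untrusted peer
```

Without the middleware the API redirects to http even though the client connected over https; with it, the scheme follows the header only when the request arrives from the listed proxy.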