Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
On 08/07/2016 11:16 PM, Adam Young wrote: On 08/06/2016 08:44 AM, John Dennis wrote: On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse; > https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata My guess is HA proxy is not passing on the proper, and the mod_auth_mellon does not know to rewrite it from 5000 to 13000 You can't change the contents of a SAML AuthnRequest, often they are signed. Also, the AssertionConsumerServiceURL's and other URL's in SAML messages are validated to assure they match the metadata associated with EntityID (issuer). The addresses used inbound and outbound have to be correctly handled by the proxy configuration without modifying the content of the message being passed on the transport. Got a a little further by twerking HA proxy settings. Added in redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc } rsprep ^Location:\ http://(.*) Location:\ https://\1 whicxh tells HA proxy to translate Location headers (used in redirects) from http to https. As of now, it looks good up until the response comes back from the IdP and mod mellon rejects it. I think this is due to Mellon issuing a request for http://: but it gets translated through the proxy as https://:. mod_auth_mellon is failing the following check in auth_mellon_handler.c url = am_reconstruct_url(r); ... if (response->parent.Destination) { if (strcmp(response->parent.Destination, url)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Invalid Destination on Response. Should be: %s", url); lasso_login_destroy(login); return HTTP_BAD_REQUEST; } } It does not spit out the parent.Destination value, but considering I am seeing http and not https in the error message, I assume that at least the protocol does not match. Full error message at the bottom. Assuming the problem is just that the URL is http and not https, I have an approach that should work. I need to test it out, but want to record it here, and also get feedback: I can clone the current 10-keystone_wsgi_main.conf which listens for straight http on port 5000. If I make a file 11-keystone_wsgi_main.conf that listens on port 13000 (not on the external VIP) but that enables SSL, I should be able to make HA proxy talk to that port and re-encrypt traffic, maintaining the 'https://' protocol. However, I am not certain that Destination means the SP URL. It seems like it should mean the IdP. Further on in auth_mellon_handler.c destination_url = lasso_provider_get_metadata_one( provider, "SingleSignOnService HTTP-Redirect"); if (destination_url == NULL) { /* HTTP-Redirect unsupported - try HTTP-POST. */ http_method = LASSO_HTTP_METHOD_POST; destination_url = lasso_provider_get_metadata_one( provider, "SingleSignOnService HTTP-POST"); } Looking in the metadata, it seems that this value should be: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; /> So maybe something has rewritten the value used as the url ? Here is the full error message Invalid Destination on Response. Should be: http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse, referer: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml?SAMLRequest=nZJba%2BMwEEb%2FitG7I%2BXi1Igk4OYCge5S0m4f%2BlKEM2lFLcmrGWc3%2F35HDu22D22hIDCMZ%2FTpHGmGxjWtrjp68jv43QFS9tc1HnX%2FYy666HUwaFF74wA11fqm%2BnGlRwOl2xgo1KERb0Y%2BnzCIEMkGL7Ltai4e1LoYq%2FFoXapJWU2GhSouN5vhelpNyqIcX2xEdgcRuX8ueJyHEDvYeiTjiUtqOM1VmavprRppXkVxL7IVM1hvqJ96ImpRS2n34MnSaWBOofOP%2BR6aJqfhhVID4n5pWICMYBqHMrSQEupn%2BQIoE5nIlsEjpODPEOtzk667GPmbW9c2trYksk2INfSm5%2BJgGoTEc81K7BFeK9WLoRTWOYg3EI%2B2hl%2B7q%2F80ryf8AEcXSil5HEvH9eBlG5B2gG06mljMEo3uVcbFd7d0QGZvyMzk291m5%2Bf0k61sV9eBwU8J25kvpKWK3eeHvlVTNB4ty2MdHPZnyRdDrIhiB0IuzpHvH%2B3iHw%3D%3D=http%3A%2F%2Fopenstack.ayoung-dell-t1700.test%3A5000%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttp%3A%2F%2Fopenstack.ayoung-dell-t1700.test%2Fdashboard%2Fauth%2Fwebsso%2F=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1=oJzAwE7ma3m0gZtO%2FvPQKCnk18u4OsjKcRQ3wiDu7txUGiPr4Cc9XIzKIGwzSGPSaWi8j1qbN76XwdNICOk!
Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
On 08/06/2016 08:44 AM, John Dennis wrote: On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse; > https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true" /> My guess is HA proxy is not passing on the proper, and the mod_auth_mellon does not know to rewrite it from 5000 to 13000 You can't change the contents of a SAML AuthnRequest, often they are signed. Also, the AssertionConsumerServiceURL's and other URL's in SAML messages are validated to assure they match the metadata associated with EntityID (issuer). The addresses used inbound and outbound have to be correctly handled by the proxy configuration without modifying the content of the message being passed on the transport. Got a a little further by twerking HA proxy settings. Added in redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc } rsprep ^Location:\ http://(.*) Location:\ https://\1 whicxh tells HA proxy to translate Location headers (used in redirects) from http to https. As of now, it looks good up until the response comes back from the IdP and mod mellon rejects it. I think this is due to Mellon issuing a request for http://: but it gets translated through the proxy as https://:. mod_auth_mellon is failing the following check in auth_mellon_handler.c url = am_reconstruct_url(r); ... if (response->parent.Destination) { if (strcmp(response->parent.Destination, url)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Invalid Destination on Response. Should be: %s", url); lasso_login_destroy(login); return HTTP_BAD_REQUEST; } } It does not spit out the parent.Destination value, but considering I am seeing http and not https in the error message, I assume that at least the protocol does not match. Full error message at the bottom. Assuming the problem is just that the URL is http and not https, I have an approach that should work. I need to test it out, but want to record it here, and also get feedback: I can clone the current 10-keystone_wsgi_main.conf which listens for straight http on port 5000. If I make a file 11-keystone_wsgi_main.conf that listens on port 13000 (not on the external VIP) but that enables SSL, I should be able to make HA proxy talk to that port and re-encrypt traffic, maintaining the 'https://' protocol. However, I am not certain that Destination means the SP URL. It seems like it should mean the IdP. Further on in auth_mellon_handler.c destination_url = lasso_provider_get_metadata_one( provider, "SingleSignOnService HTTP-Redirect"); if (destination_url == NULL) { /* HTTP-Redirect unsupported - try HTTP-POST. */ http_method = LASSO_HTTP_METHOD_POST; destination_url = lasso_provider_get_metadata_one( provider, "SingleSignOnService HTTP-POST"); } Looking in the metadata, it seems that this value should be: Location="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; /> So maybe something has rewritten the value used as the url ? Here is the full error message Invalid Destination on Response. Should be: http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse, referer: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml?SAMLRequest=nZJba%2BMwEEb%2FitG7I%2BXi1Igk4OYCge5S0m4f%2BlKEM2lFLcmrGWc3%2F35HDu22D22hIDCMZ%2FTpHGmGxjWtrjp68jv43QFS9tc1HnX%2FYy666HUwaFF74wA11fqm%2BnGlRwOl2xgo1KERb0Y%2BnzCIEMkGL7Ltai4e1LoYq%2FFoXapJWU2GhSouN5vhelpNyqIcX2xEdgcRuX8ueJyHEDvYeiTjiUtqOM1VmavprRppXkVxL7IVM1hvqJ96ImpRS2n34MnSaWBOofOP%2BR6aJqfhhVID4n5pWICMYBqHMrSQEupn%2BQIoE5nIlsEjpODPEOtzk667GPmbW9c2trYksk2INfSm5%2BJgGoTEc81K7BFeK9WLoRTWOYg3EI%2B2hl%2B7q%2F80ryf8AEcXSil5HEvH9eBlG5B2gG06mljMEo3uVcbFd7d0QGZvyMzk291m5%2Bf0k61sV9eBwU8J25kvpKWK3eeHvlVTNB4ty2MdHPZnyRdDrIhiB0IuzpHvH%2B3iHw%3D%3D=http%3A%2F%2Fopenstack.ayoung-dell-t1700.test%3A5000%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttp%3A%2F%2Fopenstack.ayoung-dell-t1700.test%2Fdashboard%2Fauth%2Fwebsso%2F=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1=oJzAwE7ma3m0gZtO%2FvPQKCnk18u4OsjKcRQ3wiDu7txUGiPr4Cc9XIzKIGwzSGPSaWi8j1qbN76XwdNICOk!
Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
On 08/05/2016 06:06 PM, Adam Young wrote: Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse; > https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata My guess is HA proxy is not passing on the proper, and the mod_auth_mellon does not know to rewrite it from 5000 to 13000 You can't change the contents of a SAML AuthnRequest, often they are signed. Also, the AssertionConsumerServiceURL's and other URL's in SAML messages are validated to assure they match the metadata associated with EntityID (issuer). The addresses used inbound and outbound have to be correctly handled by the proxy configuration without modifying the content of the message being passed on the transport. -- John __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
Adam, that should be fixed by https://review.openstack.org/#/c/341354/ which merged not too many days ago. Before that commit we had another configuration which was already deprecated in keystone upstream. On 6 Aug 2016 05:04, "Adam Young" <ayo...@redhat.com> wrote: > On 08/05/2016 06:40 PM, Fox, Kevin M wrote: > > -- > *From:* Adam Young [ayo...@redhat.com] > *Sent:* Friday, August 05, 2016 3:06 PM > *To:* openstack-dev@lists.openstack.org > *Subject:* Re: [openstack-dev] [keystone][tripleo] Federation, > mod_mellon, and HA Proxy > > On 08/05/2016 04:54 PM, Adam Young wrote: > > On 08/05/2016 04:52 PM, Adam Young wrote: > > Today I discovered that we need to modify the HA proxy config to tell it > to rewrite redirects. Otherwise, I get a link to > > http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse > > > Which should be https, not http. > > > I mimicked the lines in the horizon config so that the keystone section > looks like this: > > > listen keystone_public > bind 10.0.0.4:13000 transparent ssl crt > /etc/pki/tls/private/overcloud_endpoint.pem > bind 172.16.2.5:5000 transparent > mode http > redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc } > rsprep ^Location:\ http://(.*) <http://UrlBlockedError.aspx> Location:\ > https://\1 > http-request set-header X-Forwarded-Proto https if { ssl_fc } > http-request set-header X-Forwarded-Proto http if !{ ssl_fc } > server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 > rise 2 > server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 > rise 2 > server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 > rise 2 > > And.. it seemed to work the first time, but not the second. Now I get > > "Secure Connection Failed > > The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted > while the page was loading." > > Guessing the first success was actually a transient error. > > So it looks like my change was necessary but not sufficient. > > This is needed to make mod_auth_mellon work when loaded into Apache, and > Apache is running behind HA proxy (Tripleo setup). > > > There is no SSL setup inside the Keystone server, it is just doing > straight HTTP. While I'd like to change this long term, I'd like to get > things working this way first, but am willing to make whatever changes are > needed to get SAML and Federation working soonest. > > > > > Ah...just noticed the redirect is to :5000, not port :13000 which is the > HA Proxy port. > > > OK, this is due to the SAML request: > > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > ID="_5089011BEBD0F6B82074F67E904F598D" > Version="2.0" > IssueInstant="2016-08-05T21:55:18Z" > > Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; > <https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml> > > Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" > ForceAuthn="false" > IsPassive="false" > > AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse; > <https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse> > > > > https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" > AllowCreate="true" > /> > > > > My guess is HA proxy is not passing on the proper, and the mod_auth_mellon > does not know to rewrite it from 5000 to 13000 > > > "rewriting is more expensive then getting the web server to return the > right prefix. Is that an option? Usually its just a bug that needs a minor > patch to fix. > > Thanks, > Kevin" > > > Well, I think in this case, the expense is not something to worry about: > SAML is way more chatty than normal traffic, and the rewrite won't be a > drop a in the bucket. > > I think the right thing to do is to get HA proxy top pass on the correct > URL, including the port, to the backend, but I don't think it is done in > the rsprep directive. As John Dennis pointed out to me, the > mod_auth_mellon code uses the apache ap_construct_url(r->pool, > cfg->endpoint_path, r) where r is the current request reco
Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
On 08/05/2016 06:40 PM, Fox, Kevin M wrote: *From:* Adam Young [ayo...@redhat.com] *Sent:* Friday, August 05, 2016 3:06 PM *To:* openstack-dev@lists.openstack.org *Subject:* Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy On 08/05/2016 04:54 PM, Adam Young wrote: On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in the horizon config so that the keystone section looks like this: listen keystone_public bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem bind 172.16.2.5:5000 transparent mode http redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc } rsprep ^Location:\ http://(.*) Location:\ https://\1 http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 rise 2 And.. it seemed to work the first time, but not the second. Now I get "Secure Connection Failed The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted while the page was loading." Guessing the first success was actually a transient error. So it looks like my change was necessary but not sufficient. This is needed to make mod_auth_mellon work when loaded into Apache, and Apache is running behind HA proxy (Tripleo setup). There is no SSL setup inside the Keystone server, it is just doing straight HTTP. While I'd like to change this long term, I'd like to get things working this way first, but am willing to make whatever changes are needed to get SAML and Federation working soonest. Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse; > https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata My guess is HA proxy is not passing on the proper, and the mod_auth_mellon does not know to rewrite it from 5000 to 13000 "rewriting is more expensive then getting the web server to return the right prefix. Is that an option? Usually its just a bug that needs a minor patch to fix. Thanks, Kevin" Well, I think in this case, the expense is not something to worry about: SAML is way more chatty than normal traffic, and the rewrite won't be a drop a in the bucket. I think the right thing to do is to get HA proxy top pass on the correct URL, including the port, to the backend, but I don't think it is done in the rsprep directive. As John Dennis pointed out to me, the mod_auth_mellon code uses the apache ap_construct_url(r->pool, cfg->endpoint_path, r) where r is the current request record. And that has to be passed from HA proxy to Apache. HA proxy is terminating SSL, and then calling Apache via server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2 and two others. Everything appears to be properly translated except the port. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe:openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
rewriting is more expensive then getting the web server to return the right prefix. Is that an option? Usually its just a bug that needs a minor patch to fix. Thanks, Kevin From: Adam Young [ayo...@redhat.com] Sent: Friday, August 05, 2016 3:06 PM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy On 08/05/2016 04:54 PM, Adam Young wrote: On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in the horizon config so that the keystone section looks like this: listen keystone_public bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem bind 172.16.2.5:5000 transparent mode http redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc } rsprep ^Location:\ http://(.*) Location:\ https://\1 http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 rise 2 And.. it seemed to work the first time, but not the second. Now I get "Secure Connection Failed The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted while the page was loading." Guessing the first success was actually a transient error. So it looks like my change was necessary but not sufficient. This is needed to make mod_auth_mellon work when loaded into Apache, and Apache is running behind HA proxy (Tripleo setup). There is no SSL setup inside the Keystone server, it is just doing straight HTTP. While I'd like to change this long term, I'd like to get things working this way first, but am willing to make whatever changes are needed to get SAML and Federation working soonest. Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml;<https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml> Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse;<https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse> > https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata My guess is HA proxy is not passing on the proper, and the mod_auth_mellon does not know to rewrite it from 5000 to 13000 __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<mailto:openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
On 08/05/2016 04:54 PM, Adam Young wrote: On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in the horizon config so that the keystone section looks like this: listen keystone_public bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem bind 172.16.2.5:5000 transparent mode http redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc } rsprep ^Location:\ http://(.*) Location:\ https://\1 http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 rise 2 And.. it seemed to work the first time, but not the second. Now I get "Secure Connection Failed The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted while the page was loading." Guessing the first success was actually a transient error. So it looks like my change was necessary but not sufficient. This is needed to make mod_auth_mellon work when loaded into Apache, and Apache is running behind HA proxy (Tripleo setup). There is no SSL setup inside the Keystone server, it is just doing straight HTTP. While I'd like to change this long term, I'd like to get things working this way first, but am willing to make whatever changes are needed to get SAML and Federation working soonest. Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. OK, this is due to the SAML request: https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml; Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse; > https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata My guess is HA proxy is not passing on the proper, and the mod_auth_mellon does not know to rewrite it from 5000 to 13000 __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
On 08/05/2016 04:52 PM, Adam Young wrote: Today I discovered that we need to modify the HA proxy config to tell it to rewrite redirects. Otherwise, I get a link to http://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse Which should be https, not http. I mimicked the lines in the horizon config so that the keystone section looks like this: listen keystone_public bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem bind 172.16.2.5:5000 transparent mode http redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc } rsprep ^Location:\ http://(.*) Location:\ https://\1 http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } server overcloud-controller-0 172.16.2.8:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-1 172.16.2.6:5000 check fall 5 inter 2000 rise 2 server overcloud-controller-2 172.16.2.9:5000 check fall 5 inter 2000 rise 2 And.. it seemed to work the first time, but not the second. Now I get "Secure Connection Failed The connection to openstack.ayoung-dell-t1700.test:5000 was interrupted while the page was loading." Guessing the first success was actually a transient error. So it looks like my change was necessary but not sufficient. This is needed to make mod_auth_mellon work when loaded into Apache, and Apache is running behind HA proxy (Tripleo setup). There is no SSL setup inside the Keystone server, it is just doing straight HTTP. While I'd like to change this long term, I'd like to get things working this way first, but am willing to make whatever changes are needed to get SAML and Federation working soonest. Ah...just noticed the redirect is to :5000, not port :13000 which is the HA Proxy port. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev