On Wed, Sep 23 2015, Sean Dague wrote:

> Does that solution work in the HA Proxy case where there is one
> terminating address for multiple backend servers?

Yep.

> Because there is the concern that this impacts not only the Location
> header, but the link documents inside the responses which clients are
> expected to be able to link.follow. This is an honest question, I
> don't know how the oslo_middleware.ssl acts in these cases. And HA
> Proxy 1 to N mapping is a very common deployment model.

It should, but some projects like Keystone do not handle that
correctly. I just submitted a patch that fixes this kind of thing by
correctly using the WSGI environment variable to build a correct URL.
That also fixes the use cases where Keystone does not run on / but on
e.g. /identity (the bug I initially wanted to fix).

  https://review.openstack.org/#/c/226464/

If you use `wsgiref.util.application_uri(environment)' it should do
everything correctly. With the SSL middleware enabled that Mathieu
talked about, it will translate correctly http to https too.

The {public,admin}_endpoint options are only useful in the case where you
map http://myproxy/identity -> http://mykeystone/ using a proxy, because
the prefix is not passed to Keystone. If you map the path part 1:1, we
could also leverage X-Forwarded-Host and X-Forwarded-Port to avoid having
{public,admin}_endpoint options.


-- 
Julien Danjou
-- Free Software hacker
-- http://julien.danjou.info

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
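
Added example, not part of the original message and not Keystone or oslo.middleware code: it shows how `wsgiref.util.application_uri()` builds link URLs from the WSGI environment behind a TLS-terminating proxy, and why a prefix the proxy strips cannot be recovered. `ForwardedProto`, `TRUSTED_PROXIES`, `link_app`, `self_link` and the addresses are hypothetical; the trusted-peer check is an assumption of this sketch.

```python
from wsgiref.util import application_uri

TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: address of the TLS-terminating proxy


class ForwardedProto:
    """Hypothetical stand-in for an SSL middleware: copy the proxy's
    X-Forwarded-Proto into wsgi.url_scheme, but only for trusted peers."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, trusted

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
        if environ.get("REMOTE_ADDR") in self.trusted and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def link_app(environ, start_response):
    """Build a self link from the WSGI environment instead of a config option."""
    body = (application_uri(environ).rstrip("/") + "/v3").encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def self_link(script_name, peer, forwarded_proto=None, host="myproxy"):
    """Run one constructed request through the stack and return the link."""
    environ = {
        "REQUEST_METHOD": "GET",
        "wsgi.url_scheme": "http",   # the backend itself speaks plain HTTP
        "HTTP_HOST": host,           # Host header as passed on by the proxy
        "SERVER_NAME": "mykeystone",
        "SERVER_PORT": "5000",
        "SCRIPT_NAME": script_name,  # mount point, e.g. /identity
        "PATH_INFO": "/v3",
        "REMOTE_ADDR": peer,
    }
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(ForwardedProto(link_app)(environ, lambda s, h: None)).decode()


if __name__ == "__main__":
    print(self_link("/identity", "10.0.0.5", "https"))     # 1:1 path mapping
    print(self_link("", "10.0.0.5", "https"))              # proxy stripped /identity
    print(self_link("/identity", "203.0.113.9", "https"))  # header from untrusted peer
```

The second call is the case where a configured endpoint is still needed: with an empty `SCRIPT_NAME` the generated link has lost the `/identity` prefix that clients must use.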
