Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-28 Thread Sean Dague
On 09/28/2015 05:01 AM, Julien Danjou wrote: > On Wed, Sep 23 2015, Julien Danjou wrote: > > > […] > >> I'm willing to clear that out and come with specs and patches if that >> can help. :) > > Following-up on myself, I went ahead and I wrote a more complete version > of the current proxy

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-28 Thread Julien Danjou
On Wed, Sep 23 2015, Julien Danjou wrote: […] > I'm willing to clear that out and come with specs and patches if that > can help. :) Following-up on myself, I went ahead and I wrote a more complete version of the current proxy middleware we have – which also supports RFC7239:

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-24 Thread Sean Dague
On 09/24/2015 03:40 AM, Julien Danjou wrote: > On Thu, Sep 24 2015, Jamie Lennox wrote: > > Hi Jamie, > >> So this is a long thread and I may have missed something in it, >> however this exact topic came up as a blocker on a devstack patch to >> get TLS testing in the gate with HAproxy. >> >>

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-24 Thread Julien Danjou
On Thu, Sep 24 2015, Jamie Lennox wrote: Hi Jamie, > So this is a long thread and I may have missed something in it, > however this exact topic came up as a blocker on a devstack patch to > get TLS testing in the gate with HAproxy. > > The long term solution we had come up with (but granted not

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread Sean Dague
On 09/22/2015 05:30 PM, Mathieu Gagné wrote: > On 2015-09-22 4:52 PM, Sean Dague wrote: >> On 09/22/2015 03:16 PM, Mathieu Gagné wrote: >>> >>> The oslo_middleware.ssl middleware looks to offer little overhead and >>> offer the maximum flexibility. I appreciate the wish to use the Keystone >>>

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread Julien Danjou
On Wed, Sep 23 2015, ZZelle wrote: > * It doesn't work when the service itself acts as a proxy (typically nova > image-list) > * it doesn't work when you rewrite from > https://://... > to http://:/... > because the information is not provided in the headers (except if > you exploit a webob

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread Julien Danjou
On Wed, Sep 23 2015, Sean Dague wrote: > Does that solution work in the HA Proxy case where there is one > terminating address for multiple backend servers? Yep. > Because there is the concern that this impacts not only the Location > header, but the link documents inside the responses which

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread ZZelle
Hi, SSLMiddleware takes into account a Header[1] to set wsgi.url_scheme which allows a proxy to provide the original protocol to Heat/Neutron/... Does that solution work in the HA Proxy case where there is one > terminating address for multiple backend servers? Because there is the > concern

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread Sean Dague
On 09/23/2015 07:36 AM, Julien Danjou wrote: > On Wed, Sep 23 2015, Sean Dague wrote: > >> Does that solution work in the HA Proxy case where there is one >> terminating address for multiple backend servers? > > Yep. Ok, how exactly does that work? Because it seems like oslo_middleware.ssl is

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread Julien Danjou
On Wed, Sep 23 2015, Sean Dague wrote: > Ok, how exactly does that work? Because it seems like > oslo_middleware.ssl is only changing the protocol if the proxy sets it. > > But the host in the urls will still be the individual host, which isn't > the proxy hostname/ip. Sorry if I'm being daft

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread ZZelle
Hi > Ok, how exactly does that work? Because it seems like > oslo_middleware.ssl is only changing the protocol if the proxy sets it. > > But the host in the urls will still be the individual host, which isn't > the proxy hostname/ip. Sorry if I'm being daft here, just want to > understand how

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-23 Thread Jamie Lennox
So this is a long thread and I may have missed something in it, however this exact topic came up as a blocker on a devstack patch to get TLS testing in the gate with HAproxy. The long term solution we had come up with (but granted not proposed anywhere public) is that we should transition

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Mathieu Gagné
On 2015-09-22 1:46 PM, Sean Dague wrote: > On 09/22/2015 12:12 PM, Mathieu Gagné wrote: >> On 2015-09-22 7:00 AM, Sean Dague wrote: >>> >>> My feeling on this one is that we've got this thing in OpenStack... the >>> Service Catalog. It definitively tells the world what the service >>> addresses

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Sean Dague
On 09/22/2015 11:34 AM, Ben Nemec wrote: > On 09/22/2015 06:00 AM, Sean Dague wrote: >> On 09/18/2015 02:30 PM, Ben Nemec wrote: >>> I've been dealing with this issue lately myself, so here's my two cents: >>> >>> It seems to me that solving this at the service level is actually kind >>> of wrong.

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Sean Dague
On 09/22/2015 12:12 PM, Mathieu Gagné wrote: > On 2015-09-22 7:00 AM, Sean Dague wrote: >> >> My feeling on this one is that we've got this thing in OpenStack... the >> Service Catalog. It definitively tells the world what the service >> addresses are. >> >> We should use that in the services

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Mathieu Gagné
On 2015-09-22 4:52 PM, Sean Dague wrote: > On 09/22/2015 03:16 PM, Mathieu Gagné wrote: >> >> The oslo_middleware.ssl middleware looks to offer little overhead and >> offer the maximum flexibility. I appreciate the wish to use the Keystone >> catalog but I don't feel this is the right answer. >>

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Sean Dague
On 09/22/2015 03:16 PM, Mathieu Gagné wrote: > On 2015-09-22 1:46 PM, Sean Dague wrote: >> On 09/22/2015 12:12 PM, Mathieu Gagné wrote: >>> On 2015-09-22 7:00 AM, Sean Dague wrote: My feeling on this one is that we've got this thing in OpenStack... the Service Catalog. It

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Jim Rollenhagen
On Tue, Sep 22, 2015 at 05:30:36PM -0400, Mathieu Gagné wrote: > On 2015-09-22 4:52 PM, Sean Dague wrote: > > On 09/22/2015 03:16 PM, Mathieu Gagné wrote: > >> > >> The oslo_middleware.ssl middleware looks to offer little overhead and > >> offer the maximum flexibility. I appreciate the wish to

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Mathieu Gagné
On 2015-09-22 7:00 AM, Sean Dague wrote: > > My feeling on this one is that we've got this thing in OpenStack... the > Service Catalog. It definitively tells the world what the service > addresses are. > > We should use that in the services themselves to reflect back their > canonical addresses.

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Sean Dague
On 09/18/2015 02:30 PM, Ben Nemec wrote: > I've been dealing with this issue lately myself, so here's my two cents: > > It seems to me that solving this at the service level is actually kind > of wrong. As you've discovered, that requires changes in a bunch of > different places to address what

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-22 Thread Ben Nemec
On 09/22/2015 06:00 AM, Sean Dague wrote: > On 09/18/2015 02:30 PM, Ben Nemec wrote: >> I've been dealing with this issue lately myself, so here's my two cents: >> >> It seems to me that solving this at the service level is actually kind >> of wrong. As you've discovered, that requires changes in

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-18 Thread Ben Nemec
I've been dealing with this issue lately myself, so here's my two cents: It seems to me that solving this at the service level is actually kind of wrong. As you've discovered, that requires changes in a bunch of different places to address what is really an external issue. Since it's the

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-18 Thread Fox, Kevin M
+1 From: Mathieu Gagné [mga...@internap.com] Sent: Thursday, September 17, 2015 5:38 PM To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-17 Thread Jim Rollenhagen
On Thu, Sep 17, 2015 at 08:38:54PM -0400, Mathieu Gagné wrote: > Hi, > > While debugging LP bug #1491579 [1], we identified [2] an issue where an > API sitting behind a proxy performing SSL termination would not generate > the right redirection. The protocol ends up being the wrong one (http >

[openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-17 Thread Mathieu Gagné
Hi, While debugging LP bug #1491579 [1], we identified [2] an issue where an API sitting behind a proxy performing SSL termination would not generate the right redirection. The protocol ends up being the wrong one (http instead of https) and this could hang your request indefinitely if tcp/80 is

Re: [openstack-dev] [all] Consistent support for SSL termination proxies across all API services

2015-09-17 Thread Duncan Thomas
On 18 Sep 2015 05:13, "Jim Rollenhagen" wrote: > FWIW, in Ironic, we added the public_endpoint config to fix the bug > quickly, but we'd really prefer to support both that and the > secure_proxy_ssl_header option. It would use public_endpoint if it is > set, then fall