Re: [openstack-dev] [glance] [trove] [heat] [nova] [all] Handling forwarded requests

2015-03-03 Thread Andrey M . Pavlov
I made a review in keystone that for this issuehttps://review.openstack.org/#/c/132235/And I got solution from old heat solution - https://review.openstack.org/#/c/64142/ I made it for keystone when we faced with problem that is described in the bug:https://bugs.launchpad.net/keystone/+bug/1370022 And I think that having a hardcoded entry in the config without right handling of proxies is not a good idea... Andrey.  03.03.2015, 20:33, "Miguel Grinberg" miguel.s.grinb...@gmail.com:Ian, thanks for raising the issue here. The X-Forwarded headers are the standard way to deal with URLs for services behind proxies. I already commented on the Heat proposal to that effect, I think that is the proper way to support services behind proxies. Now in our case, there is also another source of external URLs, the keystone catalog. One can assume the catalog has the externally visible URL under PUBLIC_URL, so I would like to suggest that if the X-Forwarded headers aren't present, the catalog would be a good second source. I think having a hardcoded entry in the config (as the glance merged patch does) is not a bad idea as an override for special situations, but I really see no need for that to be the only solution to this problem. Web applications have been working behind proxies using the X-Forwarded headers for a long time, it's a nice and proven solution, in my opinion. Miguel On Tue, Mar 3, 2015 at 9:09 AM, Ian Cordasco ian.corda...@rackspace.com wrote:Hey all,  It appears that currently a number of OpenStack services are not generating version catalogs correctly when the service sits behind a proxy. (Reference: https://bugs.launchpad.net/glance/+bug/1384379) Glance already has a fix that was accepted for kilo-1 but it is suboptimal and assumes there’s only one proxy-address that will forward the request (which obviously is not true in every case).  There exists RFC 7239 (http://tools.ietf.org/html/rfc7239) which is recent but defines a “Forwarded” header with explicit parameters that we should be using. There are also the defacto standards of X-Forwarded-By and X-Forwarded-Host that we should be inspecting as well.  Currently, Glance’s solution is being copied over to other projects (Trove, Heat, Nova) and it is clearly suboptimal.  I’m going to work on a more general solution for this, but if anyone can hammer one out faster, don’t be afraid to submit it. This is absolutely a bug that should be a high priority for us.  Cheers, Ian  __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev,__OpenStack Development Mailing List (not for usage questions)Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribehttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [glance] [trove] [heat] [nova] [all] Handling forwarded requests

2015-03-03 Thread Miguel Grinberg
Ian, thanks for raising the issue here.

The X-Forwarded headers are the standard way to deal with URLs for services
behind proxies. I already commented on the Heat proposal to that effect, I
think that is the proper way to support services behind proxies.

Now in our case, there is also another source of external URLs, the
keystone catalog. One can assume the catalog has the externally visible URL
under PUBLIC_URL, so I would like to suggest that if the X-Forwarded
headers aren't present, the catalog would be a good second source.

I think having a hardcoded entry in the config (as the glance merged patch
does) is not a bad idea as an override for special situations, but I really
see no need for that to be the only solution to this problem. Web
applications have been working behind proxies using the X-Forwarded headers
for a long time, it's a nice and proven solution, in my opinion.

Miguel

On Tue, Mar 3, 2015 at 9:09 AM, Ian Cordasco ian.corda...@rackspace.com
wrote:

 Hey all,

 It appears that currently a number of OpenStack services are not
 generating version catalogs correctly when the service sits behind a
 proxy. (Reference: https://bugs.launchpad.net/glance/+bug/1384379) Glance
 already has a fix that was accepted for kilo-1 but it is suboptimal and
 assumes there’s only one proxy-address that will forward the request
 (which obviously is not true in every case).

 There exists RFC 7239 (http://tools.ietf.org/html/rfc7239) which is recent
 but defines a “Forwarded” header with explicit parameters that we should
 be using. There are also the defacto standards of X-Forwarded-By and
 X-Forwarded-Host that we should be inspecting as well.

 Currently, Glance’s solution is being copied over to other projects
 (Trove, Heat, Nova) and it is clearly suboptimal.

 I’m going to work on a more general solution for this, but if anyone can
 hammer one out faster, don’t be afraid to submit it. This is absolutely a
 bug that should be a high priority for us.

 Cheers,
 Ian

 __
 OpenStack Development Mailing List (not for usage questions)
 Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev