It is also possible to use oslo_middleware ssl filter in your API paste
file with cinder like:
[filter:ssl]
paste.filter_factory = oslo_middleware.ssl:SSLMiddleware.factory
[pipeline:apiversions]
pipeline = ssl faultwrap osvolumeversionapp
On Wed, Feb 22, 2017 at 2:54 PM Mathieu Gagné wrote:
>
Hi,
I attended to write a blog post about that subject more than a year
ago but never completed it.
Here is the text in a GitHub Gist:
https://gist.github.com/mgagne/f298c151b61d44cb5fea
Information might be outdated for latest versions but can still give
you a clue about what to look for.
--
M
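What a filter of this kind does to the URLs a service generates, as an added example that is not part of the thread and not oslo.middleware's own code: a WSGI middleware that sets the request scheme from X-Forwarded-Proto, and only when the request comes from the proxy. The class and function names, the addresses, the host name and the trusted-peer check are assumptions of this sketch.

```python
# Added illustration; not oslo.middleware's implementation. Names are hypothetical.
from wsgiref.util import request_uri, setup_testing_defaults

TRUSTED_PROXIES = frozenset({"192.0.2.10"})  # constructed address for the haproxy node


class ForwardedProtoMiddleware:
    """Set wsgi.url_scheme from X-Forwarded-Proto when the peer is a trusted proxy."""

    def __init__(self, app, header="HTTP_X_FORWARDED_PROTO", trusted=TRUSTED_PROXIES):
        self.app = app
        self.header = header      # WSGI environ key for the X-Forwarded-Proto header
        self.trusted = trusted

    def __call__(self, environ, start_response):
        # If several values are present, use only the first (assumption of this sketch).
        proto = environ.get(self.header, "").split(",")[0].strip().lower()
        # Honour the header only from the proxy; direct clients can forge it.
        if environ.get("REMOTE_ADDR") in self.trusted and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def redirect_app(environ, start_response):
    """Stand-in API that builds a 302 Location from the request URL it sees."""
    location = request_uri(environ, include_query=False).rstrip("/") + "/v3/"
    start_response("302 Found", [("Location", location)])
    return [b""]


def location_for(app, remote_addr, forwarded_proto=None):
    """Send one constructed plain-HTTP request through app; return its Location."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "api.example.test"}
    setup_testing_defaults(environ)  # fills wsgi.url_scheme = "http" and the rest
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(app(environ, start_response))
    return captured["Location"]


if __name__ == "__main__":
    wrapped = ForwardedProtoMiddleware(redirect_app)
    print(location_for(redirect_app, "192.0.2.10", "https"))
    print(location_for(wrapped, "192.0.2.10", "https"))
    print(location_for(wrapped, "203.0.113.5", "https"))
```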
I would appreciate it if you can let us know which one it is for Cinder, as it
looks like there is no SSL middleware for Cinder which allows doing this.
Thanks
> On Feb 22, 2017, at 1:43 PM, Chris Suttles wrote:
>
> There's a similar option in heat.conf:
>
> secure_proxy_ssl_header = X-Forwar
There's a similar option in heat.conf:
secure_proxy_ssl_header = X-Forwarded-Proto
Pretty sure that's needed for most services; I will scrub my configs and
check. We are running a pretty simple install of Newton, and doing haproxy
for SSL termination of all API endpoints.
On Wed, Feb 22, 2017 at
Cinder faces the same issue unfortunately and it will result in failed RefStack
runs (does this mean everyone who's run RefStack uses no HTTPS for APIs or uses
SSL inside Eventlet?)
We're still trying to figure that one out.
> On Feb 22, 2017, at 12:58 PM, Chris Apsey wro
Mathieu,
That did the trick - thank you. On a related note, heat is exhibiting
the same behavior on some of the API calls (stack list works fine, stack
show does not because an http URL is returned in the 302 response field,
etc.).
I attempted the combination of
'oslo_middleware/enable_prox
Do you have this in your haproxy front end config?
reqadd X-Forwarded-Proto:\ https
And this in your keystone.conf ?
secure_proxy_ssl_header=HTTP_X_FORWARDED_PROTO
I think that’s what I had to do to tell haproxy to add a header that keystone
then matched to know when to return https.
> On Fe
Hi,
The problem is that Keystone doesn't know about HAProxy terminating
the SSL connection and therefore doesn't know it needs to generate
URLs with https:// protocol.
You can override the "auto-detected" URLs with those configurations:
- [DEFAULT]/public_endpoint
- [DEFAULT]/admin_endpoint
See
I'm having a strange issue with keystone after migrating all public
endpoints to https (haproxy terminates the SSL connection for each
service):
openstack endpoint list
+--+---+--++-+---+---