Public bug reported: Keystone since migration to flask doesn't import nor use http_proxy_to_wsgi middleware.

How to reproduce:
1. Start Keystone with uwsgi as http application
2. Set [oslo_middleware] option enable_proxy_headers_parsing=true in keystone.conf
3. Set up SSL terminating reverse proxy, add headers X-Forwarded-Proto https
4. curl Keystone API version endpoint: curl https://identity.example.com/

What is expected:

    {
      "versions": {
        "values": [
          {
            "id": "v3.13",
            "status": "stable",
            "updated": "2019-07-19T00:00:00Z",
            "links": [
              { "rel": "self", "href": "https://identity.example.com/v3/" }
            ],
            "media-types": [
              { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" }
            ]
          }
        ]
      }
    }

What is the actual result:

    {
      "versions": {
        "values": [
          {
            "id": "v3.13",
            "status": "stable",
            "updated": "2019-07-19T00:00:00Z",
            "links": [
              { "rel": "self", "href": "http://identity.example.com/v3/" }
            ],
            "media-types": [
              { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" }
            ]
          }
        ]
      }
    }

If we look at the code, Keystone flask application doesn't use oslo_middleware and application_url from the request, it only gets PATH_INFO from the environment, which can't be set in the reverse proxy:
https://github.com/openstack/keystone/blob/master/keystone/server/flask/common.py#L673

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1885772

Title: Keystone doesn't use http_proxy_to_wsgi middleware
Status in OpenStack Identity (keystone): New