Reviewed:  https://review.openstack.org/326798
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Submitter: Jenkins
Branch:    master

commit b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Author: Jamie Lennox <[email protected]>
Date:   Wed Jun 8 11:59:09 2016 +1000

    Use http-proxy-to-wsgi middleware from oslo.middleware

    The HTTP_X_FORWARDED_PROTO handling fails to handle the case of
    redirecting the /v1 request to /v1/ because it is handled purely by
    routes and does not enter the glance wsgi code. This means a https
    request is redirected to http and fails.

    oslo.middleware has middleware for handling the X-Forwarded-Proto
    header in a standard way so that services don't have to and so we
    should use that instead of our own mechanism.

    Leaving the existing header handling around until removal should not be
    a problem as the worst that will happen is it overwrites an existing
    'https' header value set by the middleware.

    Closes-Bug: #1558683
    Closes-Bug: #1590608
    Change-Id: I481d88020b6e8420ce4b9072dd30ec82fe3fb4f7

** Changed in: glance
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1558683

Title:
  Versions endpoint does not support X-Forwarded-Proto

Status in Cinder:
  Fix Released
Status in Glance:
  Fix Released

Bug description:

When a project is deployed behind an SSL-terminating proxy, the version endpoint returns the wrong URLs. The returned protocol in the response URLs is http:// instead of the expected https://.

This is because the response built by versions.py gets the host information only from the incoming req. If SSL has been terminated by a proxy, then the information in the req indicates http://. Other projects have addressed this by adding the config parameter secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO. This will tell the project to use the value in X-Forwarded-Proto (https or http) when building the URLs in the response. Nova and Keystone support this configuration option.

One workaround is to set the public_endpoint parameter.
However, the value set for public_endpoint is also returned when the internal and admin version endpoints are queried, which breaks other things.
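
The failure described in the commit message and bug description, reproduced as an added example that is not part of the notification and is not Glance or oslo.middleware code: a routing-level redirect from /v1 to /v1/ is built from the request scheme, so the scheme has to be corrected by middleware that runs before routing. All names (`versions_app`, `ForwardedProto`, `location_for`), the host name and the addresses are hypothetical, and the trusted-proxy check is an assumption added here, not something the page describes.

```python
# Added illustration; names are hypothetical, not Glance or oslo.middleware code.
from wsgiref.util import setup_testing_defaults

TRUSTED_PROXIES = {"10.0.0.5"}  # constructed address of the SSL-terminating proxy


def versions_app(environ, start_response):
    """Stand-in for the routing layer: redirects /v1 to /v1/ using the request scheme."""
    base = "%s://%s" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    if environ["PATH_INFO"] == "/v1":
        start_response("301 Moved Permanently", [("Location", base + "/v1/")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [(base + "/v1/").encode()]


class ForwardedProto:
    """Sets wsgi.url_scheme from X-Forwarded-Proto before the wrapped app runs."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
        # Honour the header only from the known proxy and only for known schemes,
        # so a direct client cannot choose the scheme of generated URLs.
        if environ.get("REMOTE_ADDR") in self.trusted and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def location_for(app, remote_addr, forwarded_proto="https"):
    """Drive one request for /v1 through `app` and return the Location header."""
    environ = {"PATH_INFO": "/v1", "HTTP_HOST": "glance.example.org",
               "REMOTE_ADDR": remote_addr, "HTTP_X_FORWARDED_PROTO": forwarded_proto}
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http" and the rest
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    app(environ, start_response)
    return captured.get("Location")
```

Because the middleware wraps the whole application, the redirect is corrected even though it never reaches the service's own request-handling code.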

