Public bug reported:

This is a re-post of an issue that was reported for an older OpenStack version. Unfortunately, I am confronted with the same problem in OpenStack Mitaka. Keystone has proper support for the case when you use SSL termination via HAProxy.

Have a look here: https://bugzilla.redhat.com/show_bug.cgi?id=1259351

Description of problem:
When using haproxy with SSL termination in front of neutron, neutron will return version URLs with an http:// prefix instead of https://. This causes API clients to fail.

How reproducible:

Steps to Reproduce:
1. Configure HAproxy in front of Neutron with SSL termination (so client talks to neutron over SSL, HAproxy talks to Neutron over plain HTTP)
2. curl https://openstack-api.example.com:9696

Actual results:

    {"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "http://openstack-api.example.com:9696/v2.0", "rel": "self"}]}]}

Expected results:

    {"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "https://openstack-api.example.com:9696/v2.0", "rel": "self"}]}]}

Additional info:
I patched this issue in /usr/lib/python2.7/site-packages/neutron/api/views/versions.py:

    def get_view_builder(req):
        base_url = req.application_url
        # Rewrite the scheme whenever the proxy header is present,
        # whatever its value is.
        if req.environ.get('HTTP_X_FORWARDED_PROTO', None) is not None:
            base_url = base_url.replace('http://', 'https://')
        return ViewBuilder(base_url)

Then neutron returns the proper https URL. The X-Forwarded-Proto header is inserted by haproxy.

Note: this issue is present in other OpenStack APIs as well but can be worked around by setting public_endpoint explicitly. This option is not available in neutron, however.

** Affects: neutron
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1620967

Title:
  Neutron API behind SSL terminating haproxy returns http version URL's instead of https

Status in neutron:
  New
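Added example, not part of the original report or of neutron's code: a stricter form of the workaround above that rewrites the scheme only when the request arrives directly from a known proxy and the X-Forwarded-Proto value is exactly http or https, since any client can send that header. The proxy addresses and the function names are assumptions, and the code is written for Python 3.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: addresses of the HAProxy nodes allowed to set X-Forwarded-Proto.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "10.0.0.5"})
ALLOWED_SCHEMES = ("http", "https")


def effective_base_url(environ, application_url, trusted=TRUSTED_PROXIES):
    """Return application_url with the scheme the client used at the proxy.

    The header is honoured only when the direct peer (REMOTE_ADDR) is a
    trusted proxy and the value is a known scheme. In every other case the
    URL is returned unchanged.
    """
    if environ.get("REMOTE_ADDR") not in trusted:
        return application_url  # header could have been set by the client
    raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
    # Repeated headers are joined with commas. The last entry is the one
    # appended by the proxy we are connected to; earlier ones may be forged.
    proto = raw.split(",")[-1].strip().lower()
    if proto not in ALLOWED_SCHEMES:
        return application_url
    parts = urlsplit(application_url)
    # Replace only the scheme component instead of a substring of the URL.
    return urlunsplit((proto,) + tuple(parts[1:]))


def versions_document(base_url):
    """Build the version listing shown in the report for a given base URL."""
    return {"versions": [{"status": "CURRENT", "id": "v2.0",
                          "links": [{"href": base_url + "/v2.0",
                                     "rel": "self"}]}]}


if __name__ == "__main__":
    # Constructed request environment: HAProxy on 10.0.0.5 terminated TLS.
    env = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_PROTO": "https"}
    url = effective_base_url(env, "http://openstack-api.example.com:9696")
    print(versions_document(url))
```
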

