Reviewed:  https://review.openstack.org/631103
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=890e2d320e8e8e7b501af8e21cc6b751fb204d04
Submitter: Zuul
Branch:    master

commit 890e2d320e8e8e7b501af8e21cc6b751fb204d04
Author: melanie witt <[email protected]>
Date:   Wed Jan 16 00:27:42 2019 +0000

    Use X-Forwarded-Proto as origin protocol if present

    When using a haproxy with SSL termination to provide secure console
    connections, haproxy will change the Origin header scheme to 'http'
    and add the 'X-Forwarded-Proto: https' header. This causes a failure
    in the Nova console proxy code which verifies that the Origin header
    scheme matches the access_url scheme for the connection, because the
    Origin header coming from haproxy is 'http' while the access_url
    scheme is 'https' or 'wss'.

    This looks for the X-Forwarded-Proto header and uses its scheme for
    the verification instead, if it is present.

    Closes-Bug: #1788180

    Change-Id: I43401dc8368853654bf443273a0a1b5b9b63e3f0

** Changed in: nova
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1788180

Title:
  nova-serialproxy should support X-Forwarded-Proto

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Setup description
  ------------------
  Multinode deployment with kolla with keepalived and haproxy with SSL
  termination. nova-serialproxy is configured with base_url=wss://
  because I want my users to connect through a secure channel.

  Problem description
  -------------------
  Get a serial-proxy url with token like this (works fine):

      openstack console url show --insecure --serial <uuid>

  Connect to the url (in my case: simple python websocket):

      python serial.py wss://hostname:6083?token=<token>

  Result: nova-serialproxy closes the connection.
  Log contains "Origin header protocol does not match this host."

  Expected result: connection works

  Problem analysis
  ----------------
  haproxy accepts the wss:// connection and forwards the connection to
  the serialproxy process. HAproxy changes the Origin header to 'http'
  and adds a header 'X-Forwarded-Proto: https'. 'websocketproxy.py'
  accepts the connection and fails because the URL in 'Origin' does not
  have the same scheme/protocol as issued in the 'console url show'
  command.

  AFAIK the behaviour of haproxy is ok and the serialproxy should offer
  a possibility to check the value of 'X-Forwarded-Proto' as source
  protocol.
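
The scheme check described in the commit message and bug report above, as an added Python example; it is not nova's code. The function names, the `trusted_proxies` gate and the sample addresses are assumptions of this example. The commit message itself only says the header is used "if it is present".

```python
from urllib.parse import urlsplit

# A ws:// or wss:// console URL is opened from an http:// or https:// page.
WS_TO_HTTP = {"ws": "http", "wss": "https"}


def normalize_scheme(scheme):
    scheme = scheme.strip().lower()
    return WS_TO_HTTP.get(scheme, scheme)


def effective_origin_scheme(headers, peer_ip, trusted_proxies):
    """Return the scheme to compare with access_url, or None if no Origin."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if not origin:
        return None
    scheme = urlsplit(origin).scheme
    forwarded = h.get("x-forwarded-proto")
    # Assumption added in this example: honour X-Forwarded-Proto only when the
    # TCP peer is a known proxy, because any client can send the header itself.
    if forwarded and peer_ip in trusted_proxies:
        # With chained proxies the last value was appended by the nearest one.
        scheme = forwarded.split(",")[-1]
    return normalize_scheme(scheme)


def origin_scheme_matches(headers, access_url, peer_ip, trusted_proxies=()):
    got = effective_origin_scheme(headers, peer_ip, trusted_proxies)
    return got is not None and got == normalize_scheme(urlsplit(access_url).scheme)


# Constructed sample request, shaped like the one in the bug report.
PROXY = "192.0.2.10"  # hypothetical haproxy address
ACCESS_URL = "wss://hostname:6083/?token=TOKEN"
VIA_HAPROXY = {"Origin": "http://hostname:6083", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    # Header ignored (the reported failure): http != https, refused.
    print(origin_scheme_matches(VIA_HAPROXY, ACCESS_URL, PROXY))
    # Header honoured for the trusted proxy: https == https, accepted.
    print(origin_scheme_matches(VIA_HAPROXY, ACCESS_URL, PROXY, {PROXY}))
    # Same headers from an unknown peer: header ignored, refused.
    print(origin_scheme_matches(VIA_HAPROXY, ACCESS_URL, "198.51.100.7", {PROXY}))
```

On the proxy side, the matching control is to have haproxy overwrite any client-supplied `X-Forwarded-Proto` rather than pass it through.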

