We're using haproxy on 3 controllers to load balance and enforce SSL to Openstack APIs, so naturally, Horizon is configured without SSL, and SSL is enforced in HAPROXY via this line:
redirect scheme https if !{ ssl_fc }
When attempting to use the console, error 1006 was received (unable to connect). Using firefox developer tools, it was found that the "websockify" request includes port 80 hard-coded in the response (over https) and therefore, the redirect is bungled.
(see screenshot1).
After disabling the SSL enforcement on HAproxy for VNC
("redirect scheme https if !{ hdr(Host) -m beg vnc.alpha.cloud.ecg.so } !{ ssl_fc }"), the problem is resolved, but VNC continues unencrypted (see screenshot2).
Further details:
root@node-2:/etc/haproxy/conf.d# dpkg -l | grep nova
ii nova-api 1:2014.2-fuel6.0~mira19 OpenStack Compute - API frontend
ii nova-cert 1:2014.2-fuel6.0~mira19 OpenStack Compute - certificate management
ii nova-common 1:2014.2-fuel6.0~mira19 OpenStack Compute - common files
ii nova-conductor 1:2014.2-fuel6.0~mira19 OpenStack Compute - conductor service
ii nova-consoleauth 1:2014.2-fuel6.0~mira19 OpenStack Compute - Console Authenticator
ii nova-novncproxy 1:2014.2-fuel6.0~mira19 OpenStack Compute - NoVNC proxy
ii nova-objectstore 1:2014.2-fuel6.0~mira19 OpenStack Compute - object store
ii nova-scheduler 1:2014.2-fuel6.0~mira19 OpenStack Compute - virtual machine scheduler
ii python-nova 1:2014.2-fuel6.0~mira19 OpenStack Compute Python libraries
ii python-novaclient 1:2.20.0-fuel6.0~mira16 client library for OpenStack Compute API
Hi @Karen! Can you please explain me - how I can reproduce this ? (step-by-step)
where I should add string "redirect scheme https if !{ ssl_fc }" (in haproxy.cfg ?)
How I can restart haproxy ?
Thanks!