puppet-openstack-cloud

Novnc proxy not working with SSL

Bug #1462531 reported by Dimitri Savineau
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
puppet-openstack-cloud
Fix Released
High
Emilien Macchi

Bug Description

Running novnc proxy behind haproxy with SSL result an error :

client -- SSL --> haproxy 6080 -- TCP --> proxy 6080 -- TCP --> compute 59xx

9109: TRACE nova.console.websocketproxy Traceback (most recent call last):
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 874, in top_new_client
9109: TRACE nova.console.websocketproxy client = self.do_handshake(startsock, address)
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 809, in do_handshake
9109: TRACE nova.console.websocketproxy self.RequestHandlerClass(retsock, address, self)
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/nova/console/websocketproxy.py", line 150, in __init__
9109: TRACE nova.console.websocketproxy websockify.ProxyRequestHandler.__init__(self, *args, **kwargs)
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 112, in __init__
9109: TRACE nova.console.websocketproxy SimpleHTTPRequestHandler.__init__(self, req, addr, server)
9109: TRACE nova.console.websocketproxy File "/usr/lib64/python2.7/SocketServer.py", line 649, in __init__
9109: TRACE nova.console.websocketproxy self.handle()
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 540, in handle
9109: TRACE nova.console.websocketproxy SimpleHTTPRequestHandler.handle(self)
9109: TRACE nova.console.websocketproxy File "/usr/lib64/python2.7/BaseHTTPServer.py", line 340, in handle
9109: TRACE nova.console.websocketproxy self.handle_one_request()
9109: TRACE nova.console.websocketproxy File "/usr/lib64/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
9109: TRACE nova.console.websocketproxy method()
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 506, in do_GET
9109: TRACE nova.console.websocketproxy if not self.handle_websocket():
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 494, in handle_websocket
9109: TRACE nova.console.websocketproxy self.new_websocket_client()
9109: TRACE nova.console.websocketproxy File "/usr/lib/python2.7/site-packages/nova/console/websocketproxy.py", line 108, in new_websocket_client
9109: TRACE nova.console.websocketproxy raise exception.ValidationError(detail=detail)
9109: TRACE nova.console.websocketproxy ValidationError: Origin header protocol does not match this host.
9109: TRACE nova.console.websocketproxy

This is due to the fix of a CVE push to nova https://bugs.launchpad.net/nova/+bug/1409142

We need now to configure novncproxy_base_url on the controller nodes with the same value we have on the compute nodes because the default value is http://127.0.0.1:6080/vnc_auto.html

https://bugs.launchpad.net/puppet-nova/+bug/1436969

A simple fix should be to use nova::vncproxy::common on the controller nodes :

https://github.com/stackforge/puppet-nova/blob/master/manifests/vncproxy/common.pp

This bug affects J.1.1.0 and above

Tags: nova novnc ssl
Revision history for this message
Dimitri Savineau (dsavineau) wrote :

The problem only occurs when cloud::compute::consoleproxy and cloud::compute::hypervisor are not on the same node.
Because novncproxy_base_url is configured by nova::compute in cloud::compute::hypervisor.

Revision history for this message
Emilien Macchi (emilienm) wrote :

Will be fixed when https://review.openstack.org/#/c/190464/ got merged upstream.

Changed in puppet-openstack-cloud:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-openstack-cloud (master)

Fix proposed to branch: master
Review: https://review.openstack.org/192285

Changed in puppet-openstack-cloud:
assignee: nobody → Emilien Macchi (emilienm)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack)
Changed in puppet-openstack-cloud:
status: In Progress → Fix Committed
Emilien Macchi (emilienm)
Changed in puppet-openstack-cloud:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.