Murano API cannot cope with being behind an SSL terminator

Bug #1504610 reported by Timur Nurlygayanov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Murano | Fix Released | High | Nikolay Starodubtsev |
Liberty | Fix Released | High | Nikolay Starodubtsev |
Mitaka | Fix Released | High | Nikolay Starodubtsev |

Bug Description

On environments with SSL/https for all endpoints, Murano deployments fail because Murano works under an SSL terminator.

Steps To Reproduce:
1. Deploy Murano in http mode
2. Configure haproxy with SSL termination
3. Configure haproxy to set "X-Forwarded-Proto: http" header for murano backend
4. curl -k https://haproxy-frontend.ip:port/

Observed Result:
Murano response would contain
  "links": [{"rel": "self", "href": "http://haproxy-frontend.ip:port/v1/"}]

Expected Result: https link

We have the same issue for Heat which is already fixed now:
https://bugs.launchpad.net/heat/+bug/1235555

HAProxy serves as the SSL termination for all of the LCP Services, Client HTTPS Request -> HAProxy HTTPS Listener -> Murano HTTP Listener

HAProxy uses the X-Forwarded-Proto to try and tell the application that the original request was HTTPS, unfortunately it does not appear Murano/webob adheres to the use of this header.
https://github.com/Pylons/webob/blob/master/webob/request.py#L437

See the change issue related to heat api, https://review.openstack.org/#/c/64142/

Tags: api
Changed in murano:
importance: Undecided → High
tags: added: engine security
tags: added: api
removed: engine
Changed in murano:
milestone: none → mitaka-1
tags: removed: security
Kirill Zaitsev (kzaitsev) wrote :

We've been able to successfully deploy a simple application behind an SSL termination for murano-api with haproxy as a terminator.

Which version of murano are you using?

Can you please share your haproxy config, murano-api and haproxy logs? Could you also tell us which app you are trying to deploy and share deployment logs for the app?

no longer affects: murano/liberty
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (master)

Fix proposed to branch: master
Review: https://review.openstack.org/234134

Changed in murano:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/234175

OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (stable/liberty)

Reviewed: https://review.openstack.org/234175
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=2dec955ccea504146b4edad18d159edc37902dc6
Submitter: Jenkins
Branch: stable/liberty

commit 2dec955ccea504146b4edad18d159edc37902dc6
Author: Nikolay Starodubtsev <email address hidden>
Date: Tue Oct 13 13:25:38 2015 +0300

    New middleware to handle ssl termination proxies

    Murano doesn't handle request properly if it is behind an SSL
    termination proxy. In this case HTTP redirection and returned URLs
    use http instead of https.

    New middleware helps to handle the situation below properly. The purpose of the
    SSLMiddleware is to update the wsgi.url_scheme environment variable of
    the request with the value contained in an HTTP header that can be
    configured in the configuration file (by default: 'X-Forwarded-Proto')

    Closes-Bug: #1504610
    Change-Id: Id7cfa1bce00c965b618a4f3e4ca2c915a57bbe52

OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (master)

Reviewed: https://review.openstack.org/234134
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=8e01d101c7a13e5b0bcdba273fced058887b0506
Submitter: Jenkins
Branch: master

commit 8e01d101c7a13e5b0bcdba273fced058887b0506
Author: Nikolay Starodubtsev <email address hidden>
Date: Tue Oct 13 13:25:38 2015 +0300

    New middleware to handle ssl termination proxies

    Murano doesn't handle request properly if it is behind an SSL
    termination proxy. In this case HTTP redirection and returned URLs
    use http instead of https.

    New middleware helps to handle the situation below properly. The purpose of the
    SSLMiddleware is to update the wsgi.url_scheme environment variable of
    the request with the value contained in an HTTP header that can be
    configured in the configuration file (by default: 'X-Forwarded-Proto')

    Closes-Bug: #1504610
    Change-Id: Id7cfa1bce00c965b618a4f3e4ca2c915a57bbe52

Changed in murano:
status: In Progress → Fix Committed
Changed in murano:
status: Fix Committed → Fix Released
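
The behaviour the commit message describes for SSLMiddleware, sketched as an added example (not Murano's code and not part of the original report): a WSGI middleware that rewrites wsgi.url_scheme from a configurable header so that generated links use https behind the terminator. The class name, the trusted_proxies check, the http/https allow-list and the sample host and addresses are assumptions made for this illustration.

```python
import json
from wsgiref.util import setup_testing_defaults


def versions_app(environ, start_response):
    """Toy API root that builds its 'self' link from wsgi.url_scheme."""
    href = "%s://%s/v1/" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    body = json.dumps({"links": [{"rel": "self", "href": href}]}).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


class ForwardedProtoMiddleware:
    """Set wsgi.url_scheme from a proxy-supplied header (hypothetical class)."""

    def __init__(self, app, header="X-Forwarded-Proto", trusted_proxies=()):
        self.app = app
        # WSGI exposes request headers as HTTP_<NAME> with '-' replaced by '_'.
        self.key = "HTTP_" + header.upper().replace("-", "_")
        self.trusted = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        value = environ.get(self.key, "").strip().lower()
        # Added hardening (an assumption, not stated on the page): honour the
        # header only from known proxy addresses and only for http/https, so a
        # client reaching the backend directly cannot choose the scheme.
        if environ.get("REMOTE_ADDR") in self.trusted and value in ("http", "https"):
            environ["wsgi.url_scheme"] = value
        return self.app(environ, start_response)


def self_link(app, remote_addr, forwarded_proto=None):
    """Call app with a constructed request and return the 'self' href."""
    environ = {"REMOTE_ADDR": remote_addr,
               "HTTP_HOST": "haproxy-frontend.example:8082"}  # constructed host
    setup_testing_defaults(environ)  # fills wsgi.url_scheme='http' and the rest
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    body = b"".join(app(environ, lambda status, headers: None))
    return json.loads(body)["links"][0]["href"]


if __name__ == "__main__":
    wrapped = ForwardedProtoMiddleware(versions_app, trusted_proxies={"10.0.0.5"})
    print(self_link(versions_app, "10.0.0.5", "https"))  # no middleware
    print(self_link(wrapped, "10.0.0.5", "https"))       # via the trusted proxy
    print(self_link(wrapped, "203.0.113.9", "https"))    # header from another peer
```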