Murano API cannot cope with being behind an SSL terminator
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Murano |
Fix Released
|
High
|
Nikolay Starodubtsev | ||
Liberty |
Fix Released
|
High
|
Nikolay Starodubtsev | ||
Mitaka |
Fix Released
|
High
|
Nikolay Starodubtsev |
Bug Description
On environments with SSL/https for all endpoints Murano deployments fail because Murano works under SSL terminator.
Steps To Reproduce:
1. Deploy Murano in http mode
2. Configure haproxy with SSL termination
3. Configure haproxy to set "X-Forwarded-Proto: http" header for murano backend
4. curl -k https:/
Observed Result:
Murano response would contain
"links": [{"rel": "self", "href": "http://
Expected Result: https link
We have the same issue for Heat which is already fixed now:
https:/
HAProxy serves as the SSL termination for all of the LCP Services, Client HTTPS Request -> HAProxy HTTPS Listener -> Murano HTTP ListenerHAProxy uses the X-Forwarded-Proto to try and tell the application that the original request was HTTPS, unfortunately it does not appear Murano/webob adheres to the use of this header.https:/
See the change issue related to heat api,https:/
Changed in murano: | |
importance: | Undecided → High |
tags: | added: engine security |
tags: |
added: api removed: engine |
Changed in murano: | |
milestone: | none → mitaka-1 |
tags: | removed: security |
no longer affects: | murano/liberty |
description: | updated |
Changed in murano: | |
status: | Fix Committed → Fix Released |
We've been able to successfully deploy a simple application behind an SSL termination for murano-api with haproxy as a terminator.
Which version of murano are you using?
Can you please share your haproxy config, murano-api and haproxy logs. Could you also tell us which app are you trying to deploy and share deployment logs for the app.