enforce_ssl redirects to IP address, not hostname
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard Charm |
Fix Released
|
Undecided
|
Daniel Axtens |
Bug Description
If enforce_ssl is set to true in openstack-
This is easy to reproduce:
1. Generate a self-signed ssl certs with : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
2. Set ssl_cert and ssl_key values via
# juju set openstack-dashboard ssl_cert="$(cat cert.pem | base64)"
# juju set openstack-dashboard ssl_key="$(cat key.pem | base64)"
3. I set domain names for the horizon for testing purposes via
juju set openstack-dashboard os-public-
4. I set the /etc/hosts appropriately so I verify that http://
5. Set enforce-ssl to True to redirect http -> https
6. Access http://
I expect to be redirected to a hostname, not an IP.
This boils down to the template used to construct the site:
{% if ssl_addr -%}
RedirectPermanent / https://{{ ssl_addr }}:443/
{%- endif %}
ssl_addr is set in horizon_context.py, and is always an IP address:
if config('vip'):
This is part of an odd quirk whereby the openstack-dashboard doesn't use the standard https tooling but does its own. This means that it only supports one SSL certificate. Presumably this one hostname should represent the public hostname/interface.
This is related to but not quite the same as https:/
Changed in charm-openstack-dashboard: | |
assignee: | nobody → Daniel Axtens (daxtens) |
tags: | added: canonical-bootstack |
tags: | added: adrastea |
Changed in charm-openstack-dashboard: | |
milestone: | none → 17.08 |
Changed in charm-openstack-dashboard: | |
status: | Fix Committed → Fix Released |
Fix proposed to branch: master /review. openstack. org/463850
Review: https:/