haproxy should not use IP address for HTTP redirect rule

Bug #1696781 reported by Ryan O'Hara
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Description
===========
Currently, the horizon proxy is configured to redirect HTTP requests to HTTPS if the 'Host' field contains the public virtual IP address. The problem with this is that the 'Host' field may contain the FQDN instead of the IP address, in which case the request is not redirected and will be plain HTTP. The easiest way to solve this is to simply redirect all HTTP requests to HTTPS, regardless of the 'Host' field in the header.

Steps to reproduce
==================
Use curl to connect to horizon via SSL terminated proxy (haproxy). Use curl to send a request to both the virtual IP address for horizon and another request with the hostname:

$ curl -Lkv http://10.0.0.5
$ curl -Lkv http://overcloud-controller-0

Note the "Host" field of the request header. It will be either the IP address or hostname, depending on what was used in the curl command. Since the redirect rule is matching the IP address, haproxy will not redirect if you use the hostname. However, in my testing it seems that when the hostname was used and haproxy did not redirect, horizon itself would do a redirect. If you look at the haproxy logs (and have "option tcplog" set in haproxy.cfg) you will see that when the IP address is used for the request haproxy does a redirect:

Jun 8 14:54:08 overcloud-controller-0 haproxy[23949]: 10.0.0.1:36016 [08/Jun/2017:14:54:08.221] horizon horizon/<NOSRV> -1/-1/0 101 LR 0/0/0/0/3 0/0

That is correct. If you use the hostname, there is no log entry for the redirect, so something else (horizon) is doing the redirect.

Expected result
===============
I would expect that haproxy would handle the redirect for all incoming HTTP requests to horizon, regardless of the Host field in the header.

Actual result
=============
See above.

Environment
===========
Mitaka, but this redirect rule is in the current release as well.

Tags: puppet
Ryan O'Hara (rohara)
Changed in tripleo:
assignee: nobody → Ryan O'Hara (rohara)
Ryan O'Hara (rohara) wrote :

Remove the condition to match 'Host' field of request header in horizon HTTPS redirect rule.
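
A check for the behaviour this fix is meant to guarantee, as an added example that is not part of the bug report or of the tripleo code: it sends one request per Host value to a plain-HTTP frontend and lists the values whose first response is not a redirect to https. The local stub frontend and the names `make_frontend`, `hosts_not_redirected` and `demo` are assumptions made for illustration; the IP address and hostname are the ones from the curl commands in the report.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VIP = "10.0.0.5"                          # public virtual IP used in the report
HOSTS = [VIP, "overcloud-controller-0"]   # Host values from the two curl commands
REDIRECTS = (301, 302, 307, 308)

def make_frontend(redirect_only_for=None):
    """Constructed stand-in for the HTTP frontend (not haproxy); None models the fix."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = self.headers.get("Host", "")
            if redirect_only_for is None or host.lower() == redirect_only_for:
                self.send_response(301)
                self.send_header("Location", f"https://{host}{self.path}")
            else:
                self.send_response(200)   # answered over plain HTTP, no redirect
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):     # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def hosts_not_redirected(addr, port, hosts):
    """Return the Host values whose first response is not a redirect to https."""
    missed = []
    for host in hosts:
        conn = http.client.HTTPConnection(addr, port, timeout=5)
        conn.putrequest("GET", "/", skip_host=True)   # set Host ourselves
        conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()                     # redirects are not followed
        if resp.status not in REDIRECTS or not resp.getheader("Location", "").startswith("https://"):
            missed.append(host)
        conn.close()
    return missed

def demo():
    results = {}
    for label, cond in (("host-matched rule", VIP), ("unconditional rule", None)):
        server = make_frontend(cond)
        results[label] = hosts_not_redirected("127.0.0.1", server.server_port, HOSTS)
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

Against a real deployment a redirect seen by the client may come from the backend rather than the proxy, as the report observes for horizon, so the haproxy log remains the place to confirm which component issued it.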

Julie Pichon (jpichon) wrote :
tags: added: puppet
Changed in tripleo:
status: New → Triaged
status: Triaged → In Progress
milestone: none → pike-3
importance: Undecided → High
Emilien Macchi (emilienm) wrote :

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in tripleo:
status: In Progress → Triaged
assignee: Ryan O'Hara (rohara) → nobody
Ryan O'Hara (rohara) wrote :

This was already fixed for pike, but there are pending reviews to backport the fix to newton and ocata.

Changed in tripleo:
milestone: pike-3 → pike-rc1
Ben Nemec (bnemec) wrote :

The fix has merged, as well as the backports.

Changed in tripleo:
status: Triaged → Fix Released