mod_auth_openidc needs to have the x-forwarded-port header set in proxied requests

Bug #1777884 reported by Lars Kellogg-Stedman
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Lars Kellogg-Stedman

Bug Description

Keystone OpenID federation makes use of the mod_auth_openidc module. This module is responsible for generating browser redirects as part of the OpenID protocol negotiation. With our standard configuration, in which haproxy listens on port 13000 and proxies the requests to a virtual host on port 5000, mod_auth_openidc will generate redirect URLs that erroneously use port 5000 rather than 13000.

mod_auth_openidc will make use of the x-forwarded-port header if it exists, so setting this as part of proxied requests allows it to generate correct redirects.
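
An audit check for the condition described above, as an added example that is not part of the original report or of puppet-tripleo: it scans haproxy `listen` sections and flags those that forward to a different backend port without setting X-Forwarded-Port. The sample configuration, its addresses and its section names are constructed; `http-request set-header` replaces any client-supplied value of the header, so the backend only sees the port haproxy received the request on.

```python
import re

# Constructed haproxy.cfg excerpt (addresses and section names are made up).
SAMPLE_CFG = """\
listen keystone_public_before
  bind 192.0.2.10:13000
  mode http
  option forwardfor
  server ctrl0 172.16.0.10:5000 check

listen keystone_public_after
  bind 192.0.2.10:13000
  mode http
  option forwardfor
  http-request set-header X-Forwarded-Port %[dst_port]
  server ctrl0 172.16.0.10:5000 check
"""

SECTION = re.compile(r"^(listen|frontend|backend|defaults|global)\b\s*(\S*)")
PORT = re.compile(r":(\d+)\b")
SETS_PORT = re.compile(r"^http-request\s+set-header\s+x-forwarded-port\s+\S", re.I)


def sections_missing_forwarded_port(cfg_text):
    """Return names of `listen` sections whose bind port differs from a
    server port and which never set X-Forwarded-Port."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = None  # only `listen` sections are inspected
            if m.group(1) == "listen":
                current = sections.setdefault(
                    m.group(2), {"bind": set(), "server": set(), "sets": False})
            continue
        if current is None:
            continue
        words = line.split()
        if words[0] == "bind" and len(words) > 1:
            current["bind"].update(PORT.findall(words[1]))
        elif words[0] == "server" and len(words) > 2:
            current["server"].update(PORT.findall(words[2]))
        elif SETS_PORT.match(line):
            current["sets"] = True
    return [name for name, s in sections.items()
            if not s["sets"] and s["server"] - s["bind"]]
```

Split `frontend`/`backend` pairs and headers set in `defaults` are outside what this check covers.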

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/576867

Changed in tripleo:
assignee: nobody → Lars Kellogg-Stedman (larsks)
status: New → In Progress
Changed in tripleo:
milestone: none → rocky-3
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/576867
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=bf9a9620c68eb3934a897038ccc36a1a2a10bf66
Submitter: Zuul
Branch: master

commit bf9a9620c68eb3934a897038ccc36a1a2a10bf66
Author: Lars Kellogg-Stedman <email address hidden>
Date: Wed Jun 20 09:54:10 2018 -0400

    set x-forwarded-port header for proxied requests

    This is required for keystone federation to work correctly when
    mod_auth_openidc.

    Change-Id: Ib79fbd47169388bfb044a8183725a3d1de5bc480
    Closes-bug: 1777884

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.2.0

This issue was fixed in the openstack/puppet-tripleo 9.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/711442

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.opendev.org/711442
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2b22b2b915f51dcec29bc3139d54534a13b68347
Submitter: Zuul
Branch: stable/queens

commit 2b22b2b915f51dcec29bc3139d54534a13b68347
Author: Lars Kellogg-Stedman <email address hidden>
Date: Wed Jun 20 09:54:10 2018 -0400

    set x-forwarded-port header for proxied requests

    This is required for keystone federation to work correctly when
    mod_auth_openidc.

    Change-Id: Ib79fbd47169388bfb044a8183725a3d1de5bc480
    Closes-bug: 1777884
    (cherry picked from commit bf9a9620c68eb3934a897038ccc36a1a2a10bf66)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo queens-eol

This issue was fixed in the openstack/puppet-tripleo queens-eol release.
