Services should use http_proxy_to_wsgi middleware

Bug #1590608 reported by Jamie Lennox on 2016-06-08
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Aodh
Fix Released
Undecided
Juan Antonio Osorio Robles
Barbican
Fix Released
Undecided
Jeremy Liu
Ceilometer
Fix Released
Undecided
Juan Antonio Osorio Robles
Cinder
Medium
Unassigned
Glance
Undecided
Jamie Lennox
Gnocchi
Fix Released
Undecided
Juan Antonio Osorio Robles
Magnum
Fix Released
Undecided
Deepak Jon
Mistral
Undecided
Unassigned
OpenStack Backup/Restore and DR (Freezer)
Undecided
Jeremy Liu
OpenStack Barbican Charm
Undecided
Unassigned
OpenStack DBaaS (Trove)
Undecided
abdul nizamuddin
OpenStack Heat
Fix Released
Undecided
Juan Antonio Osorio Robles
OpenStack Identity (keystone)
Low
Jamie Lennox
OpenStack Searchlight
Fix Released
Undecided
Pallavi
OpenStack heat charm
Low
Unassigned
Panko
Fix Released
Undecided
Hanxi Liu
Sahara
Fix Released
Medium
Jeremy Liu
cloudkitty
Undecided
Pallavi
congress
Medium
Pallavi
neutron
Undecided
Juan Antonio Osorio Robles
senlin
Undecided
Pallavi

Bug Description

It's a common problem when putting a service behind a load balancer to need to forward the Protocol and hosts of the original request so that the receiving service can construct URLs to the loadbalancer and not the private worker node.

Most services have implemented some form of secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO handling however exactly how this is done is dependent on the service.

oslo.middleware provides the http_proxy_to_wsgi middleware that handles these headers and the newer RFC7239 forwarding header and completely hides the problem from the service.

This middleware should be adopted by all services in preference to their own HTTP_X_FORWARDED_PROTO handling.

Changed in keystone:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
Changed in keystone:
importance: Undecided → Low
Jamie Lennox (jamielennox) wrote :

Adding barbican though this seems to be mostly mitigated by pecan.

Changed in glance:
assignee: nobody → Jamie Lennox (jamielennox)

Reviewed: https://review.openstack.org/326798
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Submitter: Jenkins
Branch: master

commit b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Author: Jamie Lennox <email address hidden>
Date: Wed Jun 8 11:59:09 2016 +1000

    Use http-proxy-to-wsgi middleware from oslo.middleware

    The HTTP_X_FORWARDED_PROTO handling fails to handle the case of
    redirecting the /v1 request to /v1/ because it is handled purely by
    routes and does not enter the glance wsgi code. This means a https
    request is redirect to http and fails.

    oslo.middleware has middleware for handling the X-Forwarded-Proto header
    in a standard way so that services don't have to and so we should use
    that instead of our own mechanism.

    Leaving the existing header handling around until removal should not be
    a problem as the worst that will happen is it overwrites an existing
    'https' header value set by the middleware.

    Closes-Bug: #1558683
    Closes-Bug: #1590608
    Change-Id: I481d88020b6e8420ce4b9072dd30ec82fe3fb4f7

Changed in glance:
status: New → Fix Released

Reviewed: https://review.openstack.org/327418
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8b5c095d6f7e4dca93306f00416784303392a67c
Submitter: Jenkins
Branch: master

commit 8b5c095d6f7e4dca93306f00416784303392a67c
Author: Jamie Lennox <email address hidden>
Date: Thu Jun 9 09:36:19 2016 +1000

    Use http_proxy_to_wsgi from oslo.middleware

    Deprecate our custom usage of the HTTP_X_FORWARDED_PROTO header in
    favour of a standard middleware shared across all services. This will
    enable us to support the newer forwarding standards.

    Closes-Bug: #1590608
    Change-Id: Iad628a863e55cbf20c89ef23ebc7527ba8e1a835

Changed in keystone:
status: In Progress → Fix Released
Changed in trove:
assignee: nobody → Masaki Matsushita (mmasaki)

Fix proposed to branch: master
Review: https://review.openstack.org/337063

Changed in trove:
status: New → In Progress
Changed in keystone:
milestone: none → newton-2

This issue was fixed in the openstack/glance 13.0.0.0b2 development milestone.

This issue was fixed in the openstack/keystone 10.0.0.0b2 development milestone.

Changed in cinder:
importance: Undecided → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/384294

Changed in neutron:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress

this was added to cinder here https://review.openstack.org/#/c/305152/

Changed in cinder:
status: New → Fix Released

Fix proposed to branch: master
Review: https://review.openstack.org/384301

Changed in gnocchi:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/384305

Changed in aodh:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/384311

Changed in ceilometer:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress

this is also needed in Heat's CFN endpoint. The API endpoint uses it already.

Fix proposed to branch: master
Review: https://review.openstack.org/384314

Changed in heat:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress

Reviewed: https://review.openstack.org/384305
Committed: https://git.openstack.org/cgit/openstack/aodh/commit/?id=0f2a80d8efb86faea7ee94d7eb744bb66ad79ba9
Submitter: Jenkins
Branch: master

commit 0f2a80d8efb86faea7ee94d7eb744bb66ad79ba9
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:23:11 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Aodh. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Aodh.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Aodh, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: If2ada8a94c8e1ceacd4509605b4cd766a78f71d5
    Closes-Bug: #1590608

Changed in aodh:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/384301
Committed: https://git.openstack.org/cgit/openstack/gnocchi/commit/?id=2b1ed8d4528df8c3071343d1cd5764b6a7122fd1
Submitter: Jenkins
Branch: master

commit 2b1ed8d4528df8c3071343d1cd5764b6a7122fd1
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:16:45 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Gnocchi. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Gnocchi.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Gnocchi, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: Ic5526cf37e70335fa2cc70946a271253f227f129
    Closes-Bug: #1590608

Changed in gnocchi:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/384311
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=30eb0f0ae16c7ffd0f90c3874d3cbc462d5863a0
Submitter: Jenkins
Branch: master

commit 30eb0f0ae16c7ffd0f90c3874d3cbc462d5863a0
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:42:04 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Ceilometer. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Ceilometer.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Ceilometer, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: I24f16dda49bd9e7930ca9f0d32bf0793463aff03
    Closes-Bug: #1590608

Changed in ceilometer:
status: In Progress → Fix Released
Hanxi Liu (hanxi-liu) on 2016-10-10
Changed in panko:
assignee: nobody → Hanxi Liu (hanxi-liu)

Fix proposed to branch: master
Review: https://review.openstack.org/384357

Changed in panko:
status: New → In Progress
Changed in barbican:
assignee: nobody → abdul nizamuddin (abdul-nizamuddin)

Fix proposed to branch: master
Review: https://review.openstack.org/384391

Changed in barbican:
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/384395

Changed in trove:
assignee: Masaki Matsushita (mmasaki) → abdul nizamuddin (abdul-nizamuddin)

Reviewed: https://review.openstack.org/384357
Committed: https://git.openstack.org/cgit/openstack/panko/commit/?id=90faa85ecc6cc4e6875c5cb14285f20104830b69
Submitter: Jenkins
Branch: master

commit 90faa85ecc6cc4e6875c5cb14285f20104830b69
Author: Hanxi Liu <email address hidden>
Date: Mon Oct 10 16:39:04 2016 +0800

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Panko. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Panko.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Aodh, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: Ifa9dad55cfedeb8b804d675d3d4856af6096b039
    Closes-Bug: #1590608

Changed in panko:
status: In Progress → Fix Released

Change abandoned by abdul nizamuddin (<email address hidden>) on branch: master
Review: https://review.openstack.org/384391

Pallavi (pallavi-s) on 2016-10-10
Changed in searchlight:
assignee: nobody → Pallavi (pallavi-s)
Changed in senlin:
assignee: nobody → Pallavi (pallavi-s)
Changed in barbican:
assignee: abdul nizamuddin (abdul-nizamuddin) → nobody
status: In Progress → Confirmed
Pallavi (pallavi-s) on 2016-10-10
Changed in magnum:
assignee: nobody → Pallavi (pallavi-s)
Changed in murano:
assignee: nobody → Pallavi (pallavi-s)
Pallavi (pallavi-s) on 2016-10-10
Changed in cloudkitty:
assignee: nobody → Pallavi (pallavi-s)
no longer affects: murano

Fix proposed to branch: master
Review: https://review.openstack.org/384452

Changed in searchlight:
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/384482

Changed in senlin:
status: New → In Progress
Pallavi (pallavi-s) on 2016-10-10
Changed in congress:
assignee: nobody → Pallavi (pallavi-s)

Fix proposed to branch: master
Review: https://review.openstack.org/384489

Changed in cloudkitty:
status: New → In Progress

Change abandoned by Pallavi (<email address hidden>) on branch: master
Review: https://review.openstack.org/384489

Reviewed: https://review.openstack.org/384314
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=6ad6ca33e73686437098c3eec3d35efec0dd03ac
Submitter: Jenkins
Branch: master

commit 6ad6ca33e73686437098c3eec3d35efec0dd03ac
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:46:14 2016 +0300

    Add http_proxy_to_wsgi middleware to Heat CFN endpoint

    This was already used in the API endpoint, but it's also needed in
    the CFN endpoint. It's purpose is to process the X-Forwarded-Proto
    header (or Proxy protocol if used) and set the protocol as directed
    to https if done so. It's only needed if Heat is behind a TLS proxy
    (such as HAProxy) and is also disabled by default.

    Change-Id: Ibd81e1cf6bc1e3f63728b485e295478afa7f573c
    Closes-Bug: #1590608

Changed in heat:
status: In Progress → Fix Released

Fix proposed to branch: master
Review: https://review.openstack.org/385685

Changed in neutron:
assignee: Juan Antonio Osorio Robles (juan-osorio-robles) → Brandon Logan (brandon-logan)
Changed in neutron:
assignee: Brandon Logan (brandon-logan) → Juan Antonio Osorio Robles (juan-osorio-robles)
Changed in barbican:
assignee: nobody → iswarya vakati (v-iswarya)
Changed in barbican:
assignee: iswarya vakati (v-iswarya) → nobody
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/385770
Committed: https://git.openstack.org/cgit/openstack/gnocchi/commit/?id=67cdbb737ae8438a535640ebefecdaaa0bcbfe63
Submitter: Jenkins
Branch: stable/3.0

commit 67cdbb737ae8438a535640ebefecdaaa0bcbfe63
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:16:45 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Gnocchi. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Gnocchi.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Gnocchi, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: Ic5526cf37e70335fa2cc70946a271253f227f129
    Closes-Bug: #1590608
    (cherry picked from commit 2b1ed8d4528df8c3071343d1cd5764b6a7122fd1)

Reviewed: https://review.openstack.org/385768
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=6d0d7812e178fd3830ab75e70665a71acd6dfbfc
Submitter: Jenkins
Branch: stable/newton

commit 6d0d7812e178fd3830ab75e70665a71acd6dfbfc
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:42:04 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Ceilometer. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Ceilometer.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Ceilometer, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: I24f16dda49bd9e7930ca9f0d32bf0793463aff03
    Closes-Bug: #1590608
    (cherry picked from commit 30eb0f0ae16c7ffd0f90c3874d3cbc462d5863a0)

tags: added: in-stable-newton

Reviewed: https://review.openstack.org/385767
Committed: https://git.openstack.org/cgit/openstack/aodh/commit/?id=3aeca07675a39ed12d0f224e71352faf03269bd8
Submitter: Jenkins
Branch: stable/newton

commit 3aeca07675a39ed12d0f224e71352faf03269bd8
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:23:11 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Aodh. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Aodh.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Aodh, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: If2ada8a94c8e1ceacd4509605b4cd766a78f71d5
    Closes-Bug: #1590608
    (cherry picked from commit 0f2a80d8efb86faea7ee94d7eb744bb66ad79ba9)

Reviewed: https://review.openstack.org/385819
Committed: https://git.openstack.org/cgit/openstack/panko/commit/?id=6312c8e7b4bf2dd0afbeb19819779b78ddf3e942
Submitter: Jenkins
Branch: stable/newton

commit 6312c8e7b4bf2dd0afbeb19819779b78ddf3e942
Author: Hanxi Liu <email address hidden>
Date: Mon Oct 10 16:39:04 2016 +0800

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Panko. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Panko.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Aodh, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: Ifa9dad55cfedeb8b804d675d3d4856af6096b039
    Closes-Bug: #1590608
    (cherry picked from commit 90faa85ecc6cc4e6875c5cb14285f20104830b69)

Reviewed: https://review.openstack.org/385766
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=92fde856ee5b0292b8555431cf651c7c0dfc00de
Submitter: Jenkins
Branch: stable/newton

commit 92fde856ee5b0292b8555431cf651c7c0dfc00de
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 09:46:14 2016 +0300

    Add http_proxy_to_wsgi middleware to Heat CFN endpoint

    This was already used in the API endpoint, but it's also needed in
    the CFN endpoint. It's purpose is to process the X-Forwarded-Proto
    header (or Proxy protocol if used) and set the protocol as directed
    to https if done so. It's only needed if Heat is behind a TLS proxy
    (such as HAProxy) and is also disabled by default.

    Change-Id: Ibd81e1cf6bc1e3f63728b485e295478afa7f573c
    Closes-Bug: #1590608
    (cherry picked from commit 6ad6ca33e73686437098c3eec3d35efec0dd03ac)

Jeremy Liu (liujiong) on 2016-10-16
Changed in barbican:
assignee: nobody → Jeremy Liu (liujiong)
Jeremy Liu (liujiong) on 2016-10-16
Changed in freezer:
assignee: nobody → Jeremy Liu (liujiong)

Fix proposed to branch: master
Review: https://review.openstack.org/386990

Changed in freezer:
status: New → In Progress

Reviewed: https://review.openstack.org/384294
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=19c354aacd27f6941467e34826774c6199bc4f8f
Submitter: Jenkins
Branch: master

commit 19c354aacd27f6941467e34826774c6199bc4f8f
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 08:56:12 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The
    purpose of this middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Neutron.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Neutron, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: Ice9ee8f4e04050271d59858f92034c230325718b
    Closes-Bug: #1590608

Changed in neutron:
status: In Progress → Fix Released
Jeremy Liu (liujiong) on 2016-10-16
Changed in sahara:
assignee: nobody → Jeremy Liu (liujiong)

Fix proposed to branch: master
Review: https://review.openstack.org/387077

Changed in sahara:
status: New → In Progress

Reviewed: https://review.openstack.org/386990
Committed: https://git.openstack.org/cgit/openstack/freezer-api/commit/?id=fbd1f04abf997ca6a079a9d97f954aabe194bd57
Submitter: Jenkins
Branch: master

commit fbd1f04abf997ca6a079a9d97f954aabe194bd57
Author: Jeremy Liu <email address hidden>
Date: Sun Oct 16 11:13:03 2016 +0800

    Use http_proxy_to_wsgi middleware

    This sets up the HTTPProxyToWSGI middleware in front of Freezer.
    The purpose of this middleware is to set up the request URL
    correctly in case there is a proxy (For instance, a loadbalancer
    such as HAProxy) in front of Freezer.

    The HTTPProxyToWSGI is off by default and needs to be enabled
    via a configuration value.

    Depends-On: Iffd38a325204a3ec7380a7a56061866477d3d06e
    Change-Id: I44d60863eefeb52891474653aa9fcf1ba57d50a1
    Closes-bug: #1590608

Changed in freezer:
status: In Progress → Fix Released

This issue was fixed in the openstack/gnocchi 3.0.1 release.

Changed in magnum:
assignee: Pallavi (pallavi-s) → Deepak (deepak.os31)
status: New → In Progress

Reviewed: https://review.openstack.org/386989
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=c7e824e0e735aede029cd82f1b3a31009ac69fba
Submitter: Jenkins
Branch: master

commit c7e824e0e735aede029cd82f1b3a31009ac69fba
Author: Jeremy Liu <email address hidden>
Date: Sun Oct 16 10:43:30 2016 +0800

    Use http_proxy_to_wsgi middleware

    This sets up the HTTPProxyToWSGI middleware in front of Barbican.
    The purpose of thise middleware is to set up the request URL
    correctly in case there is a proxy (For instance, a loadbalancer
    such as HAProxy) in front of Barbican.

    The HTTPProxyToWSGI is off by default and needs to be enabled
    via a configuration value.

    Change-Id: Iad0151ca41684fa2d8eb60c343028e13c3719e66
    Closes-bug: #1590608

Changed in barbican:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/385685
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e6d6a387704f68e20c1907ce5aa7325cea9f6c54
Submitter: Jenkins
Branch: master

commit e6d6a387704f68e20c1907ce5aa7325cea9f6c54
Author: Brandon Logan <email address hidden>
Date: Wed Oct 12 17:52:56 2016 -0500

    Pecan: add http_proxy_to_wsgi middleware

    Pecan does not currently use api paste to load middleware like the
    legacy wsgi, so we need to explicitly import it and wrap the pecan app.
    This is a follow-up to Ice9ee8f4e04050271d59858f92034c230325718b.

    Change-Id: I3e1b08bf1f902cf09c8a39699c00f1b0d22c3277
    Closes-Bug: #1590608

Reviewed: https://review.openstack.org/387077
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=c0f43c2c5f6bd21d258063cb0559daf90c960412
Submitter: Jenkins
Branch: master

commit c0f43c2c5f6bd21d258063cb0559daf90c960412
Author: Jeremy Liu <email address hidden>
Date: Sun Oct 16 23:23:54 2016 +0800

    Use http_proxy_to_wsgi middleware

    This sets up the HTTPProxyToWSGI middleware in front of Sahara.
    The purpose of this middleware is to set up the request URL
    correctly in case there is a proxy (For instance, a loadbalancer
    such as HAProxy) in front of Sahara.

    The HTTPProxyToWSGI is off by default and needs to be enabled
    via a configuration value.

    Change-Id: Ica7e8671e3880c0db90d382bec89b0994f75b36d
    Closes-bug: #1590608

Changed in sahara:
status: In Progress → Fix Released
Changed in sahara:
importance: Undecided → Medium
milestone: none → ocata-1

This issue was fixed in the openstack/aodh 3.0.1 release.

Reviewed: https://review.openstack.org/387356
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8be6a30d431da15e2389ebe288c133dc9a28d279
Submitter: Jenkins
Branch: stable/newton

commit 8be6a30d431da15e2389ebe288c133dc9a28d279
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Oct 10 08:56:12 2016 +0300

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The
    purpose of this middleware is to set up the request URL correctly in
    case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Neutron.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Neutron, one will notice that the protocol is incorrect; It will show
    'http' instead of 'https'. So this middleware handles such cases.
    Thus helping Keystone discovery work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: Ice9ee8f4e04050271d59858f92034c230325718b
    Closes-Bug: #1590608
    (cherry picked from commit 19c354aacd27f6941467e34826774c6199bc4f8f)

Reviewed: https://review.openstack.org/384414
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=67121813d5c89bb5fca94008264146117530fd41
Submitter: Jenkins
Branch: master

commit 67121813d5c89bb5fca94008264146117530fd41
Author: Deepak <email address hidden>
Date: Mon Oct 10 16:26:43 2016 +0530

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of magnum. The
    purpose of thise middleware is to set up the request URL correctly in
    case there is a proxy.

    Closes-Bug: #1590608
    Change-Id: I3f22716575af96aea884bd481c023d394a0b00a5

Changed in magnum:
status: In Progress → Fix Released

This issue was fixed in the openstack/neutron 9.1.0 release.

This issue was fixed in the openstack/aodh 3.0.1 release.

This issue was fixed in the openstack/neutron 9.1.0 release.

Change abandoned by Dave McCowan (<email address hidden>) on branch: master
Review: https://review.openstack.org/341195
Reason: Duplicate https://review.openstack.org/#/c/386989 has been merged.

This issue was fixed in the openstack/sahara 6.0.0.0b1 development milestone.

This issue was fixed in the openstack/neutron 10.0.0.0b1 development milestone.

This issue was fixed in the openstack/heat 8.0.0.0b1 development milestone.

Reviewed: https://review.openstack.org/337063
Committed: https://git.openstack.org/cgit/openstack/trove/commit/?id=583d5cd4283895c10e7cac92a8498b6b01676e5f
Submitter: Jenkins
Branch: master

commit 583d5cd4283895c10e7cac92a8498b6b01676e5f
Author: Masaki Matsushita <email address hidden>
Date: Mon Jul 4 15:54:55 2016 +0900

    Use http_proxy_to_wsgi middleware

    This commit enables to handle HTTP_X_FORWARDED_PROTO by using
    http_proxy_to_wsgi middleware of oslo.middleware.

    Change-Id: I6a11c8470205ca78bdb027fa9a06fec3acda33ad
    Closes-Bug: #1590608

Changed in trove:
status: In Progress → Fix Released

This issue was fixed in the openstack/heat 7.0.1 release.

This issue was fixed in the openstack/ceilometer 7.0.1 release.

This issue was fixed in the openstack/aodh 3.0.1 release.

This issue was fixed in the openstack/ceilometer 7.0.1 release.

This issue was fixed in the openstack/heat 7.0.1 release.

Reviewed: https://review.openstack.org/384452
Committed: https://git.openstack.org/cgit/openstack/searchlight/commit/?id=0128b2f7d0c956f30ad8567d79f48e2d15bda916
Submitter: Jenkins
Branch: master

commit 0128b2f7d0c956f30ad8567d79f48e2d15bda916
Author: pallavi <email address hidden>
Date: Mon Oct 10 17:21:02 2016 +0530

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of Searchlight.
    The purpose of thise middleware is to set up the request URL correctly
    in case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of Searchlight.

    So, for instance, when TLS connections are being terminated in the
    proxy, and one tries to get the versions from the / resource of
    Searchlight, one will notice that the protocol is incorrect; It will
    show 'http' instead of 'https'. So this middleware handles such cases.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: I79ef2f9340dd6b0c6eab8079fd5495f619d99adf
    Closes-bug: #1590608
    Co-Authored-By: abdul nizamuddin <email address hidden>

Changed in searchlight:
status: In Progress → Fix Released

This issue was fixed in the openstack/barbican 4.0.0.0b2 development milestone.

This issue was fixed in the openstack/freezer-api 4.0.0.0b2 development milestone.

This issue was fixed in the openstack/trove 7.0.0.0b2 development milestone.

This issue was fixed in the openstack/searchlight 2.0.0.0b2 development milestone.

Reviewed: https://review.openstack.org/384482
Committed: https://git.openstack.org/cgit/openstack/senlin/commit/?id=8542ba8457d93a14e22f7c7b771d4ac629b77142
Submitter: Jenkins
Branch: master

commit 8542ba8457d93a14e22f7c7b771d4ac629b77142
Author: pallavi <email address hidden>
Date: Mon Oct 10 18:16:09 2016 +0530

    Add http_proxy_to_wsgi to api-paste

    This sets up the HTTPProxyToWSGI middleware in front of senlin-api. The
    purpose of this middleware is to set up the request URL correctly in
    the case there is a proxy (For instance, a loadbalancer such as HAProxy)
    in front of senlin-api.

    So, when TLS connections are terminated at the proxy, and one tries to
    get the versions from the '/' resource from senlin-api, one will notice
    that the protocol is incorrect; It will show 'http' instead of 'https'.
    So this middleware handles such cases, thus helping Keystone discovery
    work correctly.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    Change-Id: Ia65ecdcc07084514884258661f840e6edcb200a4
    Closes-Bug: #1590608
    Co-Authored-By: pallavi <email address hidden>

Changed in senlin:
status: In Progress → Fix Released

Change abandoned by amrith (<email address hidden>) on branch: master
Review: https://review.openstack.org/384395
Reason: "abandoned for inactivity, currently over 2 weeks old, and not currently mergeable"

tags: added: neutron-proactive-backport-potential
Jeremy Liu (liujiong) wrote :
Changed in cloudkitty:
status: In Progress → Fix Committed
tags: removed: neutron-proactive-backport-potential

This issue was fixed in the openstack/senlin 3.0.0.0b3 development milestone.

This issue was fixed in the openstack/magnum 4.0.0 release.

This issue was fixed in the openstack/aodh 4.0.0 release.

This issue was fixed in the openstack/ceilometer 8.0.0 release.

This issue was fixed in the openstack/gnocchi 3.1.0 release.

This issue was fixed in the openstack/panko 2.0.0 release.

gordon chung (chungg) on 2017-02-09
Changed in gnocchi:
status: Fix Committed → Fix Released
Changed in cloudkitty:
status: Fix Committed → Fix Released
Eric K (ekcs) on 2017-10-12
Changed in congress:
importance: Undecided → Medium
status: New → Triaged

Reviewed: https://review.openstack.org/533110
Committed: https://git.openstack.org/cgit/openstack/charm-barbican/commit/?id=9f336379c8211f8eac87def3d973fbbe10f9037d
Submitter: Zuul
Branch: master

commit 9f336379c8211f8eac87def3d973fbbe10f9037d
Author: Seyeong Kim <email address hidden>
Date: Fri Jan 12 16:29:58 2018 +0900

    Support http_proxy_to_wsgi for mitaka and above

    Add http_proxy_to_wsgi to template file and related variables
    for mitaka and above
    Please refer to
    https://git.openstack.org/cgit/openstack/barbican/commit/?id=c7e824e0e735aede029cd82f1b3a31009ac69fba

    Change-Id: I224b949b34379e3dab84839bfc12f632ef2f4a1e
    Related-bug: #1590608

Corey Bryant (corey.bryant) wrote :

Fix was commited for charm-barbican. Marking status appropriately. https://review.openstack.org/#/c/533110/

Changed in charm-barbican:
status: New → Fix Committed
James Page (james-page) on 2018-01-25
Changed in charm-heat:
importance: Undecided → Low
status: New → Triaged
James Page (james-page) on 2018-02-12
Changed in charm-barbican:
milestone: none → 18.02
Ryan Beisner (1chb1n) on 2018-03-09
Changed in charm-barbican:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/641649
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=ca1acb656cbd1ec30e327fa67cd9f6e75345b14f
Submitter: Zuul
Branch: master

commit ca1acb656cbd1ec30e327fa67cd9f6e75345b14f
Author: Vlad Gusev <email address hidden>
Date: Thu Mar 7 15:38:57 2019 +0300

    Add http_proxy_to_wsgi middleware

    This sets up the HTTPProxyToWSGI middleware in front of Mistral API. The
    purpose of this middleware is to set up the request URL correctly in
    the case there is a proxy (for instance, a loadbalancer such as HAProxy)
    in front of the Mistral API.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    It can be enabled with the option in mistral.conf:
    [oslo_middleware]
    enable_proxy_headers_parsing=True

    Closes-Bug: #1590608
    Closes-Bug: #1816364
    Change-Id: I04ba85488b27cb05c3b81ad8c973c3cc3fe56d36

Changed in mistral:
status: New → Fix Released

Reviewed: https://review.openstack.org/647694
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=8922940e0f7d5552462dd80b16cdffe9fb676c4e
Submitter: Zuul
Branch: stable/stein

commit 8922940e0f7d5552462dd80b16cdffe9fb676c4e
Author: Vlad Gusev <email address hidden>
Date: Thu Mar 7 15:38:57 2019 +0300

    Add http_proxy_to_wsgi middleware

    This sets up the HTTPProxyToWSGI middleware in front of Mistral API. The
    purpose of this middleware is to set up the request URL correctly in
    the case there is a proxy (for instance, a loadbalancer such as HAProxy)
    in front of the Mistral API.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    It can be enabled with the option in mistral.conf:
    [oslo_middleware]
    enable_proxy_headers_parsing=True

    Closes-Bug: #1590608
    Closes-Bug: #1816364
    Change-Id: I04ba85488b27cb05c3b81ad8c973c3cc3fe56d36
    (cherry picked from commit ca1acb656cbd1ec30e327fa67cd9f6e75345b14f)

tags: added: in-stable-stein

Reviewed: https://review.openstack.org/650990
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=6e05155c1df28cde9c42667faa5cf392d2c5b0ef
Submitter: Zuul
Branch: stable/rocky

commit 6e05155c1df28cde9c42667faa5cf392d2c5b0ef
Author: Vlad Gusev <email address hidden>
Date: Thu Mar 7 15:38:57 2019 +0300

    Add http_proxy_to_wsgi middleware

    This sets up the HTTPProxyToWSGI middleware in front of Mistral API. The
    purpose of this middleware is to set up the request URL correctly in
    the case there is a proxy (for instance, a loadbalancer such as HAProxy)
    in front of the Mistral API.

    The HTTPProxyToWSGI is off by default and needs to be enabled via a
    configuration value.

    It can be enabled with the option in mistral.conf:
    [oslo_middleware]
    enable_proxy_headers_parsing=True

    Closes-Bug: #1590608
    Closes-Bug: #1816364
    Change-Id: I04ba85488b27cb05c3b81ad8c973c3cc3fe56d36
    (cherry picked from commit ca1acb656cbd1ec30e327fa67cd9f6e75345b14f)

tags: added: in-stable-rocky

This issue was fixed in the openstack/mistral 9.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers