SSL termination in external loadbalancer
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kolla-ansible | Fix Released | Wishlist | Unassigned | | |
Bug Description
We encountered a bug while trying to access public endpoints over HTTPS.
Following setup:
external loadbalancer | internal haproxy | keystone
As you can see we put an external loadbalancer in front of the internal one. In our scenario the external loadbalancer terminates SSL and then redirects to the internal haproxy without SSL. The problem is that keystone always returns HTTP URLs instead of HTTPS.
The reason for this is that keystone simply doesn't know about HTTPS due to the fact that the internal haproxy deletes the X-Forwarded-Proto header. If you look closer at haproxy.cfg and take one step further, you will see that haproxy only adds the HTTPS header if the front connection was made via SSL.
Fix --> Tell haproxy to delete the X-Forwarded-Proto header only in case of { ssl_fc }.
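The behaviour described in the report and the proposed conditional delete, side by side, as an added example that is not part of the original report and is not kolla-ansible's own template. All section names, addresses and ports are constructed placeholders, and the source-address ACL is an assumption added here so that the header is only accepted from the external load balancer.

```haproxy
# Constructed example; not taken from kolla-ansible's haproxy.cfg.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Before: X-Forwarded-Proto is dropped on every request and re-added only
# when this haproxy terminated TLS itself. With TLS terminated upstream,
# ssl_fc is false, so keystone never sees "https" and builds http:// URLs.
frontend keystone_external_before
    bind 192.0.2.10:5000
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend keystone_back

# After: delete the incoming header only when TLS terminated here (the
# local value replaces it). A plain-HTTP request from the external load
# balancer keeps the header that load balancer set.
frontend keystone_external_after
    bind 192.0.2.10:5001
    # Assumption: 198.51.100.5 is the external load balancer. Any other
    # client could send its own X-Forwarded-Proto, so strip it for them.
    acl from_external_lb src 198.51.100.5
    http-request del-header X-Forwarded-Proto if { ssl_fc }
    http-request del-header X-Forwarded-Proto if !from_external_lb
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend keystone_back

backend keystone_back
    server keystone01 192.0.2.21:5000 check
```

The two frontends are alternatives shown on different ports only so the file parses as one configuration; `haproxy -c -f <file>` checks the syntax without starting the proxy.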
Changed in kolla: | |
assignee: | nobody → Nenad Radojevic (nradojevic) |
Changed in kolla: | |
status: | New → Triaged |
milestone: | none → newton-rc2 |
Changed in kolla: | |
importance: | Undecided → Medium |
Changed in kolla: | |
milestone: | newton-rc2 → ocata-1 |
Changed in kolla: | |
milestone: | ocata-1 → ocata-2 |
Changed in kolla: | |
milestone: | ocata-2 → ocata-3 |
Changed in kolla: | |
assignee: | Nenad Radojevic (nradojevic) → nobody |
Changed in kolla: | |
milestone: | ocata-3 → ocata-rc1 |
Changed in kolla: | |
milestone: | ocata-rc1 → pike-1 |
Changed in kolla: | |
milestone: | pike-2 → pike-3 |
Changed in kolla: | |
milestone: | pike-3 → pike-rc1 |
Changed in kolla: | |
milestone: | pike-rc1 → queens-1 |
Changed in kolla: | |
milestone: | queens-2 → queens-3 |
Changed in kolla: | |
milestone: | queens-3 → queens-rc1 |
Changed in kolla: | |
milestone: | queens-rc1 → queens-rc2 |
Changed in kolla: | |
milestone: | queens-rc2 → rocky-1 |
affects: | kolla → kolla-ansible |
Changed in kolla-ansible: | |
milestone: | rocky-2 → none |
importance: | Undecided → Wishlist |
Changed in kolla-ansible: | |
status: | New → In Progress |
While I couldn't actually confirm this because I don't have an external load balancer, the logic of the bug report looks sound. Hence I marked it confirmed - as in confirming it looks like a real problem.