nova-serialproxy should support X-Forwarded-Proto

Bug #1788180 reported by Georg Hoesch
Affects                   Status         Importance  Assigned to   Milestone
OpenStack Compute (nova)  Fix Released   Medium      melanie witt
Rocky                     Fix Committed  Medium      s10

Bug Description

Setup description
------------------
Multinode deployment with kolla with keepalived and haproxy with SSL
termination. nova-serialproxy is configured with base_url=wss://
because I want my users to connect through a secure channel.

Problem description
-------------------
Get a serial-proxy url with token like this (works fine):
  openstack console url show --insecure --serial <uuid>

Connect to the url (in my case: simple python websocket):
  python serial.py wss://hostname:6083?token=<token>

Result:
  nova-serialproxy closes the connection
  Log contains "Origin header protocol does not match this host."

Expected result:
  connection works

Problem analysis
----------------
haproxy accepts the wss:// connection and forwards the connection to the
serialproxy process. haproxy changes the Origin header to 'http' and adds
a header 'X-Forwarded-Proto: https'.

'websocketproxy.py' accepts the connection and fails because the URL
in 'Origin' has not the same scheme/protocol as issued in the
'console url show' command.

AFAIK the behaviour of haproxy is ok and the serialproxy should offer a
possibility to check the value of 'X-Forwarded-Proto' as source protocol.

Tags: console
Georg Hoesch (hoesch)
description: updated
description: updated
melanie witt (melwitt)
tags: added: console
Revision history for this message
melanie witt (melwitt) wrote :

Seems like it would be reasonable to add handling of X-Forwarded-Proto and prefer it over Origin if it's present. I can try proposing a patch and see what people think about it.

Changed in nova:
assignee: nobody → melanie witt (melwitt)
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/631103

Changed in nova:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/631103
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=890e2d320e8e8e7b501af8e21cc6b751fb204d04
Submitter: Zuul
Branch: master

commit 890e2d320e8e8e7b501af8e21cc6b751fb204d04
Author: melanie witt <email address hidden>
Date: Wed Jan 16 00:27:42 2019 +0000

    Use X-Forwarded-Proto as origin protocol if present

    When using a haproxy with SSL termination to provide secure console
    connections, haproxy will change the Origin header scheme to 'http'
    and add the 'X-Forwarded-Proto: https' header. This causes a failure
    in the Nova console proxy code which verifies that the Origin header
    scheme matches the access_url scheme for the connection, because the
    Origin header coming from haproxy is 'http' while the access_url
    scheme is 'https' or 'wss'.

    This looks for the X-Forwarded-Proto header and uses its scheme for
    the verification instead, if it is present.

    Closes-Bug: #1788180

    Change-Id: I43401dc8368853654bf443273a0a1b5b9b63e3f0

Changed in nova:
status: In Progress → Fix Released
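Added illustration of the check described in the bug description and in the commit message above (it is not nova's websocketproxy.py and is not part of this bug report): the Origin scheme is compared against the access_url scheme, with ws/wss treated as equivalent to http/https, and X-Forwarded-Proto is preferred over the Origin scheme when the header is present. The function and helper names, the plain-dict header input, the constructed hostname console.example.test and the trusted_proxy flag are this example's own assumptions; honor_forwarded_proto=False reproduces the pre-fix rejection reported above.

```python
"""Origin-scheme verification for a WebSocket console proxy sitting behind a
TLS-terminating reverse proxy. Added illustration of the check discussed in
bug #1788180; it is not nova's websocketproxy.py. Helper names, the header
dict input, the hostname and the trusted_proxy flag are assumptions."""
from urllib.parse import urlparse


class OriginCheckError(Exception):
    """Raised when the WebSocket Origin header fails verification."""


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _expected_schemes(access_url):
    """Schemes an Origin may carry for a given access_url. A browser's Origin
    header always uses http/https, so ws/wss access URLs accept those too."""
    scheme = urlparse(access_url).scheme.lower()
    if scheme == "ws":
        return {"ws", "http"}
    if scheme == "wss":
        return {"wss", "https"}
    return {scheme}


def verify_origin(headers, access_url, honor_forwarded_proto=True,
                  trusted_proxy=True):
    """Validate the Origin header of a console connection.

    Returns the scheme that was actually compared (None when the client sent
    no Origin, i.e. a non-browser client), or raises OriginCheckError.

    honor_forwarded_proto=False reproduces the pre-fix behaviour: only the
    Origin scheme is compared, so a TLS-terminating proxy that rewrites
    Origin to http:// causes a spurious mismatch against a wss:// access_url.

    trusted_proxy=False models a connection that did not arrive through the
    trusted proxy (an assumption of this example): X-Forwarded-Proto is then
    client-controlled and is ignored, otherwise a plaintext client could set
    it to 'https' and satisfy the check.
    """
    origin_url = _header(headers, "Origin")
    if origin_url is None:
        return None

    origin = urlparse(origin_url)
    if not origin.hostname or not origin.scheme:
        raise OriginCheckError("Origin header not valid.")

    host = _header(headers, "Host") or ""
    expected_hostname = urlparse("//" + host).hostname
    if origin.hostname != expected_hostname:
        raise OriginCheckError("Origin header does not match this host.")

    scheme = origin.scheme.lower()
    forwarded = _header(headers, "X-Forwarded-Proto")
    if honor_forwarded_proto and trusted_proxy and forwarded:
        # Chained proxies may append values; the first is the client-facing scheme.
        scheme = forwarded.split(",")[0].strip().lower()

    if scheme not in _expected_schemes(access_url):
        raise OriginCheckError("Origin header protocol does not match this host.")
    return scheme


def classify(headers, access_url, **kwargs):
    """Run verify_origin and fold the outcome into a tuple for easy checking."""
    try:
        return ("accepted", verify_origin(headers, access_url, **kwargs))
    except OriginCheckError as exc:
        return ("rejected", str(exc))


# Constructed request headers as a TLS-terminating haproxy would forward them
# for the wss:// connection in the bug report: Origin rewritten to http and
# X-Forwarded-Proto added. Hostname and token are made up for this example.
ACCESS_URL = "wss://console.example.test:6083/?token=EXAMPLE-TOKEN"
HAPROXY_HEADERS = {
    "Host": "console.example.test:6083",
    "Origin": "http://console.example.test:6083",
    "X-Forwarded-Proto": "https",
    "Upgrade": "websocket",
}

if __name__ == "__main__":
    print("pre-fix  :", classify(HAPROXY_HEADERS, ACCESS_URL, honor_forwarded_proto=False))
    print("post-fix :", classify(HAPROXY_HEADERS, ACCESS_URL))
    print("untrusted:", classify(HAPROXY_HEADERS, ACCESS_URL, trusted_proxy=False))
```

The trusted_proxy flag stands in for a deployment property rather than something the proxy code can infer from the request: X-Forwarded-Proto is only meaningful when the TLS-terminating proxy sets or overwrites it unconditionally and the backend port is not reachable except through that proxy. If either condition fails, a client can send "X-Forwarded-Proto: https" on its own plaintext connection and the scheme check no longer tells the backend anything about the transport actually used.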
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/634814

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/rocky)

Reviewed: https://review.openstack.org/634814
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=218c0f5f974d5ffd646b6b816bfb3fc494829e7b
Submitter: Zuul
Branch: stable/rocky

commit 218c0f5f974d5ffd646b6b816bfb3fc494829e7b
Author: melanie witt <email address hidden>
Date: Wed Jan 16 00:27:42 2019 +0000

    Use X-Forwarded-Proto as origin protocol if present

    When using a haproxy with SSL termination to provide secure console
    connections, haproxy will change the Origin header scheme to 'http'
    and add the 'X-Forwarded-Proto: https' header. This causes a failure
    in the Nova console proxy code which verifies that the Origin header
    scheme matches the access_url scheme for the connection, because the
    Origin header coming from haproxy is 'http' while the access_url
    scheme is 'https' or 'wss'.

    This looks for the X-Forwarded-Proto header and uses its scheme for
    the verification instead, if it is present.

    Closes-Bug: #1788180

    Change-Id: I43401dc8368853654bf443273a0a1b5b9b63e3f0
    (cherry picked from commit 890e2d320e8e8e7b501af8e21cc6b751fb204d04)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 19.0.0.0rc1

This issue was fixed in the openstack/nova 19.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 18.2.0

This issue was fixed in the openstack/nova 18.2.0 release.
