Activity log for bug #1788180
| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2018-08-21 13:40:09 | Georg Hoesch | bug | added bug | ||
| 2018-08-21 13:41:04 | Georg Hoesch | description | Setup description ------------------ Multinode deployment with kolla with keepalived and haproxy with SSL termination. nova-serialproxy is configured with base_url=wss:// because I want my users to connect through a secure channel. Problem description ------------------- Get a serial-proxy url with token like this (works fine): openstack console url show --insecure --serial <uuid> Connect to the url (in my case: simple python websocket): python serial.py wss://hostname:6083?token=<token> Result: nova-serialproxy closes the connection Log contains "Origin header protocol does not match this host." Expected result: connection works Problem analysis ---------------- haproxy accepts the wss:// connection and forwards the connection to the serialproxy process. HAproxy changes the Origin header to 'http' and adds a header 'X-Forwarded-Proto: https'. 'websocketproxy.py' accepts the connection and fails because the URL in 'Origin' has not the same scheme/protocol as issued in the 'console url show' command. AFAIK the behaviour of haproxy is ok and the serialproxy should offer a possiblity to check the value of 'X-Forwarded-Proto' as source protocol. | Setup description ------------------ Multinode deployment with kolla with keepalived and haproxy with SSL termination. nova-serialproxy is configured with base_url=wss:// because I want my users to connect through a secure channel. Problem description ------------------- Get a serial-proxy url with token like this (works fine): openstack console url show --insecure --serial <uuid> Connect to the url (in my case: simple python websocket): python serial.py wss://hostname:6083?token=<token> Result: nova-serialproxy closes the connection Log contains "Origin header protocol does not match this host." Expected result: connection works Problem analysis ---------------- haproxy accepts the wss:// connection and forwards the connection to the serialproxy process. HAproxy changes the Origin header to 'http' and adds a header 'X-Forwarded-Proto: https'. 'websocketproxy.py' accepts the connection and fails because the URL in 'Origin'has not the same scheme/protocol as issued in the 'console url show' command. AFAIK the behaviour of haproxy is ok and the serialproxy should offer a possiblity to check the value of 'X-Forwarded-Proto' as source protocol. | |
| 2018-08-21 13:41:55 | Georg Hoesch | description | Setup description ------------------ Multinode deployment with kolla with keepalived and haproxy with SSL termination. nova-serialproxy is configured with base_url=wss:// because I want my users to connect through a secure channel. Problem description ------------------- Get a serial-proxy url with token like this (works fine): openstack console url show --insecure --serial <uuid> Connect to the url (in my case: simple python websocket): python serial.py wss://hostname:6083?token=<token> Result: nova-serialproxy closes the connection Log contains "Origin header protocol does not match this host." Expected result: connection works Problem analysis ---------------- haproxy accepts the wss:// connection and forwards the connection to the serialproxy process. HAproxy changes the Origin header to 'http' and adds a header 'X-Forwarded-Proto: https'. 'websocketproxy.py' accepts the connection and fails because the URL in 'Origin'has not the same scheme/protocol as issued in the 'console url show' command. AFAIK the behaviour of haproxy is ok and the serialproxy should offer a possiblity to check the value of 'X-Forwarded-Proto' as source protocol. | Setup description ------------------ Multinode deployment with kolla with keepalived and haproxy with SSL termination. nova-serialproxy is configured with base_url=wss:// because I want my users to connect through a secure channel. Problem description ------------------- Get a serial-proxy url with token like this (works fine): openstack console url show --insecure --serial <uuid> Connect to the url (in my case: simple python websocket): python serial.py wss://hostname:6083?token=<token> Result: nova-serialproxy closes the connection Log contains "Origin header protocol does not match this host." Expected result: connection works Problem analysis ---------------- haproxy accepts the wss:// connection and forwards the connection to the serialproxy process. HAproxy changes the Origin header to 'http' and adds a header 'X-Forwarded-Proto: https'. 'websocketproxy.py' accepts the connection and fails because the URL in 'Origin'has not the same scheme/protocol as issued in the 'console url show' command. AFAIK the behaviour of haproxy is ok and the serialproxy should offer a possiblity to check the value of 'X-Forwarded-Proto' as source protocol. | |
| 2019-01-15 21:32:11 | melanie witt | tags | console | ||
| 2019-01-16 00:04:09 | melanie witt | nova: importance | Undecided | Medium | |
| 2019-01-16 00:04:09 | melanie witt | nova: status | New | Triaged | |
| 2019-01-16 00:04:09 | melanie witt | nova: assignee | melanie witt (melwitt) | ||
| 2019-01-16 00:35:00 | OpenStack Infra | nova: status | Triaged | In Progress | |
| 2019-01-22 23:12:13 | OpenStack Infra | nova: status | In Progress | Fix Released | |
| 2019-02-05 13:26:10 | Matt Riedemann | nominated for series | nova/rocky | ||
| 2019-02-05 13:26:10 | Matt Riedemann | bug task added | nova/rocky | ||
| 2019-02-05 13:26:21 | Matt Riedemann | nova/rocky: status | New | In Progress | |
| 2019-02-05 13:26:24 | Matt Riedemann | nova/rocky: importance | Undecided | Medium | |
| 2019-02-05 13:26:29 | Matt Riedemann | nova/rocky: assignee | s10 (vlad-esten) | ||
| 2019-02-07 02:20:37 | OpenStack Infra | nova/rocky: status | In Progress | Fix Committed |
