Comment 0 for bug 1788180

Georg Hoesch (hoesch) wrote :

Setup description
------------------
Multinode deployment with kolla with keepalived and haproxy with SSL termination.
nova-serialproxy is configured with base_url=wss:// because I want my users to
connect through a secure channel.

Problem description
-------------------
Get a serial-proxy url with token like this (works fine):
  openstack console url show --insecure --serial <uuid>

Connect to the url (in my case: simple python websocket):
  python serial.py wss://hostname:6083?token=<token>

Result:
  nova-serialproxy closes the connection
  Log contains "Origin header protocol does not match this host."

Expected result:
  connection works

Problem analysis
----------------
haproxy accepts the wss:// connection and forwards the connection to the
serialproxy process. HAproxy changes the Origin header to 'http' and adds
a header 'X-Forwarded-Proto: https'.

'websocketproxy.py' accepts the connection and fails because the URL in 'Origin'
does not have the same scheme/protocol as issued in the 'console url show' command.

AFAIK the behaviour of haproxy is ok and the serialproxy should offer a possibility to
check the value of 'X-Forwarded-Proto' as source protocol.
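
An added example, not nova's code and not part of the original report: one way an origin-scheme check can take 'X-Forwarded-Proto' into account while only trusting that header when the connection comes from a known proxy. The function names, the trusted_proxies parameter and all sample hosts and addresses are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# A ws/wss console URL is normally opened from a page served over http/https.
WS_EQUIVALENT = {"ws": "http", "wss": "https"}

# Constructed sample data (documentation address ranges, placeholder token).
ACCESS_URL = "wss://console.example.test:6083/?token=PLACEHOLDER"
TRUSTED_PROXIES = ["192.0.2.0/24"]
PROXIED_HEADERS = {"Origin": "http://console.example.test:6083",
                   "X-Forwarded-Proto": "https"}


def effective_origin_scheme(headers, peer_ip, trusted_proxies):
    """Return the scheme to validate, or None when no Origin was sent.

    X-Forwarded-Proto replaces the Origin scheme only when the TCP peer is
    a trusted proxy; from any other peer the header is client-controlled
    and is ignored. Assumption: the proxy sets the header itself.
    """
    origin = headers.get("Origin")
    if origin is None:
        return None
    scheme = urlparse(origin).scheme.lower()
    forwarded = headers.get("X-Forwarded-Proto")
    peer = ip_address(peer_ip)
    if forwarded and any(peer in ip_network(net) for net in trusted_proxies):
        scheme = forwarded.strip().lower()
    return scheme


def origin_scheme_allowed(access_url, headers, peer_ip, trusted_proxies):
    """Compare the effective origin scheme with the issued console URL."""
    scheme = effective_origin_scheme(headers, peer_ip, trusted_proxies)
    if scheme is None:
        # Assumption: a request without Origin is not rejected by this check.
        return True
    expected = urlparse(access_url).scheme.lower()
    return scheme in {expected, WS_EQUIVALENT.get(expected, expected)}


if __name__ == "__main__":
    for peer in ("192.0.2.10", "198.51.100.7"):
        ok = origin_scheme_allowed(ACCESS_URL, PROXIED_HEADERS, peer,
                                   TRUSTED_PROXIES)
        print(peer, "accepted" if ok else "rejected")
```

The second peer is outside the trusted range, so its 'X-Forwarded-Proto' value is ignored and the 'http' Origin is rejected against the wss:// URL.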