nova-serialproxy should support X-Forwarded-Proto
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Medium | melanie witt | |
Rocky | Fix Committed | Medium | s10 | |
Bug Description
Setup description
------------------
Multinode deployment with kolla with keepalived and haproxy with SSL
termination. nova-serialproxy is configured with base_url=wss://
because I want my users to connect through a secure channel.
Problem description
-------------------
Get a serial-proxy url with token like this (works fine):
openstack console url show --insecure --serial <uuid>
Connect to the url (in my case: simple python websocket):
python serial.py wss://hostname:
Result:
nova-serialproxy closes the connection
Log contains "Origin header protocol does not match this host."
Expected result:
connection works
Problem analysis
----------------
haproxy accepts the wss:// connection and forwards the connection to the
serialproxy process. HAproxy changes the Origin header to 'http' and adds
a header 'X-Forwarded-Proto: https'.
'websocketproxy.py' accepts the connection and fails because the URL
in 'Origin' does not have the same scheme/protocol as issued in the
'console url show' command.
AFAIK the behaviour of haproxy is ok and the serialproxy should offer a
possibility to check the value of 'X-Forwarded-Proto' as source protocol.
Seems like it would be reasonable to add handling of X-Forwarded-Proto and prefer it over Origin if it's present. I can try proposing a patch and see what people think about it.
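The check discussed in this report, sketched as an added example (not nova's code and not part of the report or the comment above): the Origin scheme is compared with the scheme of the issued console URL, and 'X-Forwarded-Proto' is preferred when present. Accepting the header only from a known proxy address is an extra assumption of this sketch, and the function names, host names, addresses and token are hypothetical.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Origin schemes treated as matching each scheme of the issued console URL.
EQUIVALENT = {"ws": {"ws", "http"}, "wss": {"wss", "https"}}
MISMATCH = "Origin header protocol does not match this host."


def from_trusted_proxy(peer_ip, trusted_proxies):
    """True if the TCP peer is one of our own load balancers (assumed list)."""
    return any(ip_address(peer_ip) in ip_network(net) for net in trusted_proxies)


def check_origin(headers, issued_url, peer_ip, trusted_proxies):
    """Return (allowed, reason) for one WebSocket upgrade request."""
    origin = urlparse(headers.get("Origin", ""))
    host = urlparse("//" + headers.get("Host", "")).hostname
    # Fail closed when either header is missing or the hosts differ.
    if not origin.hostname or origin.hostname != host:
        return False, "Origin header does not match this host."
    scheme = origin.scheme
    forwarded = headers.get("X-Forwarded-Proto")
    # Prefer the forwarded protocol, but only when the proxy we run set it;
    # a direct client can send any X-Forwarded-Proto value it likes.
    if forwarded and from_trusted_proxy(peer_ip, trusted_proxies):
        scheme = forwarded.strip().lower()
    if scheme not in EQUIVALENT.get(urlparse(issued_url).scheme, set()):
        return False, MISMATCH
    return True, "ok"


# Constructed sample: the request as the report describes it after SSL
# termination (Origin rewritten to http, X-Forwarded-Proto: https added).
PROXIED = {
    "Host": "console.example.test:6083",
    "Origin": "http://console.example.test",
    "X-Forwarded-Proto": "https",
}
ISSUED = "wss://console.example.test:6083/?token=PLACEHOLDER"
PROXIES = ["10.0.0.0/24"]  # assumed address range of the haproxy nodes

if __name__ == "__main__":
    print(check_origin(PROXIED, ISSUED, "10.0.0.5", PROXIES))     # via proxy
    print(check_origin(PROXIED, ISSUED, "203.0.113.9", PROXIES))  # direct peer
```

For the header to be trustworthy, the proxy has to set or overwrite 'X-Forwarded-Proto' on every request rather than pass through a client-supplied value.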