horizon_external_ssl: false causes horizon endpoint to fail with redirect error

Bug #1647503 reported by Miguel Alejandro Cantu on 2016-12-05

Bug Description

According to the release notes:
" - In previous releases connections to Horizon originally terminated SSL
    at the Horizon container. While that is still an option, SSL is now
    assumed to be terminated at the load balancer. If you wish to terminate
    SSL at the horizon node change the ``horizon_external_ssl`` option to
    **false**. "

I tried setting the horizon_external_ssl variable to false, but that resulted in the horizon public endpoint becoming inaccessible. Curling the endpoint always results in a 302:

Using the web browser to access horizon resulted in an error message:
"The page isn’t redirecting properly".

I don't know a lot about what's causing this. It could be bad haproxy settings, or bad apache configurations. Please let me know if you need any more info.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium

It appears to me that it's not an option any more to terminate SSL at the horizon container. There is only the external_ssl option. So either we need to consider this a bug and patch it up to make it optional, or we need to add a known issue release note.

Considering that end-to-end SSL is a likely requirement (i.e. SSL to the LB, and SSL to the container) I think that catering for SSL at the container *and* SSL at the LB should ideally be possible.

To resolve this bug though, the simpler implementation of just one or the other would be fine. I think we have this implemented for the Keystone role, so it would be worth looking at that for prior art.

Travis Truman (travis-truman) wrote :

I may take a look at addressing this as it has bitten me more than once.

summary: - horizon_external_ssl: flase causes horizon endpoint to fail with
+ horizon_external_ssl: false causes horizon endpoint to fail with
redirect error