Set enable_proxy_headers_parsing = True when HAProxy is used

Bug #1713663 reported by Adrien Cunin on 2017-08-29
This bug affects 2 people
Affects: openstack-ansible
Importance: Medium
Assigned to: Unassigned

Bug Description

[oslo_middleware]
enable_proxy_headers_parsing = True

should be set in the configuration of services that use oslo_middleware, when HAProxy is used.

Obvious example with Designate, currently a request on the public IP returns:

# curl --insecure https://PUBLIC_IP:9001
{
  "versions": {
    "values": [
      {
        "id": "v1",
        "links": [
          {
            "href": "http://PUBLIC_IP:9001/v1",
            "rel": "self"
          }
        ],
        "status": "DEPRECATED"
      },
      {
        "id": "v2",
        "links": [
          {
            "href": "http://PUBLIC_IP:9001/v2",
            "rel": "self"
          }
        ],
        "status": "CURRENT"
      }
    ]
  }
}

Notice http instead of https.

With the config change, https is returned as expected.

Adrien Cunin (adri2000) wrote :

One question is: can we enable that option even when there is HAProxy in front?

https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=f62c3a74c07238d91efb17e9ac64373f08894490 says we shouldn't for security reasons.

https://bugs.launchpad.net/oslo.middleware/+bug/1590635 asks to change the default directly in oslo.middleware.

Adrien Cunin (adri2000) wrote :

See my comment at https://bugs.launchpad.net/oslo.middleware/+bug/1590635. Let's wait a bit to see the outcome there.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
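
The behaviour discussed in this report, as an added sketch that is not part of the bug report and is not oslo.middleware's code: a backend behind a TLS-terminating proxy sees plain HTTP, so its self links say http unless it honours X-Forwarded-Proto, and that header is only trustworthy when it comes from the proxy because any client can send it. The `ProxyHeaders` class, the trusted-peer check and the addresses are assumptions made for illustration; the real option is the boolean shown in the report.

```python
# Simplified stand-in for proxy-header parsing; not oslo.middleware's implementation.
from wsgiref.util import setup_testing_defaults

# Constructed address standing in for the HAProxy host (assumption).
TRUSTED_PROXIES = {"172.29.236.10"}


def versions_app(environ, start_response):
    """Toy service that builds a self link from the WSGI environ,
    the way the version document in the report does."""
    href = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}/v2"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [href.encode()]


class ProxyHeaders:
    """Apply X-Forwarded-Proto only when parsing is enabled AND the peer
    is a known proxy (the peer check is an illustrative addition)."""

    def __init__(self, app, enable_proxy_headers_parsing=False,
                 trusted=TRUSTED_PROXIES):
        self.app = app
        self.enabled = enable_proxy_headers_parsing
        self.trusted = trusted

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
        from_proxy = environ.get("REMOTE_ADDR") in self.trusted
        if self.enabled and from_proxy and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def self_link(app, remote_addr, forwarded_proto=None):
    """Send one request to `app` as the backend sees it: plain HTTP on
    port 9001, with TLS already terminated upstream."""
    environ = {}
    setup_testing_defaults(environ)  # sets wsgi.url_scheme to "http"
    environ.update({"HTTP_HOST": "PUBLIC_IP:9001", "REMOTE_ADDR": remote_addr})
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

In a deployment the same trust boundary is normally enforced outside the application: the backend is reachable only from the proxy, and the proxy overwrites any X-Forwarded-Proto value sent by the client.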