OpenStack-Ansible

gnocchi : wrong endpoint URL in responses

Bug #1822113 reported by Gilles Mocellin on 2019-03-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	New	Undecided	Unassigned

Bug Description

Hello,

The metric API (gnocchi) returns a wrong URL when I issue a GET on /, http instead of https :

$ curl -s https://my.external-url.tld:8041/ | jq .
{
  "build": "4.2.0",
  "versions": [
    {
      "status": "CURRENT",
      "updated": "2015-03-19",
      "id": "v1.0",
      "links": [
        {
          "href": "http://my.external-url.tld:8041/v1/",
          "rel": "self"
        }
      ]
    }
  ]
}

I don't know if it's a haproxy or gnocchi problem. I bet on gnocchi.

Many requests still work, except "metric list" where we can see a call to http endpoint instead of https :
$ openstack metric list
Unable to establish connection to http://my.external-url.tld:8041/v1/metric?limit=1000&marker=2d8d79f9-419c-482d-a3d7-689463865677&sort=id%3Aasc: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response',))

Revision history for this message

Gilles Mocellin (gilles-mocellin) wrote on 2019-05-24:

Perhaps something in common with
https://bugs.launchpad.net/openstack-ansible/+bug/1713663

oslo.middleware enable_proxy_headers_parsing not set ?

Revision history for this message

Gilles Mocellin (gilles-mocellin) wrote on 2019-06-27:

Just to tell that I have upgraded to Rocky, and the problem is still there.

Revision history for this message

Gilles Mocellin (gilles-mocellin) wrote on 2019-07-01:

Same issue in Gnocchi GitHub :
https://github.com/gnocchixyz/python-gnocchiclient/issues/102

In fact, when launching gnocchi CLI with --debug, we can see that there's a first response, and pagination. The second page is called with HTTP instead of HTTPS and make the entire command fail.

Solution is to configure HAproxy and Gnocchi to forward and support X-Forwarded-Proto
HAproxy :
http-request del-header X-Forwarded-Proto if { ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }

Gnochhi :
[oslo_middleware]
enable_proxy_headers_parsing = True

There is another Bug that lead to another saying it's not secure to use the
enable_proxy_headers_parsing = True
https://bugs.launchpad.net/openstack-ansible/+bug/1713663

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-github-gnocchixyz-python-gnocchiclient #102
[closed] Edit

Bug watches keep track of this bug in other bug trackers.