haproxy should not use IP address for HTTP redirect rule
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo |
Fix Released
|
High
|
Unassigned |
Bug Description
Description
===========
Currently, the horizon proxy is configured to redirect HTTP requests to HTTPS if the 'Host' field contains the public virtual IP address. The problem with this is that the 'Host' field may contain the FQDN instead of the IP address, in which case request is not redirected and will be plain HTTP. The easiest way to solve this is to simply redirect all HTTP requests to HTTPS, regardless of the 'Host' field in the header.
Steps to reproduce
==================
Use curl to connect to horizon via SSL terminated proxy (haproxy). Use curl to send a request to both the virtual IP address for hozizon and another request with the hostname
$ curl -Lkv http://
$ curl -Lkv http://
Note the "Host" field of the request header. It will be either the IP address or hostname, depending on what was used in the curl command. Since the redirect rule is matching the IP address, haproxy will not redirect if you use the hostname. However, in my testing it seems that when the hostname was used and haproxy did not redirect, horizon itself would do a redirect. If you look at the haproxy logs (and have ''option tcplog" set in haproxy.cfg) you will see that when the IP address is used for the request haproxy does a redirect:
Jun 8 14:54:08 overcloud-
That is correct. If you use the hostname, there is no log entry for the redirect, so something else (horizon) is doing the redirect.
Expected result
===============
I would expect that haproxy would handle the redirect for all incoming HTTP requests to horizon, regardless of the Host field in the header.
Actual result
=============
See above.
Environment
===========
Mitaka, but this redirect rule is the current release as well.
Changed in tripleo: | |
assignee: | nobody → Ryan O'Hara (rohara) |
Changed in tripleo: | |
milestone: | pike-3 → pike-rc1 |
Remove the condition to match 'Host' field of request header in horizon HTTPS redirect rule.