Bug 1401607

Summary: [RFE] Redirect for horizon dashboard from http to https in haproxy
Product: Red Hat OpenStack
Reporter: Andreas Karis <akaris>
Component: openstack-tripleo
Assignee: James Slagle <jslagle>
Status: CLOSED CURRENTRELEASE
QA Contact: Arik Chernetsky <achernet>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 10.0 (Newton)
CC: aschultz, beth.white, bperkins, dh3, jrist, mburns, opavlenk, rdopiera, rhel-osp-director-maint, rscarazz, srelf
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: NeedsAllocation
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-15 12:53:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Andreas Karis 2016-12-05 16:32:30 UTC
Description of problem:
In OSP 7, haproxy does not redirect from http to https for SSL-enabled configurations. I created this RFE in case this is not yet fixed in more recent versions.

Version-Release number of selected component (if applicable):
OSP 7  (RFE is for more recent versions, >= 10)

Steps to reproduce:
I just deployed a 1 controller + 1 compute lab with SSL and RHEL OSP 7.3. This is the relevant section of haproxy.cfg about horizon:
~~~
[root@overcloud-controller-0 ~]# cat /etc/haproxy/haproxy.cfg | grep horizon -A10
listen horizon
  bind 10.0.0.4:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:80 transparent
  mode http
  cookie SERVERID insert indirect nocache
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0 172.16.2.7:80 check fall 5 inter 2000 rise 2
~~~

How to make this work manually:
~~~
+  bind 10.0.0.4:80 transparent
+  redirect scheme https code 301 if !{ ssl_fc }
~~~
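
Review bot: the `!{ ssl_fc }` condition on the added `redirect scheme https code 301` line matches every plaintext bind in this `listen` section, including the existing `bind 172.16.2.4:80 transparent`, and the section shown has no `ssl` bind on 172.16.2.4. A client that reaches horizon at http://172.16.2.4/ would be redirected to the https form of the same URL, where nothing listens on 443. Either add an `ssl` bind for that address or scope the rule to the new public bind, for example `redirect scheme https code 301 if { dst 10.0.0.4 } !{ ssl_fc }`. Since browsers cache a 301, a 302 is safer while the change is being tested.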

So the final result:
~~~
listen horizon
  bind 10.0.0.4:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:80 transparent
  bind 10.0.0.4:80 transparent
  redirect scheme https code 301 if !{ ssl_fc }
  mode http
  cookie SERVERID insert indirect nocache
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0 172.16.2.7:80 check fall 5 inter 2000 rise 2
~~~
and restart haproxy.

We need to modify tripleo so that it adds this redirect (if the customer wishes to add it).

Comment 6 Raoul Scarazzini 2018-03-15 10:23:29 UTC
If you deploy an osp10 environment with SSL today, you get this config:

~~~
listen horizon
  bind 172.16.2.11:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.11:80 transparent
  bind 172.16.99.5:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.99.5:80 transparent
  mode http
  cookie SERVERID insert indirect nocache
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  option forwardfor
  redirect scheme https code 301 if !{ ssl_fc }
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0.internalapi.localdomain 172.16.2.16:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-1.internalapi.localdomain 172.16.2.5:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-2.internalapi.localdomain 172.16.2.14:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
~~~

So the redirect is present and working.
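
A check for the condition this report describes, as an added example (not code from the report or from TripleO): it parses the `listen`/`frontend` sections of an haproxy.cfg and flags sections that mix plaintext and `ssl` binds without a `redirect scheme https` rule, plus plaintext addresses that are redirected although no `ssl` bind exists on them. The sample configs are constructed from the sections quoted above; the function name `audit` and the finding strings are assumptions.

```python
import re

# Constructed input: the OSP 7 section from the report, then the same section
# with the two lines of the manual workaround added.
BEFORE = """\
listen horizon
  bind 10.0.0.4:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:80 transparent
  mode http
  server overcloud-controller-0 172.16.2.7:80 check fall 5 inter 2000 rise 2
"""
AFTER = BEFORE.replace("  mode http", "  bind 10.0.0.4:80 transparent\n"
                       "  redirect scheme https code 301 if !{ ssl_fc }\n  mode http")

SECTION_KEYWORDS = {"global", "defaults", "listen", "frontend", "backend"}
REDIRECT = re.compile(r"^(http-request\s+)?redirect\s+scheme\s+https\b")


def audit(cfg):
    """Return sorted (section, finding) pairs for listen/frontend sections."""
    sections, name = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            # Only sections that accept client connections are audited.
            name = None
            if words[0] in ("listen", "frontend") and len(words) > 1:
                name = words[1]
                sections[name] = {"plain": set(), "tls": set(), "redirect": False}
        elif name and words[0] == "bind" and len(words) > 1:
            addr = words[1].rsplit(":", 1)[0]
            kind = "tls" if "ssl" in words[2:] else "plain"
            sections[name][kind].add(addr)
        elif name and REDIRECT.match(" ".join(words)):
            sections[name]["redirect"] = True
    findings = []
    for sec, s in sections.items():
        if s["plain"] and s["tls"] and not s["redirect"]:
            findings.append((sec, "plaintext bind without redirect to https"))
        if s["redirect"]:
            for addr in sorted(s["plain"] - s["tls"]):
                findings.append((sec, f"redirect on {addr} but no ssl bind there"))
    return sorted(findings)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

The second finding is a prompt for review rather than a definite fault, because the redirect target depends on the Host header the client sent.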