Description
Lars Kellogg-Stedman
2020-03-04 17:48:20 UTC
Description of problem:
mod_auth_openidc, used to support openid federation in keystone, constructs a redirect url that it sends to the client. When building this url it uses the hostname and port of the incoming request.
Given that the keystone httpd configuration looks like this:
<VirtualHost a.b.c.d:5000>
...
</VirtualHost>
mod_auth_openidc ends up using port 5000 in the redirect url, which in a typical install will fail because the public keystone endpoint is listening for ssl connections on port 13000.
mod_auth_openidc will use headers provided by the front-end proxy if they are available. Specifically, if haproxy were to set the X-Forwarded-Port header correctly, then mod_auth_openidc would generate the correct URL.
E.g.:
listen keystone_public
bind 129.10.5.100:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 172.16.32.19:5000 transparent
mode http
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Port %[dst_port]
...
Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-8.4.1-16.el7ost.noarch
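The report above describes two things: a backend that builds an externally visible redirect URL from the host and port of the request it actually received (hence port 5000 leaking into the URL), and the fix of having the front-end proxy supply X-Forwarded-Proto and X-Forwarded-Port so the backend can use the public scheme and port instead. The following added example models that reconstruction logic in Python; it is not code from the bug report, from mod_auth_openidc or from haproxy. The hostnames, the proxy address, the `/redirect_uri` path and the request dictionary layout are constructed assumptions. It also shows the check a practitioner would want alongside the haproxy fix: the backend should only honour X-Forwarded-* headers on requests that come from its own trusted proxy, since any other client can send the same headers.

```python
from urllib.parse import urlunsplit

# Added example, not part of the bug report or of mod_auth_openidc.
# It models how a backend behind a TLS-terminating proxy reconstructs the
# externally visible URL: from the incoming request's own scheme/host/port,
# or from X-Forwarded-* headers when the request arrives from a trusted proxy.

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed address the proxy connects from; the real value is deployment
# specific and is an assumption here.
TRUSTED_PROXIES = {"172.16.32.1"}


def external_url(request, trusted_proxies=TRUSTED_PROXIES):
    """Return the URL a client should be redirected to for this request.

    `request` is a plain dict with keys: scheme, host, port, path,
    remote_addr, headers (a dict of header name -> value).
    """
    scheme = request["scheme"]
    host = request["host"]
    port = int(request["port"])
    headers = request.get("headers", {})

    # Only believe X-Forwarded-* if the hop that set them is our own proxy;
    # any other client could spoof them and steer the redirect elsewhere.
    if request.get("remote_addr") in trusted_proxies:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
        port = int(headers.get("X-Forwarded-Port", port))

    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")

    # Omit the port when it is the scheme's default, as browsers would.
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return urlunsplit((scheme, netloc, request["path"], "", ""))


def _backend_request(extra_headers=None, remote_addr="172.16.32.1"):
    """Constructed sample: what the keystone httpd VirtualHost on port 5000
    sees after the proxy forwards a request that arrived on the public
    TLS listener on port 13000."""
    return {
        "scheme": "http",         # proxy terminated TLS; backend hop is plain http
        "host": "overcloud.example.com",
        "port": 5000,
        "path": "/redirect_uri",  # hypothetical OIDC redirect path
        "remote_addr": remote_addr,
        "headers": {"Host": "overcloud.example.com", **(extra_headers or {})},
    }


def without_forwarded_headers():
    # Symptom from the report: the backend listener's port leaks into the URL.
    return external_url(_backend_request())


def with_forwarded_headers():
    # What the haproxy set-header lines in the report provide.
    return external_url(_backend_request({
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Port": "13000",
    }))


def spoofed_from_untrusted_client():
    # Same headers, but sent directly by some other host: they must be ignored.
    return external_url(_backend_request({
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Port": "13000",
    }, remote_addr="203.0.113.7"))


if __name__ == "__main__":
    print("no forwarded headers  :", without_forwarded_headers())
    print("with forwarded headers:", with_forwarded_headers())
    print("spoofed, untrusted    :", spoofed_from_untrusted_client())
```

Running the block prints the broken `http://...:5000/redirect_uri` URL first, then the `https://...:13000/redirect_uri` URL that the X-Forwarded-Proto and X-Forwarded-Port headers produce, and finally shows that the same headers from an address outside the trusted proxy set are ignored. When checking a real deployment, the equivalent test is to confirm that the proxy sets both headers on the public listener and that the backend module is configured to read them only from that proxy.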
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:2718