Description of problem:

When keystone is set up behind an SSL terminator, it returns 'http' as the protocol in the URLs returned by the version list command.

===========================================================

I installed packstack with OSP 6, then installed haproxy and configured haproxy.cfg as follows:

cat /etc/haproxy/haproxy.cfg
(...)
listen keystone_public
  bind 10.10.182.226:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  server overcloud-controller-0 10.10.182.226:5000 check fall 5 inter 2000 rise 2

[root@undercloud ~]# rpm -qa | grep keystone
python-keystonemiddleware-1.3.2-1.el7ost.noarch
openstack-keystone-2014.2.3-2.el7ost.noarch
python-keystoneclient-0.11.1-2.el7ost.noarch
python-keystone-2014.2.3-2.el7ost.noarch

Calling HTTP:

[root@undercloud ~]# curl -k http://10.10.182.226:5000/v3
{"version": {"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://10.10.182.226:5000/v3/", "rel": "self"}]}}[root@undercloud ~]#

Calling HTTPS via haproxy:

[root@undercloud ~]# curl -k https://10.10.182.226:13000/v3
{"version": {"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://10.10.182.226:13000/v3/", "rel": "self"}]}}[root@undercloud ~]#

==> "href": "http://10.10.182.226:13000/v3/",

This is opposed to kilo, where keystone provides the correct protocol information:

[stack@undercloud ~]$ curl https://osp.example.net:13000/v3
{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "https://osp.example.net:13000/v3/", "rel": "self"}]}}

==> "href": "https://osp.example.net:13000/v3/",

The reason that this actually works in the first place in kilo is that haproxy provides the X-Forwarded-Proto: https in the header of the request towards keystone.

===========================================================

This can be resolved by updating the wsgi.py and config.py for the commit:
https://github.com/openstack/keystone/commit/340a692de2661e8bf5a710c325dcf0866c2cbfed

Then add the following to keystone.conf to tell where to get the original protocol from:

# The HTTP header used to determine the scheme for the original request, even
# if it was removed by an SSL terminating proxy. (string value)
secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO

After that - the endpoint was correct in the response.

===========================================================

[1] https://bugs.launchpad.net/keystone/+bug/1370022
[2] https://github.com/openstack/keystone/commit/340a692de2661e8bf5a710c325dcf0866c2cbfed

===========================================================

Since this feature is part of the customer's security hardening, a backport is required for OSP 6 (Juno).
After applying the patch:

======================================================

[root@undercloud site-packages]# diff -rw keystone.backup/ keystone
diff -rw keystone.backup/common/config.py keystone/common/config.py
143c143,149
<                      'maximum length.')],
---
>                      'maximum length.'),
>     cfg.StrOpt('secure_proxy_ssl_header',
>                help='The HTTP header used to determine the scheme for the '
>                     'original request, even if it was removed by an SSL '
>                     'terminating proxy. Typical value is '
>                     '"HTTP_X_FORWARDED_PROTO".'),
>     ],
diff -rw keystone.backup/common/wsgi.py keystone/common/wsgi.py
197a198,207
>         scheme = (None if not CONF.secure_proxy_ssl_header
>                   else req.environ.get(CONF.secure_proxy_ssl_header))
>         if scheme:
>             # NOTE(andrey-mp): "wsgi.url_scheme" contains the protocol used
>             # before the proxy removed it ('https' usually). So if
>             # the webob.Request instance is modified in order to use this
>             # scheme instead of the one defined by API, the call to
>             # webob.Request.relative_url() will return a URL with the correct
>             # scheme.
>             req.environ['wsgi.url_scheme'] = scheme

/etc/keystone/keystone.conf
[DEFAULT]
secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO

==========================================

[root@undercloud site-packages]# curl -k https://10.10.182.226:13000/v3
{"version": {"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "https://10.10.182.226:13000/v3/", "rel": "self"}]}}[root@undercloud site-packages]#
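Review bot: in the wsgi.py hunk the header value is copied into the environment unchecked, `req.environ['wsgi.url_scheme'] = scheme`, so whatever string arrives in the configured header becomes the scheme of every generated link. The haproxy listener rewrites X-Forwarded-Proto only `if { ssl_fc }`, and the backend on 10.10.182.226:5000 is reachable without the proxy (the report curls it directly), so a request that does not pass through haproxy decides the scheme of the returned self link. Suggest accepting only 'http' and 'https' as values, and stating in the config.py help text that the option must only be enabled when the backend port is reachable solely from the terminating proxy.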
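As an added example (not keystone's or the reporter's code), the decision made by the wsgi.py hunk expressed with only the Python standard library, plus a trusted-proxy and value check that goes beyond the patch; the WSGI environ values, the 198.51.100.7 client address and all function names are constructed for the illustration.

```python
# Added example, not keystone code: restoring the client-facing scheme from a
# configurable secure_proxy_ssl_header behind an SSL-terminating proxy.
from wsgiref.util import application_uri


def apply_secure_proxy_ssl_header(environ, header_name="HTTP_X_FORWARDED_PROTO",
                                  trusted_proxies=None):
    """Same decision as the patched keystone wsgi.py: if the option is set and
    the header is present, its value becomes wsgi.url_scheme.

    trusted_proxies is an addition beyond the patch (assumption): when given,
    the header is honoured only if REMOTE_ADDR is one of those proxies, and
    only 'http' / 'https' are accepted, so a caller that reaches the backend
    port directly cannot pick the scheme of the generated links.
    """
    scheme = None if not header_name else environ.get(header_name)
    if trusted_proxies is not None and environ.get("REMOTE_ADDR") not in trusted_proxies:
        scheme = None
    if scheme in ("http", "https"):
        environ["wsgi.url_scheme"] = scheme
    return environ


def make_environ(host, remote_addr, forwarded_proto=None):
    """Constructed WSGI environ for a request the backend sees on plain HTTP,
    as keystone on port 5000 does behind the haproxy listener."""
    name, port = host.split(":")
    environ = {
        "wsgi.url_scheme": "http",   # what the backend socket actually speaks
        "HTTP_HOST": host,           # Host header, passed through by the proxy
        "SERVER_NAME": name,
        "SERVER_PORT": port,
        "SCRIPT_NAME": "",
        "REMOTE_ADDR": remote_addr,
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def version_self_link(environ, **opts):
    """The 'self' href of the /v3 version document, built from the environ the
    way webob.Request.relative_url() does (scheme://host/ + path)."""
    apply_secure_proxy_ssl_header(environ, **opts)
    return application_uri(environ) + "v3/"
```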
This has already been fixed and released via bug#1250711. The fix is in the openstack-keystone-2014.2.3-4.el7ost, which is the currently shipping version in OSP6. Closing this as a duplicate. *** This bug has been marked as a duplicate of bug 1250711 ***