Bug 1401607 - [RFE] Redirect for horizon dashboard from http to https in haproxy
Summary: [RFE] Redirect for horizon dashboard from http to https in haproxy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: James Slagle
QA Contact: Arik Chernetsky
URL:
Whiteboard: NeedsAllocation
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-05 16:32 UTC by Andreas Karis
Modified: 2020-01-17 16:18 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-15 12:53:56 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Andreas Karis 2016-12-05 16:32:30 UTC 
Description of problem:
In OSP 7, haproxy does not redirect from http to https for SSL enabled configurations. I created this RFE in case that this is not yet fixed in more recent versions.

Version-Release number of selected component (if applicable):
OSP 7  (RFE is for more recent versions, >= 10)

Steps to reproduce:
I just deployed a 1 controller + 1 compute lab with SSL and RHEL OSP 7.3. This is the relevant section of haproxy.cfg about horizon:
~~~
[root@overcloud-controller-0 ~]# cat /etc/haproxy/haproxy.cfg | grep horizon -A10
listen horizon
  bind 10.0.0.4:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:80 transparent
  mode http
  cookie SERVERID insert indirect nocache
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0 172.16.2.7:80 check fall 5 inter 2000 rise 2
~~~

How to make this work manually"
~~~
+  bind 10.0.0.4:80 transparent
+  redirect scheme https code 301 if !{ ssl_fc }
~~~

So the final result:
~~~
listen horizon
  bind 10.0.0.4:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:80 transparent
  bind 10.0.0.4:80 transparent
  redirect scheme https code 301 if !{ ssl_fc }
  mode http
  cookie SERVERID insert indirect nocache
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0 172.16.2.7:80 check fall 5 inter 2000 rise 2
~~~
and restart haproxy.

We need to modify tripleo so that it adds this redirect (if the customer wishes to add it)
Comment 6 Raoul Scarazzini 2018-03-15 10:23:29 UTC 
If you deploy today an osp10 environment with ssl you get this config:

listen horizon
  bind 172.16.2.11:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.11:80 transparent
  bind 172.16.99.5:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.99.5:80 transparent
  mode http
  cookie SERVERID insert indirect nocache
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  option forwardfor
  redirect scheme https code 301 if !{ ssl_fc }
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0.internalapi.localdomain 172.16.2.16:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-1.internalapi.localdomain 172.16.2.5:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-2.internalapi.localdomain 172.16.2.14:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2

So the redirect is present and working.
Note You need to log in before you can comment on or make changes to this bug.