Description of problem:
Add

~~~
mode http
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
~~~

for all services that require it or may possibly require it. Several backports have already been requested for glance, neutron, cinder to address this at the service level.

Additional info:

~~~
[root@overcloud-controller-0 common]# grep 'mode http' /etc/haproxy/haproxy.cfg -C3
listen cinder
  bind 10.0.0.4:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:8776 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.6:8776 check fall 5 inter 2000 rise 2
--
listen glance_api
  bind 10.0.0.4:13292 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.18.0.10:9292 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.18.0.11:9292 check fall 5 inter 2000 rise 2
--
listen haproxy.stats
  bind 192.0.2.11:1993 transparent
  mode http
  stats enable
  stats uri /
  stats auth admin:49a3xnNsuzfpWUKgX6Kqyb47x
--
listen heat_api
  bind 10.0.0.4:13004 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:8004 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  rsprep ^Location:\ http://10.0.0.4(.*) Location:\ https://10.0.0.4\1
--
  bind 10.0.0.4:80 transparent
  bind 172.16.2.4:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:80 transparent
  mode http
  cookie SERVERID insert indirect nocache
  redirect scheme https code 301 if { hdr(host) -i 10.0.0.4 } !{ ssl_fc }
  rsprep ^Location:\ http://(.*) Location:\ https://\1
--
listen keystone_admin
  bind 10.0.0.4:13357 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.0.2.11:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 192.0.2.12:35357 check fall 5 inter 2000 rise 2
--
listen keystone_public
  bind 10.0.0.4:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:5000 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.6:5000 check fall 5 inter 2000 rise 2
--
listen neutron
  bind 10.0.0.4:13696 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:9696 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.6:9696 check fall 5 inter 2000 rise 2
--
listen nova_osapi
  bind 10.0.0.4:13774 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:8774 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.6:8774 check fall 5 inter 2000 rise 2
~~~
Related backport requests are:
https://bugzilla.redhat.com/show_bug.cgi?id=1451402
https://bugzilla.redhat.com/show_bug.cgi?id=1451496
https://bugzilla.redhat.com/show_bug.cgi?id=1451497
https://access.redhat.com/solutions/3034681
@Andreas: Do you have a list of which services you want these options added for?
I think the only 2 which don't have it yet but need it are:

* glance works after package upgrade and adding this to glance_api in haproxy.cfg and after changing the glance-api configuration:
~~~
mode http
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
~~~
* neutron - adding this to /etc/haproxy/haproxy.cfg
~~~
mode http
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
~~~
@Andreas: fwiw, other than glance-api and neutron, other services behind HAProxy which don't appear to have that header config are:

* manila
* glance_registry
* nova_ec2
* nova_metadata
* nova_novncproxy
* ceilometer
* swift_proxy_server
* heat_cloudwatch
* heat_cfn
* ironic

Some of these seem very unlikely to be necessary, but I thought I'd mention it. I've got a patch that adds the header for glance-api and neutron, just run into some gerrit oddness, but once I'm past that it will be up for review (downstream).
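A listing like the one in the comment above can be produced mechanically. The following is an added example, not part of the original comment or of any Red Hat tooling: it parses haproxy.cfg text and reports every `listen`/`frontend` section that terminates TLS but lacks `mode http` or either of the two `X-Forwarded-Proto` rules, which matters because without `set-header` a client-supplied value of that header reaches the service unchanged. The names `audit`, `SAMPLE_CFG`, `SECTIONS`, `RULE` and `WANTED` are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample in the style of the haproxy.cfg excerpts in this report.
SAMPLE_CFG = """\
defaults
  mode tcp
listen cinder
  bind 10.0.0.4:13776 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
listen neutron
  bind 10.0.0.4:13696 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
listen glance_api
  bind 10.0.0.4:13292 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
listen mysql
  bind 172.16.2.4:3306 transparent
"""
SECTIONS = ("global", "defaults", "listen", "frontend", "backend")
RULE = re.compile(r"set-header\s+X-Forwarded-Proto\s+(https?)\s+if\s+(!?)\s*\{\s*ssl_fc\s*\}", re.I)
WANTED = {("https", False): "no 'https if { ssl_fc }' rule",
          ("http", True): "no 'http if !{ ssl_fc }' rule"}

def audit(cfg_text):
    """Map each TLS-terminating listen/frontend section to what it is missing."""
    proxies, cur, default_mode = {}, None, "tcp"    # HAProxy's built-in mode is tcp
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()        # drop comments, tokenize
        key, args = (words[0], words[1:]) if words else ("", [])
        if key in SECTIONS:
            default_mode = "tcp" if key == "defaults" else default_mode
            cur = {"kind": key, "ssl": False, "mode": default_mode, "rules": set()}
            if key in ("listen", "frontend") and args:
                proxies[args[0]] = cur
        elif cur and key == "mode" and args:
            cur["mode"] = args[0]
            if cur["kind"] == "defaults":
                default_mode = args[0]
        elif cur and key == "bind":
            cur["ssl"] |= "ssl" in args[1:]         # 'ssl' keyword after the address
        elif cur and key == "http-request":
            cur["rules"].update((m[1].lower(), m[2] == "!") for m in RULE.finditer(" ".join(args)))

    def issues(p):
        found = [] if p["mode"] == "http" else ["not in mode http"]
        return found + [msg for rule, msg in WANTED.items() if rule not in p["rules"]]
    return {n: issues(p) for n, p in proxies.items() if p["ssl"] and issues(p)}
```

On a controller, `audit(open("/etc/haproxy/haproxy.cfg").read())` returns an empty dict once every TLS-terminating section carries both rules.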
I have no problem with this as long as it is tested. This is only modifying the HTTP request headers. It would be informative to know how the deployment fails without this change, though. Pardon if I missed this explanation.
It's all detailed here: https://access.redhat.com/solutions/3034681

Chris, for this BZ, I only need the services that are listed in the above article, namely: keystone, nova-api, glance-api, neutron, heat, cinder-api; the only 2 that are missing AFAIK are glance-api and neutron
*** Bug 1461358 has been marked as a duplicate of this bug. ***
@Andreas: I don't think I can give permission for that. FWIW, my understanding of the situation is that the customer isn't in need of a hotfix. Please don't take that as ultimate truth though!
Verified on: openstack-puppet-modules-7.1.5-5.el7ost.noarch

~~~
listen glance_api
  bind 10.0.0.5:13292 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.1.4:9292 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.1.5:9292 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 172.16.1.8:9292 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 172.16.1.7:9292 check fall 5 inter 2000 rise 2
---
listen neutron
  bind 10.0.0.5:13696 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.5:9696 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.6:9696 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 172.16.2.8:9696 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 172.16.2.9:9696 check fall 5 inter 2000 rise 2
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1744
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days