Bug 1451496
| Field | Value |
|---|---|
| Summary: | backport request neutron: Add http_proxy_to_wsgi to api-paste |
| Product: | Red Hat OpenStack |
| Reporter: | Andreas Karis <akaris> |
| Component: | openstack-neutron |
| Assignee: | Bernard Cafarelli <bcafarel> |
| Status: | CLOSED ERRATA |
| QA Contact: | Alexander Stafeyev <astafeye> |
| Severity: | high |
| Docs Contact: | |
| Priority: | high |
| Version: | 8.0 (Liberty) |
| CC: | akaris, amuller, bcafarel, ccollett, chrisw, cpaquin, dcadzow, jjoyce, nyechiel, oblaut, srevivo, tfreger |
| Target Milestone: | zstream |
| Keywords: | FeatureBackport, Triaged, ZStream |
| Target Release: | 8.0 (Liberty) |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | openstack-neutron-7.2.0-11.el7ost |
| Doc Type: | Enhancement |
| Story Points: | --- |
| Clone Of: | |
| : | 1451508 (view as bug list) |
| Environment: | |
| Last Closed: | 2017-07-12 13:17:34 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |

Doc Text:

This enhancement adds http_proxy_to_wsgi to api-paste. As a result, the HTTPProxyToWSGI middleware is placed in front of the Neutron API. The purpose of this middleware is to set up the request URL correctly when there is a proxy (for example, a load balancer such as HAProxy) in front of neutron.

For example, when TLS connections are terminated in the proxy and you request the versions from the `/` neutron resource, the protocol in the returned links is wrong and reports as 'http' instead of 'https'. The HTTPProxyToWSGI middleware handles such cases and helps keystone discovery work correctly. HTTPProxyToWSGI is off by default and needs to be enabled with a configuration value.
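The Doc Text above describes what HTTPProxyToWSGI does but not what the difference looks like on the wire. The following is an added example, not neutron's or oslo.middleware's own code: a minimal `/` versions handler that builds its links from the request URL, plus a simplified stand-in for the middleware that is switched on or off the way `enable_proxy_headers_parsing` switches on the real one. The `ProxyHeadersToWSGI` class, the `version_href` helper and the WSGI environ are constructed for this example; host names and ports are the ones from the workaround in this bug.

```python
import json
from wsgiref.util import application_uri


class ProxyHeadersToWSGI:
    """Constructed stand-in for oslo.middleware's HTTPProxyToWSGI (not its code).

    When enabled, copy the scheme the proxy put in X-Forwarded-Proto into
    wsgi.url_scheme, so downstream code builds URLs with the client's scheme.
    """

    def __init__(self, app, enabled):
        self.app = app
        self.enabled = enabled  # plays the role of [oslo_middleware] enable_proxy_headers_parsing

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO")
        # Honour the header only when parsing is switched on and the value is sane.
        # The haproxy rules in the description set it on both branches (https if
        # ssl_fc, http otherwise), so a client-supplied value never reaches the backend.
        if self.enabled and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def versions_app(environ, start_response):
    """Minimal '/' handler: like the neutron versions resource, links come from the request URL."""
    base = application_uri(environ).rstrip("/")
    body = {"versions": [{"status": "CURRENT", "id": "v2.0",
                          "links": [{"href": base + "/v2.0", "rel": "self"}]}]}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]


def version_href(enabled, forwarded_proto="https"):
    """One request through HAProxy (TLS on :13696) to neutron-server (plain HTTP on :9696)."""
    environ = {  # constructed WSGI environ; values are those of the workaround in this bug
        "REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": "/",
        "wsgi.url_scheme": "http",  # the backend itself only ever sees plain HTTP
        "SERVER_NAME": "overcloud-controller-0", "SERVER_PORT": "9696",
        "HTTP_HOST": "osp.example.net:13696",  # Host header forwarded by the proxy
        "HTTP_X_FORWARDED_PROTO": forwarded_proto,
    }
    app = ProxyHeadersToWSGI(versions_app, enabled)
    chunks = app(environ, lambda status, headers: None)
    return json.loads(b"".join(chunks))["versions"][0]["links"][0]["href"]
```

With the middleware off the self link is `http://osp.example.net:13696/v2.0` (the symptom in this bug); with it on, the same request yields `https://osp.example.net:13696/v2.0`, and an unexpected header value is ignored.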
Description
Andreas Karis
2017-05-16 19:22:24 UTC
Here is a manual workaround that I used: https://review.openstack.org/#/c/384294/5/etc/api-paste.ini

So we can fix this about the same way as cinder - slightly more complex:

First, fix haproxy:
~~~
listen neutron
  bind 10.0.0.4:13696 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:9696 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.6:9696 check fall 5 inter 2000 rise 2
~~~
Important are:
~~~
mode http
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
~~~
Change neutron api-paste.ini configuration:
~~~
[root@overcloud-controller-0 neutron]# crudini --set /etc/neutron/neutron.conf DEFAULT api_paste_config /etc/neutron/api-paste.https.ini
[root@overcloud-controller-0 neutron]# crudini --get /etc/neutron/neutron.conf DEFAULT api_paste_config
/etc/neutron/api-paste.https.ini
~~~
Create new /etc/neutron/api-paste.https.ini file:
~~~
[root@overcloud-controller-0 neutron]# cat /etc/neutron/api-paste.https.ini
[composite:neutron]
use = egg:Paste#urlmap
/: neutronversions_composite
/v2.0: neutronapi_v2_0

[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
keystone = http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0

[composite:neutronversions_composite]
use = call:neutron.auth:pipeline_factory
noauth = http_proxy_to_wsgi neutronversions
keystone = http_proxy_to_wsgi neutronversions

[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory

[filter:catch_errors]
paste.filter_factory = oslo_middleware:CatchErrors.factory

[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory

[filter:keystonecontext]
paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:extensions]
paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_factory

[app:neutronversions]
paste.app_factory = neutron.api.versions:Versions.factory

[app:neutronapiapp_v2_0]
paste.app_factory = neutron.api.v2.router:APIRouter.factory
~~~
Restart all neutron services:
~~~
systemctl list-units | grep neutron | awk '{print $1}' | xargs -I {} systemctl restart {}
~~~
Verify:
~~~
[stack@undercloud-2 ~]$ curl https://osp.example.net:13696/
{"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "https://osp.example.net:13696/v2.0", "rel": "self"}]}]}[stack@undercloud-2 ~]$
~~~

Hi,
I don't get this to work with this patch - I tried:
[root@overcloud-controller-0 neutron]# crudini --set /etc/neutron/neutron.conf oslo_middleware enable_proxy_headers_parsing true
[root@overcloud-controller-0 neutron]# systemctl restart neutron-server
Or how am I supposed to enable this?
What indeed does work, with or without the above, is:
[root@overcloud-controller-0 neutron]# diff /usr/share/neutron/api-paste.ini{.bak,}
3c3
< /: neutronversions
---
> /: neutronversions_composite
4a5,9
>
> [composite:neutronversions_composite]
> use = call:neutron.auth:pipeline_factory
> noauth = http_proxy_to_wsgi neutronversions
> keystone = http_proxy_to_wsgi neutronversions
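Review bot: the added `[composite:neutronversions_composite]` section references a `http_proxy_to_wsgi` filter, but this diff adds no `[filter:http_proxy_to_wsgi]` definition, so the root pipeline only resolves if the shipped api-paste.ini already carries `paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory` (as the full api-paste.https.ini in the description does); it would help to state that prerequisite next to the diff, since an undefined filter name stops the pipeline from loading. Also worth noting that both the `noauth` and `keystone` lines are identical here, which is deliberate: the `/` versions resource is unauthenticated either way and only needs the proxy-header rewrite.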
[root@overcloud-controller-0 neutron]# systemctl restart neutron-server
[stack@undercloud-2 ~]$ curl https://osp.example.net:13696/
{"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "https://osp.example.net:13696/v2.0", "rel": "self"}]}]}[stack@undercloud-2 ~]$
Thanks,
Andreas
Indeed this is enabled by setting enable_proxy_headers_parsing to True in /etc/neutron/neutron.ini, section [oslo_middleware]

And with this backport, this is not enabled on /, the root resource did not have its own middleware pipeline until Newton. It should work on /v2.0 URL, can you confirm?

If I read correctly, for Horizon you need it also for the root resource? Then we have to backport https://review.openstack.org/#/c/367529/ in addition (to add the pipeline)

Resetting bug status until confirmation here (and potential second backport)

Hi,

This is actually not for horizon. This is for a 3rd party vendor tool that curls / and then determines the URL. Meaning that this unfortunately will have to work on / as well.

And yes, this is the modification that I needed to make manually to api-paste.ini to get it to work: https://review.openstack.org/#/c/367529/2/etc/api-paste.ini

Can we backport this as well?

- Andreas

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1742