Description of problem:

Backport https://review.openstack.org/#/c/384294/5

Add http_proxy_to_wsgi to api-paste

This sets up the HTTPProxyToWSGI middleware in front of Neutron-API. The purpose of this middleware is to set up the request URL correctly in case there is a proxy (For instance, a loadbalancer such as HAProxy) in front of Neutron.

So, for instance, when TLS connections are being terminated in the proxy, and one tries to get the versions from the / resource of Neutron, one will notice that the protocol is incorrect; It will show 'http' instead of 'https'. So this middleware handles such cases. Thus helping Keystone discovery work correctly.

The HTTPProxyToWSGI is off by default and needs to be enabled via a configuration value.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Here is a manual workaround that I used: https://review.openstack.org/#/c/384294/5/etc/api-paste.ini

So we can fix this about the same way as cinder - slightly more complex:

First, fix haproxy
~~~
listen neutron
  bind 10.0.0.4:13696 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.2.4:9696 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server overcloud-controller-0 172.16.2.6:9696 check fall 5 inter 2000 rise 2
~~~

Important are:
~~~
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
~~~

Change neutron api-paste.ini configuration:
~~~
[root@overcloud-controller-0 neutron]# crudini --set /etc/neutron/neutron.conf DEFAULT api_paste_config /etc/neutron/api-paste.https.ini
[root@overcloud-controller-0 neutron]# crudini --get /etc/neutron/neutron.conf DEFAULT api_paste_config
/etc/neutron/api-paste.https.ini
~~~

Create new /etc/neutron/api-paste.https.ini file:
~~~
[root@overcloud-controller-0 neutron]# cat /etc/neutron/api-paste.https.ini
[composite:neutron]
use = egg:Paste#urlmap
/: neutronversions_composite
/v2.0: neutronapi_v2_0

[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
keystone = http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0

[composite:neutronversions_composite]
use = call:neutron.auth:pipeline_factory
noauth = http_proxy_to_wsgi neutronversions
keystone = http_proxy_to_wsgi neutronversions

[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory

[filter:catch_errors]
paste.filter_factory = oslo_middleware:CatchErrors.factory

[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory

[filter:keystonecontext]
paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:extensions]
paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_factory

[app:neutronversions]
paste.app_factory = neutron.api.versions:Versions.factory

[app:neutronapiapp_v2_0]
paste.app_factory = neutron.api.v2.router:APIRouter.factory
~~~

Restart all neutron services:
~~~
systemctl list-units | grep neutron | awk '{print $1}' | xargs -I {} systemctl restart {}
~~~

Verify:
~~~
[stack@undercloud-2 ~]$ curl https://osp.example.net:13696/
{"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "https://osp.example.net:13696/v2.0", "rel": "self"}]}]}[stack@undercloud-2 ~]$
~~~
https://access.redhat.com/solutions/3034681
Hi, I don't get this to work with this patch - I tried: [root@overcloud-controller-0 neutron]# crudini --set /etc/neutron/neutron.conf oslo_middleware enable_proxy_headers_parsing true [root@overcloud-controller-0 neutron]# systemctl restart neutron-server Or how am I supposed to enable this? What indeed does work, with or without the above, is: [root@overcloud-controller-0 neutron]# diff /usr/share/neutron/api-paste.ini{.bak,} 3c3 < /: neutronversions --- > /: neutronversions_composite 4a5,9 > > [composite:neutronversions_composite] > use = call:neutron.auth:pipeline_factory > noauth = http_proxy_to_wsgi neutronversions > keystone = http_proxy_to_wsgi neutronversions [root@overcloud-controller-0 neutron]# systemctl restart neutron-server [stack@undercloud-2 ~]$ curl https://osp.example.net:13696/ {"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "https://osp.example.net:13696/v2.0", "rel": "self"}]}]}[stack@undercloud-2 ~]$ Thanks, Andreas
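Review bot: in the 4a5,9 hunk both pipelines of the new [composite:neutronversions_composite] section name http_proxy_to_wsgi, but the diff adds no [filter:http_proxy_to_wsgi] section, so the file loads only if that filter is already defined elsewhere in it; confirm it is present before restarting neutron-server. The change is also made in place in /usr/share/neutron/api-paste.ini, which a package update can replace; keeping the modified copy under /etc/neutron and pointing api_paste_config at it would preserve the edit.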
Indeed, this is enabled by setting enable_proxy_headers_parsing to True in /etc/neutron/neutron.ini, section [oslo_middleware]. And with this backport, this is not enabled on /; the root resource did not have its own middleware pipeline until Newton. It should work on the /v2.0 URL, can you confirm? If I read correctly, for Horizon you need it also for the root resource? Then we have to backport https://review.openstack.org/#/c/367529/ in addition (to add the pipeline).
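Added example, not from the thread and not oslo.middleware or Neutron code: a simplified Python model of why the first backport corrects links under /v2.0 but not on /, which had no middleware pipeline of its own. `link_app`, `ProxyProto`, `urlmap` and `get` are hypothetical names, and only X-Forwarded-Proto handling is modelled.

```python
# Simplified model (constructed for illustration); not oslo.middleware or Neutron code.

def link_app(environ, start_response):
    """Stand-in for an API app that builds its 'self' link from the request URL."""
    href = "%s://%s%s" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"],
                          environ.get("PATH_INFO", "/"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [href.encode()]

class ProxyProto:
    """Models only the X-Forwarded-Proto handling; does nothing unless enabled."""

    def __init__(self, app, enable_proxy_headers_parsing=False):
        self.app = app
        self.enabled = enable_proxy_headers_parsing

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO")
        if self.enabled and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)

def urlmap(routes):
    """Longest-prefix dispatch, standing in for the [composite:neutron] urlmap."""
    def dispatch(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        prefix = max((p for p in routes if path.startswith(p)), key=len)
        return routes[prefix](environ, start_response)
    return dispatch

def get(app, path):
    """Request as the backend sees it after TLS was terminated at the proxy."""
    environ = {"wsgi.url_scheme": "http", "HTTP_HOST": "osp.example.net:13696",
               "PATH_INFO": path, "HTTP_X_FORWARDED_PROTO": "https"}
    return b"".join(app(environ, lambda status, headers: None)).decode()

def demo():
    on = lambda app: ProxyProto(app, enable_proxy_headers_parsing=True)
    first_backport = urlmap({"/": link_app, "/v2.0": on(link_app)})
    both_backports = urlmap({"/": on(link_app), "/v2.0": on(link_app)})
    option_off = urlmap({"/": ProxyProto(link_app), "/v2.0": ProxyProto(link_app)})
    return {name: (get(app, "/"), get(app, "/v2.0"))
            for name, app in [("first", first_backport), ("both", both_backports),
                              ("off", option_off)]}

if __name__ == "__main__":
    for name, hrefs in demo().items():
        print(name, hrefs)
```

The middleware takes the header at face value, so the proxy has to be the only party that sets it; the HAProxy workaround earlier in the thread does this with `http-request set-header`, which replaces any X-Forwarded-Proto value sent by the client.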
Resetting bug status until confirmation here (and potential second backport)
Hi, This is actually not for horizon. This is for a 3rd party vendor tool that curls / and then determines the URL. Meaning that this unfortunately will have to work on / as well. And yes, this is the modification that I needed to make manually to api-paste.ini to get it to work: https://review.openstack.org/#/c/367529/2/etc/api-paste.ini Can we backport this as well? - Andreas
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1742