1472306 – Horizon overcloud deploy with external load balancer missing 'HTTP_X_FORWARDED_PROTO' configuration.

Bug 1472306 - Horizon overcloud deploy with external load balancer missing 'HTTP_X_FORWARDED_PROTO' configuration.

Summary: Horizon overcloud deploy with external load balancer missing 'HTTP_X_FORWARDE...

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-horizon
Sub Component:
Version:	10.0 (Newton)
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	---
Target Release:	12.0 (Pike)
Assignee:	Radomir Dopieralski
QA Contact:	nlevinki
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1472887
TreeView+	depends on / blocked

Reported:	2017-07-18 12:27 UTC by Benjamin Schmaus
Modified:	2020-12-14 09:08 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1472887 (view as bug list)
Environment:
Last Closed:	2017-07-26 14:57:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Benjamin Schmaus 2017-07-18 12:27:59 UTC

Description of problem:

When we deploy an overcloud using an external load balancer and terminate SSL on the load balancer, the '/etc/openstack-dashboard/local_settings' configuration file does not have the following  line uncommented:

---
# Set SSL proxy settings:
# Pass this header from the proxy after terminating the SSL,
# and don't forget to strip it from the client's request.
# For more information see:
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
---

This causes a reply with HTTP URLs instead of HTTPS URLs.


Version-Release number of selected component (if applicable):
OSP10

How reproducible:
100%

Steps to Reproduce:
1.Deploy with external load balancer and access URLS in horizon.
2.
3.

Actual results:
http

Expected results:
https

Additional info:

Comment 2 Radomir Dopieralski 2017-07-20 14:55:18 UTC

That configuration line has been removed intentionally, because it prevents the non-https configurations from working.

Comment 3 Benjamin Schmaus 2017-07-20 15:00:55 UTC

So it is by design then?  How does customer achieve the https termination when using a external load balancer then?

Comment 4 Radomir Dopieralski 2017-07-20 19:39:54 UTC

I don't think anybody actually "designed" this. I think this is just an example of a conflict of interest, where to fix one bug we introduced a regression in other place, and to fix that we regressed the original bug in turn.

What is needed is a step back and actual design to make that option be enabled only when it is actually required. I'm not sure yet if this is easily possible right now, but I will find out.

Comment 5 Radomir Dopieralski 2017-07-21 11:50:00 UTC

I'm sorry, I started looking into this issue, and I realized that I confused it with a different issue, namely the SESSION_COOKIE_SECURE setting.

Nevertheless, I'm looking into the puppet-horizon and tripleo-heat-templates files and I can see that the enable_secure_proxy_ssl_header setting that controls this is enabled by default.

Can you tell me how was this instance installed? Did you use tripleo/director, or packstack or something else?

Comment 6 Benjamin Schmaus 2017-07-21 12:12:17 UTC

The customer is using Director for the deployment here.

Comment 7 Radomir Dopieralski 2017-07-26 14:57:59 UTC

I can't reproduce this problem with OSP12, it seems that it has been fixed in OSP11 judging by this line: https://github.com/openstack/puppet-horizon/blob/stable/ocata/spec/classes/horizon_init_spec.rb#L131

Note You need to log in before you can comment on or make changes to this bug.