Description of problem:

mod_auth_openidc, used to support OpenID federation in keystone, constructs a redirect URL that it sends to the client. When building this URL it uses the hostname and port of the incoming request. Given that the keystone httpd configuration looks like this:

    <VirtualHost a.b.c.d:5000>
    ...
    </VirtualHost>

mod_auth_openidc ends up using port 5000 in the redirect URL, which in a typical install will fail because the public keystone endpoint is listening for SSL connections on port 13000.

mod_auth_openidc will use headers provided by the front-end proxy if they are available. Specifically, if haproxy were to set the X-Forwarded-Port header correctly, then mod_auth_openidc would generate the correct URL. E.g.:

    listen keystone_public
      bind 129.10.5.100:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
      bind 172.16.32.19:5000 transparent
      mode http
      http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      http-request set-header X-Forwarded-Port %[dst_port]
      ...

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-8.4.1-16.el7ost.noarch
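The following is an added illustration of the URL derivation the bug report describes; it is not code from the bug report, from mod_auth_openidc or from haproxy. It shows how a backend behind a TLS-terminating proxy should build its external redirect URL from X-Forwarded-Proto and X-Forwarded-Port, why the URL comes out as port 5000 when the port header is missing, and why the headers must only be honoured from a trusted proxy address. The proxy network 172.16.32.0/24, the hostname overcloud.example.com, the path /redirect_uri and the dict-shaped request are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: the network the front-end proxies (haproxy in the
# bug report) connect from. Only peers in these ranges may set X-Forwarded-*.
TRUSTED_PROXIES = [ip_network("172.16.32.0/24")]

DEFAULT_PORTS = {"http": 80, "https": 443}


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _valid_port(value):
    """Accept only a decimal TCP port in 1..65535; anything else yields None."""
    if value is None or not value.isdigit():
        return None
    port = int(value)
    return port if 1 <= port <= 65535 else None


def external_base_url(request, trusted_proxies=TRUSTED_PROXIES):
    """Return scheme://host[:port] as the client outside the proxy sees it.

    `request` is a constructed dict holding what the backend observes on the
    incoming connection: peer_ip, scheme, host, port and headers.
    X-Forwarded-Proto and X-Forwarded-Port override the observed scheme and
    port only when the immediate peer is a trusted proxy; headers arriving
    from any other peer are ignored so a client cannot steer the redirect.
    """
    scheme = request["scheme"]
    host = request["host"]
    port = request["port"]
    headers = request.get("headers", {})

    peer = ip_address(request["peer_ip"])
    if any(peer in net for net in trusted_proxies):
        proto = _header(headers, "X-Forwarded-Proto")
        if proto in DEFAULT_PORTS:  # accept exactly "http" or "https"
            scheme = proto
        fwd_port = _valid_port(_header(headers, "X-Forwarded-Port"))
        if fwd_port is not None:
            port = fwd_port

    # Omit the port when it is the default for the scheme.
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def redirect_url(request, path="/redirect_uri", trusted_proxies=TRUSTED_PROXIES):
    """Absolute redirect URL for `path`, built from the externally visible base."""
    return external_base_url(request, trusted_proxies) + path


def bug_report_scenarios():
    """Constructed requests mirroring the report: keystone listens on port 5000
    behind haproxy, which terminates TLS on port 13000."""
    base = {"peer_ip": "172.16.32.19", "scheme": "http",
            "host": "overcloud.example.com", "port": 5000}
    without_port_header = dict(base, headers={"X-Forwarded-Proto": "https"})
    with_port_header = dict(base, headers={"X-Forwarded-Proto": "https",
                                           "X-Forwarded-Port": "13000"})
    spoofed = dict(base, peer_ip="10.0.0.7",
                   headers={"X-Forwarded-Proto": "https",
                            "X-Forwarded-Port": "13000"})
    return {
        # Proxy sets only X-Forwarded-Proto: the backend's own port leaks through.
        "missing_port_header": redirect_url(without_port_header),
        # Proxy also sets X-Forwarded-Port %[dst_port]: the public port is used.
        "port_header_set": redirect_url(with_port_header),
        # Same headers from an untrusted peer are ignored entirely.
        "untrusted_peer": redirect_url(spoofed),
    }


if __name__ == "__main__":
    for name, url in bug_report_scenarios().items():
        print(f"{name:20s} {url}")
```

The first scenario reproduces the reported symptom (https with port 5000); the second is what the haproxy `set-header X-Forwarded-Port %[dst_port]` line fixes. The peer check matters because the same headers sent directly by a client would otherwise change where the backend redirects the browser.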
Hi Lars, just to be on the same page - you're asking for a backport of https://review.opendev.org/#/c/576867/ to queens/osp13, right?

Cheers,
Luca
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2718