- status: draft
- date: 2015-10-01
- modified: 2015-10-01
- category: openstack
- authors: Mathieu Gagné
This information was valid at the time this article was written.
This blog post is a follow-up on my email to the openstack-dev list.
As an operator, you might have proxies performing TLS termination in front of your OpenStack API services. This means the API services won't have to perform TLS termination themselves, freeing up resources on the nodes running them.
This, however, has a side effect: the API service only ever sees plain HTTP requests, so the links it returns and the redirections it performs use the wrong scheme (http instead of https), because it doesn't know that TLS is terminated upstream by the proxy.
There are several ways to configure your API service to use the right scheme. Unfortunately, each OpenStack project implemented its own way of fixing it.
Cinder allows you to override the request's host_url found in the incoming request and used for the versions endpoint.
It also allows you to override the application URL used to generate resource links returned by the API:
```ini
[DEFAULT]
# Public url to use for versions endpoint. The default is
# None, which will use the request's host_url attribute to
# populate the URL base. If Cinder is operating behind a
# proxy, you will want to change this to represent the proxy's
# URL.
public_endpoint = https://example.com:8776
# Base URL that will be presented to users in links to the
# OpenStack Volume API
osapi_volume_base_URL = https://example.com:8776
```
Designate allows you to configure an HTTP header which will be used to override the scheme found in the incoming request:
```ini
[service:api]
secure_proxy_ssl_header = X-Forwarded-Proto
```
Glance allows you to override the request's host_url found in the incoming request and used for the versions endpoint:
```ini
[DEFAULT]
# Public url to use for versions endpoint. The default is None,
# which will use the request's host_url attribute to populate the URL base.
# If Glance is operating behind a proxy, you will want to change this to
# represent the proxy's URL.
public_endpoint = https://example.com:9292
```
Heat allows you to configure an HTTP header which will be used to override the scheme found in the incoming request:
```ini
[DEFAULT]
# The HTTP Header that will be used to determine which
# the original request protocol scheme was, even if it was
# removed by an SSL terminator proxy.
secure_proxy_ssl_header = X-Forwarded-Proto
```
Ironic allows you to override the request's host_url found in the incoming request and used to generate resource links returned by the API:
```ini
[api]
# Public URL to use when building the links to the API
# resources (for example, "https://ironic.rocks:6384"). If
# None the links will be built using the request's host URL.
# If the API is operating behind a proxy, you will want to
# change this to represent the proxy's URL.
public_endpoint = https://example.com:6385
```
Keystone allows you to configure an HTTP header which will be used to override the scheme found in the incoming request.
It also allows you to override the application URL used to generate resource links returned by the API:
```ini
[DEFAULT]
# The base public endpoint URL for Keystone that is advertised to clients
# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
# to the base host URL of the request. E.g. a request to
# http://server:5000/v3/users will default to http://server:5000. You should
# only need to set this value if the base URL contains a path (e.g. /prefix/v3)
# or the endpoint should be found on a different server.
public_endpoint = https://example.com:5000
# The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
# this does NOT affect how Keystone listens for connections). Defaults to the
# base host URL of the request. E.g. a request to http://server:35357/v3/users
# will default to http://server:35357. You should only need to set this value
# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
# found on a different server.
admin_endpoint = https://example.com:35357
# The HTTP header used to determine the scheme for the original request, even
# if it was removed by an SSL terminating proxy. Typical value is
# "HTTP_X_FORWARDED_PROTO".
secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
```
Manila allows you to configure an HTTP header which will be used to override the scheme found in the incoming request:
```ini
[oslo_middleware]
# The HTTP Header that will be used to determine what
# the original request protocol scheme was, even if it was
# hidden by an SSL termination proxy.
secure_proxy_ssl_header = X-Forwarded-Proto
```
Nova allows you to configure an HTTP header which will be used to override the scheme found in the incoming request.
It also allows you to override the application URL used to generate resource links:
```ini
[DEFAULT]
# The HTTP header used to determine the scheme for the
# original request, even if it was removed by an SSL
# terminating proxy. Typical value is
# "HTTP_X_FORWARDED_PROTO".
secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
# Base URL that will be presented to users in links to the
# OpenStack Compute API
osapi_compute_link_prefix = https://example.com:8774
```
Searchlight allows you to override the request's host_url found in the incoming request and used for the versions endpoint:
```ini
[DEFAULT]
# Public url to use for versions endpoint. The default
# is None, which will use the request's host_url
# attribute to populate the URL base. If Searchlight is
# operating behind a proxy, you will want to change
# this to represent the proxy's URL.
public_endpoint = https://example.com:9393
```
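As an added example (not code from the original post or from any OpenStack project), the following Python models the two override mechanisms the projects above expose: a scheme taken from a proxy-set header, accepting both the header-name spelling (Designate, Heat, Manila) and the WSGI environ-key spelling (Keystone, Nova), and a configured public endpoint that replaces the base URL outright. The function names and the sample WSGI environ are assumptions constructed for illustration.

```python
# Added example, not code from the original post: a minimal model of how an
# API service derives the base URL it puts in links and redirects, and how
# the two kinds of override listed above change the result. Function names
# and the sample WSGI environ are constructed for illustration.


def header_to_environ_key(name):
    """Normalise a configured header name to its WSGI environ key.

    Keystone and Nova expect the environ form "HTTP_X_FORWARDED_PROTO";
    Designate, Heat and Manila expect the header form "X-Forwarded-Proto".
    """
    if name.startswith("HTTP_"):
        return name
    return "HTTP_" + name.upper().replace("-", "_")


def request_base_url(environ, secure_proxy_ssl_header=None, public_endpoint=None):
    """Return the base URL the service would use when building links.

    public_endpoint wins outright; otherwise the scheme comes from the
    proxy header when one is configured, and the host from the request.
    """
    if public_endpoint:
        return public_endpoint.rstrip("/")
    scheme = environ.get("wsgi.url_scheme", "http")
    if secure_proxy_ssl_header:
        key = header_to_environ_key(secure_proxy_ssl_header)
        # The TLS-terminating proxy must always set (overwrite) this header
        # so its value reflects the proxy's view, not whatever the client sent.
        forwarded = environ.get(key)
        if forwarded:
            scheme = forwarded.split(",")[0].strip().lower()
    host = environ.get("HTTP_HOST") or f"{environ['SERVER_NAME']}:{environ['SERVER_PORT']}"
    return f"{scheme}://{host}"


# Constructed sample: the proxy terminated TLS and forwarded plain HTTP to
# nova-api on port 8774, recording the original scheme in X-Forwarded-Proto.
SAMPLE_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "example.com:8774",
    "SERVER_NAME": "10.0.0.5",
    "SERVER_PORT": "8774",
    "HTTP_X_FORWARDED_PROTO": "https",
}

if __name__ == "__main__":
    print(request_base_url(SAMPLE_ENVIRON))                       # http://example.com:8774
    print(request_base_url(SAMPLE_ENVIRON, "X-Forwarded-Proto"))  # https://example.com:8774
    print(request_base_url(SAMPLE_ENVIRON, public_endpoint="https://example.com:8774/"))
```

Without either override the service advertises http links even though the client spoke https to the proxy; with the header configured (and the proxy setting it) or with a public endpoint, the links come out as https.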