@mgagne
Created February 1, 2016 19:18
TLS termination proxy support in OpenStack

status: draft

date: 2015-10-01

modified: 2015-10-01

category: openstack

authors: Mathieu Gagné

This information was valid at the time this article was written.

This blog post is a follow-up to my email to the openstack-dev list.

As an operator, you might have proxies performing TLS termination in front of your OpenStack API services. This means API services won't have to perform TLS termination themselves, freeing up resources on the nodes running the API services.

This has a side effect, however: the API service won't return links or perform redirections with the proper scheme, because it doesn't know that TLS traffic is terminated upstream by the proxies.

There are several ways to configure your API service to use the right scheme. Unfortunately, each OpenStack project implemented its own way of fixing it.

The current state

Cinder

Cinder allows you to override the request's host_url found in the incoming request and used for the versions endpoint.

It also allows you to override the application URL used to generate the resource links returned by the API:

[DEFAULT]
# Public url to use for versions endpoint. The default is
# None, which will use the request's host_url attribute to
# populate the URL base. If Cinder is operating behind a
# proxy, you will want to change this to represent the proxy's
# URL.
public_endpoint = https://example.com:8776

# Base URL that will be presented to users in links to the
# OpenStack Volume API
osapi_volume_base_URL = https://example.com:8776

Designate

Designate allows you to configure an HTTP header which will be used to override the scheme found in the incoming request. Note that the header name must match exactly (the option was originally quoted here with the typo X-Fowarded-Proto, which would silently never match):

[service:api]
secure_proxy_ssl_header = X-Forwarded-Proto

Glance

Glance allows you to override the request's host_url found in the incoming request and used for the versions endpoint:

[DEFAULT]
# Public url to use for versions endpoint. The default is None,
# which will use the request's host_url attribute to populate the URL base.
# If Glance is operating behind a proxy, you will want to change this to
# represent the proxy's URL.
public_endpoint = https://example.com:9292

Heat

Heat allows you to configure an HTTP header which will be used to override the scheme found in the incoming request (again, spell the header name exactly; a misspelled name means the override never applies):

[DEFAULT]
# The HTTP Header that will be used to determine which
# the original request protocol scheme was, even if it was
# removed by an SSL terminator proxy.
secure_proxy_ssl_header = X-Forwarded-Proto

Ironic

Ironic allows you to override the request's host_url found in the incoming request and used to generate the resource links returned by the API:

[api]
# Public URL to use when building the links to the API
# resources (for example, "https://ironic.rocks:6384"). If
# None the links will be built using the request's host URL.
# If the API is operating behind a proxy, you will want to
# change this to represent the proxy's URL.
public_endpoint = https://example.com:6385

Keystone

Keystone allows you to configure an HTTP header which will be used to override the scheme found in the incoming request.

It also allows you to override the application URL used to generate the resource links returned by the API:

[DEFAULT]
# The base public endpoint URL for Keystone that is advertised to clients
# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
# to the base host URL of the request. E.g. a request to
# http://server:5000/v3/users will default to http://server:5000. You should
# only need to set this value if the base URL contains a path (e.g. /prefix/v3)
# or the endpoint should be found on a different server.
public_endpoint = https://example.com:5000

# The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
# this does NOT affect how Keystone listens for connections). Defaults to the
# base host URL of the request. E.g. a request to http://server:35357/v3/users
# will default to http://server:35357. You should only need to set this value
# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
# found on a different server.
admin_endpoint = https://example.com:35357

# The HTTP header used to determine the scheme for the original request, even
# if it was removed by an SSL terminating proxy. Typical value is
# "HTTP_X_FORWARDED_PROTO".
secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO

Manila

Manila allows you to configure an HTTP header which will be used to override the scheme found in the incoming request:

[oslo_middleware]
# The HTTP Header that will be used to determine what
# the original request protocol scheme was, even if it was
# hidden by an SSL termination proxy.
secure_proxy_ssl_header = X-Forwarded-Proto

Nova

Nova allows you to configure an HTTP header which will be used to override the scheme found in the incoming request.

It also allows you to override the application URL used to generate resource links:

[DEFAULT]

# The HTTP header used to determine the scheme for the
# original request, even if it was removed by an SSL
# terminating proxy. Typical value is
# "HTTP_X_FORWARDED_PROTO".
secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO

# Base URL that will be presented to users in links to the
# OpenStack Compute API
osapi_compute_link_prefix = https://example.com:8774

Searchlight

Searchlight allows you to override the request's host_url found in the incoming request and used for the versions endpoint:

[DEFAULT]
# Public url to use for versions endpoint. The default
# is None, which will use the request's host_url
# attribute to populate the URL base. If Searchlight is
# operating behind a proxy, you will want to change
# this to represent the proxy's URL.
public_endpoint = https://example.com:9393
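To make the two mechanisms catalogued above concrete, here is a small illustrative WSGI helper that I wrote for this post. It is not code from any OpenStack project: the parameter names public_endpoint and secure_proxy_ssl_header mirror the options quoted above, but the function names, the constructed sample environ, and the trusted_proxies allow-list (which none of the quoted options provide; a header-based override trusts whatever the TCP peer sent, so the allow-list is added here as the check an operator would want) are my own assumptions. It also shows why a misspelled header name silently does nothing: the lookup key simply never appears in the request environ, so the scheme falls back to plain http.

```python
"""Illustrative example for this post (not OpenStack project code):
recovering the external scheme/base URL behind a TLS-terminating proxy.

Two strategies, matching the options quoted above:
  1. public_endpoint: a static base URL configured by the operator.
  2. secure_proxy_ssl_header: trust a header set by the proxy
     (here only when the peer is in a trusted_proxies allow-list,
     which is an addition of this example).
"""
import ipaddress


def environ_key(header_name):
    """Map an HTTP header name to the CGI/WSGI environ key a server uses.

    'X-Forwarded-Proto' -> 'HTTP_X_FORWARDED_PROTO'.  A value already in
    environ form (the style Keystone and Nova expect above) passes through.
    """
    if header_name.upper().startswith("HTTP_"):
        return header_name.upper()
    return "HTTP_" + header_name.upper().replace("-", "_")


def from_trusted_proxy(remote_addr, trusted_proxies):
    """True when remote_addr falls inside one of the trusted CIDR ranges."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in trusted_proxies)


def effective_scheme(environ, secure_proxy_ssl_header, trusted_proxies):
    """Scheme the client actually used, as reported by the proxy.

    The forwarded header is honoured only when the TCP peer is a trusted
    proxy; otherwise the header is ignored and the local scheme stands.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    if not secure_proxy_ssl_header:
        return scheme
    if not from_trusted_proxy(environ.get("REMOTE_ADDR", ""), trusted_proxies):
        return scheme
    forwarded = environ.get(environ_key(secure_proxy_ssl_header), "")
    # Chained proxies may append values; the first hop is the client-facing one.
    forwarded = forwarded.split(",")[0].strip().lower()
    return forwarded if forwarded in ("http", "https") else scheme


def base_url(environ, public_endpoint=None, secure_proxy_ssl_header=None,
             trusted_proxies=()):
    """Base URL (scheme://host[:port]) to use in links and redirects."""
    if public_endpoint:
        # Strategy 1: operator-configured URL wins outright.
        return public_endpoint.rstrip("/")
    # Strategy 2: local scheme, possibly overridden by the proxy header.
    scheme = effective_scheme(environ, secure_proxy_ssl_header, trusted_proxies)
    host = environ.get("HTTP_HOST")
    if not host:
        host = environ["SERVER_NAME"]
        port = environ.get("SERVER_PORT")
        default_port = "443" if scheme == "https" else "80"
        if port and port != default_port:
            host = "%s:%s" % (host, port)
    return "%s://%s" % (scheme, host)


def sample_environ(remote_addr, **headers):
    """Constructed WSGI environ: a request reaching the API over plain HTTP
    on its internal address, with the proxy having preserved the Host."""
    environ = {
        "wsgi.url_scheme": "http",
        "REMOTE_ADDR": remote_addr,
        "SERVER_NAME": "10.0.0.20",
        "SERVER_PORT": "8774",
        "HTTP_HOST": "api.example.com",
        "PATH_INFO": "/v2/servers",
    }
    environ.update(headers)
    return environ


if __name__ == "__main__":
    proxies = ["10.0.0.0/24"]
    env = sample_environ("10.0.0.5", HTTP_X_FORWARDED_PROTO="https")
    print("no override:     ", base_url(env))
    print("header override: ", base_url(env, secure_proxy_ssl_header="X-Forwarded-Proto",
                                         trusted_proxies=proxies))
    print("misspelled name: ", base_url(env, secure_proxy_ssl_header="X-Fowarded-Proto",
                                         trusted_proxies=proxies))
    print("untrusted peer:  ", base_url(sample_environ("203.0.113.9",
                                                       HTTP_X_FORWARDED_PROTO="https"),
                                         secure_proxy_ssl_header="X-Forwarded-Proto",
                                         trusted_proxies=proxies))
    print("public_endpoint: ", base_url(env, public_endpoint="https://example.com:8774/"))
```

The static public_endpoint approach is the simplest to reason about and does not depend on anything the proxy sends; the header approach adapts to whatever scheme the client used, but only makes sense when the service is reachable solely through the proxy or the header is restricted to known proxy addresses as done here.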