Cinder

Versions endpoint does not support X-Forwarded-Proto

Bug #1558683 reported by Dave McCowan
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Cinder
Fix Released
Medium
Yuriy Nesenenko
Glance
Fix Released
Undecided
Stuart McLaren
OpenStack Cinder Charm
Fix Released
Undecided
Seyeong Kim
OpenStack Cinder Charm 18.05

Bug Description

When a project is deployed behind a SSL terminating proxy, the version endpoint returns the wrong URLs. The returned protocol in the reponse URLs is http:// instead of the expected https://.

This is because the response built by versions.py git the host information only from the incoming req. If SSL has been terminated by a proxy, then the information in the req indicates http://. Other projects have addressed this by adding the config parameter secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO. This will tell the project to use the value in X-Forwarded-Proto (https or http) when building the URLs in the response. Nova and Keystone support this configuration option.

One workaround is to set the public_endpoint parameter. However, the value set for public_endpoint, is also returned when the internal and admin version endpoints are queried, which breaks other things.

See original description
Revision history for this message
Duncan Thomas (duncan-thomas) wrote :

https://review.openstack.org/#/c/206479/ was how this was fixed in Nova

Sean McGinnis (sean-mcginnis)
Changed in cinder:
importance: Undecided → Medium
Dave McCowan (dave-mccowan)
description: updated
Revision history for this message
Dave McCowan (dave-mccowan) wrote :

https://review.openstack.org/#/c/132235/ is how this was fixed in Keystone

Revision history for this message
Anseela M M (anseela-m00) wrote :

Can you please mention the openstack version?

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

You can set this parameter in the glance-api.conf:

 # Public url to use for versions endpoint. The default is None,$
 # which will use the request's host_url attribute to populate the URL base.$
 # If Glance is operating behind a proxy, you will want to change this to$
 # represent the proxy's URL.$
 #public_endpoint=<None>$

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Ah, I missed the last paragraph of the description, sorry:

 One workaround is to set the public_endpoint parameter. However, the value set for public_endpoint, is also returned when the internal and admin version endpoints are queried, which breaks other things.

Stuart McLaren (stuart-mclaren)
Changed in glance:
assignee: nobody → Stuart McLaren (stuart-mclaren)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/294681

Changed in glance:
status: New → In Progress
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Glance patch: https://review.openstack.org/#/c/294681

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/294681
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=513d717d283e511f1a569a760addbbb1bac3970b
Submitter: Jenkins
Branch: master

commit 513d717d283e511f1a569a760addbbb1bac3970b
Author: Stuart McLaren <email address hidden>
Date: Fri Mar 18 15:42:15 2016 +0000

    Handle SSL termination proxies for version list

    Return correct scheme in version URLs if service
    behind an SSL termination proxy.

    This is done by adding a new configuration option,
    secure_proxy_ssl_header, which, when defined, makes
    the wsgi application take the host_url scheme from
    that header. By default, when this option is not
    specified, there is no difference in behavior.

    The intention is to configure any ssl-decrypting
    proxy to set that header, so that glance-api knows
    which protocol to use in the URLs in response.

    This patch is largely based on the equivalent
    nova patch: https://review.openstack.org/#/c/206479.

    Partial-bug: 1558683

    Change-Id: I9a9c0e42a6ad3c18d197f10095958b48d5cb879a

Yuriy Nesenenko (ynesenenko)
Changed in cinder:
assignee: nobody → Yuriy Nesenenko (ynesenenko)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/305152

Changed in cinder:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/305152
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d7e7e7bdf0f112c8315ae38f04b4849338173d51
Submitter: Jenkins
Branch: master

commit d7e7e7bdf0f112c8315ae38f04b4849338173d51
Author: yuriy_n <email address hidden>
Date: Mon May 23 11:28:25 2016 +0300

    Handle SSL termination proxies for version list

    Cinder list with pagination contains wrong scheme for
    'next' link in case of SSL endpoints. This patch fixes
    it and returns the correct scheme in version URLs if
    service is behind an SSL termination proxy.

    Change-Id: If5aab9cc25a2e7c66a0bb13b5f7488a667b30309
    Closes-Bug: #1558683

Changed in cinder:
status: In Progress → Fix Released
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/cinder 9.0.0.0b1

This issue was fixed in the openstack/cinder 9.0.0.0b1 development milestone.

Revision history for this message
Jamie Lennox (jamielennox) wrote :

The Glance patch does not support redirecting /v1 to /v1/ using X-Forwarded-Proto (and probably /v2).

The path of a /v1 request is:

1) paste strips off the initial /v1 and redirects to the correct pipeline
2) The empty redirect [1] is hit which creates a redirect to location='/v1/'
3) webob turns the relative /v1/ into an absolute url [2] using environ['wsgi.url_scheme']. This is still set to 'http' because it has never actually entered the resource controller and the glance Request object that evaluates HTTP_X_FORWARDED_PROTO.

The best solution i can see for this is to use the oslo_middleware.http_proxy_to_wsgi [3] middleware. This will handle the X-Forwarded-Proto handling in middleware before it ever reaches routes or glance's request handling and with greater support for forwarding indication including rfc7239 [4].

[1] https://github.com/openstack/glance/blob/790b01573ace970cd55e75cb7812922629fbd2a7/glance/common/wsgi.py#L695
[2] https://github.com/Pylons/webob/blob/9c1a5af749b341d0bc78ab2e584a751c8866624b/webob/response.py#L1043-L1055
[3] https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/http_proxy_to_wsgi.py
[4] https://tools.ietf.org/html/rfc7239

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/326798
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Submitter: Jenkins
Branch: master

commit b0d0b1d0ba7b9d1fadca0e7932c5886bc6cc7825
Author: Jamie Lennox <email address hidden>
Date: Wed Jun 8 11:59:09 2016 +1000

    Use http-proxy-to-wsgi middleware from oslo.middleware

    The HTTP_X_FORWARDED_PROTO handling fails to handle the case of
    redirecting the /v1 request to /v1/ because it is handled purely by
    routes and does not enter the glance wsgi code. This means a https
    request is redirect to http and fails.

    oslo.middleware has middleware for handling the X-Forwarded-Proto header
    in a standard way so that services don't have to and so we should use
    that instead of our own mechanism.

    Leaving the existing header handling around until removal should not be
    a problem as the worst that will happen is it overwrites an existing
    'https' header value set by the middleware.

    Closes-Bug: #1558683
    Closes-Bug: #1590608
    Change-Id: I481d88020b6e8420ce4b9072dd30ec82fe3fb4f7

Changed in glance:
status: In Progress → Fix Released
Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/glance 13.0.0.0b2

This issue was fixed in the openstack/glance 13.0.0.0b2 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/342639

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/mitaka)

Reviewed: https://review.openstack.org/342639
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=3b7e9cc1d08efc097254110e8bff5c8e9754a516
Submitter: Jenkins
Branch: stable/mitaka

commit 3b7e9cc1d08efc097254110e8bff5c8e9754a516
Author: yuriy_n <email address hidden>
Date: Mon May 23 11:28:25 2016 +0300

    Handle SSL termination proxies for version list

    Cinder list with pagination contains wrong scheme for
    'next' link in case of SSL endpoints. This patch fixes
    it and returns the correct scheme in version URLs if
    service is behind an SSL termination proxy.

    Change-Id: If5aab9cc25a2e7c66a0bb13b5f7488a667b30309
    Closes-Bug: #1558683
    (cherry picked from commit d7e7e7bdf0f112c8315ae38f04b4849338173d51)

tags: added: in-stable-mitaka
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/cinder 8.1.0

This issue was fixed in the openstack/cinder 8.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to charm-cinder (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/521409

Seyeong Kim (seyeongkim)
Changed in charm-cinder:
assignee: nobody → Seyeong Kim (xtrusia)
Edward Hope-Morley (hopem)
Changed in charm-cinder:
status: New → In Progress
milestone: none → 17.11
James Page (james-page)
Changed in charm-cinder:
milestone: 17.11 → 18.02
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to charm-cinder (master)

Reviewed: https://review.openstack.org/521409
Committed: https://git.openstack.org/cgit/openstack/charm-cinder/commit/?id=24588869f25cfa231737db7367aaa36a0b471879
Submitter: Zuul
Branch: master

commit 24588869f25cfa231737db7367aaa36a0b471879
Author: Seyeong Kim <email address hidden>
Date: Mon Nov 20 12:16:55 2017 +0900

    Copied mitaka's api-paste.ini to /templates/mitaka/

    to support http_proxy_to_wsgi

    Change-Id: Icdfcd3963848dccc9e42f72ed899dddc96ca1ebf
    Related-Bug: #1558683

Ryan Beisner (1chb1n)
Changed in charm-cinder:
milestone: 18.02 → 18.05
Revision history for this message
Seyeong Kim (seyeongkim) wrote :

Hello Ryan

This also merged to 18.02 it seems

as 1573766 seems

Changed in charm-cinder:
status: In Progress → Fix Released
Revision history for this message
Seyeong Kim (seyeongkim) wrote :

i changed status but can't for milestone

if Im wrong please revert it

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.