| 2016-03-17 17:30:58 |
Dave McCowan |
description |
When a project is deployed behind a SSL terminating proxy, the version endpoint returns the wrong URLs. The returned protocol in the reponse URLs is http:// instead of the expected https://.
This is because the response built by versions.py git the host information only from the incoming req. If SSL has been terminated by a proxy, then the information in the req indicates http://. Other projects have addressed this by adding the config parameter secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO. This will tell the project to use the value in X-Forwarded-Proto (https or http) when building the URLs in the response. Nova and Keystone support this configuration option. |
When a project is deployed behind a SSL terminating proxy, the version endpoint returns the wrong URLs. The returned protocol in the reponse URLs is http:// instead of the expected https://.
This is because the response built by versions.py git the host information only from the incoming req. If SSL has been terminated by a proxy, then the information in the req indicates http://. Other projects have addressed this by adding the config parameter secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO. This will tell the project to use the value in X-Forwarded-Proto (https or http) when building the URLs in the response. Nova and Keystone support this configuration option.
One workaround is to set the public_endpoint parameter. However, the value set for public_endpoint, is also returned when the internal and admin version endpoints are queried, which breaks other things. |
|
