Comment 0 for bug 1503193

Dmitry Sutyagin (dsutyagin) wrote:

Fuel 6.0

Customer tried to enable SSL termination on haproxy for all services; haproxy only listens on port 443.

Changed novncproxy_base_url:
from "http://.../vnc_auto.html"
to "https://.../vnc_auto.html?port=443" (https - needed for initial connection, ?port=443 needed to tell javascript to use port 443 for wss, otherwise it will connect to port 80)

Result:

/var/log/nova/consoleauth.log:
2015-10-05T21:23:42.572675+00:00 warning: Checking Token: 8f9a0e2f-0b0c-4e77-b816-bb618de5e2e8/websockify, False

/var/log/nova/nova-novncproxy.log:
2015-10-05T21:23:42.577323+00:00 info: handler exception: Invalid Token
2015-10-05T21:23:42.579856+00:00 debug: exception
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy Traceback (most recent call last):
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 874, in top_new_client
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy client = self.do_handshake(startsock, address)
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 809, in do_handshake
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy self.RequestHandlerClass(retsock, address, self)
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/nova/console/websocketproxy.py", line 150, in __init__
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy websockify.ProxyRequestHandler.__init__(self, *args, **kwargs)
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 112, in __init__
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy SimpleHTTPRequestHandler.__init__(self, req, addr, server)
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/SocketServer.py", line 638, in __init__
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy self.handle()
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 540, in handle
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy SimpleHTTPRequestHandler.handle(self)
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy self.handle_one_request()
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy method()
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 506, in do_GET
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy if not self.handle_websocket():
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/websockify/websocket.py", line 494, in handle_websocket
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy self.new_websocket_client()
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy File "/usr/lib/python2.7/dist-packages/nova/console/websocketproxy.py", line 91, in new_websocket_client
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy raise Exception(_("Invalid Token"))
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy Exception: Invalid Token
2015-10-05 23:23:42.578 108841 TRACE nova.console.websocketproxy

The issue happens in /usr/lib/python2.6/site-packages/nova/console/websocketproxy.py:

token = urlparse.parse_qs(query).get("token", [""]).pop()

This will return <TOKEN>/websockify, so the token will be concatenated with the /websockify text and cannot be validated.

The workaround I used to fix this was to add an extra line:
token = token.split('/')[0]

After this change noVNC starts working well over https.

Also found a related bug - https://bugs.launchpad.net/mos/+bug/1460070
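
Added example, not part of the original comment and not nova's code: a Python 3 sketch of the token extraction described above, comparing the value as parsed, the comment's split('/') workaround, and a hypothetical stricter variant that only accepts a token-shaped value. The function names, the sample query strings and the assumption that console tokens are UUID-shaped (as in the consoleauth log line) are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs  # Python 2, as on the page: urlparse.parse_qs

# Assumption: console tokens are UUID-shaped, like the one in the log line.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
SUFFIX = "/websockify"  # text the comment reports appended to the token


def token_as_parsed(query):
    """Extraction as quoted in the comment: last 'token' value, or ''."""
    return parse_qs(query).get("token", [""]).pop()


def token_with_workaround(query):
    """The comment's workaround: keep only the text before the first '/'."""
    return token_as_parsed(query).split("/")[0]


def token_strict(query):
    """Hypothetical stricter variant: exactly one token value, only the
    known '/websockify' suffix tolerated, UUID shape required. Returns
    None for anything else instead of passing it on for validation."""
    values = parse_qs(query).get("token", [])
    if len(values) != 1:
        return None
    value = values[0]
    if value.endswith(SUFFIX):
        value = value[:-len(SUFFIX)]
    return value if UUID_RE.fullmatch(value) else None


# Constructed sample inputs (not taken from the bug report).
GOOD = "11111111-2222-4333-8444-555555555555"
SAMPLES = [
    "token=" + GOOD,                        # plain token
    "port=443&token=" + GOOD + SUFFIX,      # shape described in the comment
    "token=" + GOOD + "/other/path",        # unexpected trailing path
    "token=" + GOOD + "&token=not-a-uuid",  # duplicate parameter
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(repr(token_as_parsed(q)), repr(token_with_workaround(q)),
              repr(token_strict(q)))
```
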