horizon_external_ssl: false causes horizon endpoint to fail with redirect error

Bug #1647503 reported by Miguel Alejandro Cantu
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openstack-ansible
Confirmed
Medium
Unassigned

Bug Description

According to the release notes:
" - In previous releases connections to Horizon originally terminated SSL
    at the Horizon container. While that is still an option, SSL is now
    assumed to be terminated at the load balancer. If you wish to terminate
    SSL at the horizon node change the ``horizon_external_ssl`` option to
    **false**. "

I tried setting the horizon_external_ssl variable to false, but that resulted in the horizon public endpoint becoming inaccessible. Curling the endpoint always results in a 302:
https://gist.github.com/alextricity25/cc58ea36036e38057027f53980e701f1

Using the web browser to access horizon resulted in an error message:
"The page isn’t redirecting properly".

I don't know a lot about what's causing this. I could be bad haproxy settings, or bad apache configurations. Please let me know if you need any more info.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

It appears to me that it's not an option any more to terminate SSL at the horizon container. There is only the external_ssl option. So either we need to consider this a bug and patch it up to make it optional, or we need to add a known issue release note.

Considering that end-to-end SSL is a likely requirement (ie SSL to the LB, and SSL to the container) I think that catering for SSL at the container *and* SSL at the LB should ideally be possible.

To resolve this bug though, the simpler implementation of just one or the other would be fine. I think we have this implemented for the Keystone role, so it would be worth looking at that for prior art.

Revision history for this message
Travis Truman (travis-truman) wrote :

I may take a look at addressing this as it has bitten me more than once.

summary: - horizon_external_ssl: flase causes horizon endpoint to fail with
+ horizon_external_ssl: false causes horizon endpoint to fail with
redirect error
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.