HTTP_X_FORWARDED_PROTO is probably missing, resulting in bad origin address

Bug #2027624 reported by Lukas M
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| skyline apiserver | New | Undecided | Unassigned | |

Bug Description

HTTP_X_FORWARDED_PROTO is probably missing or is not set correctly (at least this is working for Horizon), resulting in bad origin address when using Reverse Proxy and SSO.

Notice the redirect here: `https://openstack.example.com:5000/v3/auth/OS-FEDERATION/websso/openid?origin=https://skyline.example.com:None/api/openstack/skyline/api/v1/websso`, port is `None`

This can be breaking for Keystone; see the config snippet:
```
[federation]
trusted_dashboard = https://skyline.example.com:None/api/openstack/skyline/api/v1/websso
```

Thanks

Shuai Qian (iauhsnaiq) wrote:

Add port in the URL:
```
[federation]
trusted_dashboard = https://<openstack_ip>:9999/api/openstack/skyline/api/v1/websso
```

Lukas M (muhaha) wrote:

No, it's happening before the Keystone authorization (I can see in Keystone logs that https://skyline.example.com:None/api/openstack/skyline/api/v1/websso is not added to trusted dashboards). Nginx or Gunicorn does not handle reverse proxy and probably HTTP_X_FORWARDED_PROTO is not respected. That's why it's set to None, thus origin URL is generated like :None port. Just like Django does this: https://code.djangoproject.com/ticket/27961#comment:3
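The symptom discussed in this thread, as an added example that is not part of the original report and is not Skyline's code: a URL without an explicit port parses to a port of `None`, and formatting that value unconditionally yields `:None`. The function names, the `TRUSTED_PROXIES` subnet and the sample requests are assumptions made for illustration; the second function honours `X-Forwarded-*` only when the direct peer is a known proxy, since those headers are otherwise client-controlled.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

WEBSSO_PATH = "/api/openstack/skyline/api/v1/websso"  # path quoted in the report
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # assumption: reverse-proxy subnet
DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_origin(request_url: str) -> str:
    """Reproduce the symptom: .port is None when the URL has no explicit port."""
    u = urlsplit(request_url)
    return f"{u.scheme}://{u.hostname}:{u.port}{WEBSSO_PATH}"


def proxy_aware_origin(request_url: str, headers: dict, peer_ip: str) -> str:
    """Build the WebSSO origin, trusting X-Forwarded-* only from a known proxy."""
    u = urlsplit(request_url)
    scheme, netloc = u.scheme, u.netloc
    if any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        # Take the first value of each header; ignore unknown schemes.
        proto = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in DEFAULT_PORTS:
            scheme = proto
        netloc = headers.get("x-forwarded-host", netloc).split(",")[0].strip()
    parts = urlsplit(f"{scheme}://{netloc}")
    if parts.hostname is None:
        raise ValueError("no usable host for origin")
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    # Emit a port only when it is explicit and not the scheme's default.
    port = parts.port
    suffix = "" if port in (None, DEFAULT_PORTS.get(scheme)) else f":{port}"
    return f"{scheme}://{host}{suffix}{WEBSSO_PATH}"


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real deployment.
    print(naive_origin("https://skyline.example.com/login"))
    print(proxy_aware_origin("http://skyline.example.com/login",
                             {"x-forwarded-proto": "https"}, "10.0.0.5"))
    print(proxy_aware_origin("http://skyline.example.com:9999/login",
                             {"x-forwarded-proto": "https",
                              "x-forwarded-host": "other.example"}, "203.0.113.7"))
```

The origin produced this way still has to match the `trusted_dashboard` entry in Keystone's `[federation]` section character for character, so the port handling on both sides must agree.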

conna (yangshaoxue) wrote:

Please provide your skyline configuration file and skyline startup command (protocol and port number).

Please check the skyline image version. We fixed a similar bug: https://review.opendev.org/c/openstack/skyline-apiserver/+/879465

Lukas M (muhaha) wrote:

conna (yangshaoxue) wrote:

You can pull the latest image.

Lukas M (muhaha) wrote:

I am using a kolla-ansible deployment.
