Mailing List Archive

Novaclient redirect endpoint https into http
Hi Team Nova develop!

I build OpenStack version Queens with 05 node (03 node controller, 02 node compute). I use HAproxy to load balancer all services.

First, I create endpoint with http protocol. Everything is successful.

Next, I change endpoint from http to https. After complete, I use openstack command normally.

But, I can not use nova command, endpoint nova have been redirected from https to http. Here: http://prntscr.com/k2e8s6 (command: nova --insecure service list)

And this is error log: Unable to establish connection to http://192.168.30.70:8774/v2.1/: ('Connection aborted.', BadStatusLine("''",))

Endpoint after change: https://prnt.sc/k2cgjm

Horizon error: https://prnt.sc/k2chwm

Nova version: http://prntscr.com/k2eaxh

My LAB : Ubuntu 16.04 LTS,

Please help me fix this bug.

Thanks and Best Regards!

Nguyen Trong Tan

Openstack group user VietNam.
Re: Novaclient redirect endpoint https into http
>
> But, I can not use nova command, endpoint nova have been redirected from https to http. Here: http://prntscr.com/k2e8s6 (command: nova --insecure service list)

First of all, it seems that the nova client is hitting /v2.1 instead of /v2.1/ URI and this seems to be triggering the redirect.

Since openstack CLI works, I presume it must be using the correct URL and hence it’s not getting redirected.

>
> And this is error log: Unable to establish connection to http://192.168.30.70:8774/v2.1/: ('Connection aborted.', BadStatusLine("''",))
>

Looks to me that nova-api does a redirect to an absolute URL. I suspect SSL is terminated on the HAProxy and nova-api itself is configured without SSL so it redirects to an http URL.

In my opinion, nova would be more load-balancer friendly if it used a relative URI in the redirect but that’s outside of the scope of this question and since I don’t know the context behind choosing the absolute URL, I could be wrong on that.

I had a similar problem with heat-api running behind an Apache reverse proxy, and managed to resolve it by applying the workaround from this bug report:

https://bugs.launchpad.net/python-heatclient/+bug/1420907

Setting

X-Forwarded-Proto: https

before forwarding the request to heat-api fixed the issue for me.

--
Bogdan Katynski
freenode: bodgix

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
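
The redirect behaviour described in this reply, as an added example that is not part of the original message and is not nova, oslo.middleware or HAProxy code. The names `api_app`, `ForwardedProto` and `redirect_location` and both addresses are constructed for illustration, and the trusted-proxy check is an assumption of this example: a backend that honors X-Forwarded-Proto from any sender lets the sender choose the scheme of the redirect.

```python
from wsgiref.util import request_uri, setup_testing_defaults

PROXY_ADDR = "192.0.2.1"          # constructed: address of the TLS-terminating proxy
BACKEND_HOST = "192.0.2.10:8774"  # constructed: Host header the backend sees


def api_app(environ, start_response):
    """Toy backend (hypothetical): redirects /v2.1 to /v2.1/ with an absolute URL."""
    if environ["PATH_INFO"] == "/v2.1":
        target = dict(environ, PATH_INFO="/v2.1/")
        # The scheme comes from wsgi.url_scheme, i.e. from the backend's own
        # socket, which is plain http when TLS ends at the proxy.
        location = request_uri(target, include_query=False)
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


class ForwardedProto:
    """Hypothetical middleware: honor X-Forwarded-Proto from trusted proxies only."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = set(trusted_proxies)

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if environ.get("REMOTE_ADDR") in self.trusted and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def redirect_location(app, remote_addr, forwarded_proto=None):
    """Send GET /v2.1 to app and return the Location header of the response."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(PATH_INFO="/v2.1", HTTP_HOST=BACKEND_HOST, REMOTE_ADDR=remote_addr)
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    seen = {}
    app(environ, lambda status, headers, exc_info=None: seen.update(headers))
    return seen.get("Location")


if __name__ == "__main__":
    wrapped = ForwardedProto(api_app, {PROXY_ADDR})
    print(redirect_location(api_app, PROXY_ADDR, "https"))     # header ignored
    print(redirect_location(wrapped, PROXY_ADDR, "https"))     # header honored
    print(redirect_location(wrapped, "203.0.113.5", "https"))  # untrusted sender
```

Without the middleware the backend answers with an http:// Location even though the client spoke https to the proxy, which is the downgrade the client in this thread then tried to follow.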
Re: Novaclient redirect endpoint https into http
Thank you katynski for response.

But, I had config Haproxy correctly. Here is my config: http://prntscr.com/k2ofwv

And, when I use openstack command, that is successful. Here: http://prntscr.com/k2ogau

I don’t think I config wrong. I can create, delete, list, show any VM with openstack command successfully.



Thanks and Best Regards!

Nguyen Trong Tan

Openstack group user VietNam.



-----Original Message-----
From: Bogdan Katynski [mailto:bogdan.katynski@workday.com]
Sent: Wednesday, July 4, 2018 9:50 PM
To: Nguyen Trong Tan <nguyentrongtan124@gmail.com>
Cc: openstack-operators@lists.openstack.org; openstack@lists.openstack.org; Lê Quang Long (VDC-IT) <longlq.uct@gmail.com>
Subject: Re: [Openstack] Novaclient redirect endpoint https into http


>
> But, I can not use nova command, endpoint nova have been redirected from https to http. Here: http://prntscr.com/k2e8s6 (command: nova --insecure service list)

First of all, it seems that the nova client is hitting /v2.1 instead of /v2.1/ URI and this seems to be triggering the redirect.

Since openstack CLI works, I presume it must be using the correct URL and hence it’s not getting redirected.

>
> And this is error log: Unable to establish connection to http://192.168.30.70:8774/v2.1/: ('Connection aborted.', BadStatusLine("''",))
>

Looks to me that nova-api does a redirect to an absolute URL. I suspect SSL is terminated on the HAProxy and nova-api itself is configured without SSL so it redirects to an http URL.

In my opinion, nova would be more load-balancer friendly if it used a relative URI in the redirect but that’s outside of the scope of this question and since I don’t know the context behind choosing the absolute URL, I could be wrong on that.

I had a similar problem with heat-api running behind an Apache reverse proxy, and managed to resolve it by applying the workaround from this bug report:

https://bugs.launchpad.net/python-heatclient/+bug/1420907

Setting

X-Forwarded-Proto: https

before forwarding the request to heat-api fixed the issue for me.

--
Bogdan Katynski
freenode: bodgix

Re: Novaclient redirect endpoint https into http
Are you using http_to_wsgi_middleware? Gotta enable that in the nova config
and make sure it's in your paste config.

On Wed, 4 Jul 2018, 20:22 Nguyen Trong Tan, <nguyentrongtan124@gmail.com>
wrote:

> Thank you katynski for response.
>
> But, I had config Haproxy correctly. Here is my config:
> http://prntscr.com/k2ofwv
>
> And, when I use openstack command, that is successful. Here:
> http://prntscr.com/k2ogau
>
> I don’t think I config wrong. I can create, delete, list, show any VM with
> openstack command successfully.
>
>
>
> Thanks and Best Regards!
>
> Nguyen Trong Tan
>
> Openstack group user VietNam.
Re: Novaclient redirect endpoint https into http
Thank you Juan Antonio Osorio!

With your response, I had fixed this error. I must add more config in nova.conf.

Here:

[oslo_middleware]
secure_proxy_ssl_header = X-Forwarded-Proto
enable_proxy_headers_parsing = true

Now, I can use nova command normally.

http://prntscr.com/k2oq7o

Thank you very much.

Thanks and Best Regards!

Nguyen Trong Tan

Openstack group user VietNam.

From: Juan Antonio Osorio [mailto:jaosorior@gmail.com]
Sent: Thursday, July 5, 2018 8:37 AM
To: Nguyen Trong Tan <nguyentrongtan124@gmail.com>
Cc: Bogdan Katynski <bogdan.katynski@workday.com>; openstack@lists.openstack.org; Lê Quang Long (VDC-IT) <longlq.uct@gmail.com>
Subject: Re: [Openstack] Novaclient redirect endpoint https into http

Are you using http_to_wsgi_middleware? Gotta enable that in the nova config and make sure it's in your paste config.
Re: [nova][api] Novaclient redirect endpoint https into http
+openstack-dev@

On Wed, 4 Jul 2018 14:50:26 +0000, Bogdan Katynski wrote:
>> But, I can not use nova command, endpoint nova have been redirected from https to http. Here: http://prntscr.com/k2e8s6 (command: nova --insecure service list)
> First of all, it seems that the nova client is hitting /v2.1 instead of /v2.1/ URI and this seems to be triggering the redirect.
>
> Since openstack CLI works, I presume it must be using the correct URL and hence it’s not getting redirected.
>
>>
>> And this is error log: Unable to establish connection to http://192.168.30.70:8774/v2.1/: ('Connection aborted.', BadStatusLine("''",))
>>
> Looks to me that nova-api does a redirect to an absolute URL. I suspect SSL is terminated on the HAProxy and nova-api itself is configured without SSL so it redirects to an http URL.
>
> In my opinion, nova would be more load-balancer friendly if it used a relative URI in the redirect but that’s outside of the scope of this question and since I don’t know the context behind choosing the absolute URL, I could be wrong on that.

Thanks for mentioning this. We do have a bug open in python-novaclient
around a similar issue [1]. I've added comments based on this thread and
will consult with the API subteam to see if there's something we can do
about this in nova-api.

-melanie

[1] https://bugs.launchpad.net/python-novaclient/+bug/1776928




Re: [openstack-dev] [nova][api] Novaclient redirect endpoint https into http
On 07/05/2018 01:55 PM, melanie witt wrote:
> +openstack-dev@
>
> On Wed, 4 Jul 2018 14:50:26 +0000, Bogdan Katynski wrote:
>>> But, I can not use nova command, endpoint nova have been redirected
>>> from https to http. Here: http://prntscr.com/k2e8s6 (command: nova
>>> --insecure service list)
>> First of all, it seems that the nova client is hitting /v2.1 instead
>> of /v2.1/ URI and this seems to be triggering the redirect.
>>
>> Since openstack CLI works, I presume it must be using the correct URL
>> and hence it’s not getting redirected.
>>
>>> And this is error log: Unable to establish connection
>>> to http://192.168.30.70:8774/v2.1/: ('Connection aborted.',
>>> BadStatusLine("''",))
>> Looks to me that nova-api does a redirect to an absolute URL. I
>> suspect SSL is terminated on the HAProxy and nova-api itself is
>> configured without SSL so it redirects to an http URL.
>>
>> In my opinion, nova would be more load-balancer friendly if it used a
>> relative URI in the redirect but that’s outside of the scope of this
>> question and since I don’t know the context behind choosing the
>> absolute URL, I could be wrong on that.
>
> Thanks for mentioning this. We do have a bug open in python-novaclient
> around a similar issue [1]. I've added comments based on this thread and
> will consult with the API subteam to see if there's something we can do
> about this in nova-api.

A similar thing came up the other day related to keystone and version
discovery. Version discovery documents tend to return full urls - even
though relative urls would make public/internal API endpoints work
better. (also, sometimes people don't configure things properly and the
version discovery url winds up being incorrect)

In shade/sdk - we actually construct a wholly-new discovery url based on
the url used for the catalog and the url in the discovery document since
we've learned that the version discovery urls are frequently broken.

This is problematic because SOMETIMES people have public urls deployed
as a sub-url and internal urls deployed on a port - so you have:

Catalog:
public: https://example.com/compute
internal: https://compute.example.com:1234

Version discovery:
https://example.com/compute/v2.1

When we go to combine the catalog url and the versioned url, if the user
is hitting internal, we produce
https://compute.example.com:1234/compute/v2.1 - because we have no way
of systemically knowing that /compute should also be stripped.

VERY LONG WINDED WAY of saying 2 things:

a) Relative URLs would be *way* friendlier (and incidentally are
supported by keystoneauth, openstacksdk and shade - and are written up
as being a thing people *should* support in the documents about API
consumption)

b) Can we get agreement that changing behavior to return or redirect to
a relative URL would not be considered an api contract break? (it's
possible the answer to this is 'no' - so it's a real question)

Monty
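
The catalog and discovery combination described in this message, as an added example that is not part of the original message and is not shade, openstacksdk or keystoneauth code. `combine_absolute` is a simplified model of joining the two URLs, and the relative link `v2.1` is an assumed form of what a relative discovery document would return.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Values quoted in the message above.
CATALOG = {
    "public": "https://example.com/compute",
    "internal": "https://compute.example.com:1234",
}
DISCOVERY_ABSOLUTE = "https://example.com/compute/v2.1"
DISCOVERY_RELATIVE = "v2.1"  # assumption: relative link in the discovery document


def combine_absolute(catalog_url, discovery_url):
    """Simplified model: keep scheme, host and port of the catalog URL and
    take the path from the absolute discovery URL."""
    cat, disc = urlsplit(catalog_url), urlsplit(discovery_url)
    return urlunsplit((cat.scheme, cat.netloc, disc.path, "", ""))


def combine_relative(catalog_url, relative_ref):
    """Resolve a relative reference against the catalog URL (RFC 3986).
    The trailing slash makes the catalog path the base directory."""
    return urljoin(catalog_url.rstrip("/") + "/", relative_ref)


def compare():
    """Return {interface: (absolute result, relative result)} for the catalog."""
    return {
        name: (
            combine_absolute(url, DISCOVERY_ABSOLUTE),
            combine_relative(url, DISCOVERY_RELATIVE),
        )
        for name, url in CATALOG.items()
    }


if __name__ == "__main__":
    for name, (absolute, relative) in compare().items():
        print(f"{name:8} absolute -> {absolute}")
        print(f"{name:8} relative -> {relative}")
```

The absolute form carries the public `/compute` prefix onto the internal endpoint, while the relative form resolves correctly against either catalog entry and keeps whatever scheme the client used to reach it.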
