OpenStack Object Storage (swift)

staticweb drop SSL when redirecting if behind SSL-offload LB

Bug #1690197 reported by Romain LE DISEZ
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Object Storage (swift)
Confirmed
Medium
Unassigned

Bug Description

When redirecting, if behind a load balancer doing SSL offload, staticweb does not maintain the https for the new location.

haproxy listening to 80 and 443 on SAIO:
    frontend swift
        bind 127.0.0.1:80
        use_backend swift

    frontend swift_ssl
        bind 127.0.0.1:443 ssl crt /etc/haproxy/ssl/cert.pem
        use_backend swift

    backend swift
        server swift-proxy 127.0.0.1:8080

web is a container with staticweb enabled.

Good:
$ curl -I http://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://localhost/v1/AUTH_test/web/

Bad (Location header is http instead of https):
$ curl -kI https://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://localhost/v1/AUTH_test/web/

Setting url_base does not fix the issue, it just invert it.
With url_base = https:

Good:
$ curl -kI https://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://localhost/v1/AUTH_test/web/

Bad (should be http in Location header):
$ curl -I http://localhost/v1/AUTH_test/web
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://localhost/v1/AUTH_test/web/

Staticweb must use by default the protocol of the incoming request. Only if specified by operator, the protocol should be overwritten. To detect the protocol of the incoming request, the standard way is to use the Forwarded header. Support for the "de-facto" standard X-Forwarded-Proto would be nice too.

See:
https://tools.ietf.org/html/rfc7239#section-5.4
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded

See original description
Romain LE DISEZ (rledisez)
description: updated
Revision history for this message
Tim Burke (1-tim-z) wrote :

Yup; despite several patches [1][2][3] related to this general problem, we still haven't gotten it right. Part of the trouble is that we're trying to accommodate both protocol-aware terminators (which would add the Forward/X-Forwarded-Proto headers) as well as protocol-agnostic ones (which can't). And we *certainly* haven't been thinking about this problem from a bi-modal-access perspective.

I wonder whether we should
 - get static web out of scheme/host manipulation entirely,
 - have swob *always* look at Forwarded, and
 - have some middleware (maybe even gatekeeper?) populate Forwarded when it isn't present, based on a config-driven override (if set) and falling back to the current guesswork...

[1] https://github.com/openstack/swift/commit/188f834e0ae305df36438c9a9ad1e2a4b6e98098
[2] https://github.com/openstack/swift/commit/47ee1d7e175471483b9885eafc4514a7281c35e9
[3] https://github.com/openstack/swift/commit/f62df7b80c083862c11cbef678f75cc09bb89e8f

Changed in swift:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Tim Burke (1-tim-z) wrote :

Maybe addressed by https://github.com/openstack/swift/commit/661838d and https://github.com/openstack/swift/commit/7b5c30d ?

Revision history for this message
Tim Burke (1-tim-z) wrote :

So testing with haproxy configured like http://paste.openstack.org/show/786004/, I got http redirecting to http and https redirecting to https... I think that's probably the way to go? Not sure how best to handle it for other terminators like hitch or stunnel though...

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.