Ask Your Question
0

How to configure haproxy for https dashboard

asked 2014-12-02 01:26:38 -0500

laocius gravatar image

I tried to use haproxy for the dashboard high availability and encryption. I can visit my dashboard through https://my_ip/dashboard . But when I tried to login, it will redirect the page to http, which is not encrypted.

here's my haproxy configuration:

frontend horizon-https-vip

bind x.x.x.x:443 ssl crt /root/server.pem ca-file /root/server.crt

reqadd X-Forwarded-Proto:\ https

default_backend horizon-https-api

backend horizon-https-api

    redirect scheme https code 301 if !{ ssl_fc }

    balance  source

    cookie  SERVERID insert indirect nocache

    mode  http

    option  forwardfor

    option  httpchk

    option  httpclose

    rspidel  ^Set-cookie:\ IP=

    server controller01 10.0.0.1:80 cookie controller01 check inter 2000 rise 2 fall 5

    server controller02 10.0.0.2:80 cookie controller02 check inter 2000 rise 2 fall 5
edit retag flag offensive close merge delete

Comments

Did you change something on Horizons configs? Ususally, when choosing either http or https, your connection stays that way. Are your LB to force sessions to be https?

mrunge gravatar imagemrunge ( 2014-12-02 01:53:36 -0500 )edit

1 answer

Sort by ยป oldest newest most voted
1

answered 2015-12-08 03:57:28 -0500

sxc731 gravatar image

updated 2016-02-19 02:38:31 -0500

Looks like you're nearly there. All it took to fix mine in that state was to uncomment the following line in /etc/openstack-dashboard/local_settings.py:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

Depending on the version of Django in use, you may need notice that the header looks different (mine as deployed by Mirantis OS 6.1 (Juno) says HTTP_X_FORWARDED_PROTOCOL, although it seems to have changed in Django 1.5). To be "forward-compatible", I have left both versions in haproxy's front-end declaration:

  reqadd X-Forwarded-Proto:\ https
  reqadd X-Forwarded-Protocol:\ https

Then restart the haproxy resource: crm resource restart p_haproxy (you may need to adjust the name of the resource and/or restart method if not using Pacemaker/corosync).

I have penned more comprehensive answer here: https://ask.openstack.org/en/question...

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-12-02 01:26:38 -0500

Seen: 2,567 times

Last updated: Feb 19 '16