Ask Your Question

services using publicurl not internalurl endpoints

asked 2015-12-15 14:22:09 -0500

Openstack Juno release

We want to configure our endpoints to use SSL for the public interfaces and non SSL for the internal/admin url endpoints. Our services insist on using the publicurl endpoints (SSL), and not the internalurl or adminurl. This is of course causing our services to fail. I thought Openstack services by default would use internalurl endpoint.

I cannot find a configuration setting in neutron/nova/glance etc... anywhere, which would tell the services to use a specific endpoint. Could someone shed some light on my knowledge shortcomings?


edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2015-12-17 06:26:17 -0500

Vinoth gravatar image

There are different API endpoints exposed by each service. Each of these service expose different or subset of APIs. APIs available through ADMIN url may not be available through public APIs.

E.g following are different endpoints.


Here publicurl and internalurl are same and adminurl is different. So APIs available in adminurl are not available in public/internal. In some case all public, internal and admin are same. It means to say that there is not different among them.

I'm not quite clear from you question on which component you trying this. Is it keystone or nova or some other component. Also what is the use case you are trying to solve? Is it for understanding these URLs or are you trying to solve some real world use case?


edit flag offensive delete link more


Hi Vinoth, thanks for helping.

I'm new to this forum, I don't and can't answer my own question, so I guess I have to add a comment to reply to you? Or rather, multiple comments to fit it all in?

Your example is for keystone, using the different ports for different API's, understood. See next:

PelletHopper gravatar imagePelletHopper ( 2015-12-17 07:41:31 -0500 )edit

As an example, our nova endpoints are:

public: https://vip-nova:8774/v2 internal: http://vip-nova:8774/v2 admin http://vip-nova:8774/v2

PelletHopper gravatar imagePelletHopper ( 2015-12-17 07:41:54 -0500 )edit

To my understanding, the public endpoint is the public facing API, and we want that to go through the SSL terminated vips on our haproxy systems. The internal and admin endpoints are what I thought the nova-api services would use. But this is not true. As an example, if I ran a:

nova list

PelletHopper gravatar imagePelletHopper ( 2015-12-17 07:42:10 -0500 )edit

The command will fail with SSL certificate errors, as it will use the public facing SSL based endpoint described above. We thought nova, as an example, would use either the internal or admin endpoints. We have configured all the endpoints, ie. neutron, glance, heat etc...

PelletHopper gravatar imagePelletHopper ( 2015-12-17 07:42:26 -0500 )edit

All of them use https for the public facing endpoints. The services are all failing because they seem to default to the public endpoints. So my question is: Is there a way to configure these services to use the admin or internal endpoints and not the public endpoints?

PelletHopper gravatar imagePelletHopper ( 2015-12-17 07:43:31 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-12-15 14:22:09 -0500

Seen: 975 times

Last updated: Dec 17 '15