opendevreview | Gregory Thiemonge proposed openstack/octavia master: Add spec for custom SGs on VIP ports https://review.opendev.org/c/openstack/octavia/+/915114 | 07:49 |
feld1 | How do you express the haproxy configuration "http-request redirect scheme https" with Octavia? | 17:39 |
*** | feld1 is now known as feld | 17:40 |
johnsom | For TERMINATED_HTTPS load balancers, that is added automatically | 17:42 |
feld | TERMINATED_HTTPS is the protocol of the listener, not the load balancer. It doesn't automatically listen on port 80 from what I'm seeing | 17:44 |
johnsom | Correct, you have to add a listener to define a port to listen on | 17:44 |
feld | I've been googling for hours trying to find some example of this being implemented or how this works and it's impossible to find :( | 17:45 |
johnsom | https://docs.openstack.org/octavia/latest/user/guides/l7-cookbook.html#redirect-http-www-example-com-to-https-www-example-com | 17:46 |
feld | that documentation is wrong lol, I was about to report that too | 17:46 |
johnsom | Our cookbooks in the user guide have a bunch of examples for different scenarios | 17:46 |
feld | the cli commands do not at all reflect the solution above | 17:46 |
feld | > Set up an L7 Policy policy1 on http_listener with action REDIRECT_TO_URL pointed at the URL https://www.example.com/ | 17:47 |
feld | openstack loadbalancer l7policy create --action REDIRECT_PREFIX --redirect-prefix https://www.example.com/ --name policy1 http_listener | 17:47 |
feld | Why is it giving an REDIRECT_PREFIX action when that's not what was discussed in the solution? | 17:47 |
johnsom | Yeah, I see that typo. We have both URL and PREFIX as options. URL is full path, PREFIX is just the start | 17:48 |
feld | and this is L7 policy/rule solution which doesn't match the initial answer you provided here about it being automatic | 17:48 |
feld | these L7 rules won't work at all because they require hardcoding domains in there, so if you have a wildcard certificate or multiple domains on a cert... nowhere do the docs demonstrate you can use variables in the REDIRECT_URL | 17:49 |
feld | I appreciate that there's an IRC channel here and people around to answer silly questions like this, so thank you sooooo much, really! | 17:50 |
johnsom | You cannot use variables in REDIRECT URL. If you are using SNI, redirect to the IP address | 17:50 |
johnsom | But, actually, I see what you are saying. | 17:55 |
johnsom | Funny that scenario hasn't come up in all of these years, people have used the redirect_prefix | 17:57 |
johnsom | Ok, I think we should have a simpler solution for this. If you want to open an RFE that would be cool. | 17:57 |
johnsom | In the mean time, it can be done with building L7rules that matches your domain(s) such that it maps to the right redirect_prefix | 17:58 |
johnsom | That won't help with wildcard certs though. | 17:58 |
feld | yeah I have to make this work with a wildcard cert | 17:59 |
feld | RFE -- do you mean opening a bug report at the bug tracking in the /topic? | 18:00 |
feld | *bug tracking URL | 18:00 |
johnsom | Yes | 18:00 |
johnsom | A request for enhancement | 18:00 |
feld | and to confirm: I did add a listener for port 80 with the other listener doing TERMINATED_HTTPS on port 443, pool member(s) configured for port 80, and it does not automatically do the HTTPS redirect | 18:03 |
johnsom | Yeah, the redirect is automatic on port 443 in that case, the TERMINATED_HTTPS. So if you connect to 443 using HTTP it redirects. | 18:05 |
johnsom | That is the only place I found in the code that uses that scheme | 18:05 |
feld | sure, but nobody is going to connect to 443 with HTTP from their browsers :) | 18:07 |
feld | does this mean it's possible to configure the port 80 as TERMINATED_HTTPS? | 18:08 |
feld | I guess I didn't try that as it didn't seem logical | 18:08 |
johnsom | Yeah, actually, that would work | 18:08 |
johnsom | I still think we should have an RFE to add a listener protocol to make this much more straight forward. | 18:10 |
feld | Nope, that won't work. TERMINATED_HTTPS errors because I'm not providing the certificate container | 18:10 |
feld | so we really do need an RFE to solve this | 18:10 |
johnsom | Yeah, just give it the same container ID as your 443 listener | 18:11 |
feld | oooh? I figured it would try speaking HTTPS on that port then | 18:11 |
johnsom | No, it will do what you want | 18:11 |
feld | It's giving me an empty reply and closing the connection when I test it with curl | 18:13 |
johnsom | curl with --head | 18:13 |
feld | correct, I've tried with and without, and captured the debug output too | 18:13 |
johnsom | what is the output? | 18:13 |
feld | let me put this on a pastebin for you | 18:14 |
johnsom | https://paste.opendev.org/ | 18:14 |
johnsom | It should be sending back a 302 found redirect | 18:14 |
feld | https://dpaste.com/8E8T5DYNZ | 18:15 |
johnsom | Ok, that is super odd, it should always return something. | 18:18 |
johnsom | I will need to setup this scenario to test/debug. That is not the behavior I would expect given the config code. | 18:18 |
johnsom | Give me 30 to set up a test environment | 18:19 |
feld | yeah I was expecting the 302 as well | 18:19 |
feld | https://dpaste.com/GH7ECX9WD | 18:19 |
feld | if Terraform is something you can work with, I can paste you a minimal config | 18:20 |
johnsom | No thanks, I have my own tools | 18:20 |
johnsom | I see there is a TCP 80 listener, is that bound to an L7 policy still? | 18:21 |
johnsom | If it's hitting that listener, I could see it getting an empty response | 18:22 |
feld | I do not have any L7 policies deployed at this time | 18:23 |
feld | "openstack loadbalancer l7policy list" returns empty as I expected | 18:24 |
johnsom | Yeah, ok, I can reproduce that. | 18:52 |
johnsom | SSL handshake failure | 18:52 |
johnsom | And I see why | 18:54 |
johnsom | Sorry, that work around isn't going to work. | 18:54 |
feld | ok, do you want me to proceed with filing an RFE or do you have enough information to open one internally? | 19:01 |
feld | if you open one I'd like to subscribe to the issue anyway | 19:01 |
johnsom | It would be great if you could open one. It helps with prioritization if it's from a user instead of the core team. https://bugs.launchpad.net/octavia | 19:02 |
johnsom | Also, if we add this feature in Dalmatian, would you pull it down and use it, or do you need to wait for a release? | 19:02 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!