Tuesday, 2018-09-04

*** sri_ has quit IRC00:23
*** sri_ has joined #openstack-lbaas00:23
*** sri_ has quit IRC00:35
*** srini_ has joined #openstack-lbaas00:35
*** srini_ has quit IRC00:48
*** srini_ has joined #openstack-lbaas00:49
*** hongbin has joined #openstack-lbaas00:58
*** srini_ has quit IRC01:04
*** srini__ has joined #openstack-lbaas01:05
*** rcernin has quit IRC01:24
*** rcernin has joined #openstack-lbaas01:24
*** bzhao__ has joined #openstack-lbaas01:26
*** srini__ has quit IRC01:42
*** sri_ has joined #openstack-lbaas01:42
*** sri_ has quit IRC01:45
*** sri_ has joined #openstack-lbaas01:45
*** sri_ has quit IRC01:48
*** sri_ has joined #openstack-lbaas01:49
*** yamamoto has quit IRC01:50
bzhao__johnsom:  Hi micheal, could you please have a quick look about https://storyboard.openstack.org/#!/story/2003609 ? does it clear for you? ;-)01:55
*** sri_ has quit IRC01:56
*** sri_ has joined #openstack-lbaas01:57
openstackgerritLingxian Kong proposed openstack/octavia master: Valide member address for lb graph creation  https://review.openstack.org/59946701:57
*** yamamoto has joined #openstack-lbaas02:11
*** sri_ has quit IRC02:11
*** sri_ has joined #openstack-lbaas02:12
sapd1I can't setup redirect http to https (backend is wordpress). If I follow L7 Loadbalancing Cook book, I saw Haproxy use redirect location instead of redirect prefix so When I access every posts or wp-admin page . It redirect to home page.02:14
*** sri_ has quit IRC02:31
*** sri_ has joined #openstack-lbaas02:31
sapd1I think to redirect from http to https we should use redirect schema in haproxy.02:34
openstackgerritLingxian Kong proposed openstack/octavia master: Valide member address for lb graph creation  https://review.openstack.org/59946702:36
*** sri_ has quit IRC02:54
*** sri_ has joined #openstack-lbaas02:54
bzhao__Does it work for you? But you need to specify the listener protocol with PROTOCOL_TERMINATED_HTTPS https://www.irccloud.com/pastebin/t3sj0mVT/03:02
bzhao__This is the current listener configuration template.03:02
*** sri_ has quit IRC03:04
*** sri_ has joined #openstack-lbaas03:04
*** kiennt26 has joined #openstack-lbaas03:04
sapd1bzhao__:  because if we use "redirect location" It always redirect to a specific URL instead of https or prefix03:06
sapd1So if we have to use TERMINATED_HTTPS protocol in port 80? Because redirect schema is performed in http frontend not https frontend.03:08
bzhao__Yes, you are right. your case is that SSL will be hold by backend servers, not haproxy.03:34
bzhao__ curl -v --cacert www.server2.com.crt https://www.server2.com:80 -L   only success with https:8003:36
*** ramishra has joined #openstack-lbaas03:48
*** reedipb has quit IRC03:58
sapd1bzhao__: In the case redirect http to https, I tried creating two listener TLS Terminated ( on port 80 not include certificate) So It's worked.04:25
sapd1to forward https protocol to backend (backend is running in http protocol) We have to add `reqadd X-Forwarded-Proto:\ https` in tls terminated.04:27
*** kiennt26 has quit IRC04:27
sapd1bzhao__: Have you tried running wordpress bebind Octavia loadbalancer yet?04:27
*** sri_ has quit IRC04:36
*** sri_ has joined #openstack-lbaas04:37
*** sri_ has quit IRC04:42
*** sri_ has joined #openstack-lbaas04:42
*** sri_ has quit IRC04:43
*** hongbin has quit IRC04:58
*** yboaron_ has joined #openstack-lbaas05:11
*** mugsie has quit IRC05:49
*** zigo has quit IRC05:49
*** yboaron_ has quit IRC06:15
*** rcernin has quit IRC06:33
bzhao__Not yet. ;(06:43
*** luksky has joined #openstack-lbaas06:58
*** velizarx has joined #openstack-lbaas07:23
*** yboaron_ has joined #openstack-lbaas07:25
*** velizarx has quit IRC07:31
*** ramishra has quit IRC07:38
*** velizarx has joined #openstack-lbaas07:42
*** ktibi has joined #openstack-lbaas07:53
*** ramishra has joined #openstack-lbaas08:00
*** velizarx has quit IRC08:04
*** Emine has joined #openstack-lbaas08:05
sapd1bzhao__: Do we need a new action in L7 policy (redirect schema) ?08:09
*** velizarx has joined #openstack-lbaas08:11
bzhao__sapd1:  Ha, just from my personal opinion, any cases are not covered by octavia, that's the work we need to do. ;-). But I think we need to cover the common cases as much as possible firstly. ;-)08:28
sapd1bzhao__: That is a common case. a site using https and every request to http listener redirect to https listener with all query parameters.08:29
bzhao__Correct. currently, she(octavia) lacks many support options for more detailed operation.08:32
bzhao__May I ask a question?  In your env, you access the website using http://XXX on browser, it will redirect to https://XXX, right? So you may look the storyboard https://storyboard.openstack.org/#!/story/2003609  ?  HA. ;-)08:36
bzhao__I  just re-read your last message, that may be the same usecase. ;-)08:37
*** ccamposr has joined #openstack-lbaas08:40
sapd1bzhao__: yep. It's very common use case. You can create two listener (both use TLS Terminated) one on port 80 to serve http://test.com, the other on port 443 to serve https://test.com. On listener use port 443, You set certificate for it.08:41
sapd1It worked. Because when We use TLS Terminated protocol octavia generate `redirect schema https` for that listener.08:42
*** yamamoto has quit IRC08:43
bzhao__sapd1:  Yeah. Thanks. That's right..Ah, I realize why you asking the redirect location question. ;-)08:44
bzhao__sapd1: actually, what we want is just a work listener, maybe the https listener, other listeners(maybe serve 80, or some part of url/domain name) can redirect the traffic to the https listener.08:46
bzhao__sapd1:  Because from 80 to 443, we need 2 listeners at least..08:46
sapd1yes. Indeed, to redirect from 80 to 443 we have to create 2 listeners, So Should we create a new action ( redirect schema or redirect https for L7 policy)08:48
*** sri_ has joined #openstack-lbaas08:50
bzhao__sapd1: hmm, I just want to introduce a new field 'redirect_to_listener' for l7 policy now, my previous thought is configure the haproxy silencely(not expose so much info to users), but you mentioned the "prefix"/"schema" case, I'm thinking about it whether we should support them and how..08:55
bzhao__'redirect_to_listener'  for "action"08:55
bzhao__But I'm totally agree that those are very common cases.08:56
sapd1bzhao__: How do you configure haproxy with redirect_to_listener option?08:58
bzhao__This is the https listener, and backend server serve http. Haproxy will hold the SSL. https://www.irccloud.com/pastebin/b7iHAoDD/08:59
bzhao__This is the http listener. This listener will redirect the traffic to https listener. https://www.irccloud.com/pastebin/x2conQNJ/09:01
bzhao__Then we can access like this. https://www.irccloud.com/pastebin/DU882nOF/09:02
sapd1Could you try access sub location such as http://www.server2.com:8001/test/index.html Does it redirect to https://www.server2.com:4447/test/index.html09:12
bzhao__I use nc for simulating the http server. ;(. But I think it will be failure, as it configured "redirect location".09:18
*** yamamoto has joined #openstack-lbaas09:19
sapd1bzhao__: You can try use `python -m SimpleHTTPServer 8080`09:20
bzhao__it can not work if set "location". But work when "prefix"09:26
bzhao__Wow, you show me a new world. ;-). Thank you.09:27
sapd1bzhao__: You should use schema instead of of prefix09:28
openstackgerritMerged openstack/neutron-lbaas master: nlbaas2octavia: Escape 'key' field calls  https://review.openstack.org/59200609:31
bzhao__sapd1:  Add into the http listener? But If we add it there, the http listener will be the https listener. We can not redirect.09:33
sapd1bzhao__: Oh because You are using 4447 for https port. So we have to modify this port :D09:36
bzhao__sapd1:  Yeah. ;-)09:36
bzhao__sapd1:  Because we need to allow users to setup their server with other ports..;-)09:37
sapd1so use schema is not solve this problem in case does not use 80 or 443 port09:37
bzhao__yeah, it just change http:// -> https://09:38
sapd1bzhao__:  But It's not common case. I think09:41
bzhao__sapd1:  =。= , hmm, but how about we provide that ability? we can just to change the port from not 80 to 443 ?09:45
bzhao__is there any potential issues which I don't realize yet?09:47
bzhao__sapd1:  I test with common case, 80, 443. It can work as wish with schema.09:47
*** ataraday has quit IRC09:56
sapd1bzhao__: So we create a new action redirect to listener or other way?10:00
*** yamamoto has quit IRC10:11
*** yamamoto has joined #openstack-lbaas10:11
bzhao__sapd1:  Yeah,  "redirect_listener_id" and "redirect_to_listener" into L7Policy like the RFE proposed. If we support that, users will not care about what the listened listener port .10:18
*** yamamoto has quit IRC10:20
bzhao__if common case, we use schema,  if not 80 / not 443, we use location/prefix.10:20
sapd1:D too complicated. ;D10:37
*** yamamoto has joined #openstack-lbaas10:44
bzhao__sapd1: =.= , HA ;D.10:45
*** mugsie has joined #openstack-lbaas10:46
*** takamatsu has joined #openstack-lbaas11:00
*** luksky has quit IRC11:05
*** luksky has joined #openstack-lbaas11:40
openstackgerritMichal Rostecki proposed openstack/octavia master: devstack: Define packages for (open)SUSE  https://review.openstack.org/59177411:53
*** dims has joined #openstack-lbaas11:56
*** velizarx has quit IRC13:01
*** velizarx has joined #openstack-lbaas13:05
*** sapd1_ has joined #openstack-lbaas14:19
*** sri_ has quit IRC14:33
openstackgerritMichael Johnson proposed openstack/octavia-tempest-plugin master: Fix tests to honor Octavia API versioning  https://review.openstack.org/59478614:46
*** yamamoto has quit IRC15:05
*** yamamoto has joined #openstack-lbaas15:05
*** openstackgerrit has quit IRC15:20
*** ramishra has quit IRC15:25
*** Emine has quit IRC15:31
*** sri_ has joined #openstack-lbaas15:38
*** velizarx has quit IRC15:39
*** ktibi has quit IRC15:40
*** fnaval has joined #openstack-lbaas15:57
*** yamamoto has quit IRC15:58
*** yamamoto has joined #openstack-lbaas15:58
*** dolly_ has joined #openstack-lbaas16:07
*** dolly_ has quit IRC16:30
*** luksky has quit IRC16:53
*** yboaron_ has quit IRC16:58
*** sri_ has quit IRC17:03
*** sapd1_ has quit IRC17:05
*** ccamposr has quit IRC17:08
*** openstackgerrit has joined #openstack-lbaas18:24
openstackgerritMichael Johnson proposed openstack/octavia-tempest-plugin master: Fix tests to honor Octavia API versioning  https://review.openstack.org/59478618:24
*** luksky has joined #openstack-lbaas18:28
*** luksky has quit IRC21:28
*** KeithMnemonic has joined #openstack-lbaas21:56
*** ianychoi has quit IRC22:22
*** celebdor has quit IRC22:40
*** spartakos has joined #openstack-lbaas22:48
*** rcernin has joined #openstack-lbaas22:55
*** ianychoi has joined #openstack-lbaas23:16
openstackgerritLingxian Kong proposed openstack/octavia master: Valide member address for lb graph creation  https://review.openstack.org/59946723:20
*** fnaval has quit IRC23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!