Friday is for Yak Shaving

My mate Derek was giving me grief about not testing his OpenStack deployment in our lab at Red Hat. Friday seemed like a good day to give it a shot for a few minutes.

First problem - I'm one of the weird people at Red Hat who eschews the VPN in favour of SSH tunnels. At first, I figured I'd tunnel directly to the various OpenStack API services but that didn't work because the endpoint URLs returned by keystone obviously wouldn't point to my tunnelled connections.

Ok, let's just use a HTTP proxy, that should be fine. But no, not on yak shaving day. For some reason, I was getting 403 Forbidden errors.

To cut a long story short, it turns out:

  • httplib2 always uses HTTP CONNECT tunneling rather than just sending the requests directly to the proxy
  • squid by default and, indeed, our corporate proxy defaults to rejecting CONNECT for ports other than 443
  • The recently released httplib2 0.7.5 has a PROXY_TYPE_HTTP_NO_TUNNEL which only uses CONNECT tunnelling for port 443, but it doesn't use this type when you configure your proxy via http_proxy in the environment

Not content with shaving the yak once, I shaved her thrice:

One other troubling conclusion is that if you're exposing the services over HTTPS, you really should use port 443 for everything or clients won't be able to connect over many proxies.

Tagged