@@ -76,10 +76,13 @@ var (

 )

 type AuthConfig struct {

-	MasterAddr     string

-	MasterRoots    *x509.CertPool

-	SessionSecrets []string

-	EtcdHelper     tools.EtcdHelper

+	// URL to call internally during token request

+	MasterAddr string

+	// URL to direct browsers to the master on

+	MasterPublicAddr string

+	MasterRoots      *x509.CertPool

+	SessionSecrets   []string

+	EtcdHelper       tools.EtcdHelper

 }

 // InstallAPI starts an OAuth2 server and registers the supported REST APIs

@@ -122,9 +125,9 @@ func (c *AuthConfig) InstallAPI(container *restful.Container) []string {

 	)

 	server.Install(mux, OpenShiftOAuthAPIPrefix)

-	CreateOrUpdateDefaultOAuthClients(c.MasterAddr, oauthEtcd)

+	CreateOrUpdateDefaultOAuthClients(c.MasterPublicAddr, oauthEtcd)

 	osOAuthClientConfig := c.NewOpenShiftOAuthClientConfig(&OSBrowserClientBase)

-	osOAuthClientConfig.RedirectUrl = c.MasterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint

+	osOAuthClientConfig.RedirectUrl = c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint

 	osOAuthClient, _ := osincli.NewClient(osOAuthClientConfig)

 	if c.MasterRoots != nil {

@@ -157,14 +160,14 @@ func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.Client) *osi

 		ClientSecret:             client.Secret,

 		ErrorsInStatusCode:       true,

 		SendClientSecretInParams: true,

-		AuthorizeUrl:             c.MasterAddr + OpenShiftOAuthAPIPrefix + "/authorize",

+		AuthorizeUrl:             c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + "/authorize",

 		TokenUrl:                 c.MasterAddr + OpenShiftOAuthAPIPrefix + "/token",

 		Scope:                    "",

 	}

 	return config

 }

-func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthclient.Registry) {

+func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, clientRegistry oauthclient.Registry) {

 	clientsToEnsure := []*oauthapi.Client{

 		{

 			ObjectMeta: kapi.ObjectMeta{

@@ -172,7 +175,7 @@ func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthcl

 			},

 			Secret:                OSBrowserClientBase.Secret,

 			RespondWithChallenges: OSBrowserClientBase.RespondWithChallenges,

-			RedirectURIs:          []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},

+			RedirectURIs:          []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},

 		},

 		{

 			ObjectMeta: kapi.ObjectMeta{

@@ -180,7 +183,7 @@ func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthcl

 			},

 			Secret:                OSCliClientBase.Secret,

 			RespondWithChallenges: OSCliClientBase.RespondWithChallenges,

-			RedirectURIs:          []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},

+			RedirectURIs:          []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},

 		},

 	}

@@ -256,7 +259,7 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, sessionStore sess

 		}

 		state := external.DefaultState()

-		oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterAddr+callbackPath, successHandler, errorHandler, identityMapper)

+		oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterPublicAddr+callbackPath, successHandler, errorHandler, identityMapper)

 		if err != nil {

 			glog.Fatalf("unexpected error: %v", err)

 		}

@@ -80,13 +80,18 @@ const (

 // MasterConfig defines the required parameters for starting the OpenShift master

 type MasterConfig struct {

-	BindAddr       string

-	MasterAddr     string

-	AssetAddr      string

+	// host:port to bind master to

+	MasterBindAddr string

+	// host:port to bind asset server to

+	AssetBindAddr string

+	// url to access the master API on within the cluster

+	MasterAddr string

+	// url to access kubernetes API on within the cluster

 	KubernetesAddr string

 	// external clients may need to access APIs at different addresses than internal components do

 	MasterPublicAddr     string

 	KubernetesPublicAddr string

+	AssetPublicAddr      string

 	TLS bool

@@ -299,7 +304,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) {

 	}

 	server := &http.Server{

-		Addr:           c.BindAddr,

+		Addr:           c.MasterBindAddr,

 		Handler:        handler,

 		ReadTimeout:    5 * time.Minute,

 		WriteTimeout:   5 * time.Minute,

@@ -325,7 +330,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) {

 	}, 0)

 	// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)

-	cmdutil.WaitForSuccessfulDial("tcp", c.BindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)

+	cmdutil.WaitForSuccessfulDial("tcp", c.MasterBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)

 }

 // wireAuthenticationHandling creates and binds all the objects that we only care about if authentication is turned on.  It's pulled out

@@ -421,7 +426,7 @@ func (c *MasterConfig) RunAssetServer() {

 	)

 	server := &http.Server{

-		Addr:           c.AssetAddr,

+		Addr:           c.AssetBindAddr,

 		Handler:        mux,

 		ReadTimeout:    5 * time.Minute,

 		WriteTimeout:   5 * time.Minute,

@@ -437,16 +442,18 @@ func (c *MasterConfig) RunAssetServer() {

 				// This allows certificates to be validated by authenticators, while still allowing other auth types

 				ClientAuth: tls.RequestClientCert,

 			}

-			glog.Infof("Started OpenShift static asset server at https://%s", c.AssetAddr)

+			glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr)

 			glog.Fatal(server.ListenAndServeTLS(c.AssetCertFile, c.AssetKeyFile))

 		} else {

-			glog.Infof("Started OpenShift static asset server at http://%s", c.AssetAddr)

+			glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr)

 			glog.Fatal(server.ListenAndServe())

 		}

 	}, 0)

 	// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)

-	cmdutil.WaitForSuccessfulDial("tcp", c.AssetAddr, 100*time.Millisecond, 100*time.Millisecond, 100)

+	cmdutil.WaitForSuccessfulDial("tcp", c.AssetBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)

+

+	glog.Infof("OpenShift UI available at %s", c.AssetPublicAddr)

 }

 // RunBuildController starts the build sync loop for builds and buildConfig processing.

@@ -110,8 +110,8 @@ func NewCommandStartServer(name string) *cobra.Command {

 		EtcdAddr:             flagtypes.Addr{Value: "0.0.0.0:4001", DefaultScheme: "http", DefaultPort: 4001}.Default(),

 		KubernetesAddr:       flagtypes.Addr{DefaultScheme: "https", DefaultPort: 8443}.Default(),

 		PortalNet:            flagtypes.DefaultIPNet("172.30.17.0/24"),

-		MasterPublicAddr:     flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443, AllowPrefix: true}.Default(),

-		KubernetesPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443}.Default(),

+		MasterPublicAddr:     flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(),

+		KubernetesPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(),

 		Hostname: hostname,

 		NodeList: flagtypes.StringList{"127.0.0.1"},

@@ -246,20 +246,27 @@ func start(cfg *config, args []string) error {

 			k8sPublicAddr = cfg.KubernetesAddr

 		}

-		assetAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1))

+		// Derive the asset bind address by incrementing the master bind address port by 1

+		assetBindAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1))

+		// Derive the asset public address by incrementing the master public address port by 1

+		assetPublicAddr := *masterPublicAddr.URL

+		assetPublicAddr.Host = net.JoinHostPort(masterPublicAddr.Host, strconv.Itoa(masterPublicAddr.Port+1))

 		// always include the all-in-one server's web console as an allowed CORS origin

 		// always include localhost as an allowed CORS origin

 		// always include master and kubernetes public addresses as an allowed CORS origin

-		cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, assetAddr, "localhost", "127.0.0.1",

-			cfg.MasterPublicAddr.URL.Host, cfg.KubernetesPublicAddr.URL.Host)

+		for _, origin := range []string{assetPublicAddr.Host, masterPublicAddr.URL.Host, k8sPublicAddr.URL.Host, "localhost", "127.0.0.1"} {

+			// TODO: check if origin is already allowed

+			cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, origin)

+		}

 		osmaster := &origin.MasterConfig{

-			TLS:                   cfg.MasterAddr.URL.Scheme == "https",

-			BindAddr:              cfg.BindAddr.URL.Host,

+			TLS:                   cfg.BindAddr.URL.Scheme == "https",

+			MasterBindAddr:        cfg.BindAddr.URL.Host,

 			MasterAddr:            cfg.MasterAddr.URL.String(),

 			MasterPublicAddr:      masterPublicAddr.URL.String(),

-			AssetAddr:             assetAddr,

+			AssetBindAddr:         assetBindAddr,

+			AssetPublicAddr:       assetPublicAddr.String(),

 			KubernetesAddr:        cfg.KubernetesAddr.URL.String(),

 			KubernetesPublicAddr:  k8sPublicAddr.URL.String(),

 			EtcdHelper:            etcdHelper,

@@ -344,10 +351,11 @@ func start(cfg *config, args []string) error {

 		osmaster.EnsureCORSAllowedOrigins(cfg.CORSAllowedOrigins)

 		auth := &origin.AuthConfig{

-			MasterAddr:     cfg.MasterAddr.URL.String(),

-			MasterRoots:    roots,

-			SessionSecrets: []string{"secret"},

-			EtcdHelper:     etcdHelper,

+			MasterAddr:       cfg.MasterAddr.URL.String(),

+			MasterPublicAddr: masterPublicAddr.URL.String(),

+			MasterRoots:      roots,

+			SessionSecrets:   []string{"secret"},

+			EtcdHelper:       etcdHelper,

 		}

 		if startKube {