Enable X-Forward-For header for better Keystone access logging

It was observed that HAProxy doesn't pass the HTTP header "X-Forwarded-For"
to Keystone, so the Keystone access log records the HAProxy IP address
instead of the IP address of the client that initiated the connection.
This has security implications: anyone analyzing Keystone access logs to
discover failed login attempts and the source IP address of those requests
(the source of the requests) will be unable to determine the real source
of requests incoming to Keystone.

Change-Id: I4139919e10d50abcb77b0521efa0037345f9582f
Closes-Bug: #1521228
Alexey Deryugin 2015-12-14 21:08:52 +03:00
parent 39dcd26bc3
commit 755d845e5d
4 changed files with 6 additions and 6 deletions


@ -72,7 +72,7 @@ class openstack::ha::keystone (
internal_ssl => $internal_ssl,
internal_ssl_path => $internal_ssl_path,
haproxy_config_options => {
option => ['httpchk', 'httplog', 'httpclose'],
option => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
balancermember_options => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
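Review bot: `forwardfor` on the new option line appends the client address to any X-Forwarded-For header the client already sent rather than replacing it, so the value Keystone receives can begin with an attacker-chosen address and log analysis that reads the first entry would be misled. HAProxy can strip a client-supplied header before appending with `http-request del-header X-Forwarded-For`, but the `http-request` key in this hash already carries the X-Forwarded-Proto rule as a single string, so it would presumably have to become an array to hold a second rule — verify what the haproxy module renders for that case. A short comment on the option line would also help the next reader, e.g. `# forwardfor: Keystone logs %{X-Forwarded-For}i, so the client address must reach the backend`. The same option change is mirrored in the two spec hunks below (the ones under `require 'spec_helper'` and `describe manifest do`), which only update the expected hash and do not need a separate note; the `openstack::ha::keystone` class body continues outside the hunk.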


@ -21,7 +21,7 @@ require 'spec_helper'
'public_ssl' => true,
'public_ssl_path' => '/var/lib/fuel/haproxy/public_keystone.pem',
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog','httpclose'],
'option' => ['httpchk', 'httplog','httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
@ -34,7 +34,7 @@ require 'spec_helper'
'listen_port' => 35357,
'public' => false,
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog','httpclose'],
'option' => ['httpchk', 'httplog','httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',


@ -158,7 +158,7 @@ class { 'keystone::wsgi::apache':
workers => min($::processorcount, 6),
ssl => $ssl,
vhost_custom_fragment => $vhost_limit_request_field_size,
access_log_format => '%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"',
access_log_format => '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"',
# ports and host should be set for ip_based vhost
public_port => $public_port,
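Review bot: The new `access_log_format` drops `%h` entirely, so a request that reaches Apache without passing through HAProxy, or one where the header is absent, is logged with a client-supplied or empty (`-`) address and the real TCP peer is lost from the log. Keeping both fields makes the log self-validating for incident review: `access_log_format => '%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"',`. Alternatively, if the module allows it, mod_remoteip with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy` restricted to the HAProxy nodes, logging `%a`, would make Apache trust the header only when it comes from the proxies. A why-comment above the line, e.g. `# log the proxied client address; HAProxy populates X-Forwarded-For via option forwardfor`, would explain the departure from the stock format. The `keystone::wsgi::apache` resource starts and ends outside the hunk.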


@ -15,7 +15,7 @@ describe manifest do
'public' => true,
'public_ssl' => public_ssl_keystone,
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog', 'httpclose'],
'option' => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
)
@ -27,7 +27,7 @@ describe manifest do
'listen_port' => 35357,
'public' => false,
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog', 'httpclose'],
'option' => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
)