Enable X-Forward-For header for better Keystone access logging
It was observed that HAProxy does not pass the "X-Forwarded-For" header to Keystone, so the Keystone access log records the HAProxy address instead of the IP address that initiated the connection. This has security implications: anyone analyzing Keystone access logs to discover failed login attempts and their source IP addresses will be unable to determine the real origin of requests reaching Keystone. Change-Id: I4139919e10d50abcb77b0521efa0037345f9582f Closes-Bug: #1521228
This commit is contained in:
parent
39dcd26bc3
commit
755d845e5d
@ -72,7 +72,7 @@ class openstack::ha::keystone (
internal_ssl => $internal_ssl,
internal_ssl_path => $internal_ssl_path,
haproxy_config_options => {
option => ['httpchk', 'httplog', 'httpclose'],
option => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
balancermember_options => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
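Review bot: `option forwardfor` on the changed `option` line appends HAProxy's view of the client address to any X-Forwarded-For header the client already sent, so a client can prepend arbitrary addresses and the first value Keystone logs becomes attacker-controlled. Since the stated goal is attributing failed logins to a source address, strip the inbound header before forwarding, e.g. extend the `http-request` entry to `['del-header X-Forwarded-For', 'set-header X-Forwarded-Proto https if { ssl_fc }']` (assuming the haproxy module renders array values as one directive per line — confirm). If that is not possible, whoever consumes the log must take the last address in the list rather than the first. The enclosing class `openstack::ha::keystone` begins outside the hunk.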
@ -21,7 +21,7 @@ require 'spec_helper'
'public_ssl' => true,
'public_ssl_path' => '/var/lib/fuel/haproxy/public_keystone.pem',
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog','httpclose'],
'option' => ['httpchk', 'httplog','httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
@ -34,7 +34,7 @@ require 'spec_helper'
'listen_port' => 35357,
'public' => false,
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog','httpclose'],
'option' => ['httpchk', 'httplog','httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
@ -158,7 +158,7 @@ class { 'keystone::wsgi::apache':
workers => min($::processorcount, 6),
ssl => $ssl,
vhost_custom_fragment => $vhost_limit_request_field_size,
access_log_format => '%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"',
access_log_format => '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"',
# ports and host should be set for ip_based vhost
public_port => $public_port,
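Review bot: Replacing `%h` with `%{X-Forwarded-For}i` in the `access_log_format` line logs a request header verbatim, so the recorded address is only as trustworthy as whatever is in front of Apache; a request that reaches this vhost without passing through HAProxy, or one that already carries the header, logs `-` or an arbitrary, possibly comma-separated value, and this format no longer records the actual peer at all. Keep the peer alongside the header, `'%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'`, or better, enable mod_remoteip (`RemoteIPHeader X-Forwarded-For` with `RemoteIPInternalProxy` listing only the HAProxy nodes) and log `%a`, so a forwarded address is accepted only from the known proxies. Note also that a multi-valued header breaks space-delimited parsers that expect a single address in the first field. The `keystone::wsgi::apache` resource declaration continues outside the hunk.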
@ -15,7 +15,7 @@ describe manifest do
'public' => true,
'public_ssl' => public_ssl_keystone,
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog', 'httpclose'],
'option' => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
)
@ -27,7 +27,7 @@ describe manifest do
'listen_port' => 35357,
'public' => false,
'haproxy_config_options' => {
'option' => ['httpchk', 'httplog', 'httpclose'],
'option' => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
},
)