From 755d845e5d56569312eb838fa0397328913bcf3b Mon Sep 17 00:00:00 2001
From: Alexey Deryugin
Date: Mon, 14 Dec 2015 21:08:52 +0300
Subject: [PATCH] Enable X-Forward-For header for better Keystone access logging

It was observed that HAProxy doesn't pass http header "X-Forward-For" for keystone preventing placing into keystone access log IP addresses initiating connection, and rather placing there HAPorxy IP address. This has security implications, as one would like to analyze Keystone access logs to discover failed login attempts and discover their IP source address (source of requests) will be unable to get real source of incoming to Keystone requests.

Change-Id: I4139919e10d50abcb77b0521efa0037345f9582f
Closes-Bug: #1521228
---
 deployment/puppet/openstack/manifests/ha/keystone.pp | 2 +-
 .../openstack/spec/classes/openstack_ha_keystone_spec.rb | 4 ++--
 deployment/puppet/osnailyfacter/modular/keystone/keystone.pp | 2 +-
 .../openstack-haproxy/openstack-haproxy-keystone_spec.rb | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/deployment/puppet/openstack/manifests/ha/keystone.pp b/deployment/puppet/openstack/manifests/ha/keystone.pp
index 612c3b2fd1..dbdd8b4804 100644
--- a/deployment/puppet/openstack/manifests/ha/keystone.pp
+++ b/deployment/puppet/openstack/manifests/ha/keystone.pp
@@ -72,7 +72,7 @@ class openstack::ha::keystone (
 internal_ssl => $internal_ssl,
 internal_ssl_path => $internal_ssl_path,
 haproxy_config_options => {
- option => ['httpchk', 'httplog', 'httpclose'],
+ option => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
 'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
 },
 balancermember_options => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
diff --git a/deployment/puppet/openstack/spec/classes/openstack_ha_keystone_spec.rb b/deployment/puppet/openstack/spec/classes/openstack_ha_keystone_spec.rb
index 4e1e071da9..0343a337fe 100644
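Review bot: `option forwardfor` appends HAProxy's view of the peer address to any X-Forwarded-For header the client already sent rather than replacing it, so after this hunk a request that arrives with its own X-Forwarded-For reaches Keystone carrying `<client-supplied value>, <address seen by HAProxy>`, and the companion keystone.pp change logs that header verbatim. For a log meant to attribute failed logins, the front-most value is therefore client-controlled; consider dropping the inbound header before HAProxy adds its own, e.g. `'http-request' => 'del-header X-Forwarded-For'` alongside the existing `set-header X-Forwarded-Proto` entry (that key currently holds a single string, so it presumably needs an array value — verify the haproxy module accepts that and that del-header runs before the forwardfor insertion), or at least document on the class that only the last comma-separated entry is HAProxy's. The two spec hunks mirror this option list and need no separate change beyond tracking whatever is chosen. The `openstack::ha::keystone` class begins and ends outside the hunk.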
--- a/deployment/puppet/openstack/spec/classes/openstack_ha_keystone_spec.rb
+++ b/deployment/puppet/openstack/spec/classes/openstack_ha_keystone_spec.rb
@@ -21,7 +21,7 @@ require 'spec_helper'
 'public_ssl' => true,
 'public_ssl_path' => '/var/lib/fuel/haproxy/public_keystone.pem',
 'haproxy_config_options' => {
- 'option' => ['httpchk', 'httplog','httpclose'],
+ 'option' => ['httpchk', 'httplog','httpclose', 'forwardfor'],
 'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
 },
 'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
@@ -34,7 +34,7 @@ require 'spec_helper'
 'listen_port' => 35357,
 'public' => false,
 'haproxy_config_options' => {
- 'option' => ['httpchk', 'httplog','httpclose'],
+ 'option' => ['httpchk', 'httplog','httpclose', 'forwardfor'],
 'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
 },
 'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
diff --git a/deployment/puppet/osnailyfacter/modular/keystone/keystone.pp b/deployment/puppet/osnailyfacter/modular/keystone/keystone.pp
index df5952ba97..645c368391 100644
--- a/deployment/puppet/osnailyfacter/modular/keystone/keystone.pp
+++ b/deployment/puppet/osnailyfacter/modular/keystone/keystone.pp
@@ -158,7 +158,7 @@ class { 'keystone::wsgi::apache': workers => min($::processorcount, 6), ssl => $ssl, vhost_custom_fragment => $vhost_limit_request_field_size, - access_log_format => '%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"', + access_log_format => '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"', # ports and host should be set for ip_based vhost public_port => $public_port,
diff --git a/tests/noop/spec/hosts/openstack-haproxy/openstack-haproxy-keystone_spec.rb b/tests/noop/spec/hosts/openstack-haproxy/openstack-haproxy-keystone_spec.rb
index 75ee742389..434ac6406b 100644
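Review bot: The new `access_log_format` in the keystone.pp hunk removes `%h` entirely, so a request that reaches Apache without an X-Forwarded-For header (anything not routed through HAProxy) is logged with `-` where the peer address used to be, and when the header is present its raw, possibly comma-separated, client-supplied value is recorded as the source. Keeping the peer address beside the header, `access_log_format => '%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'`, preserves enough to tell which hop inserted the value and to spot entries that did not come via the proxy. The stronger fix is Apache mod_remoteip with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy` restricted to the HAProxy addresses, after which `%a` yields a trust-bounded client address; whether `keystone::wsgi::apache` exposes a way to set that is not visible here. The `class { 'keystone::wsgi::apache': }` resource begins before the hunk and continues past it.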
--- a/tests/noop/spec/hosts/openstack-haproxy/openstack-haproxy-keystone_spec.rb
+++ b/tests/noop/spec/hosts/openstack-haproxy/openstack-haproxy-keystone_spec.rb
@@ -15,7 +15,7 @@ describe manifest do
 'public' => true,
 'public_ssl' => public_ssl_keystone,
 'haproxy_config_options' => {
- 'option' => ['httpchk', 'httplog', 'httpclose'],
+ 'option' => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
 'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
 },
 )
@@ -27,7 +27,7 @@ describe manifest do
 'listen_port' => 35357,
 'public' => false,
 'haproxy_config_options' => {
- 'option' => ['httpchk', 'httplog', 'httpclose'],
+ 'option' => ['httpchk', 'httplog', 'httpclose', 'forwardfor'],
 'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
 },
 )