Enable X-Forwarded-For for RadosGW service

Enable insertion of the X-Forwarded-For header to requests
sent to RadosGW servers. Added "httpclose" on server side to ensure
that every request will be rewritten and not only the first one of
each session.

Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
Change-Id: Ieed9d2cc7b06ba2b864b2751b76dce010178be65
Closes-Bug: #1523906
Closes-Bug: #1523895

deployment/puppet/ceph/manifests/params.pp

@@ -21,6 +21,7 @@ class ceph::params {
       $dir_httpd_conf             = '/etc/httpd/conf/'
       $dir_httpd_sites            = '/etc/httpd/conf.d/'
       $dir_httpd_ssl              = '/etc/httpd/ssl/'
+      $dir_httpd_log              = '/var/log/httpd/'
 
       package { ['ceph', 'redhat-lsb-core','ceph-deploy',]:
         ensure => installed,
@@ -46,6 +47,7 @@ class ceph::params {
       $dir_httpd_conf             = '/etc/httpd/conf/'
       $dir_httpd_sites            = '/etc/apache2/sites-available/'
       $dir_httpd_ssl              = '/etc/apache2/ssl/'
+      $dir_httpd_log              = '/var/log/apache2/'
 
       package { ['ceph','ceph-deploy', ]:
         ensure => installed,

deployment/puppet/ceph/manifests/radosgw.pp

@@ -1,10 +1,3 @@
-# enable an Apache module
-define apache::loadmodule () {
-  exec { "/usr/sbin/a2enmod ${name}" :
-    unless => "/bin/readlink -e /etc/apache2/mods-enabled/${name}.load",
-    notify => Service['httpd']
-  }
-}
 
 # deploys Ceph radosgw as an Apache FastCGI application
 class ceph::radosgw (
@@ -49,6 +42,7 @@ class ceph::radosgw (
   $keyring_path     = "/etc/ceph/keyring.${rgw_id}"
   $radosgw_auth_key = "client.${rgw_id}"
   $dir_httpd_root   = '/var/www/radosgw'
+  $dir_httpd_log    = $::ceph::params::dir_httpd_log
 
   package { [$::ceph::params::package_radosgw,
              $::ceph::params::package_fastcgi,

deployment/puppet/ceph/templates/rgw.conf.erb

@@ -19,6 +19,10 @@ FastCgiExternalServer <%= @dir_httpd_root %>/s3gw.fcgi -socket /tmp/radosgw.sock
     </Directory>
   </IfModule>
 
+  ## Logging
+  ErrorLog "<%= @dir_httpd_log %>radosgw_error.log"
+  CustomLog "<%= @dir_httpd_log %>radosgw_access.log" forwarded
+
   AllowEncodedSlashes On
   ServerSignature Off
 </VirtualHost>

deployment/puppet/openstack/manifests/ha/radosgw.pp

@@ -47,7 +47,7 @@ class openstack::ha::radosgw (
     public_virtual_ip      => $public_virtual_ip,
     server_names           => $server_names,
     haproxy_config_options => {
-      'option'       => ['httplog', 'httpchk GET /'],
+      'option'       => ['httplog', 'httpchk HEAD /', 'http-server-close', 'forwardfor'],
       'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
     },
   }

deployment/puppet/openstack/spec/classes/openstack_ha_radosgw_spec.rb

@@ -1,18 +1,32 @@
 require 'spec_helper'
 
   describe 'openstack::ha::radosgw' do
-    let(:params) { {:internal_virtual_ip  => '127.0.0.1',
-                    :ipaddresses          => ['127.0.0.2', '127.0.0.3'],
-                    :public_virtual_ip    => '192.168.0.1',
-                    :baremetal_virtual_ip => '192.168.0.2',
-                    :server_names         => ['node-1', 'node-2'],
-                    :public_ssl           => true,
-                    :public_ssl_path      => '/var/lib/fuel/haproxy/public_radosgw.pem',
-                 } }
-    let(:facts) { {:kernel => 'Linux',
-                   :concat_basedir => '/var/lib/puppet/concat',
-                   :fqdn           => 'some.host.tld'
-                } }
+    let :params do
+      {
+        :internal_virtual_ip  => '127.0.0.1',
+        :ipaddresses          => ['127.0.0.2', '127.0.0.3'],
+        :public_virtual_ip    => '192.168.0.1',
+        :baremetal_virtual_ip => '192.168.0.2',
+        :server_names         => ['node-1', 'node-2'],
+        :public_ssl           => true,
+        :public_ssl_path      => '/var/lib/fuel/haproxy/public_radosgw.pem',
+      }
+    end
+
+    let :facts do
+      {
+        :kernel         => 'Linux',
+        :concat_basedir => '/var/lib/puppet/concat',
+        :fqdn           => 'some.host.tld'
+      }
+    end
+
+    let :haproxy_config_opts do
+      {
+        'option'       => ['httplog', 'httpchk HEAD /', 'http-server-close', 'forwardfor'],
+        'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
+      }
+    end
 
     it "should properly configure radosgw haproxy based on ssl" do
       should contain_openstack__ha__haproxy_service('radosgw').with(
@@ -22,10 +36,7 @@ require 'spec_helper'
         'public'                 => true,
         'public_ssl'             => true,
         'public_ssl_path'        => '/var/lib/fuel/haproxy/public_radosgw.pem',
-        'haproxy_config_options' => {
-          'option'       => ['httplog', 'httpchk GET /'],
-          'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
-        },
+        'haproxy_config_options' => haproxy_config_opts,
       )
     end
 
@@ -36,10 +47,7 @@ require 'spec_helper'
         'balancermember_port'    => 6780,
         'public_virtual_ip'      => false,
         'internal_virtual_ip'    => '192.168.0.2',
-        'haproxy_config_options' => {
-          'option'       => ['httplog', 'httpchk GET /'],
-          'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
-        },
+        'haproxy_config_options' => haproxy_config_opts,
       )
     end
   end

deployment/puppet/osnailyfacter/.fixtures.yml

@@ -1,6 +1,12 @@
 fixtures:
   repositories:
     'stdlib': 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
+    'apache':
+      repo: 'https://review.fuel-infra.org/p/puppet-modules/puppetlabs-apache.git'
+      branch: '1.6.0'
+    'concat':
+      repo: 'https://review.fuel-infra.org/p/puppet-modules/puppetlabs-concat.git'
+      branch: '1.2.3'
   symlinks:
     'osnailyfacter': "#{source_dir}"
     'l23network': "#{source_dir}/../l23network"

deployment/puppet/osnailyfacter/manifests/apache.pp

@@ -18,12 +18,24 @@
 #  (optional) The number of times to be rotated before being removed.
 #  Defaults to '52'
 #
+# [*log_formats*]
+#  (optional) Hash w/ additional `LogFormat` directives.
+#  Defaults to {}
+#
 class osnailyfacter::apache (
   $purge_configs    = false,
   $listen_ports     = '80',
   $logrotate_rotate = '52',
+  $log_formats      = {},
 ) {
 
+  # define forwarded log format
+  $log_format_forwarded = {
+    'forwarded' => '%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"'
+  }
+
+  $log_formats_mixed = merge($log_format_forwarded, $log_formats)
+
   class { '::apache':
     mpm_module       => false,
     default_vhost    => false,
@@ -32,17 +44,21 @@ class osnailyfacter::apache (
     server_tokens    => 'Prod',
     server_signature => 'Off',
     trace_enable     => 'Off',
+    log_formats      => $log_formats_mixed,
   }
 
   apache::listen { $listen_ports: }
 
+  File {
+    ensure  => 'file',
+    owner   => 'root',
+    group   => 'root',
+  }
+
   # we need to override the logrotate file provided by apache to work around
   # wsgi issues on the restart caused by logrotate.
   # LP#1491576 and https://github.com/GrahamDumpleton/mod_wsgi/issues/81
   file { '/etc/logrotate.d/apache2':
-    ensure  => 'file',
-    owner   => 'root',
-    group   => 'root',
     mode    => '0644',
     content => template('osnailyfacter/apache2.logrotate.erb'),
     require => Package['httpd']
@@ -58,15 +74,10 @@ class osnailyfacter::apache (
 
   file { '/etc/logrotate.d/httpd-prerotate':
     ensure => 'directory',
-    owner  => 'root',
-    group  => 'root',
     mode   => '0755',
   }
 
   file { '/etc/logrotate.d/httpd-prerotate/apache2':
-    ensure  => 'file',
-    owner   => 'root',
-    group   => 'root',
     mode    => '0755',
     content => template('osnailyfacter/apache2.prerotate.erb'),
   }

deployment/puppet/osnailyfacter/spec/classes/osnailyfacter_apache_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+describe 'osnailyfacter::apache' do
+  let :facts do
+    {
+      :osfamily               => 'Debian',
+      :operatingsystem        => 'Ubuntu',
+      :operatingsystemrelease => '14.04',
+      :concat_basedir         => '/var/lib/puppet/concat'
+    }
+  end
+
+  let :params do
+    {
+      :log_formats => {
+        'forwarded' => '%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"'
+      }
+    }
+  end
+
+  let :file_default_opts do
+    {
+      :ensure  => 'file',
+      :owner   => 'root',
+      :group   => 'root',
+      :mode    => '0755',
+    }
+  end
+
+  it 'should configure apache to listen default 80 port' do
+     is_expected.to contain_apache__listen('80')
+  end
+
+  it 'should have apache class' do
+    is_expected.to contain_class('apache').with(
+      :server_tokens    => 'Prod',
+      :server_signature => 'Off',
+      :trace_enable     => 'Off',
+      :log_formats      => params[:log_formats],
+    )
+  end
+
+  it 'should have logrotate apache config' do
+    is_expected.to contain_file('/etc/logrotate.d/apache2').with(
+      file_default_opts.merge(
+        :mode    => '0644',
+        :require => 'Package[httpd]',
+      )
+    )
+  end
+
+  it 'should have a httpd prerotate folder' do
+    is_expected.to contain_file('/etc/logrotate.d/httpd-prerotate').with(
+      file_default_opts.merge(
+        :ensure => 'directory',
+      )
+    )
+  end
+
+  it 'should have a httpd prerotate config' do
+    is_expected.to contain_file('/etc/logrotate.d/httpd-prerotate/apache2').with(
+      file_default_opts
+    )
+  end
+end
+

tests/noop/spec/hosts/apache/apache_spec.rb

@@ -4,6 +4,13 @@ manifest = 'apache/apache.pp'
 
 describe manifest do
   shared_examples 'catalog' do
+    it 'should have osnailyfacter::apache class' do
+      should contain_class('osnailyfacter::apache').with(
+        :purge_configs => false,
+        :listen_ports  => Noop.hiera_array('apache_ports', ['0.0.0.0:80']),
+      )
+    end
+
     it 'should execute apache class with given parameters' do
       should contain_class('apache').with(
         'mpm_module'       => 'false',