HAProxy: enable forwardfor for all http endpoints

Currently all http endpoints except Horizon doesn't add
X-Forwarded-For header. In this cases each backend service
emits the HAProxy's IP address into its logs. This can make
investigation difficult.
This change enables forwardfor for all http end points and
makes those add X-Forwarded-For header.

(from stable/wallaby to stable/victoria)
Conflicts:
	manifests/haproxy.pp
	manifests/haproxy/endpoint.pp

Closes-Bug: #1968691
Change-Id: I2682f0cb3f6253b487eed2d40437ef5780e4ae77
(cherry picked from commit d4afc29038)
(cherry picked from commit f1d263bcf8)
This commit is contained in:
Yamato Tanaka 2022-04-12 17:53:24 +09:00
parent 480250ba7d
commit 06eda64076
2 changed files with 12 additions and 12 deletions

View File

@ -804,7 +804,7 @@ class tripleo::haproxy (
$default_listen_options = {
'option' => [ 'httpchk', 'httplog', ],
'option' => [ 'httpchk', 'httplog', 'forwardfor'],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }',
@ -845,7 +845,7 @@ class tripleo::haproxy (
}
$keystone_listen_opts = {
'option' => [ 'httpchk GET /v3', 'httplog' ]
'option' => [ 'httpchk GET /v3', 'httplog', 'forwardfor' ]
}
if $keystone_admin {
# NOTE(jaosorior): Given that the admin endpoint is in the same vhost
@ -952,7 +952,7 @@ class tripleo::haproxy (
public_ssl_port => $ports[glance_api_ssl_port],
mode => 'http',
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk GET /healthcheck', 'httplog' ]
'option' => [ 'httpchk GET /healthcheck', 'httplog', 'forwardfor']
}),
service_network => $glance_api_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@ -968,7 +968,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_grafana_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk HEAD /', 'httplog' ],
'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
service_network => $ceph_grafana_network,
@ -982,7 +982,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_prometheus_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk GET /metrics', 'httplog' ],
'option' => [ 'httpchk GET /metrics', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
service_network => $ceph_grafana_network,
@ -996,7 +996,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_alertmanager_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk GET /', 'httplog' ],
'option' => [ 'httpchk GET /', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
service_network => $ceph_grafana_network,
@ -1168,7 +1168,7 @@ class tripleo::haproxy (
if $swift_proxy_server {
$swift_proxy_server_listen_options = {
'option' => [ 'httpchk GET /healthcheck', 'httplog' ],
'option' => [ 'httpchk GET /healthcheck', 'httplog', 'forwardfor'],
'balance' => $haproxy_lb_mode_longrunning,
'timeout client' => '2m',
'timeout server' => '2m',
@ -1189,7 +1189,8 @@ class tripleo::haproxy (
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
$heat_timeout_options = {
$heat_listen_options = {
'option' => [ 'httpchk', 'httplog', 'forwardfor'],
'timeout client' => '10m',
'timeout server' => '10m',
}
@ -1201,9 +1202,9 @@ class tripleo::haproxy (
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
$heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options)
$heat_options = merge($default_listen_options, $heat_ssl_options, $heat_listen_options)
} else {
$heat_options = merge($default_listen_options, $heat_timeout_options)
$heat_options = merge($default_listen_options, $heat_listen_options)
}
$heat_options_real = merge($heat_options, $heat_durability_options)
@ -1528,7 +1529,7 @@ class tripleo::haproxy (
member_options => union($haproxy_member_options, $internal_tls_member_options),
listen_options => merge($default_listen_options, {
'hash-type' => 'consistent',
'option' => [ 'httpchk HEAD /', 'httplog' ],
'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor'],
'balance' => 'source',
}),
}

View File

@ -170,7 +170,6 @@ define tripleo::haproxy::endpoint (
$tls_listen_options = {
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
'option' => 'forwardfor',
}
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
} else {