From 06eda6407606a06e5338a07f82eb44456f6c3052 Mon Sep 17 00:00:00 2001
From: Yamato Tanaka
Date: Tue, 12 Apr 2022 17:53:24 +0900
Subject: [PATCH] HAProxy: enable forwardfor for all http endpoints
Currently all http endpoints except Horizon doesn't add X-Forwarded-For header. In this cases each backend service emits the HAProxy's IP address into its logs. This can make investigation difficult.
This change enables forwardfor for all http end points and makes those add X-Forwarded-For header.
(from stable/wallaby to stable/victoria)
Conflicts:
manifests/haproxy.pp
manifests/haproxy/endpoint.pp
Closes-Bug: #1968691
Change-Id: I2682f0cb3f6253b487eed2d40437ef5780e4ae77
(cherry picked from commit d4afc29038916ef88c5cfdb67028b3ff6d7133fb)
(cherry picked from commit f1d263bcf886354b111cdf782daa22f78bcbecc7)
---
manifests/haproxy.pp | 23 ++++++++++++-----------
manifests/haproxy/endpoint.pp | 1 -
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index ca7088380..619974f2a 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -804,7 +804,7 @@ class tripleo::haproxy (
  $default_listen_options = {
- 'option' => [ 'httpchk', 'httplog', ],
+ 'option' => [ 'httpchk', 'httplog', 'forwardfor'],
  'http-request' => [
  'set-header X-Forwarded-Proto https if { ssl_fc }',
  'set-header X-Forwarded-Proto http if !{ ssl_fc }',
@@ -845,7 +845,7 @@ class tripleo::haproxy (
  }
  $keystone_listen_opts = {
- 'option' => [ 'httpchk GET /v3', 'httplog' ]
+ 'option' => [ 'httpchk GET /v3', 'httplog', 'forwardfor' ]
  }
  if $keystone_admin {
  # NOTE(jaosorior): Given that the admin endpoint is in the same vhost
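Review bot: `forwardfor` in `$default_listen_options` (the `-804` hunk) keeps any X-Forwarded-For header the client already sent and adds HAProxy's own value alongside it, so a backend that reads the first address in that header still sees client-chosen data. If any proxied service uses X-Forwarded-For for more than logging, strip the inbound header in the same `'http-request'` array before the two `set-header X-Forwarded-Proto` entries, e.g. `'del-header X-Forwarded-For',` — `http-request` rules are evaluated before the `forwardfor` insertion, so the deletion takes effect first. Whether this deployment's backends trust the header is not visible in the hunk, so confirm against each service's own settings before relying on the logged address. Separately, the new entries are spaced two ways (`'forwardfor']` in `-804`, `'forwardfor' ]` in `-845`); the file's existing lists use `'httplog' ]`, so keep the space.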
@@ -952,7 +952,7 @@ class tripleo::haproxy (
  public_ssl_port => $ports[glance_api_ssl_port],
  mode => 'http',
  listen_options => merge($default_listen_options, {
- 'option' => [ 'httpchk GET /healthcheck', 'httplog' ]
+ 'option' => [ 'httpchk GET /healthcheck', 'httplog', 'forwardfor']
  }),
  service_network => $glance_api_network,
  member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -968,7 +968,7 @@ class tripleo::haproxy (
  mode => 'http',
  public_ssl_port => $ports[ceph_grafana_ssl_port],
  listen_options => merge($default_listen_options, {
- 'option' => [ 'httpchk HEAD /', 'httplog' ],
+ 'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor' ],
  'balance' => 'source',
  }),
  service_network => $ceph_grafana_network,
@@ -982,7 +982,7 @@ class tripleo::haproxy (
  mode => 'http',
  public_ssl_port => $ports[ceph_prometheus_ssl_port],
  listen_options => merge($default_listen_options, {
- 'option' => [ 'httpchk GET /metrics', 'httplog' ],
+ 'option' => [ 'httpchk GET /metrics', 'httplog', 'forwardfor' ],
  'balance' => 'source',
  }),
  service_network => $ceph_grafana_network,
@@ -996,7 +996,7 @@ class tripleo::haproxy (
  mode => 'http',
  public_ssl_port => $ports[ceph_alertmanager_ssl_port],
  listen_options => merge($default_listen_options, {
- 'option' => [ 'httpchk GET /', 'httplog' ],
+ 'option' => [ 'httpchk GET /', 'httplog', 'forwardfor' ],
  'balance' => 'source',
  }),
  service_network => $ceph_grafana_network,
@@ -1168,7 +1168,7 @@ class tripleo::haproxy (
  if $swift_proxy_server {
  $swift_proxy_server_listen_options = {
- 'option' => [ 'httpchk GET /healthcheck', 'httplog' ],
+ 'option' => [ 'httpchk GET /healthcheck', 'httplog', 'forwardfor'],
  'balance' => $haproxy_lb_mode_longrunning,
  'timeout client' => '2m',
  'timeout server' => '2m',
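Review bot: Every per-service `'option'` override in the `-952`, `-968`, `-982`, `-996`, `-1168` and `-1528` hunks has to repeat `'forwardfor'` by hand because `merge()` replaces the `'option'` key wholesale rather than concatenating the arrays, so a future endpoint that overrides `'option'` for its own health check will silently stop adding X-Forwarded-For again. Nothing in the manifest records that rule; a comment on the first override, e.g. `# 'option' replaces the default list entirely: keep 'forwardfor' so X-Forwarded-For is still added`, would make the requirement visible where the next override will be copied from. The same spacing inconsistency as in the defaults appears here (`'forwardfor']` in `-952` and `-1168`, `'forwardfor' ]` in `-968`, `-982`, `-996`); the surrounding lists use `'httplog' ]`, so the spaced form matches the file.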
@@ -1189,7 +1189,8 @@ class tripleo::haproxy (
  $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
  $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
- $heat_timeout_options = {
+ $heat_listen_options = {
+ 'option' => [ 'httpchk', 'httplog', 'forwardfor'],
  'timeout client' => '10m',
  'timeout server' => '10m',
  }
@@ -1201,9 +1202,9 @@ class tripleo::haproxy (
  $heat_ssl_options = {
  'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
  }
- $heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options)
+ $heat_options = merge($default_listen_options, $heat_ssl_options, $heat_listen_options)
  } else {
- $heat_options = merge($default_listen_options, $heat_timeout_options)
+ $heat_options = merge($default_listen_options, $heat_listen_options)
  }
  $heat_options_real = merge($heat_options, $heat_durability_options)
@@ -1528,7 +1529,7 @@ class tripleo::haproxy (
  member_options => union($haproxy_member_options, $internal_tls_member_options),
  listen_options => merge($default_listen_options, {
  'hash-type' => 'consistent',
- 'option' => [ 'httpchk HEAD /', 'httplog' ],
+ 'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor'],
  'balance' => 'source',
  }),
  }
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 46682fd13..a4e5d1434 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -170,7 +170,6 @@ define tripleo::haproxy::endpoint (
  $tls_listen_options = {
  'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
  'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
  }
  $listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
  } else {
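Review bot: The `'option'` entry added to `$heat_listen_options` in the `-1189` hunk is byte-identical to the list `$default_listen_options` now carries, and both branches in the `-1201` hunk merge `$default_listen_options` first, so as far as these hunks show the entry only re-states the default and will drift the next time the default list changes. Either drop the added line and keep just the rename to `$heat_listen_options`, or state the intent in a one-line comment above it, e.g. `# pinned explicitly so heat keeps forwardfor even if the default 'option' list changes`. If a later merge in this class overrides `'option'` for heat, that is not visible here and would justify keeping the line.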
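Review bot: Dropping `'option' => 'forwardfor'` from `$tls_listen_options` in the `-170` hunk makes the header depend on the caller's `$listen_options` carrying an `'option'` list that includes `forwardfor`; an endpoint declared with a `listen_options` hash that has no `'option'` key loses X-Forwarded-For on the TLS path where it was previously set unconditionally. The merge on the next context line, `merge($tls_listen_options, $listen_options, $custom_options)`, shows the removed entry was already shadowed whenever `$listen_options['option']` was present, which is why the in-tree callers in haproxy.pp were never affected before this change. Out-of-tree callers are not visible here; a comment on the hash, e.g. `# forwardfor is expected from $listen_options (see $default_listen_options), not set here`, would record that assumption. The `else` branch of the surrounding define continues outside the hunk.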