HAProxy: enable forwardfor for all http endpoints
Currently, none of the HTTP endpoints except Horizon add the X-Forwarded-For header. In these cases each backend service writes HAProxy's IP address into its logs instead of the client's, which can make investigation difficult. This change enables forwardfor for all HTTP endpoints so that they add the X-Forwarded-For header.
(from stable/wallaby to stable/victoria)
Conflicts: manifests/haproxy.pp manifests/haproxy/endpoint.pp
Closes-Bug: #1968691
Change-Id: I2682f0cb3f6253b487eed2d40437ef5780e4ae77
(cherry picked from commit d4afc29038)
(cherry picked from commit f1d263bcf8)
parent
480250ba7d
commit
06eda64076
@ -804,7 +804,7 @@ class tripleo::haproxy (
|
|||||||
|
|
||||||
|
|
||||||
$default_listen_options = {
|
$default_listen_options = {
|
||||||
'option' => [ 'httpchk', 'httplog', ],
|
'option' => [ 'httpchk', 'httplog', 'forwardfor'],
|
||||||
'http-request' => [
|
'http-request' => [
|
||||||
'set-header X-Forwarded-Proto https if { ssl_fc }',
|
'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||||
'set-header X-Forwarded-Proto http if !{ ssl_fc }',
|
'set-header X-Forwarded-Proto http if !{ ssl_fc }',
|
||||||
@ -845,7 +845,7 @@ class tripleo::haproxy (
|
|||||||
}
|
}
|
||||||
|
|
||||||
$keystone_listen_opts = {
|
$keystone_listen_opts = {
|
||||||
'option' => [ 'httpchk GET /v3', 'httplog' ]
|
'option' => [ 'httpchk GET /v3', 'httplog', 'forwardfor' ]
|
||||||
}
|
}
|
||||||
if $keystone_admin {
|
if $keystone_admin {
|
||||||
# NOTE(jaosorior): Given that the admin endpoint is in the same vhost
|
# NOTE(jaosorior): Given that the admin endpoint is in the same vhost
|
||||||
@ -952,7 +952,7 @@ class tripleo::haproxy (
|
|||||||
public_ssl_port => $ports[glance_api_ssl_port],
|
public_ssl_port => $ports[glance_api_ssl_port],
|
||||||
mode => 'http',
|
mode => 'http',
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'option' => [ 'httpchk GET /healthcheck', 'httplog' ]
|
'option' => [ 'httpchk GET /healthcheck', 'httplog', 'forwardfor']
|
||||||
}),
|
}),
|
||||||
service_network => $glance_api_network,
|
service_network => $glance_api_network,
|
||||||
member_options => union($haproxy_member_options, $internal_tls_member_options),
|
member_options => union($haproxy_member_options, $internal_tls_member_options),
|
||||||
@ -968,7 +968,7 @@ class tripleo::haproxy (
|
|||||||
mode => 'http',
|
mode => 'http',
|
||||||
public_ssl_port => $ports[ceph_grafana_ssl_port],
|
public_ssl_port => $ports[ceph_grafana_ssl_port],
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'option' => [ 'httpchk HEAD /', 'httplog' ],
|
'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor' ],
|
||||||
'balance' => 'source',
|
'balance' => 'source',
|
||||||
}),
|
}),
|
||||||
service_network => $ceph_grafana_network,
|
service_network => $ceph_grafana_network,
|
||||||
@ -982,7 +982,7 @@ class tripleo::haproxy (
|
|||||||
mode => 'http',
|
mode => 'http',
|
||||||
public_ssl_port => $ports[ceph_prometheus_ssl_port],
|
public_ssl_port => $ports[ceph_prometheus_ssl_port],
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'option' => [ 'httpchk GET /metrics', 'httplog' ],
|
'option' => [ 'httpchk GET /metrics', 'httplog', 'forwardfor' ],
|
||||||
'balance' => 'source',
|
'balance' => 'source',
|
||||||
}),
|
}),
|
||||||
service_network => $ceph_grafana_network,
|
service_network => $ceph_grafana_network,
|
||||||
@ -996,7 +996,7 @@ class tripleo::haproxy (
|
|||||||
mode => 'http',
|
mode => 'http',
|
||||||
public_ssl_port => $ports[ceph_alertmanager_ssl_port],
|
public_ssl_port => $ports[ceph_alertmanager_ssl_port],
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'option' => [ 'httpchk GET /', 'httplog' ],
|
'option' => [ 'httpchk GET /', 'httplog', 'forwardfor' ],
|
||||||
'balance' => 'source',
|
'balance' => 'source',
|
||||||
}),
|
}),
|
||||||
service_network => $ceph_grafana_network,
|
service_network => $ceph_grafana_network,
|
||||||
@ -1168,7 +1168,7 @@ class tripleo::haproxy (
|
|||||||
|
|
||||||
if $swift_proxy_server {
|
if $swift_proxy_server {
|
||||||
$swift_proxy_server_listen_options = {
|
$swift_proxy_server_listen_options = {
|
||||||
'option' => [ 'httpchk GET /healthcheck', 'httplog' ],
|
'option' => [ 'httpchk GET /healthcheck', 'httplog', 'forwardfor'],
|
||||||
'balance' => $haproxy_lb_mode_longrunning,
|
'balance' => $haproxy_lb_mode_longrunning,
|
||||||
'timeout client' => '2m',
|
'timeout client' => '2m',
|
||||||
'timeout server' => '2m',
|
'timeout server' => '2m',
|
||||||
@ -1189,7 +1189,8 @@ class tripleo::haproxy (
|
|||||||
|
|
||||||
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
|
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
|
||||||
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
|
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
|
||||||
$heat_timeout_options = {
|
$heat_listen_options = {
|
||||||
|
'option' => [ 'httpchk', 'httplog', 'forwardfor'],
|
||||||
'timeout client' => '10m',
|
'timeout client' => '10m',
|
||||||
'timeout server' => '10m',
|
'timeout server' => '10m',
|
||||||
}
|
}
|
||||||
@ -1201,9 +1202,9 @@ class tripleo::haproxy (
|
|||||||
$heat_ssl_options = {
|
$heat_ssl_options = {
|
||||||
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
|
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
|
||||||
}
|
}
|
||||||
$heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options)
|
$heat_options = merge($default_listen_options, $heat_ssl_options, $heat_listen_options)
|
||||||
} else {
|
} else {
|
||||||
$heat_options = merge($default_listen_options, $heat_timeout_options)
|
$heat_options = merge($default_listen_options, $heat_listen_options)
|
||||||
}
|
}
|
||||||
$heat_options_real = merge($heat_options, $heat_durability_options)
|
$heat_options_real = merge($heat_options, $heat_durability_options)
|
||||||
|
|
||||||
@ -1528,7 +1529,7 @@ class tripleo::haproxy (
|
|||||||
member_options => union($haproxy_member_options, $internal_tls_member_options),
|
member_options => union($haproxy_member_options, $internal_tls_member_options),
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'hash-type' => 'consistent',
|
'hash-type' => 'consistent',
|
||||||
'option' => [ 'httpchk HEAD /', 'httplog' ],
|
'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor'],
|
||||||
'balance' => 'source',
|
'balance' => 'source',
|
||||||
}),
|
}),
|
||||||
}
|
}
|
||||||
|
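Review bot: `option forwardfor` in `$default_listen_options` and in each per-service 'option' override appends HAProxy's view of the client address but leaves any X-Forwarded-For header the client sent in place, so on public listeners the backend still receives caller-controlled values alongside the real one. Since the stated purpose is log investigation, the backends should record only the last occurrence of the header, or the incoming header should be dropped at the edge, for example by adding `'del-header X-Forwarded-For'` to the 'http-request' list next to the X-Forwarded-Proto entries, which already use `set-header` and so overwrite client input. Dropping it is only appropriate if no trusted proxy sits in front of HAProxy, which this page does not show. The class body continues outside the visible hunks, so listeners that override 'option' elsewhere are worth checking for the same point.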
@ -170,7 +170,6 @@ define tripleo::haproxy::endpoint (
|
|||||||
$tls_listen_options = {
|
$tls_listen_options = {
|
||||||
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
|
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
|
||||||
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
|
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
|
||||||
'option' => 'forwardfor',
|
|
||||||
}
|
}
|
||||||
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
|
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
|
||||||
} else {
|
} else {
|
||||||
|