HAProxy: enable forwardfor for all http endpoints

Currently no http endpoint except Horizon adds the
X-Forwarded-For header. In this case each backend service
records HAProxy's IP address in its logs. This can make
investigation difficult.
This change enables forwardfor for all http endpoints so that
they add the X-Forwarded-For header.

Closes-Bug: #1968691
Change-Id: I2682f0cb3f6253b487eed2d40437ef5780e4ae77
Yamato Tanaka 2022-04-12 17:53:24 +09:00
parent 3bb624ab3d
commit d4afc29038
2 changed files with 17 additions and 18 deletions


@ -765,7 +765,7 @@ class tripleo::haproxy (
# but tcpka and other "durability" related options should be set for both
# sides, based on a service case by case.
$default_frontend_options = {
'option' => [ 'httplog', ],
'option' => [ 'httplog', 'forwardfor'],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }',
@ -813,7 +813,7 @@ class tripleo::haproxy (
}
$keystone_frontend_opts = {
'option' => [ 'httplog' ]
'option' => [ 'httplog', 'forwardfor' ]
}
$keystone_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ]
@ -860,7 +860,7 @@ class tripleo::haproxy (
if $neutron {
$neutron_frontend_opts = {
'option' => [ 'httplog' ]
'option' => [ 'httplog', 'forwardfor' ]
}
$neutron_backend_opts = {
'balance' => $haproxy_lb_mode_longrunning,
@ -886,7 +886,7 @@ class tripleo::haproxy (
if $cinder {
$cinder_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$cinder_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -912,7 +912,7 @@ class tripleo::haproxy (
if $manila {
$manila_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$manila_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -937,7 +937,7 @@ class tripleo::haproxy (
if $glance_api {
$glance_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$glance_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -969,7 +969,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_grafana_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk HEAD /', 'httplog' ],
'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
frontend_options => $default_frontend_options,
@ -988,7 +988,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_prometheus_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk GET /metrics', 'httplog' ],
'option' => [ 'httpchk GET /metrics', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
frontend_options => $default_frontend_options,
@ -1007,7 +1007,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_alertmanager_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk GET /', 'httplog' ],
'option' => [ 'httpchk GET /', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
frontend_options => $default_frontend_options,
@ -1151,7 +1151,7 @@ class tripleo::haproxy (
if $aodh {
$aodh_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$aodh_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1176,7 +1176,7 @@ class tripleo::haproxy (
if $barbican {
$barbican_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$barbican_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1216,7 +1216,7 @@ class tripleo::haproxy (
if $swift_proxy_server {
$swift_proxy_server_frontend_options = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
'timeout client' => '2m',
}
$swift_proxy_server_backend_options = {
@ -1245,7 +1245,7 @@ class tripleo::haproxy (
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
$heat_frontend_options = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
'timeout client' => '10m',
}
$heat_durability_options = {
@ -1318,7 +1318,7 @@ class tripleo::haproxy (
if $ironic {
$ironic_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$ironic_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1343,7 +1343,7 @@ class tripleo::haproxy (
if $ironic_inspector {
$ironic_inspector_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$ironic_inspector_backend_opts = {
'option' => [ 'httpchk' ],
@ -1369,7 +1369,7 @@ class tripleo::haproxy (
if $designate {
$designate_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$designate_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1690,7 +1690,7 @@ class tripleo::haproxy (
if $octavia {
$octavia_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$octavia_backend_opts = {
'hash-type' => 'consistent',
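Review bot: `option forwardfor`, added to `$default_frontend_options` and to each per-service `*_frontend_opts` hash in this section, appends the connecting address to X-Forwarded-For but keeps any value the client already sent, so a backend or log parser that reads the first entry records an address chosen by the client. Since the stated goal is log investigation, either document that backends must use the last entry, or drop the inbound header at the edge by adding `'del-header X-Forwarded-For',` to the `'http-request'` list in `$default_frontend_options`, next to the X-Forwarded-Proto rules, which use set-header and so already overwrite client input. Dropping the header is only correct when no trusted proxy sits in front of HAProxy, so it may need to be a class parameter. Whether the per-service hashes are merged with the defaults is not visible here, and the class body starts and ends outside these hunks.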


@ -192,7 +192,6 @@ define tripleo::haproxy::endpoint (
$tls_listen_options = {
'http-response' => 'replace-header Location http://(.*) https://\\1',
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
'option' => 'forwardfor',
}
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
$frontend_options_precookie = merge($tls_listen_options, $frontend_options, $custom_frontend_options)
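Review bot: With `'option' => 'forwardfor'` removed from `$tls_listen_options`, an endpoint declared without its own `'option'` key in `listen_options` or `frontend_options` no longer gets X-Forwarded-For on TLS listeners. The two `merge()` calls that follow let later hashes replace the key, which is presumably why the old default rarely took effect. Endpoints declared outside tripleo::haproxy are not visible here and would lose the header silently. A comment above the hash would make the new contract explicit: `# 'option forwardfor' is not defaulted here; pass it in the caller's 'option' list.` The define's body starts and ends outside the hunk.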