HAProxy: enable forwardfor for all http endpoints

Currently no http endpoint except Horizon adds the
X-Forwarded-For header. In this case each backend service
emits the HAProxy's IP address into its logs. This can make
investigation difficult.
This change enables forwardfor for all http endpoints so
that they add the X-Forwarded-For header.

Closes-Bug: #1968691
Change-Id: I2682f0cb3f6253b487eed2d40437ef5780e4ae77
(cherry picked from commit d4afc29038)
Yamato Tanaka 2022-04-12 17:53:24 +09:00
parent 87240e8090
commit f1d263bcf8
2 changed files with 17 additions and 18 deletions


@ -765,7 +765,7 @@ class tripleo::haproxy (
# but tcpka and other "durability" related options should be set for both
# sides, based on a service case by case.
$default_frontend_options = {
'option' => [ 'httplog', ],
'option' => [ 'httplog', 'forwardfor'],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }',
@ -813,7 +813,7 @@ class tripleo::haproxy (
}
$keystone_frontend_opts = {
'option' => [ 'httplog' ]
'option' => [ 'httplog', 'forwardfor' ]
}
$keystone_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ]
@ -860,7 +860,7 @@ class tripleo::haproxy (
if $neutron {
$neutron_frontend_opts = {
'option' => [ 'httplog' ]
'option' => [ 'httplog', 'forwardfor' ]
}
$neutron_backend_opts = {
'balance' => $haproxy_lb_mode_longrunning,
@ -886,7 +886,7 @@ class tripleo::haproxy (
if $cinder {
$cinder_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$cinder_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -912,7 +912,7 @@ class tripleo::haproxy (
if $manila {
$manila_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$manila_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -937,7 +937,7 @@ class tripleo::haproxy (
if $glance_api {
$glance_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$glance_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -969,7 +969,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_grafana_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk HEAD /', 'httplog' ],
'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
frontend_options => $default_frontend_options,
@ -988,7 +988,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_prometheus_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk GET /metrics', 'httplog' ],
'option' => [ 'httpchk GET /metrics', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
frontend_options => $default_frontend_options,
@ -1007,7 +1007,7 @@ class tripleo::haproxy (
mode => 'http',
public_ssl_port => $ports[ceph_alertmanager_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk GET /', 'httplog' ],
'option' => [ 'httpchk GET /', 'httplog', 'forwardfor' ],
'balance' => 'source',
}),
frontend_options => $default_frontend_options,
@ -1151,7 +1151,7 @@ class tripleo::haproxy (
if $aodh {
$aodh_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$aodh_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1176,7 +1176,7 @@ class tripleo::haproxy (
if $barbican {
$barbican_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$barbican_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1216,7 +1216,7 @@ class tripleo::haproxy (
if $swift_proxy_server {
$swift_proxy_server_frontend_options = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
'timeout client' => '2m',
}
$swift_proxy_server_backend_options = {
@ -1245,7 +1245,7 @@ class tripleo::haproxy (
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
$heat_frontend_options = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
'timeout client' => '10m',
}
$heat_durability_options = {
@ -1318,7 +1318,7 @@ class tripleo::haproxy (
if $ironic {
$ironic_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$ironic_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1343,7 +1343,7 @@ class tripleo::haproxy (
if $ironic_inspector {
$ironic_inspector_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$ironic_inspector_backend_opts = {
'option' => [ 'httpchk' ],
@ -1369,7 +1369,7 @@ class tripleo::haproxy (
if $designate {
$designate_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$designate_backend_opts = {
'option' => [ 'httpchk GET /healthcheck' ],
@ -1690,7 +1690,7 @@ class tripleo::haproxy (
if $octavia {
$octavia_frontend_opts = {
'option' => [ 'httplog' ],
'option' => [ 'httplog', 'forwardfor' ],
}
$octavia_backend_opts = {
'hash-type' => 'consistent',
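Review bot: `option forwardfor` appends HAProxy's view of the client address to whatever X-Forwarded-For header the client already sent rather than replacing it, so with `'forwardfor'` added to `$default_frontend_options` and to every per-service `*_frontend_opts` hash in this file, a backend or log parser that reads the first value records an address the client chose. Since the stated purpose is log investigation, either confirm that each backend uses the last entry, or drop the inbound header at the edge by adding `'del-header X-Forwarded-For',` to the `'http-request'` list in `$default_frontend_options`. That assumes no trusted proxy sits in front of HAProxy, which this page does not show. The per-service hashes only set `'option'`, and how they are combined with the defaults lies outside these hunks, so check that the strip would reach those frontends as well.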


@ -192,7 +192,6 @@ define tripleo::haproxy::endpoint (
$tls_listen_options = {
'http-response' => 'replace-header Location http://(.*) https://\\1',
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
'option' => 'forwardfor',
}
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
$frontend_options_precookie = merge($tls_listen_options, $frontend_options, $custom_frontend_options)
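Review bot: Dropping `'option' => 'forwardfor'` from `$tls_listen_options` removes the fallback for any caller that passes no `'option'` key. In the two `merge(...)` lines that follow, later hashes replace earlier keys (assuming stdlib `merge`), so this default only ever applied to such callers, and they will now stop sending X-Forwarded-For without any error. The class touched in the other file sets the option explicitly, but other users of `tripleo::haproxy::endpoint`, not visible here, would go back to logging HAProxy's own address. I would leave a comment above the hash such as `# forwardfor is not defaulted here; callers must include it in their 'option' list`, and state the same in the release note. The define's body continues outside this hunk.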