HAProxy: enable forwardfor for all http endpoints
Currently, no http endpoint except Horizon adds the
X-Forwarded-For header. In these cases each backend service
emits HAProxy's IP address into its logs. This can make
investigation difficult.
This change enables forwardfor for all http endpoints and
makes them add the X-Forwarded-For header.
Closes-Bug: #1968691
Change-Id: I2682f0cb3f6253b487eed2d40437ef5780e4ae77
(cherry picked from commit d4afc29038
)
parent
87240e8090
commit
f1d263bcf8
|
@ -765,7 +765,7 @@ class tripleo::haproxy (
|
||||||
# but tcpka and other "durability" related options should be set for both
|
# but tcpka and other "durability" related options should be set for both
|
||||||
# sides, based on a service case by case.
|
# sides, based on a service case by case.
|
||||||
$default_frontend_options = {
|
$default_frontend_options = {
|
||||||
'option' => [ 'httplog', ],
|
'option' => [ 'httplog', 'forwardfor'],
|
||||||
'http-request' => [
|
'http-request' => [
|
||||||
'set-header X-Forwarded-Proto https if { ssl_fc }',
|
'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||||
'set-header X-Forwarded-Proto http if !{ ssl_fc }',
|
'set-header X-Forwarded-Proto http if !{ ssl_fc }',
|
||||||
|
@ -813,7 +813,7 @@ class tripleo::haproxy (
|
||||||
}
|
}
|
||||||
|
|
||||||
$keystone_frontend_opts = {
|
$keystone_frontend_opts = {
|
||||||
'option' => [ 'httplog' ]
|
'option' => [ 'httplog', 'forwardfor' ]
|
||||||
}
|
}
|
||||||
$keystone_backend_opts = {
|
$keystone_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ]
|
'option' => [ 'httpchk GET /healthcheck' ]
|
||||||
|
@ -860,7 +860,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $neutron {
|
if $neutron {
|
||||||
$neutron_frontend_opts = {
|
$neutron_frontend_opts = {
|
||||||
'option' => [ 'httplog' ]
|
'option' => [ 'httplog', 'forwardfor' ]
|
||||||
}
|
}
|
||||||
$neutron_backend_opts = {
|
$neutron_backend_opts = {
|
||||||
'balance' => $haproxy_lb_mode_longrunning,
|
'balance' => $haproxy_lb_mode_longrunning,
|
||||||
|
@ -886,7 +886,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $cinder {
|
if $cinder {
|
||||||
$cinder_frontend_opts = {
|
$cinder_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$cinder_backend_opts = {
|
$cinder_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ],
|
'option' => [ 'httpchk GET /healthcheck' ],
|
||||||
|
@ -912,7 +912,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $manila {
|
if $manila {
|
||||||
$manila_frontend_opts = {
|
$manila_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$manila_backend_opts = {
|
$manila_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ],
|
'option' => [ 'httpchk GET /healthcheck' ],
|
||||||
|
@ -937,7 +937,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $glance_api {
|
if $glance_api {
|
||||||
$glance_frontend_opts = {
|
$glance_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$glance_backend_opts = {
|
$glance_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ],
|
'option' => [ 'httpchk GET /healthcheck' ],
|
||||||
|
@ -969,7 +969,7 @@ class tripleo::haproxy (
|
||||||
mode => 'http',
|
mode => 'http',
|
||||||
public_ssl_port => $ports[ceph_grafana_ssl_port],
|
public_ssl_port => $ports[ceph_grafana_ssl_port],
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'option' => [ 'httpchk HEAD /', 'httplog' ],
|
'option' => [ 'httpchk HEAD /', 'httplog', 'forwardfor' ],
|
||||||
'balance' => 'source',
|
'balance' => 'source',
|
||||||
}),
|
}),
|
||||||
frontend_options => $default_frontend_options,
|
frontend_options => $default_frontend_options,
|
||||||
|
@ -988,7 +988,7 @@ class tripleo::haproxy (
|
||||||
mode => 'http',
|
mode => 'http',
|
||||||
public_ssl_port => $ports[ceph_prometheus_ssl_port],
|
public_ssl_port => $ports[ceph_prometheus_ssl_port],
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'option' => [ 'httpchk GET /metrics', 'httplog' ],
|
'option' => [ 'httpchk GET /metrics', 'httplog', 'forwardfor' ],
|
||||||
'balance' => 'source',
|
'balance' => 'source',
|
||||||
}),
|
}),
|
||||||
frontend_options => $default_frontend_options,
|
frontend_options => $default_frontend_options,
|
||||||
|
@ -1007,7 +1007,7 @@ class tripleo::haproxy (
|
||||||
mode => 'http',
|
mode => 'http',
|
||||||
public_ssl_port => $ports[ceph_alertmanager_ssl_port],
|
public_ssl_port => $ports[ceph_alertmanager_ssl_port],
|
||||||
listen_options => merge($default_listen_options, {
|
listen_options => merge($default_listen_options, {
|
||||||
'option' => [ 'httpchk GET /', 'httplog' ],
|
'option' => [ 'httpchk GET /', 'httplog', 'forwardfor' ],
|
||||||
'balance' => 'source',
|
'balance' => 'source',
|
||||||
}),
|
}),
|
||||||
frontend_options => $default_frontend_options,
|
frontend_options => $default_frontend_options,
|
||||||
|
@ -1151,7 +1151,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $aodh {
|
if $aodh {
|
||||||
$aodh_frontend_opts = {
|
$aodh_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$aodh_backend_opts = {
|
$aodh_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ],
|
'option' => [ 'httpchk GET /healthcheck' ],
|
||||||
|
@ -1176,7 +1176,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $barbican {
|
if $barbican {
|
||||||
$barbican_frontend_opts = {
|
$barbican_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$barbican_backend_opts = {
|
$barbican_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ],
|
'option' => [ 'httpchk GET /healthcheck' ],
|
||||||
|
@ -1216,7 +1216,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $swift_proxy_server {
|
if $swift_proxy_server {
|
||||||
$swift_proxy_server_frontend_options = {
|
$swift_proxy_server_frontend_options = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
'timeout client' => '2m',
|
'timeout client' => '2m',
|
||||||
}
|
}
|
||||||
$swift_proxy_server_backend_options = {
|
$swift_proxy_server_backend_options = {
|
||||||
|
@ -1245,7 +1245,7 @@ class tripleo::haproxy (
|
||||||
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
|
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
|
||||||
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
|
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
|
||||||
$heat_frontend_options = {
|
$heat_frontend_options = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
'timeout client' => '10m',
|
'timeout client' => '10m',
|
||||||
}
|
}
|
||||||
$heat_durability_options = {
|
$heat_durability_options = {
|
||||||
|
@ -1318,7 +1318,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $ironic {
|
if $ironic {
|
||||||
$ironic_frontend_opts = {
|
$ironic_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$ironic_backend_opts = {
|
$ironic_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ],
|
'option' => [ 'httpchk GET /healthcheck' ],
|
||||||
|
@ -1343,7 +1343,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $ironic_inspector {
|
if $ironic_inspector {
|
||||||
$ironic_inspector_frontend_opts = {
|
$ironic_inspector_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$ironic_inspector_backend_opts = {
|
$ironic_inspector_backend_opts = {
|
||||||
'option' => [ 'httpchk' ],
|
'option' => [ 'httpchk' ],
|
||||||
|
@ -1369,7 +1369,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $designate {
|
if $designate {
|
||||||
$designate_frontend_opts = {
|
$designate_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$designate_backend_opts = {
|
$designate_backend_opts = {
|
||||||
'option' => [ 'httpchk GET /healthcheck' ],
|
'option' => [ 'httpchk GET /healthcheck' ],
|
||||||
|
@ -1690,7 +1690,7 @@ class tripleo::haproxy (
|
||||||
|
|
||||||
if $octavia {
|
if $octavia {
|
||||||
$octavia_frontend_opts = {
|
$octavia_frontend_opts = {
|
||||||
'option' => [ 'httplog' ],
|
'option' => [ 'httplog', 'forwardfor' ],
|
||||||
}
|
}
|
||||||
$octavia_backend_opts = {
|
$octavia_backend_opts = {
|
||||||
'hash-type' => 'consistent',
|
'hash-type' => 'consistent',
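Review bot: `option forwardfor` appends the connecting address as an additional X-Forwarded-For header but does not remove one the client already sent, so with `'option' => [ 'httplog', 'forwardfor' ]` in `$default_frontend_options` and in each per-service `*_frontend_opts` hash, the header reaching a backend can still carry a client-supplied value ahead of the one HAProxy adds. The stated goal is usable source addresses in backend logs, and a backend that logs the first entry rather than the last would record an address the client chose. If these frontends are the first hop for client traffic (not visible from this page), consider adding `'del-header X-Forwarded-For'` to the `'http-request'` list in `$default_frontend_options`, which continues outside the hunk, and an equivalent rule for the per-service hashes, which show no `http-request` key here. If an upstream proxy is expected to set the header, a comment such as `# X-Forwarded-For may contain client-supplied entries; only the last one is added by HAProxy` would record that assumption for whoever configures backend log parsing.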
|
||||||
|
|
|
@ -192,7 +192,6 @@ define tripleo::haproxy::endpoint (
|
||||||
$tls_listen_options = {
|
$tls_listen_options = {
|
||||||
'http-response' => 'replace-header Location http://(.*) https://\\1',
|
'http-response' => 'replace-header Location http://(.*) https://\\1',
|
||||||
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
|
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
|
||||||
'option' => 'forwardfor',
|
|
||||||
}
|
}
|
||||||
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
|
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
|
||||||
$frontend_options_precookie = merge($tls_listen_options, $frontend_options, $custom_frontend_options)
|
$frontend_options_precookie = merge($tls_listen_options, $frontend_options, $custom_frontend_options)
|
||||||
|
|