Merge "Log source ips instead of controller ips in apache access log"

deployment/aodh/aodh-api-container-puppet.yaml

@@ -193,6 +193,7 @@ outputs:
           - get_attr: [AodhBase, role_data, config_settings]
           - get_attr: [ApacheServiceBase, role_data, config_settings]
           - apache::default_vhost: false
+            aodh::wsgi::apache::access_log_format: 'forwarded'
             aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             aodh::wsgi::apache::servername:
               str_replace:

deployment/barbican/barbican-api-container-puppet.yaml

@@ -283,6 +283,7 @@ outputs:
             barbican::api::notification_driver: {get_param: NotificationDriver}
             barbican::api::service_name: 'httpd'
             barbican::api::enable_proxy_headers_parsing: true
+            barbican::wsgi::apache::access_log_format: 'forwarded'
             barbican::wsgi::apache::bind_host:
               str_replace:
                  template:

deployment/cinder/cinder-api-container-puppet.yaml

@@ -218,6 +218,7 @@ outputs:
                   "%{lookup('fqdn_$NETWORK')}"
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
+            cinder::wsgi::apache::access_log_format: 'forwarded'
             cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             cinder::api::service_name: 'httpd'
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP

deployment/designate/designate-api-container-puppet.yaml

@@ -147,6 +147,7 @@ outputs:
             designate::api::api_base_uri: { get_param: [EndpointMap, DesignatePublic, uri_no_suffix] }
             designate::api::service_name: 'httpd'
             designate::logging::log_file: '/var/log/designate/designate-api.log'
+            designate::wsgi::apache::access_log_format: 'forwarded'
             designate::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             designate::wsgi::apache::bind_host:
               str_replace:

deployment/gnocchi/gnocchi-api-container-puppet.yaml

@@ -238,6 +238,7 @@ outputs:
             gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             gnocchi::keystone::authtoken::interface: 'internal'
             gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
+            gnocchi::wsgi::apache::access_log_format: 'forwarded'
             gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             gnocchi::wsgi::apache::servername:
               str_replace:

deployment/heat/heat-api-cfn-container-puppet.yaml

@@ -150,6 +150,7 @@ outputs:
                   "%{lookup('$NETWORK')}"
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]}
+            heat::wsgi::apache_api_cfn::access_log_format: 'forwarded'
             heat::wsgi::apache_api_cfn::ssl: {get_param: EnableInternalTLS}
             heat::api_cfn::service_name: 'httpd'
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP

deployment/heat/heat-api-container-puppet.yaml

@@ -178,6 +178,7 @@ outputs:
                   "%{lookup('$NETWORK')}"
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
+            heat::wsgi::apache_api::access_log_format: 'forwarded'
             heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
             heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
             heat::policy::policies: {get_param: HeatApiPolicies}

deployment/horizon/horizon-container-puppet.yaml

@@ -90,7 +90,7 @@ parameters:
     default:
       add_listen: true
       priority: 10
-      access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
+      access_log_format: '"%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
       options: ['FollowSymLinks','MultiViews']
     description: Extra parameters for Horizon vhost configuration
     type: json

deployment/ironic/ironic-api-container-puppet.yaml

@@ -217,6 +217,7 @@ outputs:
               if:
                 - auth_strategy_http_basic
                 - 'WSGIPassAuthorization On'
+            ironic::wsgi::apache::access_log_format: 'forwarded'
             ironic::wsgi::apache::bind_host:
               str_replace:
                 template:

deployment/keystone/keystone-container-puppet.yaml

@@ -581,6 +581,7 @@ outputs:
             keystone::rabbit_heartbeat_timeout_threshold: 60
             keystone::service_name: 'httpd'
             keystone::enable_ssl: {get_param: EnableInternalTLS}
+            keystone::wsgi::apache::access_log_format: 'forwarded'
             keystone::wsgi::apache::api_port:
               - 5000
               - {get_param: [EndpointMap, KeystoneAdmin, port]}

deployment/manila/manila-api-container-puppet.yaml

@@ -234,6 +234,7 @@ outputs:
                   "%{lookup('$NETWORK')}"
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
+            manila::wsgi::apache::access_log_format: 'forwarded'
             manila::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             manila::api::service_name: 'httpd'
             manila::api::enable_proxy_headers_parsing: true

deployment/nova/nova-api-container-puppet.yaml

@@ -380,6 +380,7 @@ outputs:
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
             nova::api::service_name: 'httpd'
+            nova::wsgi::apache_api::access_log_format: 'forwarded'
             nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP
             # for the given network; replacement examples (eg. for internal_api):

deployment/nova/nova-metadata-container-puppet.yaml

@@ -184,6 +184,7 @@ outputs:
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             nova::keystone::authtoken::interface: 'internal'
             nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
+            nova::wsgi::apache_metadata::access_log_format: 'forwarded'
             nova::wsgi::apache_metadata::api_port: '8775'
             nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
             nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}

deployment/octavia/octavia-api-container-puppet.yaml

@@ -222,6 +222,7 @@ outputs:
             octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
             octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
             octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
+            octavia::wsgi::apache::access_log_format: 'forwarded'
             octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP
             # for the given network; replacement examples (eg. for internal_api):

deployment/placement/placement-api-container-puppet.yaml

@@ -193,6 +193,7 @@ outputs:
               - true
               - {get_param: Debug}
             placement::policy::policies: {get_param: PlacementPolicies}
+            placement::wsgi::apache::access_log_format: 'forwarded'
             placement::wsgi::apache::api_port: '8778'
             placement::wsgi::apache::path: '/placement'
             placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}