Log source ips instead of controller ips in apache access log

Currently apache access logs have controller ips instead of source ips
recorded since apache simply records source ip of http traffic.

This change ensures that client ips are detected by the X-Forwarded-For
header added by haproxy.

Note that the forwarded format does not log the client IP if the header is
missing. Because of this, direct HTTP requests (e.g. healthcheck requests
from haproxy) result in log lines without a client IP.

Depends-on: https://review.opendev.org/837504
Change-Id: I470c4c26f6d9977ba68a5d6eb9cd2c35af9e4b9a
Takashi Kajinami 2021-05-31 21:50:07 +09:00
parent cb99d62dc3
commit d8604df61b
15 changed files with 15 additions and 1 deletions


@ -193,6 +193,7 @@ outputs:
- get_attr: [AodhBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- apache::default_vhost: false
aodh::wsgi::apache::access_log_format: 'forwarded'
aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS}
aodh::wsgi::apache::servername:
str_replace:
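Review bot: The `forwarded` format selected at line 27 records the X-Forwarded-For request header in place of the TCP peer address, and that header is supplied by whoever connects to httpd: a request that reaches the vhost without passing through haproxy, or a client whose own X-Forwarded-For haproxy appends to rather than replaces (the default behaviour of `option forwardfor` unless configured otherwise), ends up logged under an address of the sender's choosing. If haproxy is the only legitimate peer, the more robust fix is mod_remoteip (`RemoteIPHeader X-Forwarded-For` together with `RemoteIPInternalProxy <haproxy addresses>`), which corrects the client address Apache itself sees so `%a` stays accurate and access controls agree with the log; failing that, keep `%a` in the format next to the header so the forwarding peer is still recorded and a spoofed or missing header can be detected. Apache escapes control characters in `%{...}i` values, so log-line injection is not the concern here, only the trustworthiness of the recorded address. Whether the puppet `forwarded` format drops `%a` depends on the puppetlabs-apache definition, which is outside this hunk; the horizon hunk in this commit spells out an equivalent LogFormat that does.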


@ -283,6 +283,7 @@ outputs:
barbican::api::notification_driver: {get_param: NotificationDriver}
barbican::api::service_name: 'httpd'
barbican::api::enable_proxy_headers_parsing: true
barbican::wsgi::apache::access_log_format: 'forwarded'
barbican::wsgi::apache::bind_host:
str_replace:
template:


@ -218,6 +218,7 @@ outputs:
"%{lookup('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
cinder::wsgi::apache::access_log_format: 'forwarded'
cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
cinder::api::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP


@ -147,6 +147,7 @@ outputs:
designate::api::api_base_uri: { get_param: [EndpointMap, DesignatePublic, uri_no_suffix] }
designate::api::service_name: 'httpd'
designate::logging::log_file: '/var/log/designate/designate-api.log'
designate::wsgi::apache::access_log_format: 'forwarded'
designate::wsgi::apache::ssl: {get_param: EnableInternalTLS}
designate::wsgi::apache::bind_host:
str_replace:


@ -238,6 +238,7 @@ outputs:
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
gnocchi::keystone::authtoken::interface: 'internal'
gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
gnocchi::wsgi::apache::access_log_format: 'forwarded'
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
gnocchi::wsgi::apache::servername:
str_replace:


@ -150,6 +150,7 @@ outputs:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]}
heat::wsgi::apache_api_cfn::access_log_format: 'forwarded'
heat::wsgi::apache_api_cfn::ssl: {get_param: EnableInternalTLS}
heat::api_cfn::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP


@ -178,6 +178,7 @@ outputs:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
heat::wsgi::apache_api::access_log_format: 'forwarded'
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
heat::policy::policies: {get_param: HeatApiPolicies}


@ -90,7 +90,7 @@ parameters:
default:
add_listen: true
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
access_log_format: '"%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
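Review bot: The new access_log_format at line 105 opens with a literal double quote inside the single-quoted value (`'"%{X-Forwarded-For}i ...`) that is never closed, so every log line will begin with a stray `"`; the removed line at 104 starts directly with `%a`. Unless that quote is intentional, the value should read `'%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'`. Separately, this drops `%a` (the TCP peer) in favour of a header the client can set; logging both, e.g. `'%a %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'`, keeps the forwarding haproxy identifiable and makes a spoofed or absent header visible. The `default` vhost map this sits in continues outside the hunk.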


@ -217,6 +217,7 @@ outputs:
if:
- auth_strategy_http_basic
- 'WSGIPassAuthorization On'
ironic::wsgi::apache::access_log_format: 'forwarded'
ironic::wsgi::apache::bind_host:
str_replace:
template:


@ -581,6 +581,7 @@ outputs:
keystone::rabbit_heartbeat_timeout_threshold: 60
keystone::service_name: 'httpd'
keystone::enable_ssl: {get_param: EnableInternalTLS}
keystone::wsgi::apache::access_log_format: 'forwarded'
keystone::wsgi::apache::api_port:
- 5000
- {get_param: [EndpointMap, KeystoneAdmin, port]}
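Review bot: For keystone the httpd access log is in practice the authentication audit trail (token and credential requests terminate on this vhost), so the switch to the `forwarded` format at line 127 deserves more care than for the other services: the logged address now comes from a request header rather than the socket, and is only as trustworthy as the path that set it. Before relying on these logs for incident response, confirm that the haproxy frontends in front of keystone overwrite any client-supplied X-Forwarded-For rather than appending to it, and that httpd on the controllers is not reachable except via haproxy; otherwise prefer mod_remoteip with `RemoteIPInternalProxy` restricted to the haproxy addresses, or at least retain `%a` in the format so the real peer is recorded alongside the header. Whether the puppet `forwarded` format includes `%a` is not visible in this hunk.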


@ -234,6 +234,7 @@ outputs:
"%{lookup('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
manila::wsgi::apache::access_log_format: 'forwarded'
manila::wsgi::apache::ssl: {get_param: EnableInternalTLS}
manila::api::service_name: 'httpd'
manila::api::enable_proxy_headers_parsing: true


@ -380,6 +380,7 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
nova::api::service_name: 'httpd'
nova::wsgi::apache_api::access_log_format: 'forwarded'
nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):


@ -184,6 +184,7 @@ outputs:
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
nova::keystone::authtoken::interface: 'internal'
nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
nova::wsgi::apache_metadata::access_log_format: 'forwarded'
nova::wsgi::apache_metadata::api_port: '8775'
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}


@ -220,6 +220,7 @@ outputs:
octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
octavia::wsgi::apache::access_log_format: 'forwarded'
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):


@ -193,6 +193,7 @@ outputs:
- true
- {get_param: Debug}
placement::policy::policies: {get_param: PlacementPolicies}
placement::wsgi::apache::access_log_format: 'forwarded'
placement::wsgi::apache::api_port: '8778'
placement::wsgi::apache::path: '/placement'
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}