Log source ips instead of controller ips in apache access log
Currently apache access logs record controller ips instead of source ips, since apache simply records the source ip of the http traffic. This change ensures that client ips are taken from the X-Forwarded-For header added by haproxy. Note that the forwarded format does not log a client ip if the header is missing. Because of this, direct http requests (eg. healthcheck requests from haproxy) result in log lines without a client ip. Depends-on: https://review.opendev.org/837504 Change-Id: I470c4c26f6d9977ba68a5d6eb9cd2c35af9e4b9a
parent
cb99d62dc3
commit
d8604df61b
@ -193,6 +193,7 @@ outputs:
|
|||||||
- get_attr: [AodhBase, role_data, config_settings]
|
- get_attr: [AodhBase, role_data, config_settings]
|
||||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||||
- apache::default_vhost: false
|
- apache::default_vhost: false
|
||||||
|
aodh::wsgi::apache::access_log_format: 'forwarded'
|
||||||
aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
aodh::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
aodh::wsgi::apache::servername:
|
aodh::wsgi::apache::servername:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
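Review bot: With `aodh::wsgi::apache::access_log_format: 'forwarded'` the access log stops recording the TCP peer address and records only the X-Forwarded-For request header, which is set by whoever sends the request unless the proxy replaces it. Whether haproxy strips or overwrites an incoming X-Forwarded-For is not visible in this change, so the logged value should be treated as trustworthy only for requests known to have passed through haproxy, and only for the entry haproxy itself added. The commit message already notes that direct requests log no client ip; for incident response it would be safer to use a format that keeps the peer address next to the header, so that direct and proxied requests can be told apart. At minimum I would add a comment such as `# 'forwarded' logs X-Forwarded-For instead of the peer address; only meaningful for traffic that came through haproxy`. The same applies to the identical additions for barbican, cinder, designate, gnocchi, heat (api and api_cfn), ironic, keystone, manila, nova (api and metadata), octavia and placement.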
@ -283,6 +283,7 @@ outputs:
|
|||||||
barbican::api::notification_driver: {get_param: NotificationDriver}
|
barbican::api::notification_driver: {get_param: NotificationDriver}
|
||||||
barbican::api::service_name: 'httpd'
|
barbican::api::service_name: 'httpd'
|
||||||
barbican::api::enable_proxy_headers_parsing: true
|
barbican::api::enable_proxy_headers_parsing: true
|
||||||
|
barbican::wsgi::apache::access_log_format: 'forwarded'
|
||||||
barbican::wsgi::apache::bind_host:
|
barbican::wsgi::apache::bind_host:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
|
@ -218,6 +218,7 @@ outputs:
|
|||||||
"%{lookup('fqdn_$NETWORK')}"
|
"%{lookup('fqdn_$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, CinderApiNetwork]}
|
||||||
|
cinder::wsgi::apache::access_log_format: 'forwarded'
|
||||||
cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
cinder::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
cinder::api::service_name: 'httpd'
|
cinder::api::service_name: 'httpd'
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
|
@ -147,6 +147,7 @@ outputs:
|
|||||||
designate::api::api_base_uri: { get_param: [EndpointMap, DesignatePublic, uri_no_suffix] }
|
designate::api::api_base_uri: { get_param: [EndpointMap, DesignatePublic, uri_no_suffix] }
|
||||||
designate::api::service_name: 'httpd'
|
designate::api::service_name: 'httpd'
|
||||||
designate::logging::log_file: '/var/log/designate/designate-api.log'
|
designate::logging::log_file: '/var/log/designate/designate-api.log'
|
||||||
|
designate::wsgi::apache::access_log_format: 'forwarded'
|
||||||
designate::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
designate::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
designate::wsgi::apache::bind_host:
|
designate::wsgi::apache::bind_host:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
@ -238,6 +238,7 @@ outputs:
|
|||||||
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||||
gnocchi::keystone::authtoken::interface: 'internal'
|
gnocchi::keystone::authtoken::interface: 'internal'
|
||||||
gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
||||||
|
gnocchi::wsgi::apache::access_log_format: 'forwarded'
|
||||||
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
gnocchi::wsgi::apache::servername:
|
gnocchi::wsgi::apache::servername:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
@ -150,6 +150,7 @@ outputs:
|
|||||||
"%{lookup('$NETWORK')}"
|
"%{lookup('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]}
|
||||||
|
heat::wsgi::apache_api_cfn::access_log_format: 'forwarded'
|
||||||
heat::wsgi::apache_api_cfn::ssl: {get_param: EnableInternalTLS}
|
heat::wsgi::apache_api_cfn::ssl: {get_param: EnableInternalTLS}
|
||||||
heat::api_cfn::service_name: 'httpd'
|
heat::api_cfn::service_name: 'httpd'
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
|
@ -178,6 +178,7 @@ outputs:
|
|||||||
"%{lookup('$NETWORK')}"
|
"%{lookup('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, HeatApiNetwork]}
|
||||||
|
heat::wsgi::apache_api::access_log_format: 'forwarded'
|
||||||
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
|
heat::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
|
||||||
heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
|
heat::wsgi::apache_api::vhost_custom_fragment: 'Timeout 600'
|
||||||
heat::policy::policies: {get_param: HeatApiPolicies}
|
heat::policy::policies: {get_param: HeatApiPolicies}
|
||||||
|
@ -90,7 +90,7 @@ parameters:
|
|||||||
default:
|
default:
|
||||||
add_listen: true
|
add_listen: true
|
||||||
priority: 10
|
priority: 10
|
||||||
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
|
access_log_format: '"%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
|
||||||
options: ['FollowSymLinks','MultiViews']
|
options: ['FollowSymLinks','MultiViews']
|
||||||
description: Extra parameters for Horizon vhost configuration
|
description: Extra parameters for Horizon vhost configuration
|
||||||
type: json
|
type: json
|
||||||
|
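Review bot: The new `access_log_format` value has a stray `"` directly after the opening single quote, and `%{X-Forwarded-For}i` is written without the `%%{}{…}` form that `Referer` and `User-Agent` use on the same line. The unmatched double quote would end up in the rendered vhost directive, and if `%%{}{…}` is the hiera interpolation escape (as its use for the other two headers suggests), the unescaped token would presumably be interpolated as a lookup rather than passed through to apache, so the client address field could come out empty or wrong. I would expect the line to read `access_log_format: '%%{}{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'`. As with the other services, this drops `%a`, so the peer address is no longer logged for Horizon either. The enclosing `default:` mapping starts outside the hunk.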
@ -217,6 +217,7 @@ outputs:
|
|||||||
if:
|
if:
|
||||||
- auth_strategy_http_basic
|
- auth_strategy_http_basic
|
||||||
- 'WSGIPassAuthorization On'
|
- 'WSGIPassAuthorization On'
|
||||||
|
ironic::wsgi::apache::access_log_format: 'forwarded'
|
||||||
ironic::wsgi::apache::bind_host:
|
ironic::wsgi::apache::bind_host:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
|
@ -581,6 +581,7 @@ outputs:
|
|||||||
keystone::rabbit_heartbeat_timeout_threshold: 60
|
keystone::rabbit_heartbeat_timeout_threshold: 60
|
||||||
keystone::service_name: 'httpd'
|
keystone::service_name: 'httpd'
|
||||||
keystone::enable_ssl: {get_param: EnableInternalTLS}
|
keystone::enable_ssl: {get_param: EnableInternalTLS}
|
||||||
|
keystone::wsgi::apache::access_log_format: 'forwarded'
|
||||||
keystone::wsgi::apache::api_port:
|
keystone::wsgi::apache::api_port:
|
||||||
- 5000
|
- 5000
|
||||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||||
|
@ -234,6 +234,7 @@ outputs:
|
|||||||
"%{lookup('$NETWORK')}"
|
"%{lookup('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
||||||
|
manila::wsgi::apache::access_log_format: 'forwarded'
|
||||||
manila::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
manila::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
manila::api::service_name: 'httpd'
|
manila::api::service_name: 'httpd'
|
||||||
manila::api::enable_proxy_headers_parsing: true
|
manila::api::enable_proxy_headers_parsing: true
|
||||||
|
@ -380,6 +380,7 @@ outputs:
|
|||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||||
nova::api::service_name: 'httpd'
|
nova::api::service_name: 'httpd'
|
||||||
|
nova::wsgi::apache_api::access_log_format: 'forwarded'
|
||||||
nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
|
nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
|
@ -184,6 +184,7 @@ outputs:
|
|||||||
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
|
||||||
nova::keystone::authtoken::interface: 'internal'
|
nova::keystone::authtoken::interface: 'internal'
|
||||||
nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
|
||||||
|
nova::wsgi::apache_metadata::access_log_format: 'forwarded'
|
||||||
nova::wsgi::apache_metadata::api_port: '8775'
|
nova::wsgi::apache_metadata::api_port: '8775'
|
||||||
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
|
nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
|
||||||
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
|
nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}
|
||||||
|
@ -220,6 +220,7 @@ outputs:
|
|||||||
octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
|
octavia::api::tls_cipher_prohibit_list: {get_param: OctaviaTlsCiphersProhibitList}
|
||||||
octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
|
octavia::api::default_listener_tls_versions: {get_param: OctaviaListenerTlsVersions}
|
||||||
octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
|
octavia::api::default_pool_tls_versions: {get_param: OctaviaPoolTlsVersions}
|
||||||
|
octavia::wsgi::apache::access_log_format: 'forwarded'
|
||||||
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
|
@ -193,6 +193,7 @@ outputs:
|
|||||||
- true
|
- true
|
||||||
- {get_param: Debug}
|
- {get_param: Debug}
|
||||||
placement::policy::policies: {get_param: PlacementPolicies}
|
placement::policy::policies: {get_param: PlacementPolicies}
|
||||||
|
placement::wsgi::apache::access_log_format: 'forwarded'
|
||||||
placement::wsgi::apache::api_port: '8778'
|
placement::wsgi::apache::api_port: '8778'
|
||||||
placement::wsgi::apache::path: '/placement'
|
placement::wsgi::apache::path: '/placement'
|
||||||
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
|