From 91321ac8ff342ad8276c6874f85b7ad3a823a444 Mon Sep 17 00:00:00 2001 From: Mick Thompson Date: Wed, 29 Mar 2017 12:12:56 +0100 Subject: [PATCH] Update Keystone haproxy config to balance based on source ip Source based routing is necessary for some services where we want the same clients land to the same servers. For exanmple, Keystone uses one of many memcached servers - if a client gets a token from one but then lands on another api server on the next request, that will bind to another cache and we get failed authentication. Other examples are horizon/murano where we upload a package in several steps. If we don't balance client connections to the same host we will end up with the package downloaded to one host but unsuccessfully unpacked/imported on another host. This option is commonly used in the official OpenStack docs [0] [0] https://docs.openstack.org/ha-guide/controller-ha-haproxy.html Co-Authored-By: James McCarthy Change-Id: I56f1e48f6dbe457e776a474222073bbefc48c92a --- ansible/roles/haproxy/templates/haproxy.cfg.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2 index 680a2220a2..bec8ce3b80 100644 --- a/ansible/roles/haproxy/templates/haproxy.cfg.j2 +++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2 @@ -57,6 +57,7 @@ listen mongodb {% if enable_keystone | bool %} listen keystone_internal bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }} + balance source http-request del-header X-Forwarded-Proto if { ssl_fc } {% for host in groups['keystone'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5 @@ -65,6 +66,7 @@ listen keystone_internal listen keystone_external bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }} + balance source http-request del-header X-Forwarded-Proto if { ssl_fc } http-request set-header X-Forwarded-Proto https if { ssl_fc } {% for host in groups['keystone'] %} @@ -74,6 +76,7 @@ listen keystone_external listen keystone_admin bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }} + balance source http-request del-header X-Forwarded-Proto if { ssl_fc } {% for host in groups['keystone'] %} server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5