Use passed client IP address in various audit logs

HAProxy: change to use option forwardfor to pass origin IP address to backend via X-Forwarded-For header Keystone: Apache does the audit logs for keystone. Change the LogFormat to display the passed address instead of the connection address which is that of the load balancer. Nova, Cinder, Glance: these services can make use of the address passed in X-Forwarded-For. With this setting the API logs for these services include the client IP address. Change-Id: Ia861ecc11a7c7d463d0366586926d1a842853f69 Closes-Bug: #1548935
2016-02-24 09:00:09 -05:00 · 2016-02-24 09:00:09 -05:00 · b770339534
commit b770339534
parent 3f8bc07270
6 changed files with 7 additions and 3 deletions
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@ -2,6 +2,7 @@
 debug = {{ cinder_logging_debug }}

 log_dir = /var/log/kolla/cinder
+use_forwarded_for = true

 # Set use_stderr to False or the logs will also be sent to stderr
 # and collected by Docker
--- a/ansible/roles/common/templates/heka-keystone.toml.j2
+++ b/ansible/roles/common/templates/heka-keystone.toml.j2
@ -3,7 +3,7 @@
 type = "SandboxDecoder"
 filename = "lua_decoders/os_keystone_apache_log.lua"
    [keystone_apache_log_decoder.config]
-    apache_log_pattern = '%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'
+    apache_log_pattern = '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'

 [keystone_apache_logstreamer_input]
 type = "LogstreamerInput"
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@ -3,6 +3,7 @@ debug = {{ glance_logging_debug }}

 # NOTE(elemoine) log_dir alone does not work for Glance
 log_file = /var/log/kolla/glance/api.log
+use_forwarded_for = true

 bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 bind_port = {{ glance_api_port }}
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@ -9,6 +9,7 @@ defaults
  mode http
  option redispatch
  option httplog
+  option forwardfor
  retries 3
  timeout http-request 10s
  timeout queue 1m
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@ -13,7 +13,7 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-error.log"
-    LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
    CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-access.log" logformat
 </VirtualHost>

@ -27,6 +27,6 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-error.log"
-    LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
    CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-access.log" logformat
 </VirtualHost>
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@ -3,6 +3,7 @@
 debug = {{ nova_logging_debug }}

 log_dir = /var/log/kolla/nova
+use_forwarded_for = true

 api_paste_config = /etc/nova/api-paste.ini
 state_path = /var/lib/nova