From b7703395347647307eae289191295f14cd31a1ce Mon Sep 17 00:00:00 2001
From: Dave McCowan <dmccowan@cisco.com>
Date: Wed, 24 Feb 2016 09:00:09 -0500
Subject: [PATCH] Use passed client IP address in various audit logs

HAProxy: change to use option forwardfor to pass origin IP address
to backend via X-Forwarded-For header

Keystone: Apache does the audit logs for keystone.  Change the
LogFormat to display the passed address instead of the connection
address, which is that of the load balancer.

Nova, Cinder, Glance: these services can make use of the address
passed in X-Forwarded-For.  With this setting the API logs for
these services include the client IP address.

Change-Id: Ia861ecc11a7c7d463d0366586926d1a842853f69
Closes-Bug: #1548935
---
 ansible/roles/cinder/templates/cinder.conf.j2          | 1 +
 ansible/roles/common/templates/heka-keystone.toml.j2   | 2 +-
 ansible/roles/glance/templates/glance-api.conf.j2      | 1 +
 ansible/roles/haproxy/templates/haproxy.cfg.j2         | 1 +
 ansible/roles/keystone/templates/wsgi-keystone.conf.j2 | 4 ++--
 ansible/roles/nova/templates/nova.conf.j2              | 1 +
 6 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index 91c9b6a308..f93329670e 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -2,6 +2,7 @@
 debug = {{ cinder_logging_debug }}
 
 log_dir = /var/log/kolla/cinder
+use_forwarded_for = true
 
 # Set use_stderr to False or the logs will also be sent to stderr
 # and collected by Docker
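Review bot: `use_forwarded_for = true` makes cinder-api take the client address from X-Forwarded-For with no notion of a trusted proxy, so the address written to the audit log is only as reliable as the path to this port: a client that reaches the API bind address directly, bypassing HAProxy, can set the header itself and have an arbitrary address recorded. A comment above the key should record the assumption, e.g. `# Trust X-Forwarded-For from HAProxy: the API port must only be reachable through the load balancer`, and the deployment should enforce that with network policy. The same applies to the glance-api.conf.j2 and nova.conf.j2 hunks below.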
diff --git a/ansible/roles/common/templates/heka-keystone.toml.j2 b/ansible/roles/common/templates/heka-keystone.toml.j2
index 1ece4ea025..5747d417ce 100644
--- a/ansible/roles/common/templates/heka-keystone.toml.j2
+++ b/ansible/roles/common/templates/heka-keystone.toml.j2
@@ -3,7 +3,7 @@
 type = "SandboxDecoder"
 filename = "lua_decoders/os_keystone_apache_log.lua"
     [keystone_apache_log_decoder.config]
-    apache_log_pattern = '%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'
+    apache_log_pattern = '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'
 
 [keystone_apache_logstreamer_input]
 type = "LogstreamerInput"
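Review bot: The first field of apache_log_pattern is now `%{X-Forwarded-For}i`, which Apache emits as `-` when the header is absent and as a comma-separated list when more than one proxy is traversed, whereas `%h` was always a single address. If os_keystone_apache_log.lua matches that field with an IP-address grammar, such lines will fail to decode and be dropped or flagged; confirm the decoder's first field accepts `-` and lists, or keep `%h` in the pattern alongside the header. Whatever is chosen here must stay byte-for-byte in step with the two LogFormat lines in wsgi-keystone.conf.j2, since the decoder is driven by this pattern.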
diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2
index a62c18ec5d..ee2f17af55 100644
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -3,6 +3,7 @@ debug = {{ glance_logging_debug }}
 
 # NOTE(elemoine) log_dir alone does not work for Glance
 log_file = /var/log/kolla/glance/api.log
+use_forwarded_for = true
 
 bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 bind_port = {{ glance_api_port }}
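Review bot: I could not confirm that glance-api registers a `use_forwarded_for` option; nova and cinder do, but oslo.config silently ignores keys that no loaded service has registered, in which case this line has no effect and the glance API log keeps showing the HAProxy address. Verify against the glance-api sample configuration for the deployed release before relying on it, and if it is not supported drop the line rather than leave a setting that looks effective but is not. The trust caveat noted on the cinder hunk applies here as well.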
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
index f56daa8545..60619a3885 100644
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -9,6 +9,7 @@ defaults
   mode http
   option redispatch
   option httplog
+  option forwardfor
   retries 3
   timeout http-request 10s
   timeout queue 1m
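Review bot: `option forwardfor` appends the connection source to any X-Forwarded-For header the client already sent rather than replacing it, so a client that supplies its own header gets its chosen value first in the list, and the backends that now read the header for their audit logs will record that value. Since the purpose of this change is audit logging, strip the inbound header before HAProxy adds its own, e.g. `http-request del-header X-Forwarded-For` placed immediately before `option forwardfor` (or `reqidel ^X-Forwarded-For:` on releases without `http-request del-header`), so the header the backends see holds only the address HAProxy observed. The `defaults` block this sits in starts outside the hunk, so also check that every `mode http` listen section is meant to pick this option up.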
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index d6286f16d9..46c5725f7b 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -13,7 +13,7 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
       ErrorLogFormat "%{cu}t %M"
     </IfVersion>
     ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-error.log"
-    LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
     CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-access.log" logformat
 </VirtualHost>
 
@@ -27,6 +27,6 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
       ErrorLogFormat "%{cu}t %M"
     </IfVersion>
     ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-error.log"
-    LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
     CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-access.log" logformat
 </VirtualHost>
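Review bot: In both LogFormat lines (this admin vhost hunk and the public vhost hunk above) `%h` is replaced outright, so the peer address of the connection is no longer logged anywhere and a request arriving with a forged or missing X-Forwarded-For leaves no record of where it actually came from. For audit purposes log both, e.g. `LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat`, and update apache_log_pattern in heka-keystone.toml.j2 to match. Alternatively, on Apache 2.4 mod_remoteip (`RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy` listing the HAProxy hosts) substitutes the client address only when the header comes from a trusted proxy, with `%{c}a` still giving the real peer; either way the two LogFormat lines and the heka pattern must remain identical.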
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index e2f89d33a7..352465b5cb 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -3,6 +3,7 @@
 debug = {{ nova_logging_debug }}
 
 log_dir = /var/log/kolla/nova
+use_forwarded_for = true
 
 api_paste_config = /etc/nova/api-paste.ini
 state_path = /var/lib/nova