Use passed client IP address in various audit logs

HAProxy: change to use option forwardfor to pass origin IP address
to backend via X-Forwarded-For header

Keystone: Apache does the audit logs for keystone.  Change the
LogFormat to display the passed address instead of the connection
address which is that of the load balancer.

Nova, Cinder, Glance: these services can make use of the address
passed in X-Forwarded-For.  With this setting the API logs for
these services include the client IP address.

Change-Id: Ia861ecc11a7c7d463d0366586926d1a842853f69
Closes-Bug: #1548935
Dave McCowan 2016-02-24 09:00:09 -05:00
parent 3f8bc07270
commit b770339534
6 changed files with 7 additions and 3 deletions


@ -2,6 +2,7 @@
debug = {{ cinder_logging_debug }} debug = {{ cinder_logging_debug }}
log_dir = /var/log/kolla/cinder log_dir = /var/log/kolla/cinder
use_forwarded_for = true
# Set use_stderr to False or the logs will also be sent to stderr # Set use_stderr to False or the logs will also be sent to stderr
# and collected by Docker # and collected by Docker
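Review bot: `use_forwarded_for = true` makes the API take the X-Forwarded-For header as the client address, so the logged value is only trustworthy if the service is reachable solely through the load balancer and the load balancer discards any value the client sent. Nothing visible in this commit restricts direct access to the API port or strips the inbound header, so the address written to the API log can be caller-chosen. The same line is added in the Glance and Nova sections and the same concern applies there; for Glance it is also worth confirming that glance-api actually reads this option, which I cannot tell from the hunk. I would add a comment above the option, e.g. `# Only safe behind a proxy that sanitizes X-Forwarded-For`, and enable it only when the load balancer is deployed in front of the service.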


@ -3,7 +3,7 @@
type = "SandboxDecoder" type = "SandboxDecoder"
filename = "lua_decoders/os_keystone_apache_log.lua" filename = "lua_decoders/os_keystone_apache_log.lua"
[keystone_apache_log_decoder.config] [keystone_apache_log_decoder.config]
apache_log_pattern = '%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"' apache_log_pattern = '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"'
[keystone_apache_logstreamer_input] [keystone_apache_logstreamer_input]
type = "LogstreamerInput" type = "LogstreamerInput"
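Review bot: The first field of `apache_log_pattern` is now a raw request header rather than `%h`, and a header value may be a comma-and-space separated list (`addr1, addr2`) or arbitrary text instead of a single address. The Lua decoder is not visible here, so it is worth checking that such lines still parse and are not silently dropped from the audit stream. A decoder test with a multi-address value and with a `-` value (header absent) would cover this.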


@ -3,6 +3,7 @@ debug = {{ glance_logging_debug }}
# NOTE(elemoine) log_dir alone does not work for Glance # NOTE(elemoine) log_dir alone does not work for Glance
log_file = /var/log/kolla/glance/api.log log_file = /var/log/kolla/glance/api.log
use_forwarded_for = true
bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }} bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
bind_port = {{ glance_api_port }} bind_port = {{ glance_api_port }}


@ -9,6 +9,7 @@ defaults
mode http mode http
option redispatch option redispatch
option httplog option httplog
option forwardfor
retries 3 retries 3
timeout http-request 10s timeout http-request 10s
timeout queue 1m timeout queue 1m
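Review bot: `option forwardfor` adds the connecting address but does not remove an X-Forwarded-For header the client already sent, so backends receive the client's value alongside HAProxy's. This commit makes the Keystone access log and the Nova, Cinder and Glance API logs depend on that header, so the inbound copy should be dropped at the edge before HAProxy adds its own, e.g. `http-request del-header X-Forwarded-For` in each frontend/listen section (older HAProxy releases do not accept http-request rules in `defaults`). The `defaults` section continues outside this hunk, so I can't see whether something equivalent is already configured elsewhere.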


@ -13,7 +13,7 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
ErrorLogFormat "%{cu}t %M" ErrorLogFormat "%{cu}t %M"
</IfVersion> </IfVersion>
ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-error.log" ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-error.log"
LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-access.log" logformat CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-public-access.log" logformat
</VirtualHost> </VirtualHost>
@ -27,6 +27,6 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
ErrorLogFormat "%{cu}t %M" ErrorLogFormat "%{cu}t %M"
</IfVersion> </IfVersion>
ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-error.log" ErrorLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-error.log"
LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-access.log" logformat CustomLog "/var/log/kolla/{{ apache_dir }}/keystone-apache-admin-access.log" logformat
</VirtualHost> </VirtualHost>
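Review bot: Replacing `%h` with `%{X-Forwarded-For}i` in both LogFormat lines removes the TCP peer address from the access log and records the raw header instead. That value is `-` when the header is absent and whatever the sender supplied when a request reaches Apache without passing through HAProxy. For an audit log I would keep both fields, e.g. `LogFormat "%{X-Forwarded-For}i %h %l %u %t ..."` with the Heka `apache_log_pattern` updated to match, or use mod_remoteip (`RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy` for the load balancer address) and log `%a`. Both VirtualHost blocks start outside their hunks.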


@ -3,6 +3,7 @@
debug = {{ nova_logging_debug }} debug = {{ nova_logging_debug }}
log_dir = /var/log/kolla/nova log_dir = /var/log/kolla/nova
use_forwarded_for = true
api_paste_config = /etc/nova/api-paste.ini api_paste_config = /etc/nova/api-paste.ini
state_path = /var/lib/nova state_path = /var/lib/nova