Enable client address in Horizon's logs.

Horizon's backends (httpd) see IP address of the haproxy in the logs instead
of the client address.
This patch allows to:
  - Install the remoteip httpd module [1].
  - Use the X-Forwarded-For HTTP header and override the haproxy address.
  - Configure the Horizon's logs with the client address via httpd logformat.

[1] https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
[2] https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat

Change-Id: Ib2f215913065426848b48f6293f33a75aff3d328
Depends-On: I54f0f5549d64768dacca71539c71a28cc99d9d95

diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 56eb8b9..8ed28cc 100644 (file)
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -1234,6 +1234,11 @@ resources:
         nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]}
         nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]}
         horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
+        horizon_subnet:
+          str_replace:
+            template: "['SUBNET']"
+            params:
+              SUBNET: {get_attr: [NetIpSubnetMap, net_ip_subnet_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
         rabbitmq_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RabbitMqNetwork]}]}
         redis_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RedisNetwork]}]}
         redis_password: {get_param: RedisPassword}
@@ -1582,6 +1587,7 @@ resources:
                 nova_enable_db_purge: {get_input: nova_enable_db_purge}
 
                 # Horizon
+                apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet}
                 apache::ip: {get_input: horizon_network}
                 horizon::allowed_hosts: {get_input: horizon_allowed_hosts}
                 horizon::django_debug: {get_input: debug}

diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index 79db941..9316cf1 100644 (file)
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -141,6 +141,7 @@ horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
 horizon::vhost_extra_params:
   add_listen: false
   priority: 10
+  access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
 
 # mysql
 mysql::server::manage_config_file: true

diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp
index d7bb025..25dac17 100644 (file)
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@@ -619,6 +619,7 @@ if hiera('step') >= 4 {
   include ::sahara::service::engine
 
   # Horizon
+  include ::apache::mod::remoteip
   if 'cisco_n1kv' in hiera('neutron::plugins::ml2::mechanism_drivers') {
     $_profile_support = 'cisco'
   } else {

diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 3a6dbc0..16226c6 100644 (file)
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -960,6 +960,7 @@ if hiera('step') >= 4 {
     service_enable => false,
     # service_manage => false, # <-- not supported with horizon&apache mod_wsgi?
   }
+  include ::apache::mod::remoteip
   include ::apache::mod::status
   if 'cisco_n1kv' in hiera('neutron::plugins::ml2::mechanism_drivers') {
     $_profile_support = 'cisco'