Observed on Fuel master node:
release: "8.0"
openstack_version: "2015.1.0-8.0"
api: "1.0"
build_number: "217"
build_id: "217"
Problem description:
It was observed that HAProxy does not pass the HTTP header "X-Forwarded-For" to Keystone, so the Keystone access log records the HAProxy IP address instead of the IP address of the client that initiated the connection.
This has security implications: anyone analysing the Keystone access log to discover failed login attempts and their source IP address (the origin of the requests) will be unable to determine the real source of requests coming into Keystone.
Solution proposal:
- add 'option forwardfor' to the Keystone section of the haproxy config file
- add a log format to the Keystone apache2 config file that records the 'X-Forwarded-For' header (substitute %h with the %{X-Forwarded-For}i header field), for example:
# added here for example purposes only
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" keystone_xff
CustomLog "logs/access.log_with_X-Forward-For" keystone_xff
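As an added example (not part of the bug report or the proposed fix), a small Python parser for the LogFormat above that counts failed Keystone token requests per client address. It takes the address HAProxy appended to X-Forwarded-For rather than any client-supplied prefix; the log lines, addresses and timestamps are constructed.

```python
import re
from collections import Counter

# Regex for the LogFormat proposed above. The X-Forwarded-For header is logged
# verbatim, so it may hold a comma-separated chain such as "a.b.c.d, e.f.g.h".
LOG_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def client_ip(xff):
    """Return the address vouched for by the proxy in front of Keystone.

    HAProxy's 'option forwardfor' appends the connecting client's address to
    whatever X-Forwarded-For value the client already sent, so the rightmost
    entry is the one HAProxy added; earlier entries are client-controlled.
    """
    if xff == "-":
        return None  # header absent: the request did not come through HAProxy
    return xff.split(",")[-1].strip()

def failed_logins(lines):
    """Count 401 responses to Keystone token requests per client address."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected LogFormat; skip rather than guess
        method, _, path = m.group("request").partition(" ")
        if method == "POST" and "tokens" in path and m.group("status") == "401":
            counts[client_ip(m.group("xff")) or "unknown"] += 1
    return counts

# Constructed sample log lines (hypothetical addresses and timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2016:10:00:01 +0000] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "python-keystoneclient"',
    '203.0.113.7 - - [10/Jan/2016:10:00:02 +0000] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "python-keystoneclient"',
    '198.51.100.9, 203.0.113.7 - - [10/Jan/2016:10:00:03 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114 "-" "curl/7.35.0"',
    '192.0.2.44 - - [10/Jan/2016:10:00:04 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 1832 "-" "python-keystoneclient"',
    '- - - [10/Jan/2016:10:00:05 +0000] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for ip, n in failed_logins(SAMPLE_LOG).most_common():
        print(ip, n)
```

The third sample line shows why the rightmost entry is used: the client-supplied 198.51.100.9 is ignored and the failure is attributed to 203.0.113.7, the address HAProxy saw.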
Fix proposed to branch: master
Review: https://review.openstack.org/257517