Enable X-Forward-For header for better Keystone access logging

Bug #1521228 reported by Adam Heczko
Affects: Fuel for OpenStack
Status: Fix Released
Importance: High
Assigned to: Alexey Deryugin
Milestone:

Bug Description

Observed on Fuel master node:
release: "8.0"
openstack_version: "2015.1.0-8.0"
api: "1.0"
build_number: "217"
build_id: "217"

Problem description:
It was observed that HAProxy does not pass the HTTP header "X-Forwarded-For" to Keystone, so the Keystone access log records the HAProxy IP address instead of the IP address of the client that initiated the connection.
This has security implications: anyone analyzing the Keystone access logs to discover failed login attempts and their source IP address will be unable to see the real origin of requests reaching Keystone.

Solution proposal:
- add 'option forwardfor' to the Keystone HAProxy configuration
- in the Keystone apache2 configuration, log the X-Forwarded-For header in the access log (substitute %h with the %{X-Forwarded-For}i header value), for example:

# the format needs a nickname so CustomLog can reference it; Apache does not accept trailing comments
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" keystone_xff
# added here for example purposes only
CustomLog "logs/access.log_with_X-Forward-For" keystone_xff
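As an added example (not part of the bug report or of the fuel-library change), the following Python script shows how an access log written with the proposed LogFormat can be analyzed the way the report describes: parse each line, recover the real client address from X-Forwarded-For, and count failed token requests (HTTP 401 on the Keystone token endpoints) per source address. The log lines and addresses are constructed for illustration. Because 'option forwardfor' appends the TCP peer address to whatever X-Forwarded-For value the client already sent, the script trusts only the entry added by the known proxy chain (the rightmost one for a single HAProxy), not the leftmost, client-controlled one.

```python
import re
from collections import Counter

# Apache LogFormat proposed in the bug report:
#   "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# The first field may be "-" (header absent) or a comma-separated hop list.
LOG_RE = re.compile(
    r'^(?P<xff>\S+(?:, \S+)*) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Keystone token endpoints (v3 and the legacy v2.0 API); a 401 on either
# is a failed authentication attempt.
TOKEN_ENDPOINTS = ("POST /v3/auth/tokens", "POST /v2.0/tokens")

# Constructed sample log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '192.0.2.10 - - [14/Dec/2015:21:08:52 +0300] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "python-keystoneclient"',
    '192.0.2.10 - - [14/Dec/2015:21:08:53 +0300] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "python-keystoneclient"',
    '192.0.2.10 - - [14/Dec/2015:21:08:54 +0300] "POST /v3/auth/tokens HTTP/1.1" 201 4021 "-" "python-keystoneclient"',
    '198.51.100.7 - - [14/Dec/2015:21:09:01 +0300] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "curl/7.35.0"',
    # The client sent its own X-Forwarded-For; HAProxy appended the real peer address.
    '203.0.113.99, 198.51.100.7 - - [14/Dec/2015:21:09:02 +0300] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "curl/7.35.0"',
    '- - - [14/Dec/2015:21:09:10 +0300] "GET /v3 HTTP/1.1" 200 250 "-" "curl/7.35.0"',
]


def parse_line(line):
    """Split one access-log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def client_ip(xff, trusted_proxies=1):
    """Return the address appended by our own proxy chain.

    'option forwardfor' appends the TCP peer address to any existing
    X-Forwarded-For value, so with N trusted proxies in front of Keystone
    the N-th entry from the right is the real client; entries further left
    were supplied by the client and cannot be trusted.
    """
    if xff == "-":
        return None
    hops = [h.strip() for h in xff.split(",")]
    if len(hops) < trusted_proxies:
        return None
    return hops[-trusted_proxies]


def is_failed_auth(rec):
    """True for a rejected token request."""
    return rec["status"] == 401 and rec["request"].startswith(TOKEN_ENDPOINTS)


def failed_auth_by_source(lines, trusted_proxies=1):
    """Count failed authentication attempts per real client address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_auth(rec):
            continue
        counts[client_ip(rec["xff"], trusted_proxies) or "unknown"] += 1
    return counts


if __name__ == "__main__":
    for ip, n in failed_auth_by_source(LOG_LINES).most_common():
        print(f"{ip}: {n} failed login attempt(s)")
```

With the original %h-based format every line would carry the HAProxy address and the counter would collapse to a single entry; with the X-Forwarded-For field the two sources in the sample are separated, and the forged leftmost hop on the fifth line is ignored.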

Tags: area-mos
Changed in fuel:
importance: Undecided → Medium
milestone: none → 8.0
Dmitry Klenov (dklenov)
Changed in fuel:
assignee: nobody → MOS Keystone (mos-keystone)
Boris Bobrov (bbobrov)
Changed in fuel:
assignee: MOS Keystone (mos-keystone) → MOS Deployment Automation Team (mos-da)
Boris Bobrov (bbobrov)
Changed in fuel:
assignee: MOS Deployment Automation Team (mos-da) → MOS Puppet Team (mos-puppet)
Changed in fuel:
assignee: MOS Puppet Team (mos-puppet) → Ivan Berezovskiy (iberezovskiy)
Changed in fuel:
status: New → Confirmed
importance: Medium → Wishlist
Dmitry Pyzhov (dpyzhov)
tags: added: area-mos
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/257517

Changed in fuel:
assignee: Ivan Berezovskiy (iberezovskiy) → Alexey Deryugin (velovec)
status: Confirmed → In Progress
Bogdan Dobrelya (bogdando) wrote :

Raised to high as it has security impact, which is tracing sources of keystone requests

Changed in fuel:
importance: Wishlist → Medium
importance: Medium → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/257517
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=755d845e5d56569312eb838fa0397328913bcf3b
Submitter: Jenkins
Branch: master

commit 755d845e5d56569312eb838fa0397328913bcf3b
Author: Alexey Deryugin <email address hidden>
Date: Mon Dec 14 21:08:52 2015 +0300

    Enable X-Forward-For header for better Keystone access logging

    It was observed that HAProxy doesn't pass http header "X-Forward-For"
    for keystone preventing placing into keystone access log IP addresses
    initiating connection, and rather placing there HAProxy IP address.
    This has security implications, as one would like to analyze Keystone
    access logs to discover failed login attempts and discover their IP
    source address (source of requests) will be unable to get real source
    of incoming to Keystone requests.

    Change-Id: I4139919e10d50abcb77b0521efa0037345f9582f
    Closes-Bug: #1521228

Changed in fuel:
status: In Progress → Fix Committed
Timur Nurlygayanov (tnurlygayanov) wrote :

I can see the new option in the haproxy configuration file but can't see any errors about incorrect login attempts on my environment with MOS 8.0 RC1. Steps to verify are not clear, fix is applied, status changed to Fix Released.

Changed in fuel:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
