Wrong IP Address for error message in keystone.log
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Won't Fix | Low | Unassigned | |
oslo.middleware | Fix Released | Undecided | Unassigned | |
Bug Description
When the keystone public endpoint sits behind a reverse proxy, messages written to keystone.log contain the IP address of the proxy, not the IP address of the client.
For example:
2016-02-25 20:48:21.409 60 WARNING keystone.
The client's real IP address is passed with the request in the X-Forwarded-For header.
Other OpenStack services, such as nova, glance, and cinder have a configuration option
use_
When this is set, their corresponding API log files record the client's real IP address as gleaned from X-Forwarded-For.
Changed in keystone:
assignee: nobody → Viswanath Nuggu (nugguviswanathcse)
Changed in keystone:
importance: Medium → Low
Changed in keystone:
assignee: Viswanath Nuggu (nugguviswanathcse) → Venkat Rahul Dantuluri (rahuldantuluri)
Changed in keystone:
assignee: Venkat Rahul Dantuluri (rahuldantuluri) → Steve Martinelli (stevemar)
status: Triaged → In Progress
Changed in keystone:
assignee: Mikhail Nikolaenko (mnikolaenko) → Guang Yee (guang-yee)
Changed in keystone:
assignee: Guang Yee (guang-yee) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Guang Yee (guang-yee)
true, we should have an option for this...
option: http://git.openstack.org/cgit/openstack/nova/tree/nova/api/auth.py#n45
usage: http://git.openstack.org/cgit/openstack/nova/tree/nova/api/auth.py#n128
we should change up keystone wsgi to use this new option: https://github.com/openstack/keystone/blob/2bad130bf457ab4b23b65f9b407a8cc8bde300fe/keystone/common/wsgi.py#L213