So in keystone, glance and some others I have been transitioning services over to using the http_proxy_to_wsgi middleware [1] which handles this in the paste pipeline.
If you deprecate the CONF.use_forwarded_for option in nova (as other services have) then you can insert by default the http_proxy_to_wsgi middleware in front of nova-api but not the metadata service which would mean X-Forwarded-For was ignored in metadata services.
This would obviously cause problems for anyone who is deploying the metadata service behind a load balancer (which I'm told is a real use case) but that can be solved by adding the middleware to the metadata pipeline manually.
This doesn't help with the current problem but would give you a sensible default and a way forward.
[1] http://git.openstack.org/cgit/openstack/oslo.middleware/tree/oslo_middleware/http_proxy_to_wsgi.py