In puppet-tripleo, we attempt to set the 'forwardfor' option whenever $public_certificate is set and the service uses mode http (i.e., for almost everything). From manifests/haproxy/endpoint.pp:
  if $public_certificate {
    if $mode == 'http' {
      $tls_listen_options = {
        'rsprep'   => '^Location:\ http://(.*) Location:\ https://\1',
        'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
        'option'   => 'forwardfor',
      }
Unfortunately, that 'option' setting is overridden in almost all cases, because the hashes are combined with:
  $listen_options_real = merge($tls_listen_options, $listen_options, $custom_options)
merge() is a shallow merge in which the rightmost hash wins for each key, so any value for 'option' in $tls_listen_options is replaced whenever $listen_options or $custom_options also contains an 'option' key. Since we set $listen_options by default in haproxy.pp, this affects pretty much everything:
  $default_listen_options = {
    'option'       => [ 'httpchk', 'httplog', ],
    'http-request' => [
      'set-header X-Forwarded-Proto https if { ssl_fc }',
      'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
  }

  Tripleo::Haproxy::Endpoint {
    haproxy_listen_bind_param   => $haproxy_listen_bind_param,
    member_options              => $haproxy_member_options,
    public_certificate          => $service_certificate,
    use_internal_certificates   => $use_internal_certificates,
    internal_certificates_specs => $internal_certificates_specs,
    listen_options              => $default_listen_options,
    manage_firewall             => $manage_firewall,
  }
This also means that 'httplog' is not set in most cases either, since many (most?) of the services provide a custom 'option' setting of their own, which replaces the default list as well.
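To make the loss concrete, here is a small Python model of the three-way merge described above. It is an added illustration, not puppet-tripleo code: shallow_merge() reproduces the rightmost-wins semantics of stdlib merge(), and merge_keeping_options() shows the behaviour a fix would need for the 'option' key, namely accumulating the option lines from every hash while letting a later hash override an earlier line that names the same HAProxy option keyword. The 'forwardfor' and default hashes mirror the excerpts in this report; $custom_options is a constructed example of what a service might pass, and the public VIP is a placeholder.

```python
"""Model of the merge() behaviour that drops 'forwardfor' and 'httplog'.

Added example, not puppet-tripleo code. Hash contents mirror the bug report;
CUSTOM_OPTIONS and the VIP address are constructed placeholders.
"""

# $tls_listen_options from endpoint.pp (VIP is a placeholder value)
TLS_LISTEN_OPTIONS = {
    'rsprep': r'^Location:\ http://(.*) Location:\ https://\1',
    'redirect': 'scheme https code 301 if { hdr(host) -i 192.0.2.10 } !{ ssl_fc }',
    'option': 'forwardfor',
}

# $default_listen_options from haproxy.pp
DEFAULT_LISTEN_OPTIONS = {
    'option': ['httpchk', 'httplog'],
    'http-request': [
        'set-header X-Forwarded-Proto https if { ssl_fc }',
        'set-header X-Forwarded-Proto http if !{ ssl_fc }',
    ],
}

# Constructed stand-in for a service's $custom_options hash
CUSTOM_OPTIONS = {'option': ['httpchk GET /healthcheck']}


def _as_list(value):
    """Puppet allows a scalar or an array for a hash value; normalise to a list."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def shallow_merge(*hashes):
    """Same semantics as stdlib merge(): for every key the rightmost hash wins."""
    result = {}
    for h in hashes:
        result.update(h)
    return result


def merge_keeping_options(*hashes, combine=('option',)):
    """Rightmost-wins for most keys, but for the keys in `combine` collect the
    lines from every hash. A later line that starts with the same HAProxy
    keyword (e.g. 'httpchk GET /healthcheck' after 'httpchk') replaces the
    earlier one in place; lines with other keywords are all kept."""
    result = shallow_merge(*hashes)
    for key in combine:
        by_keyword = {}  # insertion-ordered: keyword -> full option line
        for h in hashes:
            if key in h:
                for line in _as_list(h[key]):
                    by_keyword[line.split()[0]] = line
        if by_keyword:
            result[key] = list(by_keyword.values())
    return result


def render_listen_block(name, options):
    """Render the hash roughly as puppetlabs-haproxy emits it: one
    '<key> <value>' line per entry, arrays producing one line per element."""
    lines = [f'listen {name}']
    for key, value in options.items():
        for v in _as_list(value):
            lines.append(f'  {key} {v}')
    return '\n'.join(lines)


def option_lines(options):
    """The 'option' lines that would end up in the rendered listen block."""
    return _as_list(options.get('option', []))


if __name__ == '__main__':
    lost = shallow_merge(TLS_LISTEN_OPTIONS, DEFAULT_LISTEN_OPTIONS, CUSTOM_OPTIONS)
    kept = merge_keeping_options(TLS_LISTEN_OPTIONS, DEFAULT_LISTEN_OPTIONS, CUSTOM_OPTIONS)
    print('--- merge(): forwardfor and httplog are gone')
    print(render_listen_block('example_api', lost))
    print('--- option-aware merge')
    print(render_listen_block('example_api', kept))
```

Running the script prints the two rendered listen blocks side by side: with merge() semantics only the service's own 'option httpchk GET /healthcheck' line survives, while the option-aware merge keeps 'option forwardfor' and 'option httplog' and still lets the service's more specific httpchk line win over the default 'httpchk'.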