From ddecbab150ea87b12819af7b2cc8a23d4ccf1a82 Mon Sep 17 00:00:00 2001
From: Dimitri Savineau <dsavinea@redhat.com>
Date: Wed, 23 Mar 2016 11:49:41 -0400
Subject: Enable client address in Horizon's logs.

Horizon's backends (httpd) see IP address of the haproxy in the logs instead
of the client address.
This patch allows to:
  - Install the remoteip httpd module [1].
  - Use the X-Forwarded-For HTTP header and override the haproxy address.
  - Configure the Horizon's logs with the client address via httpd logformat.

[1] https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
[2] https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat

Change-Id: Ib2f215913065426848b48f6293f33a75aff3d328
Depends-On: I54f0f5549d64768dacca71539c71a28cc99d9d95
---
 puppet/controller.yaml                             | 6 ++++++
 puppet/hieradata/controller.yaml                   | 1 +
 puppet/manifests/overcloud_controller.pp           | 1 +
 puppet/manifests/overcloud_controller_pacemaker.pp | 1 +
 4 files changed, 9 insertions(+)

(limited to 'puppet')

diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 56eb8b96..8ed28ccb 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -1234,6 +1234,11 @@ resources:
         nova_api_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaApiNetwork]}]}
         nova_metadata_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, NovaMetadataNetwork]}]}
         horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
+        horizon_subnet:
+          str_replace:
+            template: "['SUBNET']"
+            params:
+              SUBNET: {get_attr: [NetIpSubnetMap, net_ip_subnet_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
         rabbitmq_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RabbitMqNetwork]}]}
         redis_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RedisNetwork]}]}
         redis_password: {get_param: RedisPassword}
@@ -1582,6 +1587,7 @@ resources:
                 nova_enable_db_purge: {get_input: nova_enable_db_purge}
 
                 # Horizon
+                apache::mod::remoteip::proxy_ips: {get_input: horizon_subnet}
                 apache::ip: {get_input: horizon_network}
                 horizon::allowed_hosts: {get_input: horizon_allowed_hosts}
                 horizon::django_debug: {get_input: debug}
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index 79db9418..9316cf17 100644
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -141,6 +141,7 @@ horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
 horizon::vhost_extra_params:
   add_listen: false
   priority: 10
+  access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
 
 # mysql
 mysql::server::manage_config_file: true
diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp
index d7bb025a..25dac170 100644
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@@ -619,6 +619,7 @@ if hiera('step') >= 4 {
   include ::sahara::service::engine
 
   # Horizon
+  include ::apache::mod::remoteip
   if 'cisco_n1kv' in hiera('neutron::plugins::ml2::mechanism_drivers') {
     $_profile_support = 'cisco'
   } else {
diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 3a6dbc06..16226c6e 100644
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -960,6 +960,7 @@ if hiera('step') >= 4 {
     service_enable => false,
     # service_manage => false, # <-- not supported with horizon&apache mod_wsgi?
   }
+  include ::apache::mod::remoteip
   include ::apache::mod::status
   if 'cisco_n1kv' in hiera('neutron::plugins::ml2::mechanism_drivers') {
     $_profile_support = 'cisco'
-- 
cgit 1.2.3-korg