OP#493 add option for reading client IPs behind loadbalanacer

README.md

@@ -43,6 +43,10 @@ Configuration
 - manage firewall settings (optional)
 - manage nagios monitoring for the service (optional)
 
+Optional
+
+- manage remoteIP logging if running behind a Loadbalancer like HAproxy: if `ae_use_lb` is set to `true`, a configuration file `etc/httpd/conf.d/loadbalancer-remoteip.conf`is created and configures apache/httpd to use the remote header. This allows proper fail2ban protection even behind the Loadbalancer. Make sure to set `ae_trusted_proxy`to the proper IP or range for the loadbalancer!
+
 Maintenance
 
 - manage the service

manifests/params.pp

@@ -5,25 +5,6 @@
 #   inherited by all classes except defines.
 # @param [String] pkg_ensure Specify which
 #   package type to use, i.e. `latest`, `present` or `absent`.
-# @param [Boolean] ae_manage_user  Whether or not to manage details for the
-#   httpd service user. This is generally only required when using httpd on
-#   a number of servers sharing storage resources, i.e. NFS, where UID and GID
-#   settings must be same across all nodes.
-# @param [String] ae_user_name Specify the user name for the httpd user.
-#   only active if ae_manage_user is set to true.
-# @param [String] ae_user_uid Specify the UID for the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_comment Specify the user comment for /etc/passwd.
-#   Shows up in email notifications as sender information.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_u_groups Specify any secondary groups the httpd service
-#   user should be in. Must not contain the primary group.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_home  Specify the home of the httpd service user.
-#   only active if `ae_manage_user` is set to true.
-# @param [String] ae_user_shell Specify the shell for the httpd service user,
-#   which normally should not be allowed to log in .
-#   only active if `ae_manage_user` is set to true.
 # @param [Boolean] ae_manage_cfg Whether or not to manage the httpd
 #   configuration. httpd is very often a sub system used by many other services,
 #   and the required configuration depends on the use case. If using httpd as
@@ -43,6 +24,15 @@
 # @param [String] ae_target_contacts which contacts to notify for nagios alerts
 # @param [Boolean] ae_manage_fw whether to manage firewall settings
 # @param [Array] reqpackages List of packages to install.
+# @param [Boolean] ae_use_lb whether to use load balancer or not. If true, 
+#   a configuration file will be created to allow reading the client ips 
+#   from the X-Forwarded-For header, and the httpd service will be restarted 
+#   to apply the changes. This is required when using httpd behind a 
+#   load balancer like haproxy, otherwise all client ips will be logged 
+#   as the load balancer ip.
+# @param [String] ae_trusted_proxy the IP address of the trusted proxy, 
+#   i.e. the load balancer. This is required when `ae_use_lb` is set to 
+#   true, and defaults to '10.0.1.0/24'.
 ###########################################################################
 class confdroid_apache::params (
 
@@ -66,6 +56,10 @@ class confdroid_apache::params (
   String $ae_http_port        = '80',
   String $ae_https_port       = '443',
 
+# loadbalancer
+  Boolean $ae_use_lb          = false,
+  String $ae_trusted_proxy    = '10.0.1.0/24',
+
 ) {
 # facts
   $fqdn                             = $facts['networking']['fqdn']
@@ -104,6 +98,8 @@ class confdroid_apache::params (
   $ae_userdir_erb     = 'confdroid_apache/userdir_conf.erb'
   $ae_index_file      = '/var/www/html/index.html'
   $ae_index_erb       = 'confdroid_apache/index_html.erb'
+  $ae_remoteip_file   = '/etc/httpd/conf.d/loadbalancer-remoteip.conf'
+  $ae_remoteip_erb    = 'confdroid_apache/loadbalancer_remoteip_conf.erb'
 
 # includes must be last
   include confdroid_apache::main::config

manifests/server/files.pp

@@ -92,6 +92,21 @@ class confdroid_apache::server::files (
     }
   }
 
+  if $ae_use_lb == true {
+    file { $ae_remoteip_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => httpd_conf_t,
+      seluser  => system_u,
+      content  => template($ae_remoteip_erb),
+      notify   => Service['httpd'],
+    }
+  }
+
   # manage index.html
 
   file { $ae_index_file:

templates/loadbalancer/remoteip.conf.erb

@@ -0,0 +1,12 @@
+###############################################################################
+##########    parameterized remoteip config created by Puppet        ##########
+##########      manual changes will be overwritten !!!               ##########
+###############################################################################
+
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy <%= @ae_trusted_proxy %>
+RemoteIPInternalProxy <%= @ae_trusted_proxy %>
+
+# mod_remoteip rewrites client address for %a; use it in common/combined logs.
+LogFormat "%a %l %u %t \"%r\" %>s %b" common
+LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined