On 25 November 2015 at 05:40, Ajay Kalambur (akalambu) <akalambu at cisco.com> wrote:

> Hi
> Have a deployment where keystone sits behind a ha proxy node. Now
> authentication requests are made to a vip. Problem is when there is an
> authentication failure we cannot track the remote ip that failed login as
> all authentication failures show the VIP ip since ha proxy fwds the request
> to a backend keystone server
>
> How do we use a load balancer like ha proxy and also track the remote
> failed ip for authentication failures
> We get all authentication failures showing up with remote ip as vip ip
>

It's probably best to enable the forwardfor option [1] and ensure that your Keystone logs record that information. This is relatively trivial if Keystone is using Apache/wsgi, but I can't recall whether the eventlet server logs the info.

[1] https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20forwardfor
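
One way to record the forwarded address on the Keystone side, as an added example that is not part of the original message or of Keystone's own code: a WSGI middleware that logs 401 responses with the client address taken from X-Forwarded-For, honouring the header only when the TCP peer is the load balancer and using only the last entry, since HAProxy appends its value after anything the client sent. The proxy address and the names `client_ip`, `AuthFailureLogger` and `auth_audit` are assumptions made for the example.

```python
import ipaddress
import logging

log = logging.getLogger("auth_audit")  # hypothetical logger name

# Assumption: address of the HAProxy node as seen by Keystone (constructed).
TRUSTED_PROXIES = {"192.0.2.10"}


def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Return the address a request should be attributed to."""
    peer = environ.get("REMOTE_ADDR", "")
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    # Honour the header only when the TCP peer is our own load balancer;
    # any other sender can put arbitrary values in it.
    if peer not in trusted or not xff:
        return peer
    # HAProxy appends its value last, so earlier entries are client-supplied.
    last = xff.split(",")[-1].strip()
    try:
        # Reject anything that is not an IP literal before it reaches the log.
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer


class AuthFailureLogger:
    """WSGI middleware that logs 401 responses with the forwarded client IP."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        def logging_start_response(status, headers, exc_info=None):
            if status.startswith("401"):
                log.warning("auth failure client=%s peer=%s path=%s",
                            client_ip(environ, self.trusted),
                            environ.get("REMOTE_ADDR", ""),
                            environ.get("PATH_INFO", ""))
            return start_response(status, headers, exc_info)

        return self.app(environ, logging_start_response)
```

Logging both `client` and `peer` keeps the VIP hop visible, so a request that reached Keystone without passing through the load balancer stands out in the same log.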