Octavia: proxy protocol

openstack loadbalancer listener create --name foo-lb1-tcp-80 --protocol TCP --protocol-port 80 foo-lb1
openstack loadbalancer pool create --name foo-lb1-proxy-pool --lb-algorithm ROUND_ROBIN --listener foo-lb1-tcp-80 --protocol PROXY
openstack loadbalancer member create --subnet-id foo-subnet --address --protocol-port 80 foo-lb1-proxy-pool
# check whather http_realip_module is available
nginx -V 2>&1 | grep -- 'http_realip_module'
# configure nginx
cat /etc/nginx/sites-enabled/default 
server {
    listen 80 default_server proxy_protocol;
    set_real_ip_from; # incomming proxy IP
    real_ip_header proxy_protocol;
cat /etc/nginx/nginx.conf
http {
    proxy_set_header X-Real-IP       $proxy_protocol_addr;
    proxy_set_header X-Forwarded-For $proxy_protocol_addr;


Octavia: Allow SSH login to Amphora VM

Allow SSH access

AMPHORA_ID=$(openstack loadbalancer amphora list --loadbalancer ${LB_ID} --role MASTER -c id -f value)
AMPHORA_COMPUTE_ID=$(openstack loadbalancer amphora show ${AMPHORA_ID} -c compute_id -f value)
LB_NETWORK_IP=$(openstack loadbalancer amphora show ${AMPHORA_ID} -c lb_network_ip -f value)
SECURITY_GROUP_ID=$(openstack port list --server ${AMPHORA_COMPUTE_ID} --fixed-ip "ip-address=${LB_NETWORK_IP}" -c security_group_ids -f value)
# DEBUG: show ingress tcp rules
openstack security group rule list --ingress --protocol tcp ${SECURITY_GROUP_ID}
openstack security group rule create --protocol tcp --dst-port 22:22 --remote-ip  ${SECURITY_GROUP_ID}
openstack loadbalancer amphora list --loadbalancer ${LB_ID} -c  lb_network_ip -c role -f value
openstack loadbalancer amphora list --loadbalancer ${LB_ID} -c  lb_network_ip --role MASTER -f value
# login to amphora VM from OpenStack control node
ssh local@ctl1-dev.dev.i.example.com
ssh -i ~/.ssh/id_rsa_octavia ubuntu@${AMPHORA_VM_IP}

Manuall SSH access

Docker: HAProxy



  maxconn 4096
  #stats timeout 30s
  log global
  mode http
  option httplog
  option dontlognull
  timeout connect 5000
  timeout client 50000
  timeout server 50000
  log local0
  #option httpchk
frontend frontend1
  bind :80
  mode http
  use_backend backend1
backend backend1
  mode http
  balance roundrobin
  option httpchk GET / HTTP/1.1
  http-check expect status 400
  server www1 check
  server www2 check
  server www3 check
listen stats 
  bind :9000
  mode http
  stats enable
  stats hide-version
  stats realm Haproxy\ Statistics
  stats refresh 60s
  stats show-node
  stats auth haproxy:password
  stats uri /


docker run -d --name haproxy -v /tmp/haproxy:/usr/local/etc/haproxy:ro -p 8080:80 -p 9000:9000 haproxy:latest
docker logs -f  haproxy