Re: Client source IP visibility

Tue, 17 Jul 2012 07:34:26 -0700 

Hi,

On 17-07-12 16:23, Fabrice Brazier wrote:

Hi Edison,

I think it would be doable with X-Forwarded-For as workaround in some
cases.

For Apache:
-----------------------------------------------------
<Location "/only_proxy/">
         SetEnvIf X-Forwarded-For ^10\.1\.1\. proxy_env
         Order allow,deny
         Satisfy Any
         Allow from env=proxy_env
</Location>
-----------------------------------------------------

I also found this in the CloudStack Docs:
http://wiki.cloudstack.org/display/COMM/Log+the+IP+of+the+client+in+Apache
+using+the+CloudStack+LoadBalancer

For nginx there is a HttpRealipModule for stuff like that.

But for our customers this would mean they have to adapt their
applications and they would need to test and accept this solution in the
POC.
We would definitively like to see a solution which wouldn’t require on the
application side.


Try mod_rpaf for Apache, that should do the trick.

Wido



Regards,
Fabrice

--
Fabrice Brazier
Apalia™
FR: +33-632-73-53-00
http://www.apalia.net
fabrice.braz...@apalia.net


-----Message d'origine-----
De : Edison Su [mailto:edison...@citrix.com]
Envoyé : lundi 16 juillet 2012 19:54
À : cloudstack; cloudstack-us...@incubator.apache.org
Objet : RE: Client source IP visibility




-----Original Message-----
From: Fabrice Brazier [mailto:fabrice.braz...@apalia.net]
Sent: Monday, July 16, 2012 1:56 AM
To: cloudstack-us...@incubator.apache.org
Cc: cloudstack
Subject: Client source IP visibility

Hi Folks,



we need a way of configuring CloudStack load balancing with the
integrated ha-proxy load balancer without hiding the client (source)
IP.

We see TPPROXY feature as a way of doing this, see
http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-
full-transparent-proxy/
.



Does this functionality is already implemented ? Will be in the future?



It needs special kernel, not sure it works in debian squeeze kernel or
not.




A possible workaround would be to use the "X-Forwarded-For" header for
filtering IP addresses.


"option forwardfor" is already in haproxy configuration file, by default.
Doesn't it work for you? If not, please fire a bug.





Thanks,

Fabrice



--
Fabrice Brazier
*Apalia*(tm)*
*FR: +33-632-73-53-00
*http://www.apalia.net
fabrice.braz...@apalia.net*

Reply via email to