On Wed, Sep 2, 2009 at 3:31 PM, Miguel Pilar Vilagran<[email protected]> wrote:
> I am seeing (with option forwardfor) that HAProxy is replacing
> X-Forwarded-For instead of chaining the proxy chain. I know it's not an RFC
> but the de facto standard is to chain the proxies by appending to the header.
> For my usage it is not necessary but thought I'd point it out (Varnish also
> doesn't handle the header properly but there's a workaround in VCL for it).
>
> Is there a setting for this that I am missing?
The issue is that X-Forwarded-For can be spoofed by clients, and to prevent this, the proxy would need a list of upstream IPs for which it will trust the X-Forwarded-For header and chain it.

We would very much like this functionality as well. We are in a situation where we're using HAProxy simply to bounce requests onwards to another HAProxy (for legacy issues related to IP address ownership), and we've had to modify our app since the client IPs are sometimes no longer available.

A.
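The trust-list behaviour described in the reply above, as an added example that is not part of the original thread and is not HAProxy's code: a proxy appends to X-Forwarded-For only when the connecting peer is a trusted upstream, and the application walks the chain right to left to find the client. The network in `TRUSTED_UPSTREAMS`, the sample addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed trust list: the upstream proxies whose X-Forwarded-For we accept.
TRUSTED_UPSTREAMS = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr, trusted=TRUSTED_UPSTREAMS):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # garbage such as "unknown" is never trusted
    return any(ip in net for net in trusted)


def outgoing_xff(peer_ip, incoming_xff, trusted=TRUSTED_UPSTREAMS):
    """Header value this proxy sends onwards.

    Chain (append the peer) only when the peer is a trusted upstream;
    otherwise discard whatever the peer sent and start a fresh chain.
    """
    if incoming_xff and is_trusted(peer_ip, trusted):
        return f"{incoming_xff.strip()}, {peer_ip}"
    return peer_ip


def client_ip(peer_ip, xff, trusted=TRUSTED_UPSTREAMS):
    """Walk the chain right to left and return the first untrusted hop."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    current = peer_ip
    while is_trusted(current, trusted) and hops:
        current = hops.pop()
    return current


if __name__ == "__main__":
    # Constructed scenario: client -> edge proxy 10.0.0.4 -> inner proxy 10.0.0.5 -> app.
    # The client sends its own forged X-Forwarded-For header.
    at_edge = outgoing_xff("198.51.100.9", "1.2.3.4")   # forged value dropped
    at_inner = outgoing_xff("10.0.0.4", at_edge)        # trusted peer, chained
    print(at_edge, "|", at_inner, "|", client_ip("10.0.0.5", at_inner))
```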

