On 9/2/09 11:17 AM, "Alexander Staubo" <[email protected]> wrote:
> On Wed, Sep 2, 2009 at 3:31 PM, Miguel Pilar
> Vilagran <[email protected]> wrote:
>> I am seeing (with option forwardfor) that HAProxy is replacing
>> X-Forwarded-For instead of chaining the proxy chain. I know it's not an RFC
>> but the de facto standard is to chain the proxies by appending to the header.
>> For my usage it is not necessary but thought I'd point it out (Varnish also
>> doesn't handle the header properly but there's a workaround in VCL for it).
>>
>> Is there a setting for this that I am missing?
>
> The issue is that X-Forwarded-For can be spoofed by clients, and to
> prevent this, the proxy would need a list of upstream IPs for which it
> will trust the X-Forwarded-For header and chain it.
>
> We would very much like this functionality as well. We are in a
> situation where we're using HAProxy simply to bounce requests onwards
> to another HAProxy (for legacy issues related to IP address
> ownership), and we've had to modify our app since the client IPs are
> sometimes no longer available.
>
> A.

The typical way this is managed is an option to have the chaining software wipe
the header to begin with or not. Essentially the default behavior should be
optional (maybe have 'option chained-forwardfor', or something to that effect).
For us haproxy isn't the first hop but we'd still like it to be in the chain,
mostly because if we ever have to switch haproxy to their own server we can
have the functionality.
--
Miguel Pilar
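The trust-list behaviour Alexander describes (chain X-Forwarded-For only when the peer is a known upstream proxy, otherwise wipe it) and the resolution of the real client address on the receiving side, as an added example. This is illustrative Python, not HAProxy code or anything from this thread; the trusted networks and all addresses are constructed for the example.

```python
import ipaddress

# Constructed trust list: the networks our own proxies speak from.
# Only peers inside these ranges are allowed to hand us an
# X-Forwarded-For value that we will preserve.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted(peer_ip, trusted=TRUSTED_PROXIES):
    """True if the TCP peer address belongs to a trusted proxy network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def build_forwarded_for(peer_ip, incoming_xff, trusted=TRUSTED_PROXIES):
    """Value of X-Forwarded-For that this hop should send upstream.

    Chain (append the peer) only when the peer is a trusted proxy; a
    header presented by an untrusted client is discarded and replaced
    with the peer address alone, so a client cannot inject fake hops.
    """
    if incoming_xff and incoming_xff.strip() and is_trusted(peer_ip, trusted):
        return f"{incoming_xff.strip()}, {peer_ip}"
    return peer_ip


def client_ip_from_chain(peer_ip, xff_value, trusted=TRUSTED_PROXIES):
    """Resolve the client address at the end of a chained header.

    Walk the chain from the right (nearest hop first), skipping every
    address owned by a trusted proxy; the first untrusted address is
    the client as seen by the outermost trusted proxy. Anything to its
    left was supplied by an untrusted party and is ignored.
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()] if xff_value else []
    hops.append(peer_ip)  # the TCP peer is the rightmost, implicit hop
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry in the trusted region: refuse to guess
        if not is_trusted(hop, trusted):
            return hop
    # Every hop was one of our own proxies (e.g. an internal health check).
    return hops[0]
```

A second HAProxy fronted by the first would call `build_forwarded_for` with the first proxy's address as `peer_ip`, and the application behind it would call `client_ip_from_chain` with the final header; a leftmost address planted by the client is never returned because the walk stops at the first hop outside the trusted networks.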