Hi Willy,
> Since you're using HTTP, it's a real waste of simplicity and performance
> to try to work in transparent mode. You'd better work in a normal proxy
> mode and configure your web server to report the client's IP address in
> the logs instead of relying on haproxy and your kernel to spoof the client.
The reason I'm pursuing this transparent route is that I haven't found a
real clean patch for Apache that would report X-Forwarded-For also
reliably to CGI's REMOTE_ADDR env-variable and to .htaccess deny/allow
lines. So you wouldn't have to modify existing scripts / .htaccesses to
know about the reverse proxy.
If there's a good patch for Apache 2.x that supports that I'd be more
than happy to use that instead of this bit kludgy way.
> If for any reason you absolutely want to do that anyway, here are two
> possibilities:
> 1) use two different backends, one for local connections, and another one
> for external ones. The local one must not do transparent proxying:
I'll try this route.
Thanks Willy for the quick and insightful answer.
Cheers,
Toni Mattila
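As an added illustration of Willy's first suggestion (this is example configuration written for this note, not something from the thread or from the haproxy project), one frontend splits traffic by source address into a plain backend for local clients and a transparent one for external clients. The addresses are constructed, and the transparent backend assumes a haproxy build with Linux TPROXY support plus routing that returns Apache's replies through the haproxy host.

```haproxy
# Example configuration for the two-backend setup (constructed, not from the thread).
global
    daemon

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80
    # Constructed ranges: the proxy host itself and the LAN count as "local".
    acl from_local src 127.0.0.0/8 192.168.0.0/16
    use_backend apache_local if from_local
    default_backend apache_transparent

# Local connections: ordinary proxying, no source-address spoofing.
# X-Forwarded-For is still added so the access log can record the client.
backend apache_local
    option forwardfor
    server apache1 192.168.1.10:80   # constructed Apache address

# External connections: haproxy connects to Apache using the client's own
# address as source, so REMOTE_ADDR and .htaccess allow/deny see the real
# client. Requires TPROXY support in the kernel and in this haproxy build.
backend apache_transparent
    option forwardfor
    source 0.0.0.0 usesrc clientip
    server apache1 192.168.1.10:80   # constructed Apache address
```

Check with `haproxy -c -f <file>` before reloading; if the build lacks TPROXY support the `usesrc clientip` line is rejected at that step rather than failing silently at run time.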