Hi, >> The X-Forwarded-For header is only added once at the end of all processing. >> Otherwise, having it in the defaults section would result in both your >> frontend and your backend adding it. Then the possibility to add it only to a frontend or a backend in the defaults section would be nice?
>> So in your case, what happens is that you delete it in the frontend (using >> reqidel) then you tag the session for adding a new one after all processing >> is done. >> >> When at the last point we have to establish a connection to the server, we >> check the header and balance based on it. I agree we should always have it >> filled with the same value, so there's a bug. So if I got it right, I cannot balance based on the new header because it was not added yet. That behaviour comes really unexpected because one usually would believe it was already added in the frontend. >> My guess is that you're running a version prior to 1.4.10 which has the >> header deletion bug : the header list can become corrupted when exactly >> two consecutive headers are removed from the request (eg: connection and >> x-forwarded-for). Then the newly added X-Forwarded-For could not be seen >> by the code responsible for hashing it. >> >> If so, please try to upgrade to the last bug fix (1.4.10) and see if the >> problem persists. I am already using 1.4.10 - sorry, it seems I somehow forgot to mention it! :/ >> Also, I'd like to add that what you're doing is simply equivalent (though >> more complex) to hashing the source address. You'd better use "balance src" >> for this :-) That is a good hint, but I also have a frontend for SSL (with stunnel which adds the X-Forward-For header) that I'd want to use the same backend. I did not like defining backends twice as it introduces redundancy and might lead to inconsistency, it is a good workaround though. Note: my testing and the bug happened with the normal frontend. Also, I could leave out the reqidel of the header, but then a malicious party could theoretically choose the server it accesses (by forging x-forwarded-for) and overload one after another; I prefer to take away this possibility (yea I am overdoing it, maybe). ;) Best regards, Craig
