Hello,

On Mon, May 09, 2011 at 05:40:44PM +0200, bartavelle wrote:
> Hello,
> 
>       This doesn't seem to work with 1.5-dev6 with accept-proxy bindings :
> http://tehlose.wordpress.com/2010/12/15/fun-stuff-with-latest-haproxy-version/
> 
>       The stick table only contains a single key - 127.0.0.1 :
> 
> # table: distribution, type: ip, size:512000, used:1
> 0x125e114: key=127.0.0.1 use=3 exp=299990 conn_cur=3

If you copied the conf from the link above, I'm not surprised, because the
config tracks the IP immediately from the connection :

    tcp-request connection track-sc1 src    if ! source_is_abuser

When the connection comes in, the real IP is seen. Once data comes on it
and the proxy protocol is parsed, the transported IP is seen and can be
used. From that point, internal IPs are changed. BTW this exception is
explained in the doc for the accept-proxy keyword. If you want to achieve
the same thing at this point, you'll have to use "tcp-request content"
instead of "tcp-request connection", so that the filtering happens at
the content inspection hook instead of the accept hook. And this makes
sense since there's no point filtering on accept() since the connection
initiator is known and trusted.

Regards,
Willy
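
The change described in the reply above, as an added configuration example that is not part of the original mail or of the linked blog post. The table name, type, size and `conn_cur` counter come from the table dump quoted above; the bind address, the expiry, and the definition and threshold of `source_is_abuser` are assumptions for illustration.

```haproxy
listen distribution
    # Assumed listener: a local proxy in front connects here and sends
    # the PROXY protocol header.
    bind 127.0.0.1:8080 accept-proxy

    # Matches the quoted dump: type ip, size 512000, conn_cur stored.
    # The expiry is an assumption.
    stick-table type ip size 512000 expire 5m store conn_cur

    # Hypothetical ACL body; the page only shows the ACL's name.
    acl source_is_abuser src_conn_cur gt 10

    # Before: evaluated at the accept hook, before the PROXY header is
    # parsed, so "src" is the peer that opened the socket (127.0.0.1)
    # and every client lands on the same stick-table key.
    # tcp-request connection track-sc1 src if ! source_is_abuser

    # After: evaluated at the content inspection hook, once the PROXY
    # header has been parsed, so "src" is the transported client address.
    tcp-request content track-sc1 src if ! source_is_abuser
```

With the second form, the stick table should show one key per transported client address instead of the single 127.0.0.1 entry.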