Hello,

I patched the Debian stunnel4 package for squeeze:

# aptitude install devscripts build-essential fakeroot
# apt-get build-dep stunnel4
# apt-get source stunnel4
# wget http://haproxy.1wt.eu/download/patches/stunnel-4.29-xforwarded-for.diff
# cd stunnel4-4.29/
# patch -p1 -i ../stunnel-4.29-xforwarded-for.diff
# debuild -us -uc
# dpkg -i ../stunnel4_4.29-1_amd64.deb

I changed my conf /etc/stunnel/stunnel.conf to:

[...]
[https]
accept = 192.168.134.222:443
connect = 192.168.134.222:4430
TIMEOUTclose = 0
xforwardedfor = yes

I changed my conf /etc/haproxy/haproxy.conf to:

listen sslsite
    bind 192.168.134.222:4430
    balance roundrobin
    cookie SRV insert indirect nocache
    capture request header X-Forwarded-For len 256
    rspirep ^Location:\ http://(.*) Location:\ https://\1
    server vexft04 192.168.16.55:80 cookie ahD2Fiel check inter 5000 fall 3
    server vexft05 192.168.16.50:80 cookie ifaop7Ge check inter 5000 fall 3
    server vexft06 192.168.128.52:80 cookie aina1oRo check inter 5000 fall 3
    server vexft07 192.168.128.53:80 cookie ohQuai5g check inter 5000 fall 3

But the X-Forwarded-For header is inconsistently set in the logs:

Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.218] sslsite sslsite/vexft04 0/0/0/250/250 200 3865 - - --NI 1/1/0/1/0 0/0 {10.147.28.20} "GET /admin/AdmInscriptionPro.shtml HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.468] sslsite sslsite/vexft04 31/0/1/1/33 200 471 - - --VN 1/1/0/1/0 0/0 {} "GET /css/admin/master.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.502] sslsite sslsite/vexft04 173/0/0/5/178 200 2018 - - --VN 1/1/0/1/0 0/0 {} "GET /css/lightwindow.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.680] sslsite sslsite/vexft04 56/0/1/1/58 200 573 - - --VN 1/1/0/1/0 0/0 {} "GET /css/sIFR-screen.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.739] sslsite sslsite/vexft04 64/0/1/1/66 200 722 - - --VN 1/1/0/1/0 0/0 {} "GET /css/niftyCorners.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.805] sslsite sslsite/vexft04 3/0/1/11/16 200 28961 - - --VN 1/1/0/1/0 0/0 {} "GET /script/aculous/prototype.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.832] sslsite sslsite/vexft04 0/0/0/1/1 200 2071 - - --VN 4/4/3/4/0 0/0 {10.147.28.20} "GET /script/espace-pro.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.831] sslsite sslsite/vexft04 0/0/0/2/2 200 1811 - - --VN 4/4/2/3/0 0/0 {10.147.28.20} "GET /script/niftyCorners.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924[05/Aug/2011:11:23:54.832] sslsite sslsite/vexft04 0/0/0/2/2 200 739 - - --VN 6/6/3/4/0 0/0 {10.147.28.20} "GET /script/niftyDeclare.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928[05/Aug/2011:11:23:54.834] sslsite sslsite/vexft04 0/0/0/1/1 200 604 - - --VN 6/6/2/3/0 0/0 {10.147.28.20} "GET /script/admin/menu_admin.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.821] sslsite sslsite/vexft04 7/0/0/7/14 200 13798 - - --VN 6/6/2/3/0 0/0 {} "GET /script/aculous/lightwindow.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43926[05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 0/0/0/3/3 200 2640 - - --VN 6/6/1/2/0 0/0 {10.147.28.20} "GET /script/espace-admin.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 2/0/0/1/3 200 945 - - --VN 6/6/2/3/0 0/0 {} "GET /script/recherche/SearchLightWindow.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924[05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/1/1/4 200 810 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/typo.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928[05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/0/1/3 200 1138 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/lists.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 3/0/1/1/5 200 1617 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/layout.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43926[05/Aug/2011:11:23:54.837] sslsite sslsite/vexft04 2/0/0/1/3 200 2914 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/navbar.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.837] sslsite sslsiteo/vexft04 2/0/0/1/3 200 1726 - - --VN 6/6/1/2/0 0/0 {} "GET /css/admin/forms.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924[05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/1/3 200 669 - - --VN 6/6/3/4/0 0/0 {} "GET /css/niftyDeclare.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.836] sslsite sslsite/vexft04 4/0/1/1/6 200 1740 - - --VN 6/6/3/4/0 0/0 {} "GET /css/admin/ventre_general.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928[05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/1/1/4 200 1662 - - --VN 6/6/2/3/0 0/0 {} "GET /script/aculous/scriptaculous.js?load=effects HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.841] sslsite sslsite/vexft04 1/0/0/1/2 200 767 - - --VN 6/6/1/2/0 0/0 {} "GET /script/sifr-config.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/4/7 200 10291 - - --VN 6/6/0/1/0 0/0 {} "GET /script/sifr.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.847] sslsite sslsite/vexft04 107/0/1/3/112 200 9179 - - --VN 6/6/0/1/0 0/0 {} "GET /script/aculous/effects.js HTTP/1.1"
Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:54.959] sslsite sslsite/vexft04 325/0/0/2/328 200 16587 - - --VN 6/6/0/1/0 0/0 {} "GET /swf/futura.swf HTTP/1.1"
Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:55.286] sslsite sslsite/vexft04 568/0/0/1/569 200 774 - - --VN 6/6/0/1/0 0/0 {} "GET /css/sIFR-print.css HTTP/1.1"
Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:55.856] sslsite sslsite/vexft04 23/0/0/1/24 200 330 - - --VN 6/6/0/1/0 0/0 {} "GET /css/niftyPrint.css HTTP/1.1"
Aug 5 11:23:56 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:55.881] sslsite sslsite/vexft04 167/0/1/0/168 200 1392 - - --VN 6/6/0/1/0 0/0 {} "GET /favicon.ico HTTP/1.1"
Aug 5 11:24:00 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:23:56.049] sslsite sslsite/vexft04 4550/0/1/1/4552 403 439 - - --VN 6/6/0/1/0 0/0 {} "GET /admin/ HTTP/1.1"
Aug 5 11:24:02 haproxy[8423]: 192.168.134.222:43920[05/Aug/2011:11:24:00.601] sslsite sslsite/vexft04 1753/0/1/11/1765 200 3800 - - --VN 6/6/0/1/0 0/0 {} "GET /admin/AdmInscriptionPro.shtml HTTP/1.1"

(The Apache log on vexft04 confirmed this: sometimes there are 2 IPs in the X-Forwarded-For; most of the time there is only 192.168.134.222, the IP of haproxy.)

I got no error from the patch, only some warnings during compilation/building:

"dpkg-shlibdeps: warning: dependency on libdl.so.2 could be avoided if "debian/stunnel4/usr/bin/stunnel4 debian/stunnel4/usr/lib/stunnel/libstunnel.so" were not uselessly linked against it (they use none of its symbols)."

What is done wrong?

Thank you.

Best regards,
--
Damien
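
An added example, not part of the original post: a Python check over log lines in the format quoted above that groups requests by client source port (one stunnel-to-HAProxy connection each) and reports which requests on each connection carried a captured X-Forwarded-For. The regular expression and function names are this example's own; the five sample lines are copied from the log in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the HAProxy HTTP log lines as they appear in the post:
# client ip:port, accept date, captured request headers in {...}, request line.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[\d.]+):(?P<port>\d+)\s*\[(?P<ts>[^\]]+)\]'
    r'.*? \{(?P<xff>[^}]*)\} "(?P<req>[^"]*)"'
)

# Five lines copied from the log in the post (two connections, log order kept).
SAMPLE = '''\
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.218] sslsite sslsite/vexft04 0/0/0/250/250 200 3865 - - --NI 1/1/0/1/0 0/0 {10.147.28.20} "GET /admin/AdmInscriptionPro.shtml HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.468] sslsite sslsite/vexft04 31/0/1/1/33 200 471 - - --VN 1/1/0/1/0 0/0 {} "GET /css/admin/master.css HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.832] sslsite sslsite/vexft04 0/0/0/1/1 200 2071 - - --VN 4/4/3/4/0 0/0 {10.147.28.20} "GET /script/espace-pro.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889[05/Aug/2011:11:23:54.821] sslsite sslsite/vexft04 7/0/0/7/14 200 13798 - - --VN 6/6/2/3/0 0/0 {} "GET /script/aculous/lightwindow.js HTTP/1.1"
Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922[05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 2/0/0/1/3 200 945 - - --VN 6/6/2/3/0 0/0 {} "GET /script/recherche/SearchLightWindow.js HTTP/1.1"
'''

def parse(text):
    """Yield (connection, accept_time, captured_xff, request) per log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
            yield (m["ip"], int(m["port"])), ts, m["xff"], m["req"]

def xff_positions(text):
    """Map each connection to booleans in accept-time order:
    True where the request carried a captured X-Forwarded-For."""
    conns = defaultdict(list)
    for conn, ts, xff, _req in parse(text):
        conns[conn].append((ts, bool(xff.strip())))
    return {c: [has for _ts, has in sorted(reqs)] for c, reqs in conns.items()}

def only_first_request_has_xff(text):
    """True if, on every connection, XFF is on request 1 and never again."""
    return all(p[0] and not any(p[1:]) for p in xff_positions(text).values())

if __name__ == "__main__":
    for conn, flags in sorted(xff_positions(SAMPLE).items()):
        print(conn, "".join("X" if f else "." for f in flags))
    print("XFF only on first request:", only_first_request_has_xff(SAMPLE))
```

On these sample lines the check returns True: the captured address appears on the first request of each source port and on none of the later requests sent over the same connection.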

