(this ML needs a Reply-To header :) For the conclusion:

---------- Forwarded message ----------
From: Damien Hardy <[email protected]>
Date: 2011/8/5
Subject: Re: erratic X-Forwarded-For patch for stunnel
To: Guillaume Bourque <[email protected]>

Good point. I was running with option http-server-close in the global configuration. Now with option httpclose it gets the X-Forwarded-For for every request.

Thank you very much.

--
Damien

2011/8/5 Guillaume Bourque <[email protected]>

> Hi,
>
> are you using httpclose in haproxy in the frontend for the SSL portion of
> haproxy? Willy talked about other ways to solve this yesterday, but just
> for a test you could put option httpclose in this frontend.
>
> "most of the time there is only 192.168.134.222 the IP of haproxy)" It's
> the IP of stunnel too, I imagine?
>
> You can see more than one X-Forwarded-For in the log; it's cumulative... But
> you can tell haproxy not to include X-Forwarded-For when stunnel has already
> put the client IP, with an option like this:
>
> option forwardfor except 10.222.0.0/27
>
> For me this is the subnet of the SSL offloader, 10.222.0.0/27.
>
> So, the way I understand it:
>
> Client ------------- stunnel (add the client ip to X-For) ----------- haproxy (will not add X-For) --------- apache1
>                                                                                                    --------- apache2
>
> Client -------------------------------------------------------------- haproxy (will add X-For) --------- apache1
>                                                                                                --------- apache2
>
> Then you need to decide if you will be using option httpclose or what was
> discussed yesterday.
>
> From Willy:
>
> So if you need stunnel to provide the IP to haproxy, you have two
> solutions:
> - either disable keep-alive using "option httpclose" on haproxy so that
>   it forces stunnel to reopen a new connection for each request and to
>   add the header to each of them;
>
> - or make use of the "send-proxy" patch for stunnel, which is compatible
>   with the "accept-proxy" feature of haproxy. This is the preferred solution
>   because instead of mangling the beginning of the HTTP request, stunnel
>   then informs haproxy about the source address in an out-of-band fashion,
>   which makes it compatible with keep-alive.
>
> Bye.
>
> On 2011-08-05 05:45, Damien Hardy wrote:
>
> Hello,
>
> I patched the Debian stunnel4 package for squeeze:
>
> # aptitude install devscripts build-essential fakeroot
> # apt-get build-dep stunnel4
> # apt-get source stunnel4
> # wget http://haproxy.1wt.eu/download/patches/stunnel-4.29-xforwarded-for.diff
> # cd stunnel4-4.29/
> # patch -p1 -i ../stunnel-4.29-xforwarded-for.diff
> # debuild -us -uc
> # dpkg -i ../stunnel4_4.29-1_amd64.deb
>
> changed my conf /etc/stunnel/stunnel.conf to:
>
> [...]
> [https]
> accept = 192.168.134.222:443
> connect = 192.168.134.222:4430
> TIMEOUTclose = 0
> xforwardedfor = yes
>
> changed my conf /etc/haproxy/haproxy.conf to:
>
> listen sslsite
>     bind 192.168.134.222:4430
>     balance roundrobin
>     cookie SRV insert indirect nocache
>     capture request header X-Forwarded-For len 256
>     rspirep ^Location:\ http://(.*) Location:\ https://\1
>     server vexft04 192.168.16.55:80 cookie ahD2Fiel check inter 5000 fall 3
>     server vexft05 192.168.16.50:80 cookie ifaop7Ge check inter 5000 fall 3
>     server vexft06 192.168.128.52:80 cookie aina1oRo check inter 5000 fall 3
>     server vexft07 192.168.128.53:80 cookie ohQuai5g check inter 5000 fall 3
>
> But the X-Forwarded-For header is inconsistently set in the logs:
>
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.218] sslsite sslsite/vexft04 0/0/0/250/250 200 3865 - - --NI 1/1/0/1/0 0/0 {10.147.28.20} "GET /admin/AdmInscriptionPro.shtml HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.468] sslsite sslsite/vexft04 31/0/1/1/33 200 471 - - --VN 1/1/0/1/0 0/0 {} "GET /css/admin/master.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.502] sslsite sslsite/vexft04 173/0/0/5/178 200 2018 - - --VN 1/1/0/1/0 0/0 {} "GET /css/lightwindow.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.680] sslsite sslsite/vexft04 56/0/1/1/58 200 573 - - --VN 1/1/0/1/0 0/0 {} "GET /css/sIFR-screen.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.739] sslsite sslsite/vexft04 64/0/1/1/66 200 722 - - --VN 1/1/0/1/0 0/0 {} "GET /css/niftyCorners.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.805] sslsite sslsite/vexft04 3/0/1/11/16 200 28961 - - --VN 1/1/0/1/0 0/0 {} "GET /script/aculous/prototype.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922 [05/Aug/2011:11:23:54.832] sslsite sslsite/vexft04 0/0/0/1/1 200 2071 - - --VN 4/4/3/4/0 0/0 {10.147.28.20} "GET /script/espace-pro.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.831] sslsite sslsite/vexft04 0/0/0/2/2 200 1811 - - --VN 4/4/2/3/0 0/0 {10.147.28.20} "GET /script/niftyCorners.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924 [05/Aug/2011:11:23:54.832] sslsite sslsite/vexft04 0/0/0/2/2 200 739 - - --VN 6/6/3/4/0 0/0 {10.147.28.20} "GET /script/niftyDeclare.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928 [05/Aug/2011:11:23:54.834] sslsite sslsite/vexft04 0/0/0/1/1 200 604 - - --VN 6/6/2/3/0 0/0 {10.147.28.20} "GET /script/admin/menu_admin.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.821] sslsite sslsite/vexft04 7/0/0/7/14 200 13798 - - --VN 6/6/2/3/0 0/0 {} "GET /script/aculous/lightwindow.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43926 [05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 0/0/0/3/3 200 2640 - - --VN 6/6/1/2/0 0/0 {10.147.28.20} "GET /script/espace-admin.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922 [05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 2/0/0/1/3 200 945 - - --VN 6/6/2/3/0 0/0 {} "GET /script/recherche/SearchLightWindow.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924 [05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/1/1/4 200 810 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/typo.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928 [05/Aug/2011:11:23:54.835] sslsite sslsite/vexft04 2/0/0/1/3 200 1138 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/lists.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.833] sslsite sslsite/vexft04 3/0/1/1/5 200 1617 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/layout.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43926 [05/Aug/2011:11:23:54.837] sslsite sslsite/vexft04 2/0/0/1/3 200 2914 - - --VN 6/6/2/3/0 0/0 {} "GET /css/admin/navbar.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922 [05/Aug/2011:11:23:54.837] sslsite sslsite/vexft04 2/0/0/1/3 200 1726 - - --VN 6/6/1/2/0 0/0 {} "GET /css/admin/forms.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43924 [05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/1/3 200 669 - - --VN 6/6/3/4/0 0/0 {} "GET /css/niftyDeclare.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43889 [05/Aug/2011:11:23:54.836] sslsite sslsite/vexft04 4/0/1/1/6 200 1740 - - --VN 6/6/3/4/0 0/0 {} "GET /css/admin/ventre_general.css HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43928 [05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/1/1/4 200 1662 - - --VN 6/6/2/3/0 0/0 {} "GET /script/aculous/scriptaculous.js?load=effects HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43922 [05/Aug/2011:11:23:54.841] sslsite sslsite/vexft04 1/0/0/1/2 200 767 - - --VN 6/6/1/2/0 0/0 {} "GET /script/sifr-config.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.839] sslsite sslsite/vexft04 2/0/0/4/7 200 10291 - - --VN 6/6/0/1/0 0/0 {} "GET /script/sifr.js HTTP/1.1"
> Aug 5 11:23:54 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.847] sslsite sslsite/vexft04 107/0/1/3/112 200 9179 - - --VN 6/6/0/1/0 0/0 {} "GET /script/aculous/effects.js HTTP/1.1"
> Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:54.959] sslsite sslsite/vexft04 325/0/0/2/328 200 16587 - - --VN 6/6/0/1/0 0/0 {} "GET /swf/futura.swf HTTP/1.1"
> Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:55.286] sslsite sslsite/vexft04 568/0/0/1/569 200 774 - - --VN 6/6/0/1/0 0/0 {} "GET /css/sIFR-print.css HTTP/1.1"
> Aug 5 11:23:55 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:55.856] sslsite sslsite/vexft04 23/0/0/1/24 200 330 - - --VN 6/6/0/1/0 0/0 {} "GET /css/niftyPrint.css HTTP/1.1"
> Aug 5 11:23:56 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:55.881] sslsite sslsite/vexft04 167/0/1/0/168 200 1392 - - --VN 6/6/0/1/0 0/0 {} "GET /favicon.ico HTTP/1.1"
> Aug 5 11:24:00 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:23:56.049] sslsite sslsite/vexft04 4550/0/1/1/4552 403 439 - - --VN 6/6/0/1/0 0/0 {} "GET /admin/ HTTP/1.1"
> Aug 5 11:24:02 haproxy[8423]: 192.168.134.222:43920 [05/Aug/2011:11:24:00.601] sslsite sslsite/vexft04 1753/0/1/11/1765 200 3800 - - --VN 6/6/0/1/0 0/0 {} "GET /admin/AdmInscriptionPro.shtml HTTP/1.1"
>
> (the apache log on vexft04 confirmed it: sometimes there are 2 IPs in the
> X-Forwarded-For, most of the time there is only 192.168.134.222, the IP of
> haproxy)
>
> I got no error from the patch, only a warning during compilation/building:
> "dpkg-shlibdeps: warning: dependency on libdl.so.2 could be avoided if
> "debian/stunnel4/usr/bin/stunnel4 debian/stunnel4/usr/lib/stunnel/libstunnel.so"
> were not uselessly linked against it (they use none of its symbols)."
>
> What did I do wrong?
>
> Thank you.
>
> Best regards,
>
> --
> Damien
>
>
> --
> Guillaume Bourque, B.Sc.,
> consultant, open-source technology infrastructures
> 514 576-7638, http://ca.linkedin.com/in/GuillaumeBourque/fr
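The behaviour the thread converges on, as an added example (this is editor-written illustration code, not code from the thread, from stunnel or from haproxy): it models Willy's two options side by side. Option 1 is the stunnel xforwardedfor patch, which injects X-Forwarded-For when the TCP connection opens, so with keep-alive only the first request on a connection carries it and haproxy appends its own peer address (stunnel's) to the rest, which is exactly the "sometimes 2 IPs, usually only 192.168.134.222" pattern Damien saw. Option 2 is a PROXY protocol v1 header (stunnel send-proxy, haproxy accept-proxy), parsed once per connection and valid for every request on it. The addresses are the ones quoted in the thread; the function names, the sample paths and the offloader address 10.222.0.5 (chosen to fall inside Guillaume's 10.222.0.0/27) are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread, stunnel or haproxy.

Models the two ways discussed above of getting the client address from
stunnel into haproxy: the X-Forwarded-For injected by the stunnel patch
(once per TCP connection, so lost on keep-alive) versus a PROXY protocol
v1 header (read once per connection, valid for every request on it).
Function names and the offloader address 10.222.0.5 are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Subnet of the SSL offloader, as in "option forwardfor except 10.222.0.0/27".
OFFLOADER_NET = ipaddress.ip_network("10.222.0.0/27")


def parse_proxy_v1(header: bytes) -> Optional[Tuple[str, str, int, int]]:
    """Parse one PROXY protocol v1 line, the format haproxy's accept-proxy
    reads before the first byte of the request. Returns
    (src_ip, dst_ip, src_port, dst_port), or None if the line is malformed
    (haproxy would then reject the connection). "PROXY UNKNOWN" is treated
    as malformed here for simplicity; the real protocol accepts it and
    falls back to the TCP peer address."""
    if len(header) > 107 or not header.endswith(b"\r\n"):
        return None                       # spec: at most 107 bytes, CRLF-terminated
    parts = header[:-2].decode("ascii", "replace").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return None
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        return None                       # family tag must match both addresses
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return str(src), str(dst), sport, dport


def stunnel_xff_connection(client_ip: str, paths: List[str]) -> List[Dict[str, str]]:
    """Request headers stunnel forwards on ONE keep-alive connection with the
    xforwardedfor patch: the header is inserted when the connection opens,
    so only the first request on the connection carries it."""
    return [{"X-Forwarded-For": client_ip} if i == 0 else {}
            for i, _ in enumerate(paths)]


def haproxy_forwardfor(peer_ip: str, headers: Dict[str, str],
                       except_net: ipaddress.IPv4Network = OFFLOADER_NET) -> Optional[str]:
    """'option forwardfor except <net>': haproxy appends the TCP peer address
    unless the peer is inside <net>. Returns the X-Forwarded-For value the
    backend receives (None when no header is present at all)."""
    existing = headers.get("X-Forwarded-For")
    if ipaddress.ip_address(peer_ip) in except_net:
        return existing                   # trusted offloader: leave its header alone
    return f"{existing}, {peer_ip}" if existing else peer_ip


def xff_seen_by_backend(client_ip: str, stunnel_ip: str,
                        paths: List[str]) -> List[Optional[str]]:
    """Option 1: X-Forwarded-For as Apache sees it, request by request."""
    return [haproxy_forwardfor(stunnel_ip, h)
            for h in stunnel_xff_connection(client_ip, paths)]


def client_ip_via_proxy_protocol(proxy_line: bytes, paths: List[str]) -> List[str]:
    """Option 2: the PROXY header is parsed once and its source address
    applies to every request on the connection."""
    parsed = parse_proxy_v1(proxy_line)
    if parsed is None:
        raise ValueError("malformed PROXY header: accept-proxy would close the connection")
    return [parsed[0]] * len(paths)


if __name__ == "__main__":
    paths = ["/admin/AdmInscriptionPro.shtml", "/css/admin/master.css", "/css/lightwindow.css"]
    # Damien's setup: stunnel at 192.168.134.222 is not in the "except" subnet,
    # so haproxy appends its peer (stunnel) on every request.
    print(xff_seen_by_backend("10.147.28.20", "192.168.134.222", paths))
    # Guillaume's setup: assumed offloader address 10.222.0.5 inside 10.222.0.0/27.
    print(xff_seen_by_backend("10.147.28.20", "10.222.0.5", paths))
    # Constructed PROXY v1 line of the form stunnel send-proxy emits.
    line = b"PROXY TCP4 10.147.28.20 192.168.134.222 43889 4430\r\n"
    print(client_ip_via_proxy_protocol(line, paths))
```

Both mechanisms are trust declarations, not authentication: a bind with accept-proxy believes whatever source address the first line of the connection claims, and "forwardfor except <net>" passes through whatever X-Forwarded-For arrives from that subnet, so the haproxy listener (here 192.168.134.222:4430) has to be reachable only from the offloader, by firewall rule or a dedicated interface; otherwise any host that can open a connection to it can choose the client address that ends up in the Apache logs and in any IP-based access control behind it.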

