Hi Baptiste,
Thanks for referring that. I was hoping there was some way of picking a
specific captured header (X-Forwarded-For in this case) and using it, but it
seems %hr just gives you everything and puts it inside {}. In my case I'd just
like to use the X-Forwarded-For as the client IP, if it exists, or use the
default %ci in case it doesn't.
But no harm done, it's not that big of an issue. :-)
Thanks,
Pedro.
On 10 May 2013, at 07:18, Baptiste <[email protected]> wrote:
> Hi Pedro,
>
> You can use the log-format statement available in HAProxy 1.5.
> Everything is explained in the doc.
> If you need more help, please let us know.
>
> Baptiste
>
> On Thu, May 9, 2013 at 3:21 PM, Pedro Mata-Mouros
> <[email protected]> wrote:
>> Hi,
>>
>> Picking up this old thread, is there a way of actually replacing the
>> client_ip in the logs with this captured header X-Forwarded-For? I'm using
>> AWS and the current setup uses AWS LBs to deliver traffic to my HAProxy box,
>> and this way every single client_ip I'm seeing in the logs is from the LB
>> internal IP address - which is kind of wasted space...
>>
>> Thanks,
>>
>> Pedro.
>>
>> On 5 Jul 2011, at 21:25, Julien Vehent <[email protected]> wrote:
>>
>> On Tue, 05 Jul 2011 16:17:24 +0100, Hugo Silva wrote:
>>
>> I just finished setting up apache+mod_security in front of haproxy:
>>
>> user--> apache+modsec --> haproxy --> webservers --> fastcgi
>>
>> The reasoning being that if apache was behind haproxy, then the backend
>> (nginx+php) servers wouldn't show on the haproxy admin interface (the
>> apaches would).
>>
>> I'm not 100% sure if this is the best way to go about it, but for the
>> time being that's the approach. Feel free to suggest/discuss alternatives.
>>
>>
>> Because the site is live, I'm doing this in phases. For now the firewall
>> on the load balancers redirects incoming connections from certain IPs to
>> the new apache+modsec setup, while everything else is business as usual.
>>
>> The few connections that go through the test setup get logged by haproxy
>> as coming from 127.0.0.1. This is because the firewall redirects to
>> 127.0.0.1:aaaa (apache) which then ProxyPass'es to haproxy
>> (127.0.0.1:bbbb); therefore haproxy sees an incoming connection from
>> 127.0.0.1.
>>
>> Apache properly sets the X-Forwarded-For header.
>>
>> Question: Can I somehow tell haproxy to log that instead?
>> If it is possible, are there security implications?
>>
>>
>>
>> X-Forwarded-For is an HTTP header. Like any other HTTP header, you can ask
>> haproxy to log it by using
>>
>> frontend XYZ
>>     [...]
>>     option httplog
>>     capture request header X-Forwarded-For len 50
>>
>>
>> It will appear in the logs in field #14, enclosed between "{}" characters.
>> http://code.google.com/p/haproxy-docs/wiki/HTTPLogFormat
>>
>>
>>
>> Julien
>>
>>
>>
>
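
Added example, not part of the original thread and not HAProxy code: a log post-processor that picks the X-Forwarded-For value as the client IP when it exists and falls back to the logged %ci otherwise, which also addresses the security question raised in the thread. X-Forwarded-For is supplied by the client, so the header is only honoured when the connecting peer is a known proxy, and it is read from the right, where the proxy appended its entry. Assumptions: the sample lines are constructed, X-Forwarded-For is the first captured request header, and 10.0.0.0/8 stands in for the load balancer range.

```python
import ipaddress
import re

# Constructed sample lines in "option httplog" layout. The first {} block is
# the captured request header list (here only X-Forwarded-For).
HEAD = 'May 10 07:18:01 lb1 haproxy[1234]: '
TAIL = ' [10/May/2013:07:18:01.120] www app/web1 0/0/1/5/6 200 512 - - ---- 1/1/0/0/0 0/0 '
SAMPLE = [
    HEAD + '10.0.0.5:41000' + TAIL + '{203.0.113.7} "GET / HTTP/1.1"',
    # Client sent its own X-Forwarded-For; the proxy appended the real peer.
    HEAD + '10.0.0.5:41001' + TAIL + '{1.2.3.4, 198.51.100.9} "GET / HTTP/1.1"',
    # Direct connection that did not come through the proxy: header is untrusted.
    HEAD + '192.0.2.44:5555' + TAIL + '{127.0.0.1} "GET /admin HTTP/1.1"',
    # No X-Forwarded-For captured: fall back to the logged client IP.
    HEAD + '10.0.0.5:41002' + TAIL + '{} "GET / HTTP/1.1"',
]
TRUSTED = ['10.0.0.0/8']  # assumption: address range of the load balancers

LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ci>[0-9A-Fa-f.:]+):\d+ \[[^\]]*\] .*? \{(?P<hdr>[^}]*)\}')

def effective_client_ip(line, trusted):
    """Return the client IP to attribute the request to, or None if unparsable."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    nets = [ipaddress.ip_network(n) for n in trusted]
    def is_trusted(ip):
        return any(ip in n for n in nets)
    peer = ipaddress.ip_address(m.group('ci'))
    xff = m.group('hdr').split('|')[0].strip()  # captures are '|'-separated
    if not xff or not is_trusted(peer):
        return str(peer)
    # Walk right to left: skip our own proxies, stop at the first outside hop.
    for token in reversed(xff.split(',')):
        try:
            ip = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer)  # malformed or truncated entry: do not guess
        if not is_trusted(ip):
            return str(ip)
    return str(peer)

if __name__ == '__main__':
    for entry in SAMPLE:
        print(effective_client_ip(entry, TRUSTED))
```
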