I was trying to add fail2ban on my Ubuntu 10.04 LTS app servers and I realized
that fail2ban is blocking my load balancer IP whenever a bad request is formed,
so I have some questions on my implementation of the X-Forwarded-For.

In my Apache access log I see this entry when I try to hit an incorrect URL:

apache/access.log
- - - [25/Sep/2013:23:47:42 -0400] "OPTIONS /product/data.php HTTP/1.1" 200 3477 "-" "-"


Why is it missing the public IP of the client server?

While if a request comes in from WordPress I see the public IP in the access.log:

apache/access.log

<PUBLIC_IP> - - [25/Sep/2013:23:45:21 -0400] "GET /wp-content/themes/test/lib/scripts/cluetip/jquery.cluetip.js?ver=3.1 HTTP/1.1" 304 - "https://xxx/our-apps/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0"


In my haproxy.cfg, I do have entries relevant to X-Forwarded-For:

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option http-server-close
        option forwardfor except 10.0.0.1   # set the client's IP in X-Forwarded-For
        option redispatch
        timeout connect 5s
        timeout client 180s
        timeout server 180s
        timeout http-request 5s             # a complete request may never take that long
        errorfile 503 /etc/haproxy/errors/503.http

frontend http-in
        bind <public_IP>:80 name http
        bind <private_IP>:8000 name https   # forwarded by stunnel

        option forwardfor
        acl host_d1 hdr_beg(host) -i d1.xx.com
        use_backend d1 if host_demo1
        acl host_d2 hdr_beg(host) -i d2.xx.com
        use_backend d2 if host_setdemo
        acl host_d3 hdr_beg(host) -i d3.xx.com
        use_backend d3 if host_d3
        default_backend d4

backend d2
        acl secure dst_port eq 8000
        stats enable
        stats auth admin:admin
        stats uri  /admin?stats
        balance roundrobin
        cookie BALANCEID insert indirect nocache
        option http-server-close
        option forwardfor except 10.0.0.1   # set the client's IP in X-Forwarded-For
        option httpchk OPTIONS /check.php HTTP/1.1\r\nHost:\ www
        server 2-app <private_IP>:80 cookie B weight 5 check inter 20000 maxconn 30
        server 3-app <IP>:80 cookie C weight 5 check inter 20000 maxconn 30 backup
        redirect prefix d2.xx.com if !secure


Does anything look amiss in this setup?
Why would I get the public IP from WordPress but not from my PHP application?

Thanks in advance
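An added example, not code from the post or from HAProxy, Apache or fail2ban: a small Python parser that attributes each Apache access-log line to the address a ban should apply to, trusting X-Forwarded-For only when the connection came from the proxy host. It assumes an Apache LogFormat that appends "%{X-Forwarded-For}i" as a final quoted field, treats 10.0.0.1 (the host in the post's "forwardfor except" line) as the only trusted proxy, and uses constructed sample lines; a proxy line without X-Forwarded-For, such as a health check, yields no address at all, so the load balancer is never the one counted.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed Apache LogFormat (not from the post): combined format with the
# X-Forwarded-For request header appended as one more quoted field.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)
# The HAProxy host named in the post's "option forwardfor except 10.0.0.1".
TRUSTED_PROXIES = (ip_network("10.0.0.1/32"),)

# Constructed sample lines (not the post's real traffic): a proxy health
# check with no XFF, two proxied requests, and one direct request.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Sep/2013:23:47:42 -0400] "OPTIONS /check.php HTTP/1.1" 200 3477 "-" "-" "-"
10.0.0.1 - - [25/Sep/2013:23:48:01 -0400] "GET /wp-login.php HTTP/1.1" 404 - "-" "curl/7.22" "203.0.113.7"
10.0.0.1 - - [25/Sep/2013:23:48:05 -0400] "GET /admin HTTP/1.1" 403 - "-" "curl/7.22" "198.51.100.5, 203.0.113.8"
192.0.2.44 - - [25/Sep/2013:23:48:09 -0400] "GET /admin HTTP/1.1" 403 - "-" "curl/7.22" "203.0.113.9"
"""


def _valid_ip(text):
    try:
        return ip_address(text)
    except ValueError:
        return None


def client_ip(line, trusted_proxies=TRUSTED_PROXIES):
    """Address to count for a ban, or None if the line cannot be attributed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer = _valid_ip(m.group("peer"))
    if peer is None:
        return None
    if not any(peer in net for net in trusted_proxies):
        return str(peer)  # direct connection: XFF is client-supplied, ignore it
    # From the trusted proxy: use only the right-most hop, the one HAProxy appended.
    hops = [h.strip() for h in (m.group("xff") or "").split(",")]
    hops = [h for h in hops if h and h != "-"]
    last = _valid_ip(hops[-1]) if hops else None
    return str(last) if last else None  # no XFF (e.g. health check): nothing to ban


def ban_candidates(log_text, statuses=("401", "403", "404")):
    """Addresses a fail2ban-style filter should count; unattributable lines drop out."""
    hits = (client_ip(line) for line in log_text.splitlines()
            if (m := LINE_RE.match(line)) and m.group("status") in statuses)
    return [ip for ip in hits if ip]
```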
