Hi Amol.

HAProxy is a reverse proxy and by default it uses a local server IP address
to get connected on the backend server.
This is layer 3 and 4.

HAProxy uses HTTP, layer 7, to forward the client IP to the server, in a
header called X-Forwarded-For.

Your webserver relies on layer 7 information while fail2ban relies on layer
3 and 4.

Simply move your fail2ban onto the haproxy server :)
Or turn haproxy into transparent proxy mode.

Baptiste
On 26 Sept 2013 06:01, "Amol" <[email protected]> wrote:

> I was trying to add fail2ban on my Ubuntu 10.04 LTS app servers and I
> realized that fail2ban is blocking my load balancer IP whenever a bad
> request is formed, so I have some questions on my implementation of
> X-Forwarded-For.
>
> In my Apache access log I see this entry when I try to hit an incorrect URL:
>
> apache/access.log
> - - - [25/Sep/2013:23:47:42 -0400] "OPTIONS /product/data.php HTTP/1.1" 200 3477 "-" "-"
>
> Why is it missing the public IP of the client server?
>
> While if a request comes in from WordPress I see the public IP in the
> access.log:
>
> apache/access.log
> <PUBLIC_IP> - - [25/Sep/2013:23:45:21 -0400] "GET /wp-content/themes/test/lib/scripts/cluetip/jquery.cluetip.js?ver=3.1 HTTP/1.1" 304 - "https://xxx/our-apps/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0"
>
>
> In my haproxy.cfg, I do have entries relevant for X-Forwarded-For:
>
> defaults
>         log     global
>         mode    http
>         option  httplog
>         option  dontlognull
>         retries 3
>         option http-server-close
>         option forwardfor except 10.0.0.1 # set the client's IP in X-Forwarded-For.
>         option redispatch
>         timeout connect 5s
>         timeout client 180s
>         timeout server 180s
>         timeout http-request 5s    # A complete request may never take that long.
>         errorfile 503 /etc/haproxy/errors/503.http
>
> frontend http-in
>         bind <public_IP>:80 name http
>         bind <private_IP>:8000 name https # forwarded by stunnel
>
>         option forwardfor
>         acl host_d1 hdr_beg(host) -i d1.xx.com
>         use_backend d1 if host_d1
>         acl host_d2 hdr_beg(host) -i d2.xx.com
>         use_backend d2 if host_d2
>         acl host_d3 hdr_beg(host) -i d3.xx.com
>         use_backend d3 if host_d3
>         default_backend d4
>
> backend d2
>         acl secure dst_port eq 8000
>         stats enable
>         stats auth admin:admin
>         stats uri  /admin?stats
>         balance roundrobin
>         cookie BALANCEID insert indirect nocache
>         option http-server-close
>         option forwardfor except 10.0.0.1   # set the client's IP in X-Forwarded-For.
>         option httpchk OPTIONS /check.php HTTP/1.1\r\nHost:\ www
>         server 2-app <private_IP>:80 cookie B weight 5 check inter 20000 maxconn 30
>         server 3-app <IP>:80 cookie C weight 5 check inter 20000 maxconn 30 backup
>         redirect prefix d2.xx.com if !secure
>
>
> Does anything look amiss in this setup?
> Why would I get the public IP from WordPress but not from my PHP application?
>
> Thanks in advance
>

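The layer 3/4 versus layer 7 distinction Baptiste describes is exactly why fail2ban bans the balancer: the TCP peer Apache sees is HAProxy, while the client only appears in X-Forwarded-For. The script below is an added example, not code from the thread or from fail2ban; it assumes Apache logs the header as a last field ("%{X-Forwarded-For}i") and treats 10.0.0.1 (the address in the posted "except 10.0.0.1") as the only proxy whose header may be believed, so a direct connection carrying a forged header is attributed to the peer rather than to whatever the header claims.

```python
import ipaddress
import re

# Assumed: the load balancer's address, from the "except 10.0.0.1" in the posted config.
# Only hops in this set are believed about who the client is.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}

# Assumed Apache LogFormat: combined format plus "%{X-Forwarded-For}i" as a last field.
LINE_RE = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
                     r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')

def client_ip(peer, xff):
    """Address a ban should apply to, or None if it cannot be attributed.
    Walk from the TCP peer (layer 3/4) back through the X-Forwarded-For chain
    (layer 7), stopping at the first hop we do not operate; an untrusted peer
    is the client itself, so its header is never consulted.
    """
    hops = [a.strip() for a in xff.split(",") if a.strip() not in ("", "-")]
    for addr in reversed(hops + [peer]):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None  # malformed hop: never ban an address we cannot parse
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    return None  # every hop is one of our proxies, e.g. a health check from the LB

def ban_targets(log_lines, statuses=("401", "403", "404")):
    """Map each log line with a 'bad' status to the address a fail2ban filter should ban."""
    targets = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and m.group("status") in statuses:
            targets.append(client_ip(m.group("peer"), m.group("xff")))
    return targets

# Constructed sample lines (not from the original thread).
SAMPLE_LOG = [
    # Health check from the LB itself: no XFF, nothing to ban.
    '10.0.0.1 - - [25/Sep/2013:23:47:42 -0400] "OPTIONS /check.php HTTP/1.1" 404 209 "-" "-" "-"',
    # Real client behind the LB: ban the forwarded address, not 10.0.0.1.
    '10.0.0.1 - - [25/Sep/2013:23:48:01 -0400] "GET /wp-login.php HTTP/1.1" 403 199 "-" "curl/7.22" "203.0.113.7"',
    # Two proxies in the chain: skip our own hop, take the next one inward.
    '10.0.0.1 - - [25/Sep/2013:23:48:05 -0400] "GET /admin HTTP/1.1" 401 381 "-" "-" "198.51.100.9, 10.0.0.1"',
    # Direct connection that bypassed the LB and forged a header: ban the peer.
    '192.0.2.50 - - [25/Sep/2013:23:48:09 -0400] "GET /admin HTTP/1.1" 401 381 "-" "-" "203.0.113.7"',
]

if __name__ == "__main__":
    print(ban_targets(SAMPLE_LOG))  # [None, '203.0.113.7', '198.51.100.9', '192.0.2.50']
```

The same rule applies whichever way the thread's advice is taken: with fail2ban moved onto the HAProxy host, or HAProxy in transparent mode, the peer address is the client again and the header walk simply returns it.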