Hi Jurgen,

We can't see your whole configuration, so I assume you're using tunnel mode.
So this is a normal behavior of HAProxy: X-forwarded-for can only be inserted in the first request, then everything else on the connection will be seen as payload by HAProxy.

2 solutions:
1. enable "option http-server-close" in your configuration, be careful, since it may break your application if it works on NTLM (windows environment)
2. upgrade to latest HAProxy. From 1.5-dev20, HAProxy's default behavior has changed from "tunnel" mode to "http-keep-alive" mode. Which allows HAProxy to analyse all data from the "tunnel" + modifying headers of each request and response.

In this second case, no need to change your configuration, it will work straight forward.

Baptiste

On Wed, May 21, 2014 at 8:40 AM, Jeffrey 'jf' Lim <[email protected]> wrote:
> On Wed, May 21, 2014 at 2:29 PM, Jürgen Haas <[email protected]> wrote:
>> Hi there,
>>
>> I'm having some issues with the forward-for feature. It seems to be
>> working in general but for some reason not consistently. My default
>> section in the config file looks like this:
>>
>> defaults
>>     log global
>>     mode http
>>     option httplog
>>     option dontlognull
>>     option forwardfor
>>     retries 3
>>     maxconn 1000
>>     timeout connect 5000ms
>>     timeout client 120s
>>     timeout server 120s
>>     default_backend backend_ts1
>>
>> The apache config files on all web servers are configured so that they
>> use the X-Forwarded-For header field if available:
>>
>> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
>> \"%{User-Agent}i\"" proxy
>> SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
>> CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
>> CustomLog ${APACHE_LOG_DIR}/access.log proxy env=forwarded
>>
>> However, a lot of requests still get logged with the IP address of the
>> proxy instead of the original client.
>>
>> We are using HA-Proxy version 1.5-dev19 2013/06/17 and I wonder if
>> anyone had an idea what the reason for that could be.
>>
>
>
> It's been some time since i last looked at the code; but I reckon it
> would be the same issue I came across some time back. Do a dump on the
> traffic to be sure. The RFC allows for headers with multiple values to
> either be represented as repeated headers, each with one value, or as
> a single header, with all of the values separated by commas. In either
> case, your backend has to be capable / smart enough to be able to deal
> with the 2 formats.
>
> -jf
>
> --
> He who settles on the idea of the intelligent man as a static entity
> only shows himself to be a fool.
>
> Mensan / Full-Stack Technical Polymath / System Administrator
> 12 years over the entire web stack: Performance, Sysadmin, Ruby and Frontend
>
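Added example, not part of the original thread and not HAProxy or Apache code: a backend-side sketch that accepts X-Forwarded-For as repeated headers or as one comma-separated header, and falls back to the peer address when the header is absent, as happens for later requests on a tunnel-mode connection. The function names, the trusted-proxy set and the sample requests are assumptions made for illustration.

```python
import ipaddress


def forwarded_chain(raw_headers):
    """Return every valid X-Forwarded-For address, in order of appearance.

    Accepts both representations: repeated header lines and a single
    comma-separated line. Tokens that are not IP literals are dropped.
    """
    chain = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "x-forwarded-for":
            continue
        for token in value.split(","):
            try:
                chain.append(str(ipaddress.ip_address(token.strip())))
            except ValueError:
                pass  # e.g. "unknown" or an empty token
    return chain


def client_address(raw_headers, peer, trusted):
    """Choose the address to log for a request received from `peer`.

    The header is honoured only when the TCP peer is a trusted proxy
    (assumption: `trusted` lists the proxy addresses). The chain is walked
    right to left because each proxy appends the address it saw; the first
    hop that is not a trusted proxy is returned. With no usable header the
    peer address is returned.
    """
    if peer not in trusted:
        return peer
    for hop in reversed(forwarded_chain(raw_headers)):
        if hop not in trusted:
            return hop
    return peer


# Constructed sample requests (documentation address ranges).
PROXY = "192.0.2.10"
REPEATED = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
            "X-Forwarded-For: 198.51.100.7\r\nX-Forwarded-For: 203.0.113.5\r\n")
COMBINED = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
            "X-Forwarded-For: 198.51.100.7, 203.0.113.5\r\n")
NO_HEADER = "GET /next HTTP/1.1\r\nHost: example.test\r\n"
```

A request that returns the proxy's own address from `client_address` is the same symptom Jürgen sees in the Apache log: the request arrived without a usable X-Forwarded-For header.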

