On Tue, Jun 3, 2014 at 8:57 AM, Andy Walker <[email protected]> wrote:
> Quick question (after writing the email, I realized that there's nothing
> quick about it) about the order of processing for "reqidel" and "option
> forwardfor" options. First and foremost, we're running HA-Proxy version
> 1.5-dev24-8860dcd 2014/04/26
>
>
>
> There were no problems with that, AFAIK. Now, we have some traffic coming
> through Distil, as a test. These, of course, have client IPs that we don't
> really care about, but we'd like to trust the X-Forwarded-For header that
> Distil is tacking on. I tried using an acl to only remove X-Forwarded-For
> if the request isn't coming from Distil, and then use "if-none" for option
> forwardfor:
>
> capture request header X-Forwarded-For len 49
> acl from-distil hdr(X-Distil) some_string_that_we_can_trust
> reqidel ^X-Forwarded-For:.* unless from-distil
> option forwardfor if-none
>
> At first glance, this seemed to do the trick -- in all cases, it looks
> like Distil is sending X-Forwarded-For headers with only one single IP
> address in them, as seen in the haproxy logs: (I redacted the client IP,
> and it's shown as 11.22.33.44)
>

I have a similar setup and it's working well and doesn't add the client-ip if "from-distil" is set -- maybe another "option forwardfor" without the "if-none" was left in a default, frontend or backend?

Also, if I were to build the config starting with 1.5, I think that the "http-request set-header" configuration would be the way to go as it should be simpler and more flexible. Something like

acl from-distil hdr(X-Distil) some_string_that_we_can_trust
http-request set-header X-Forwarded-For %[src] unless from-distil

I've not tried that yet but it seems like it should work.

-Bryan
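As an added illustration (not part of the thread, and not HAProxy's own code), here is a short Python model of the header processing the two configurations above perform, comparing a request arriving via Distil with one from a client that spoofs X-Forwarded-For, and showing what a stray "option forwardfor" without "if-none" would produce. It assumes header rules are applied before forwardfor adds its line and that frontend and backend forwardfor settings combine so that one section without if-none disables it; the sample requests and addresses are constructed.

```python
# Added example, not from the thread: a model of how the two HAProxy configs
# discussed above rewrite X-Forwarded-For (XFF) for a request from the trusted
# proxy versus one from a client that spoofs XFF, and what a stray
# "option forwardfor" without "if-none" does. Assumes header rules run before
# forwardfor adds its line and that one section lacking if-none disables it.
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) lines, as on the wire
TRUSTED_TOKEN = "some_string_that_we_can_trust"  # the acl value from the thread

def from_distil(headers: Headers) -> bool:
    """acl from-distil hdr(X-Distil) <token>"""
    return any(n.lower() == "x-distil" and v == TRUSTED_TOKEN for n, v in headers)

def reqidel_xff(headers: Headers) -> Headers:
    """reqidel ^X-Forwarded-For:.*  (case-insensitive, drops every match)"""
    return [(n, v) for n, v in headers if n.lower() != "x-forwarded-for"]

def option_forwardfor(headers: Headers, src: str, if_none: bool) -> Headers:
    """option forwardfor [if-none]: append 'X-Forwarded-For: <src>';
    with if-none, skip when an XFF line is already present."""
    if if_none and any(n.lower() == "x-forwarded-for" for n, _ in headers):
        return headers
    return headers + [("X-Forwarded-For", src)]

def andy_config(headers: Headers, src: str, stray_forwardfor: bool = False) -> Headers:
    """reqidel ^X-Forwarded-For:.* unless from-distil, then option forwardfor
    if-none; stray_forwardfor models a second forwardfor without if-none."""
    if not from_distil(headers):
        headers = reqidel_xff(headers)
    return option_forwardfor(headers, src, if_none=not stray_forwardfor)

def bryan_config(headers: Headers, src: str) -> Headers:
    """http-request set-header X-Forwarded-For %[src] unless from-distil
    (set-header removes existing lines of that name, then adds one)."""
    if from_distil(headers):
        return headers
    return reqidel_xff(headers) + [("X-Forwarded-For", src)]

def xff_values(headers: Headers) -> List[str]:
    return [v for n, v in headers if n.lower() == "x-forwarded-for"]

# Constructed sample requests; all addresses are made up for the example.
SPOOFED = [("Host", "www.example.com"), ("X-Forwarded-For", "10.0.0.1")]
VIA_DISTIL = [("Host", "www.example.com"), ("X-Distil", TRUSTED_TOKEN),
              ("X-Forwarded-For", "11.22.33.44")]

if __name__ == "__main__":
    print(xff_values(andy_config(SPOOFED, "203.0.113.7")))            # spoof replaced
    print(xff_values(andy_config(VIA_DISTIL, "198.51.100.9", True)))  # two XFF lines
```

Both configurations leave a single trusted XFF line for Distil traffic and replace a spoofed one with the real source address; only the stray forwardfor case yields two XFF lines, which is the symptom to look for in the logs.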

