Hello:
I am testing NGINX behind HAP 1.5.11 and having trouble understanding how
send-proxy should be used in combination with x-forward-for. What I have so far
in my haproxy.cfg is as follows:

frontend frontend-web-http
    mode http
    bind 192.168.8.70:80
    default_backend backend-web-http
    option forwardfor except 127.0.0.0/8
    option http-server-close
    option httplog

frontend frontend-web-https
    mode tcp
    bind 192.168.8.70:443
    default_backend backend-web-https

backend backend-web-http
    mode http
    stick-table type string len 64 size 100k expire 15m
    stick store-response res.cook(PHPSESSID)
    stick match req.cook(PHPSESSID)
    option forwardfor
    option http-server-close
    server web01 192.168.10.70:80 check send-proxy
    server web02 192.168.10.71:80 check send-proxy backup

backend backend-web-https
    mode tcp
    server web01.gos.innovot.com 192.168.10.70:443 check send-proxy
    server web02.gos.innovot.com 192.168.10.71:443 check send-proxy backup

and within NGINX:

    # HAProxy
    set_real_ip_from 192.168.8.70;

    # Fastly Proxy Networks
    set_real_ip_from 23.235.32.0/20;
    set_real_ip_from 43.249.72.0/22;
    set_real_ip_from 103.244.50.0/24;
    set_real_ip_from 103.245.222.0/23;
    set_real_ip_from 103.245.224.0/24;
    set_real_ip_from 104.156.80.0/20;
    set_real_ip_from 185.31.16.0/22;
    set_real_ip_from 199.27.72.0/21;
    set_real_ip_from 202.21.128.0/24;
    set_real_ip_from 203.57.145.0/24;
    set_real_ip_from 10.1.8.0/24;

    real_ip_header proxy_protocol;

The issue is that if I go to the web site via HTTPS, which does not pass
through a CDN, then the correct client IP is being passed through, but if I go
via HTTP it's the CDN's IP which is being presented. When I was using
real_ip_header x-forward-for then it would work fine, but that broke the HTTPS
side of things. Somehow I need to get the x-forward-for IP, if it's present,
into the proxy_protocol one. Is that possible?

Thanks, Phil
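
Added example, not part of the original post: a simplified Python model of how nginx's realip module selects the client address, run over the two paths described above (direct HTTPS, and HTTP through the CDN). Assumptions: the client and CDN edge addresses are constructed, the `real_ip` helper is hypothetical, the X-Forwarded-For contents on the CDN path are assumed, and the X-Forwarded-For case assumes `real_ip_recursive on`.

```python
import ipaddress

# Constructed subset of the set_real_ip_from list in the post.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.8.70/32", "23.235.32.0/20")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)

def real_ip(peer, header, proxy_src=None, xff="", recursive=False):
    """Simplified model (an assumption, not nginx source) of realip selection."""
    if not is_trusted(peer):
        return peer                      # untrusted peers cannot override the address
    if header == "proxy_protocol":
        return proxy_src or peer         # source address from the PROXY line
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer                      # no X-Forwarded-For to use
    if not recursive:
        return hops[-1]                  # last hop only
    for hop in reversed(hops):           # walk right to left past trusted proxies
        if not is_trusted(hop):
            return hop
    return hops[0]

# Constructed addresses: a client, a CDN edge inside 23.235.32.0/20, and HAProxy.
CLIENT, CDN, HAPROXY = "198.51.100.7", "23.235.33.10", "192.168.8.70"

def scenarios():
    # HTTPS: client -> HAProxy (mode tcp, send-proxy) -> nginx; no XFF can be added.
    https = dict(peer=HAPROXY, proxy_src=CLIENT, xff="")
    # HTTP: client -> CDN -> HAProxy (mode http, forwardfor, send-proxy) -> nginx.
    http = dict(peer=HAPROXY, proxy_src=CDN, xff=f"{CLIENT}, {CDN}")
    return {
        ("https", "proxy_protocol"): real_ip(header="proxy_protocol", **https),
        ("http", "proxy_protocol"): real_ip(header="proxy_protocol", **http),
        ("https", "xff"): real_ip(header="xff", recursive=True, **https),
        ("http", "xff"): real_ip(header="xff", recursive=True, **http),
    }

if __name__ == "__main__":
    for key, addr in scenarios().items():
        print(key, "->", addr)
```

In this model neither single header setting yields the client address on both paths, and a peer outside the trusted list never gets to override its address through either header.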