Hello:

I am testing NGINX behind HAProxy 1.5.11 and having trouble understanding how 
send-proxy should be used in combination with X-Forwarded-For.  What I have so far 
in my haproxy.cfg is as follows:

frontend frontend-web-http
        mode http
        bind 192.168.8.70:80
        default_backend backend-web-http
        option forwardfor except 127.0.0.0/8
        option http-server-close
        option httplog

frontend frontend-web-https
        mode tcp
        bind 192.168.8.70:443
        default_backend backend-web-https

backend backend-web-http
        mode http
        stick-table type string len 64 size 100k expire 15m
        stick store-response res.cook(PHPSESSID)
        stick match req.cook(PHPSESSID)
        option forwardfor
        option http-server-close
        server web01 192.168.10.70:80 check send-proxy
        server web02 192.168.10.71:80 check send-proxy backup

backend backend-web-https
        mode tcp
        server web01.gos.innovot.com 192.168.10.70:443 check send-proxy
        server web02.gos.innovot.com 192.168.10.71:443 check send-proxy backup

and within NGINX:

    # HAProxy
    set_real_ip_from 192.168.8.70;

    # Fastly Proxy Networks
    set_real_ip_from 23.235.32.0/20;
    set_real_ip_from 43.249.72.0/22;
    set_real_ip_from 103.244.50.0/24;
    set_real_ip_from 103.245.222.0/23;
    set_real_ip_from 103.245.224.0/24;
    set_real_ip_from 104.156.80.0/20;
    set_real_ip_from 185.31.16.0/22;
    set_real_ip_from 199.27.72.0/21;
    set_real_ip_from 202.21.128.0/24;
    set_real_ip_from 203.57.145.0/24;
    set_real_ip_from 10.1.8.0/24;

    real_ip_header proxy_protocol;

The issue is that if I go to the web site via HTTPS, which does not pass 
through a CDN, then the correct client IP is being passed through, but if I go 
via HTTP it's the CDN's IP which is being presented.  When I was using 
real_ip_header X-Forwarded-For then it would work fine, but that broke the HTTPS 
side of things.  Somehow I need to get the X-Forwarded-For IP, if it's present, 
into the proxy_protocol one.  Is that possible?

Thanks, Phil
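
Added illustration, not part of Phil's message or of the NGINX/HAProxy code: a small Python model of how NGINX's realip module chooses the client address from a PROXY protocol v1 header versus a recursive X-Forwarded-For walk, using the set_real_ip_from list from the post. The client, CDN edge and PROXY header lines are constructed sample values, and the model is a simplification of the real module.

```python
import ipaddress

# Trusted proxy list copied from the nginx set_real_ip_from lines in the post.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "192.168.8.70", "23.235.32.0/20", "43.249.72.0/22", "103.244.50.0/24",
    "103.245.222.0/23", "103.245.224.0/24", "104.156.80.0/20", "185.31.16.0/22",
    "199.27.72.0/21", "202.21.128.0/24", "203.57.145.0/24", "10.1.8.0/24")]

HAPROXY = "192.168.8.70"          # nginx's TCP peer on both paths (from the post)
CLIENT = "203.0.113.5"            # constructed real client address
CDN_EDGE = "23.235.33.10"         # constructed address inside a listed Fastly range

# Constructed PROXY protocol v1 lines as HAProxy's send-proxy would emit them:
# HTTPS (tcp mode, no CDN) carries the client; HTTP via the CDN carries the edge.
HTTPS_PROXY_LINE = f"PROXY TCP4 {CLIENT} 192.168.10.70 51234 443\r\n"
HTTP_PROXY_LINE = f"PROXY TCP4 {CDN_EDGE} 192.168.10.70 40000 80\r\n"
# X-Forwarded-For on the HTTP path: the CDN adds the client, forwardfor adds the CDN.
HTTP_XFF = f"{CLIENT}, {CDN_EDGE}"


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def proxy_v1_src(line):
    """Return the source address carried in a PROXY protocol v1 header."""
    parts = line.strip().split()
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a PROXY protocol v1 header")
    return parts[2]


def real_ip(peer, proxy_line, xff, header):
    """Simplified model of nginx realip with real_ip_recursive on.
    peer: TCP peer address; header: 'proxy_protocol' or 'x-forwarded-for'.
    Headers are only honoured when the peer is a trusted proxy.
    """
    if not is_trusted(peer):
        return peer                   # untrusted peer: ignore anything it sends
    if header == "proxy_protocol":
        return proxy_v1_src(proxy_line) if proxy_line else peer
    if not xff:
        return peer                   # no header (e.g. HTTPS path): keep the peer
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):        # walk right to left, skipping trusted hops
        if not is_trusted(hop):
            return hop
    return hops[0]                    # every hop trusted: fall back to leftmost
```

With these inputs `real_ip` returns the real client on HTTPS only for `proxy_protocol`, and on HTTP via the CDN only for `x-forwarded-for`, which is the split behaviour described above; an X-Forwarded-For value injected by a direct, untrusted client is not honoured because the walk stops at the first untrusted hop.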
