Reading this: http://blog.haproxy.com/2012/06/05/preserve-source-ip-address-despite-reverse-proxies/ about PROXY protocol, what needs to happen for PROXY protocol to be recognized by the web server? I'm assuming the haproxy server already does?

Thanks in advance!

________________________________
From: Bryan Talbot <[email protected]>
Sent: Thursday, August 20, 2015 2:16 PM
To: Rich Vigorito
Cc: Baptiste; HAProxy
Subject: Re: getting transparent proxy to work.

On Wed, Aug 19, 2015 at 3:26 PM, Rich Vigorito <[email protected]> wrote:

> I should also clarify the goal of using this approach was to do TLS from router to haproxy and onto webservers but to preserve the client IP. The other thought I had was to SSL terminate on haproxy box and initiate new TLS handshake from haproxy to webservers. Though I'm assuming transparent proxy will mean less work for haproxy server. Is this second approach even possible? To accomplish the goal of TLS all the way through the call, all I've seen is the transparent proxy solution, which I've been struggling with.

Transparent proxying might be one way to get the client IP onto the backend servers but there are others too as you've mentioned and those might be much easier.

Yes, you can terminate SSL on haproxy and make a new SSL connection to the backend. With that, you'd probably need to add the X-Forwarded-For http header (use 'mode http') and configure your webserver to use XFF too.

If your webserver or app can support the haproxy "PROXY" protocol, that might also be an option for you and allows you to pass-through the SSL (not terminated at haproxy) to the backend if you need that.

-Bryan
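What "recognizing" the PROXY protocol means on the receiving side, as an added example that is not part of the thread or of haproxy's code: the backend reads one text line (PROXY protocol v1) in front of the TLS bytes, and accepts it only from the proxy's own address so a client connecting directly cannot forge its source IP. The trusted address, the function name and the sample bytes are constructed for illustration.

```python
import ipaddress

# Assumption: address of the haproxy box as seen by the web server (constructed).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
MAX_V1_HEADER = 107  # longest v1 line the PROXY protocol spec allows, CRLF included


def parse_proxy_v1(peer_ip, data):
    """Return (client_ip, client_port, rest) from the first bytes of a connection.

    peer_ip is the TCP peer address, data the first bytes read from the socket.
    rest is what follows the header, e.g. the TLS ClientHello in pass-through mode.
    Raises ValueError when the header must not be accepted.
    """
    # Only the proxy may assert a client address; anyone else could spoof it.
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise ValueError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # The sender gave no usable addresses: fall back to the real peer.
        return peer_ip, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    if src.version != (4 if fields[1] == "TCP4" else 6):
        raise ValueError("address family does not match protocol field")
    if not fields[4].isdigit() or int(fields[4]) > 65535:
        raise ValueError("bad source port")
    return str(src), int(fields[4]), rest


if __name__ == "__main__":
    # Constructed sample: header line followed by the start of a TLS record.
    sample = b"PROXY TCP4 203.0.113.7 10.0.0.20 51234 443\r\n\x16\x03\x01"
    print(parse_proxy_v1("10.0.0.5", sample))
```

On the haproxy side the header is emitted when the `server` line carries the `send-proxy` keyword; a backend that is not expecting it will see the line as garbage in front of the TLS handshake.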

