Hello,

Some quick background: my current setup is haproxy in front of Apache on the same host. If I send a request to haproxy, I see the X-Forwarded-For entry in Apache's logs and also with tcpdump:

    tcpdump -i any -nn -A -vvvv -s 9999 'host x.x.x.51 and port 8880' | egrep 'X-F'
    X-Forwarded-For: x.x.x.207
    X-Forwarded-Port: 443
    X-Forwarded-Proto: https

We also have a hardware LB in a non in-line configuration in front of HAP. It's configured to send X-Forwarded onto haproxy.

My issue is: if I bypass the hardware LB, I see the X-Forwarded-For header; if I go via the hardware LB to haproxy and on to Apache, I don't see any X-Forwarded-For headers in Apache's log files. If on the other hand I go via the hardware LB directly to Apache (bypassing haproxy), I see the X-Forwarded-For header.

Any ideas what I am missing in my config file? (I'm testing against privatetest.dom.net.) A snippet of my haproxy config file looks like this:

    global
        log 127.0.0.1 local0
        log-send-hostname app04
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        stats socket /tmp/haproxy mode 600 level admin
        tune.ssl.default-dh-param 1024
        ssl-server-verify none

    defaults
        log global
        mode http                    # Default to L7 proxy service
        option httplog               # HTTP log format
        option dontlognull           # Do not log connections with no requests
        option contstats             # Enable continuous traffic statistics updates
        option redispatch            # Try another server in case of connection failure
        option http-server-close     # Force client side keepalives.
        retries 3
        maxconn 2000
        timeout connect 5s
        timeout client 605s          # GM: uploads take a while to process in PHP
        timeout server 600s          # GM: (as above)
        timeout http-keep-alive 1s
        timeout http-request 10s     # slowloris protection

    frontend http-in
        ## ACL Statements
        acl is_privatetest hdr(host) -i privatetest.dom.net privatetest2.dom.net
        bind *:80
        use_backend private if is_privatetest
        default_backend dom_net

    frontend https-in-private
        capture request header X-Forwarded-For len 50
        # Use General Purpose Counter (gpc) 0 in SC1 as a global abuse counter
        # Monitors the number of requests sent by an IP over a period of 20 seconds
        stick-table type ip size 1m expire 20s store gpc0,http_req_rate(500s)
        tcp-request connection track-sc1 src
        # refuses a new connection from an abuser
        tcp-request content reject if { src_get_gpc0 gt 0 }
        # returns a 403 for requests in an established connection
        http-request deny if { src_get_gpc0 gt 0 }
        acl secure dst_port eq 443
        bind 119.82.1.51:443 ssl crt /etc/haproxy/certs/dom_net.pem name private
        reqadd X-Forwarded-Proto:\ https
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload if secure
        rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
        # Do not allow this site to be displayed in iframes
        rspadd X-Frame-Options:\ SAMEORIGIN
        rspadd X-XSS-Protection:\ 1;\ mode=block
        # Do not permit Content-Type sniffing.
        rspadd X-Content-Type-Options:\ nosniff
        use_backend private

    # Backend
    backend private
        # If the source IP sent 500 or more http requests over the defined period,
        # flag the IP as abuser on the frontend
        acl abuse src_http_req_rate(https-in-private) ge 500
        acl flag_abuser src_inc_gpc0(https-in-private) ge 0
        # Returns a 403 to the abuser
        tcp-request content reject if abuse flag_abuser
        http-request deny if abuse flag_abuser
        # balance leastconn
        cookie SERVERID insert nocache indirect
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost\r\nUser-agent:\ HAP-Check
        option httpclose
        option forwardfor except x.x.x.195
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
        server app04 x.x.x.51:8880 cookie sydapp04 check maxconn 20
        redirect scheme https if !{ ssl_fc }

    listen stats 127.0.0.1:1936
        stats enable
        stats uri /
        stats hide-version
        stats auth zzzzzz:zzzzzz
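An added model of HAProxy's `option forwardfor [except <net>] [if-none]` decision, not code from the original post: it walks a request through the proxy chain and returns the X-Forwarded-For values the origin (Apache) ends up with for each of the paths described above. All addresses are constructed (RFC 5737 ranges), and the case where the hardware LB's source address falls inside the `except` network is a hypothetical assumption the post does not confirm.

```python
"""Model of 'option forwardfor' semantics as documented by HAProxy:
a new X-Forwarded-For line carrying the connection's source address is
appended, unless the source matches 'except <net>' (or 'if-none' is set
and the header is already present). Constructed example, not HAProxy code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    name: str
    address: str                      # source address the NEXT hop sees for this hop
    adds_xff: bool = True             # False: this hop never inserts the header
    except_net: Optional[str] = None  # HAProxy 'except <net>': skip if source is in net
    if_none: bool = False             # HAProxy 'if-none': skip if header already present


def xff_at_origin(chain, client_ip, headers=()):
    """Return the X-Forwarded-For values the origin receives after every hop."""
    hdrs = list(headers)
    src = client_ip
    for hop in chain:
        if hop.adds_xff:
            excluded = hop.except_net is not None and ipaddress.ip_address(
                src) in ipaddress.ip_network(hop.except_net, strict=False)
            present = any(k.lower() == "x-forwarded-for" for k, _ in hdrs)
            if not excluded and not (hop.if_none and present):
                hdrs.append(("X-Forwarded-For", src))
        src = hop.address  # the next hop sees this hop as the TCP source
    return [v for k, v in hdrs if k.lower() == "x-forwarded-for"]


CLIENT = "198.51.100.207"                                  # constructed client
HAPROXY = Hop("haproxy", "192.0.2.51", except_net="192.0.2.195")  # 'except' as in the post
LB_ADDS = Hop("hw-lb", "192.0.2.195")                      # hypothetical LB that inserts XFF
LB_SILENT = Hop("hw-lb", "192.0.2.195", adds_xff=False)    # hypothetical LB that does not


def paths():
    """The three paths from the post, plus the silent-LB variant for comparison."""
    return {
        "client->haproxy->apache": xff_at_origin([HAPROXY], CLIENT),
        "client->lb(adds)->haproxy->apache": xff_at_origin([LB_ADDS, HAPROXY], CLIENT),
        "client->lb(silent)->haproxy->apache": xff_at_origin([LB_SILENT, HAPROXY], CLIENT),
        "client->lb(adds)->apache": xff_at_origin([LB_ADDS], CLIENT),
    }


if __name__ == "__main__":
    for path, values in paths().items():
        print(f"{path:38s} {values or '(no X-Forwarded-For)'}")
```

With `except` matching the LB's address, haproxy contributes nothing on the LB path, so whatever Apache logs there must come from the LB itself; dropping `except` would instead make haproxy append the LB's address rather than the client's.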
- x-forwarded-for help Travis Fitch
- Re: x-forwarded-for help Daren Sefcik
- Re: x-forwarded-for help Aleksandar Lazic

