Hello,
I think I've found a problem with how http-request set-src interacts with
PROXY protocol on backend servers.

Very simple setup:
listen default
  bind :8888
  http-request set-src req.hdr_ip(X-Forwarded-For)
  server localhost 127.0.0.1:80 send-proxy

wget -4 --header='X-Forwarded-For: 192.0.2.1' -O /dev/null -S http://localhost:8888
gives
PROXY TCP4 192.0.2.1 127.0.0.1 0 8888

wget -6 --header='X-Forwarded-For: 2001:db8::1' -O /dev/null -S http://localhost:8888
gives
PROXY TCP6 2001:db8::1 ::1 0 8888

but both:
wget -4 --header='X-Forwarded-For: 2001:db8::1' -O /dev/null -S http://localhost:8888
wget -6 --header='X-Forwarded-For: 192.0.2.1' -O /dev/null -S http://localhost:8888
give
PROXY UNKNOWN

Log files report correct IPs in all cases. The same problem exists for
frontend listening on UNIX sockets, just in that case I always get
PROXY UNKNOWN.

haproxy -vv:
HA-Proxy version 1.6.9-2 2016/09/28
Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2
-fdebug-prefix-map=/build/haproxy-XsW4aZ/haproxy-1.6.9=. -fPIE
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
Running on OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


-- 
Janusz Dziemidowicz
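
Added example, not part of the original message: a Python sketch of how a receiver would interpret the PROXY protocol v1 header lines shown in the report. On `PROXY UNKNOWN` the PROXY protocol specification tells the receiver to use the real socket endpoints, so the backend sees the proxy's address rather than the one set by `set-src`. The function names and the `socket_peer` parameter are assumptions, and the sample lines are the reported ones with CRLF added.

```python
import ipaddress

# Header lines from the report, CRLF terminator added (constructed input).
REPORTED = {
    "v4 client, v4 XFF": b"PROXY TCP4 192.0.2.1 127.0.0.1 0 8888\r\n",
    "v6 client, v6 XFF": b"PROXY TCP6 2001:db8::1 ::1 0 8888\r\n",
    "mixed families": b"PROXY UNKNOWN\r\n",
}

def parse_proxy_v1(line: bytes) -> dict:
    """Parse one PROXY protocol v1 header line (hypothetical helper)."""
    # 107 bytes is the specification's maximum v1 line length, CRLF included.
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("v1 header must end in CRLF and fit in 107 bytes")
    fields = line[:-2].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    proto = fields[1]
    if proto == "UNKNOWN":
        # Receiver ignores the rest of the line; no client address is conveyed.
        return {"proto": proto, "src": None, "dst": None}
    if proto not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    version = 4 if proto == "TCP4" else 6
    src, dst = (ipaddress.ip_address(a) for a in fields[2:4])
    # A v1 line carries exactly one family: both addresses must match it.
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match " + proto)
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}

def effective_client(line: bytes, socket_peer: str):
    """Return (address the backend will attribute the request to, from_header)."""
    hdr = parse_proxy_v1(line)
    if hdr["src"] is None:
        return socket_peer, False   # falls back to the proxy's own address
    return str(hdr["src"]), True

def audit(socket_peer: str = "127.0.0.1") -> dict:
    """Run every reported header through effective_client()."""
    return {name: effective_client(line, socket_peer)
            for name, line in REPORTED.items()}

if __name__ == "__main__":
    for name, (addr, from_header) in audit().items():
        print(f"{name:20} -> {addr} (from PROXY header: {from_header})")
```

Backend access rules or logs keyed on the client address therefore record the proxy's address in the mixed-family cases, even though the proxy's own log shows the address from X-Forwarded-For.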
