Hi everyone,

Recently we have separated the https and http frontends in order to scale well.

We are using an nbproc > 1 configuration for SSL offloading:

listen web_tls
    mode http
    bind *:443 ssl crt whatever.pem process 2
    bind *:443 ssl crt whatever.pem process 3

../..
    server web_plain [email protected] send-proxy-v2-ssl

frontend web_plain
    bind    *:80 process 1
    bind [email protected] process 1 accept-proxy

I had forgotten that in the default section I had this:

http-reuse always

Today a user told us that he had access for a moment to the debug tools of the site. The debug tools are IP protected (a bad thing, I know, but that's another story...).

I've searched the log and found this :

11:54:39 lb1 haproxy[123274]: xxx.xxx.xxx.xxx:51139 [03/Jan/2017:11:54:39.080] web_plain forums_connected/proxy12 180/0/0/180/360 200 34197 - - ---- 1965/1963/9/4/0 0/0 {Mozilla/5.0_(X11;_Linux_x86_64;_rv:50.0)_Gecko/20100101_Firefox/50.0|FR} "GET /forums/xxx.htm HTTP/1.1"
11:54:39 lb1 haproxy[123278]: yyy.yyy.yyy.yyy:38878 [03/Jan/2017:11:54:39.218] web_tls~ web_tls/web_plain 42/0/0/180/222 200 34192 - - ---- 91/91/1/2/0 0/0 "GET /forums/xxx.htm HTTP/1.1"

At the same time I have:

11:54:39 lb1 haproxy[123274]: xxx.xxx.xxx.xxx:51139 [03/Jan/2017:11:54:39.440] web_plain nocache_connected/jv-proxy12 6/0/0/3/9 400 452 - - ---- 1965/1963/2/2/0 0/0 {|like_Gecko)_Version/4.0_Chrome/55.0.2883.91_Mobile_Safari/537.36|FR} "GET /favicon.ico HTTP/1.1"
11:54:39 lb1 haproxy[123274]: xxx.xxx.xxx.xxx:51139 [03/Jan/2017:11:54:39.450] web_plain cache1/jv-proxy10 26/0/0/13/39 200 1482 - - ---- 1958/1958/4/4/0 0/0 {||FR} "GET /whatever_url HTTP/1.1"

It seems that the user made an https request with the IP yyy.yyy.yyy.yyy, but when the request is forwarded to the web_plain frontend the IP is now xxx.xxx.xxx.xxx! He thus has access to the debug tools, because xxx.xxx.xxx.xxx has access. The user has provided us a screenshot, and the IP in the screenshot IS xxx.xxx.xxx.xxx.

Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request has used the xxx.xxx.xxx.xxx connection between the https and http frontends, with the proxy protocol forwarding xxx.xxx.xxx.xxx instead of yyy.yyy.yyy.yyy?

I hope this is it, I have to be sure :)
Thanks!
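
One way to search the logs for the mix-up described in this message, as an added example that is not part of the original post: it pairs each web_tls request sent to server web_plain with the web_plain entries that have the same request line and the same completion time (log timestamp plus the last timer, which gives 11:54:39.440 for both forum lines quoted above), and reports pairs whose client addresses differ. The sample lines are constructed with documentation-range addresses, and the function names and the 5 ms tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modeled on the post's log format; the addresses are
# documentation-range placeholders, not values from the original message.
SAMPLE = """\
11:54:39 lb1 haproxy[123274]: 198.51.100.7:51139 [03/Jan/2017:11:54:39.080] web_plain forums_connected/proxy12 180/0/0/180/360 200 34197 - - ---- 1965/1963/9/4/0 0/0 {Mozilla/5.0|FR} "GET /forums/a.htm HTTP/1.1"
11:54:39 lb1 haproxy[123278]: 203.0.113.9:38878 [03/Jan/2017:11:54:39.218] web_tls~ web_tls/web_plain 42/0/0/180/222 200 34192 - - ---- 91/91/1/2/0 0/0 "GET /forums/a.htm HTTP/1.1"
11:54:40 lb1 haproxy[123274]: 203.0.113.9:38878 [03/Jan/2017:11:54:40.100] web_plain cache1/proxy10 5/0/0/10/15 200 1482 - - ---- 1958/1958/4/4/0 0/0 {Mozilla/5.0|FR} "GET /ok HTTP/1.1"
11:54:40 lb1 haproxy[123278]: 203.0.113.9:38878 [03/Jan/2017:11:54:40.098] web_tls~ web_tls/web_plain 6/0/0/11/17 200 1482 - - ---- 91/91/1/2/0 0/0 "GET /ok HTTP/1.1"
"""

LINE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>\S+):\d+ \[(?P<ts>[^\]]+)\] (?P<fe>\S+) '
    r'\S+/(?P<srv>\S+) (?P<timers>[-\d/]+) .*"(?P<req>[^"]*)"\s*$')

def parse(line):
    """Return client IP, frontend, server, request line and completion time."""
    m = LINE.search(line)
    if not m:
        return None
    start = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    total_ms = int(m["timers"].split("/")[-1])  # last of the five timers
    return {"ip": m["ip"], "fe": m["fe"].rstrip("~"), "srv": m["srv"],
            "req": m["req"], "end": start + timedelta(milliseconds=total_ms)}

def find_ip_mismatches(text, hop="web_plain", tol_ms=5):
    """List (ip seen by TLS frontend, ip logged by inner frontend, request)."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    inner = [r for r in recs if r["fe"] == hop]
    tol = timedelta(milliseconds=tol_ms)
    hits = []
    for outer in recs:
        if outer["fe"] == hop or outer["srv"] != hop:
            continue  # keep only requests forwarded from another frontend
        cands = [r for r in inner if r["req"] == outer["req"]
                 and abs(r["end"] - outer["end"]) <= tol]
        # Suspicious only when no timing match carries the original address.
        if cands and all(r["ip"] != outer["ip"] for r in cands):
            hits.append((outer["ip"], cands[0]["ip"], outer["req"]))
    return hits

if __name__ == "__main__":
    for tls_ip, plain_ip, req in find_ip_mismatches(SAMPLE):
        print(f"{req}: client {tls_ip} logged as {plain_ip} on web_plain")
```

The match is heuristic: on a busy site two unrelated requests for the same URL can finish within the tolerance, so each hit needs a manual look at the surrounding lines.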
