Hi.

On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
> Hi,
> 
> Please help me to solve this problem.
> 
> I use HAProxy version 1.5.18 in SSL transparent mode and I cannot get the client IP
> in my .net mvc website. With mode http, I can use option forwardfor to catch the
> client ip, but with tcp mode my web reads X_Forwarded_For as null.
> 
>  
> 
> My diagram:
> 
> Client => Firewall => HAProxy => Web
> 
>  
> 
> I read the HAProxy document and tried to use send-proxy. But when I use send-proxy, I can
> access my web.
> 
> This is my config:
> 
> frontend test2233
>         bind *:2233
>         option forwardfor
>
>         default_backend testecus
>
> backend testecus
>         mode http
>         server web1 192.168.0.151:2233 check
>
> Above config works, and I can get the client IP

That's good: as it's `mode http`, haproxy can see the http traffic.

> Config with SSL:
>
> frontend ivan
>         bind 192.168.0.4:443
>         mode tcp
>         option tcplog
>
>         #option forwardfor
>         reqadd X-Forwarded-Proto:\ https

This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.

From my point of view you now have 2 options.

* use https termination on haproxy. Then you can add this http header.
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy

The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode

Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

>         acl tls req.ssl_hello_type 1
>         tcp-request inspect-delay 5s
>         tcp-request content accept if tls
>
>         # Define hosts
>         acl host_1 req.ssl_sni -i ebh.vn
>         acl host_2 req.ssl_sni -i einvoice.com.vn
>
>         use_backend eBH if host_1
>         use_backend einvoice443 if host_2
>
> backend eBH
>         mode tcp
>         balance roundrobin
>         option ssl-hello-chk
>         server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
>         server web2 192.168.0.154:443 maxconn 30000 check #cookie web2
>
> Above config doesn't work, and I cannot get the client ip. I tried
> server web1 192.168.0.153:443 send-proxy and server web1 192.168.0.153:443 send-proxy-v2,
> but I can't access my web.

This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.

> Many thanks,

Best regards
Aleks

> Thanks & Best Regards!
> VU XUAN HOC
> Mobile: 0169.8081005
> THAISON TECHNOLOGY DEVELOPMENT COMPANY
> Add: 11 Dang Thuy Tram, Hoang Quoc Viet, Cau Giay, Ha Noi
> Tel: +84.4.37545222
> Fax: +84.4.37545223
> Email: ho...@thaison.vn
> Web: http://www.thaison.vn; http://www.einvoice.vn; http://www.etax.vn; http://www.ebh.vn
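As an added example (not part of the thread, and not Aleks's or the poster's own configuration), here are the two options from the reply written out for HAProxy 1.5. Option 1 terminates TLS on haproxy in `mode http`, so `option forwardfor` and the X-Forwarded-Proto header work again and routing moves from SNI to the Host header. Option 2 keeps the poster's `mode tcp` SNI routing but accepts a PROXY protocol header from the firewall, which only helps once the firewall actually sends it; it also restricts who may present that header, since a PROXY header is nothing more than a claim about the client address. The certificate path, the firewall address and the second site's backend are placeholders; the listener and server addresses are the ones from the thread.

```haproxy
# Added example for HAProxy 1.5; not the original poster's or Aleks's config.
# Placeholders: /etc/haproxy/certs/site.pem (cert + key in one PEM file),
# 192.168.0.1 (the firewall in front of haproxy).

# Option 1: terminate TLS on haproxy. Once haproxy sees HTTP it can add headers.
frontend https_terminated
        bind 192.168.0.4:443 ssl crt /etc/haproxy/certs/site.pem
        mode http
        option httplog
        # Inserts the client IP into X-Forwarded-For. The web application must
        # only trust this header on requests that really came from haproxy,
        # because any client can send its own X-Forwarded-For value.
        option forwardfor
        http-request set-header X-Forwarded-Proto https
        # TLS is terminated here, so route on the Host header instead of SNI.
        acl host_1 hdr(host) -i ebh.vn
        use_backend eBH_http if host_1
        default_backend eBH_http

backend eBH_http
        mode http
        balance roundrobin
        # Plain HTTP to the backend. Add "ssl verify required ca-file ..." on the
        # server lines if the hop to the web server must stay encrypted.
        server web1 192.168.0.153:80 maxconn 30000 check
        server web2 192.168.0.154:80 maxconn 30000 check

# Option 2: keep TCP passthrough and take the client address from a PROXY
# protocol header sent by the firewall.
frontend tls_passthrough
        bind 192.168.0.4:443
        mode tcp
        option tcplog
        # Only the firewall may present a PROXY header; any other source that
        # reaches this port directly is treated as plain TCP and cannot spoof
        # a client address. This is "accept-proxy" limited to a trusted source.
        tcp-request connection expect-proxy layer4 if { src 192.168.0.1 }
        acl tls req.ssl_hello_type 1
        tcp-request inspect-delay 5s
        tcp-request content accept if tls
        acl host_1 req.ssl_sni -i ebh.vn
        use_backend eBH_tcp if host_1

backend eBH_tcp
        mode tcp
        balance roundrobin
        option ssl-hello-chk
        # send-proxy forwards the real client address, but only works when the
        # web server itself parses the PROXY protocol. A server that does not
        # sees unexpected bytes before the TLS ClientHello and the handshake
        # fails, which makes the site unreachable, the symptom seen in the thread.
        server web1 192.168.0.153:443 maxconn 30000 check send-proxy
        server web2 192.168.0.154:443 maxconn 30000 check send-proxy
```

Pick one of the two frontends; both bind the same address and port, so they cannot be loaded together. In option 2 the client IP is available to haproxy itself (logs, ACLs, `src`), but it only reaches the web application if every hop behind haproxy understands the PROXY protocol; otherwise option 1 is the one that actually delivers the address to the application.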