On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
Please help me to solve this problem.
I use HAProxy version 1.5.18 in SSL transparent mode and I cannot get the client IP
in my .net mvc website. With mode http, I can use option forwardfor to catch the
client ip, but with tcp mode, my web reads X_Forwarded_For as null.
Client => Firewall => HAProxy => Web
I read the HAProxy document and tried to use send-proxy. But when I use send-proxy, I can
access my web.
This is my config:
server web1 192.168.0.151:2233 check
Above config work, and I can get the client IP
That's good, as it's `mode http`, therefore haproxy can see the http traffic.
Indeed it can insert the http forwardfor header with 'mode http'.
Config with SSL:
reqadd X-Forwarded-Proto:\ https
This can't work as you use `mode tcp` and therefore haproxy can't see the http
From my point of view you now have 2 options.
* use https termination on haproxy. Then you can add this http header.
That's one option indeed.
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
I don't expect a firewall to send such a header. And if I understand
correctly the 'webserver' would need to be configured to accept
The modification to make in haproxy would be to configure
And how to configure it with for example nginx:
Firewalls by themselves will never use proxy-protocol at all. That it
doesn't work with send-proxy on the haproxy server line is likely
because the webservice that is receiving the traffic isn't configured to
accept the proxy protocol. How to configure a ".net mvc website" to
accept that is something I don't know, if it is even possible at all.
The different modes are described in the doc
Here is a blog post about basic setup of haproxy with ssl
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
# Define hosts
acl host_1 req.ssl_sni -i ebh.vn
acl host_2 req.ssl_sni -m end -i einvoice.com.vn  # hdr_end(host) is an HTTP fetch and cannot be used in tcp mode; match the SNI suffix instead
use_backend eBH if host_1
use_backend einvoice443 if host_2
server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
server web2 192.168.0.154:443 maxconn 30000 check #cookie web2
Above config doesn't work, and I cannot get the client ip. I tried `server web1
192.168.0.153:443 send-proxy` and `server web1 192.168.0.153:443 send-proxy-v2`,
but I can't access my web.
This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.
Thanks & Best Regards!
* VU XUAN HOC
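An added example, not from the thread, showing the PROXY protocol v1 header that `send-proxy` prepends to the TCP stream and what a backend that accepts the protocol must strip before reading the real payload (here a TLS ClientHello). The receiving side is a hypothetical Python parser, not .NET or nginx; client address and the ClientHello bytes are constructed.

```python
"""PROXY protocol v1 header: build (what send-proxy emits) and parse (what
the backend must do). Added example; addresses and payload are constructed."""
import ipaddress
import re

# "PROXY" <TCP4|TCP6> <src ip> <dst ip> <src port> <dst port> CRLF
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")
MAX_V1_LEN = 107  # longest legal v1 line including CRLF (IPv6 case)

# Constructed stub of a TLS record: type 0x16 (handshake), TLS 1.0 record
# version, length, then handshake type 0x01 (ClientHello).
CLIENT_HELLO = bytes.fromhex("160301000a0100000603030000")

def build_v1(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Header HAProxy's send-proxy would put in front of the client's bytes."""
    fam = "TCP4" if ipaddress.ip_address(src_ip).version == 4 else "TCP6"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()

def parse_v1(stream: bytes):
    """Return ((client_ip, client_port), remaining_payload) or raise ValueError.

    A backend NOT configured for the protocol skips this step and hands the
    whole stream to its TLS stack, which sees 'P' (0x50) where a record type
    byte belongs and drops the connection: the symptom in the thread."""
    m = _V1_RE.match(stream)
    if not m or m.end() > MAX_V1_LEN:
        raise ValueError("no valid PROXY v1 header at start of stream")
    fam, src, dst, sport, dport = m.groups()
    src_addr, dst_addr = ipaddress.ip_address(src.decode()), ipaddress.ip_address(dst.decode())
    want = 4 if fam == b"TCP4" else 6
    if src_addr.version != want or dst_addr.version != want:
        raise ValueError("address family does not match the addresses")
    sport, dport = int(sport), int(dport)
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError("port out of range")
    return (str(src_addr), sport), stream[m.end():]

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start with a TLS handshake record carrying a ClientHello."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[5] == 0x01

if __name__ == "__main__":
    hdr = build_v1("203.0.113.7", 51234, "192.168.0.153", 443)
    client, rest = parse_v1(hdr + CLIENT_HELLO)
    print("real client:", client, "| payload is TLS:", looks_like_tls_client_hello(rest))
    print("unaware backend sees TLS?", looks_like_tls_client_hello(hdr + CLIENT_HELLO))
```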