On 13-1-2019 at 13:11, Aleksandar Lazic wrote:

On 13.01.2019 at 12:17, Vũ Xuân Học wrote:

Please help me to solve this problem.

I use HAProxy version 1.5.18 in SSL transparent mode and I cannot get the client IP
in my .NET MVC website. With mode http I can use option forwardfor to catch the
client IP, but with tcp mode my web app reads X_Forwarded_For as null.

My diagram:

Client => Firewall => HAProxy => Web

I read the HAProxy documentation and tried to use send-proxy. But when I use send-proxy, I can
access my web.

This is my config:

frontend test2233
    bind *:2233
    option forwardfor
    default_backend testecus

backend testecus
    mode http
    server web1 check

The above config works, and I can get the client IP.

That's good, as it's `mode http` and therefore haproxy can see the http traffic.

Indeed, it can insert the http forwardfor header with 'mode http'.

Config with SSL:

frontend ivan
    mode tcp
    option tcplog
    #option forwardfor
    reqadd X-Forwarded-Proto:\ https
This can't work as you use `mode tcp` and therefore haproxy can't see the http

From my point of view you now have 2 options.

* use https termination on haproxy. Then you can add this http header.
That's one option indeed.
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.

I don't expect a firewall to send such a header. And if I understand correctly, the 'webserver' would need to be configured to accept proxy-protocol. The modification to make in haproxy would be to configure send-proxy[-v2-ssl-cn].
And how to configure it with for example nginx:

The different modes are described in the doc

Here is a blog post about basic setup of haproxy with ssl

    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 5s
    tcp-request content accept if tls

    # Define hosts
    acl host_1 req.ssl_sni -i ebh.vn
    acl host_2 req.ssl_sni -m end -i einvoice.com.vn   # was "req.ssl_sni hdr_end(host) ...", which is not valid ACL syntax; "-m end" is the suffix match

    use_backend eBH if host_1
    use_backend einvoice443 if host_2

backend eBH
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web1 maxconn 30000 check #cookie web1
    server web2 maxconn 30000 check #cookie web2 (was a second "web1"; server names within a backend must be unique)

The above config doesn't work, and I cannot get the client IP. I tried server web1 send-proxy and server web1 send-proxy-v2,
but I can't access my web.
This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.
Firewalls by themselves will never use proxy-protocol at all. That it doesn't work with send-proxy on the haproxy server line is likely because the webservice that is receiving the traffic isn't configured to accept the proxy protocol. How to configure a ".NET MVC website" to accept that is something I don't know, if it is even possible at all.

Many thanks,
Best regards

Thanks & Best Regards!

PiBa-NL (Pieter)
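As an added example for the send-proxy / accept-proxy discussion in this thread (this is not code from the thread, from HAProxy or from nginx), the Python below builds and parses the PROXY protocol v1 line that HAProxy's `send-proxy` prepends to every backend connection, which is what a backend with `accept-proxy` (or nginx `listen ... proxy_protocol`) must strip before it reads the real stream. It also shows why a backend that does not expect the line, like the .NET site here, stops working: the first byte of the connection becomes 'P' (0x50) instead of the TLS record header (0x16). The addresses, ports and TLS bytes are constructed sample data, and the function names are this example's own.

```python
"""PROXY protocol v1 as emitted by HAProxy's `send-proxy` and expected by
`accept-proxy`.  Added example, not code from the thread or from HAProxy.
All addresses are constructed (RFC 5737 / RFC 3849 documentation ranges)."""
import ipaddress

CRLF = b"\r\n"
# Longest legal v1 line including CRLF (107 bytes, the TCP6 worst case).
MAX_V1_LEN = 107


def build_v1_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the line a sender writes before the first byte of client data."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}".encode("ascii") + CRLF


def parse_v1_header(data: bytes):
    """Split a PROXY v1 line off the front of `data`.

    Returns (info, payload): `info` carries the original client address and
    port (the value the web app wants instead of X-Forwarded-For), or None
    for "PROXY UNKNOWN"; `payload` is the untouched client stream.  A receiver
    configured for PROXY must drop any connection that does not start with a
    complete, valid line instead of falling back to the socket peer address.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("connection does not start with a PROXY v1 line")
    end = data.find(CRLF, 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("PROXY line longer than 107 bytes or missing CRLF")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + len(CRLF):]
    if fields[1] == "UNKNOWN":          # sender has no address info; keep socket peer
        return None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError(f"malformed PROXY line: {data[:end]!r}")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match PROXY line")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range in PROXY line")
    info = {"client_ip": str(src), "client_port": src_port,
            "server_ip": str(dst), "server_port": dst_port}
    return info, payload


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


# Constructed stand-in for the first bytes a browser sends: a TLS record
# header (handshake, record version 3.1) and the start of a ClientHello.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301005a010000560303")


def demo():
    """The three situations from the thread, as one dict of outcomes."""
    hdr = build_v1_header("203.0.113.7", 51234, "192.0.2.10", 443)
    wire = hdr + SAMPLE_CLIENT_HELLO        # what `send-proxy` puts on the wire

    # Backend configured for PROXY: strip the line, recover the client IP,
    # hand the untouched TLS stream on.
    info, payload = parse_v1_header(wire)

    # Backend configured for PROXY but the server line lacks send-proxy:
    # the connection must be rejected, not trusted.
    try:
        parse_v1_header(SAMPLE_CLIENT_HELLO)
        rejected = False
    except ValueError:
        rejected = True

    return {
        # Backend NOT configured for PROXY sees 'P' where a TLS record should
        # start and aborts the handshake: the "I can't access my web" case.
        "unaware_backend_sees_tls": looks_like_tls_client_hello(wire),
        "client_ip": info["client_ip"],
        "payload_is_tls": looks_like_tls_client_hello(payload),
        "missing_header_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two cautions follow from the parser. A listener that accepts PROXY must only be reachable from the upstream proxy (firewall the port, or restrict it with `tcp-request connection expect-proxy layer4 if { src <proxy address> }` instead of a blanket `accept-proxy`), because anyone else who can open a connection to it can claim any client address in the header. And a sender must never enable `send-proxy` towards a backend that has not been told to expect it: the header is not self-describing to a TLS or HTTP stack, so the result is the broken site seen in this thread rather than a graceful fallback.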
