Hi.

As you use IIS I strongly suggest to terminate the https on haproxy and use 
mode http instead of tcp.

Here is a blog post about basic setup of haproxy with ssl

https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

I assume that haproxy have the client ip as the setup works in the http config.

Best regards
Aleks


-------- Ursprüngliche Nachricht --------
Von: "Vũ Xuân Học" <ho...@thaison.vn>
Gesendet: 14. Jänner 2019 02:17:23 MEZ
An: 'PiBa-NL' <piba.nl....@gmail.com>, 'Aleksandar Lazic' <al-hapr...@none.at>, 
haproxy@formilux.org
Betreff: RE: Get client IP

Thanks for your help

 

I try config HAProxy with accept-proxy like this:

frontend ivan
 
        bind 192.168.0.4:443 accept-proxy
        mode tcp
        option tcplog
 
#option forwardfor
 
    reqadd X-Forwarded-Proto:\ https
 

then my website can not access. 

I use IIS as webserver and I don’t know how to accept proxy, I only know config 
X-Forwarded-For like this

http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/ 

 

 

From: PiBa-NL <piba.nl....@gmail.com> 
Sent: Sunday, January 13, 2019 10:06 PM
To: Aleksandar Lazic <al-hapr...@none.at>; Vũ Xuân Học <ho...@thaison.vn>; 
haproxy@formilux.org
Subject: Re: Get client IP

 

Hi,

Op 13-1-2019 om 13:11 schreef Aleksandar Lazic:

Hi.
 
Am 13.01.2019 um 12:17 schrieb Vũ Xuân Học:

Hi,
 
Please help me to solve this problem.
 
I use HAProxy version 1.5.18, SSL transparent mode and I can not get client IP
in my .net mvc website. With mode http, I can use option forwardfor to catch
client ip but with tcp mode, my web read X_Forwarded_For is null.
 
 
 
My diagram:
 
Client => Firewall => HAProxy => Web
 
 
 
I read HAProxy document, try to use send-proxy. But when use send-proxy, I can
access my web.
 
This is my config:
 
frontend test2233
 
        bind *:2233
 
        option forwardfor
 
 
 
        default_backend testecus
 
backend testecus
 
        mode http
 
        server web1 192.168.0.151:2233 check
 
Above config work, and I can get the client IP

 
That's good as it's `mode http` therefore haproxy can see the http traffic.

Indeed it can insert the http forwardfor header with 'mode http'.



 
 

Config with SSL:
 
frontend ivan
 
        bind 192.168.0.4:443
        mode tcp
        option tcplog
 
#option forwardfor
 
    reqadd X-Forwarded-Proto:\ https

 
This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.
 
From my point of view have you now 2 options.
 
* use https termination on haproxy. Then you can add this http header.

Thats one option indeed.



 
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy

I dont expect a firewall to send such a header. And if i understand correctly 
the 'webserver' would need to be configured to accept proxy-protocol.
The modification to make in haproxy would be to configure send-proxy[-v2-ssl-cn]
http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
And how to configure it with for example nginx:
https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx

 
 
The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
 
Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 

    acl tls req.ssl_hello_type 1
 
    tcp-request inspect-delay 5s
 
    tcp-request content accept if tls
 
 
 
        # Define hosts
 
        acl host_1 req.ssl_sni -i ebh.vn
 
        acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
 
    
 
       use_backend eBH if host_1
 
       use_backend einvoice443 if host_2
 
     
 
backend eBH
 
        mode tcp
 
        balance roundrobin
 
        option ssl-hello-chk
 
       server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
 
       server web1 192.168.0.154:443 maxconn 30000 check #cookie web2
 
 
 
Above config doesn’t work, and I can not get the client ip. I try server web1
192.168.0.153:443 send-proxy and try server web1 192.168.0.153:443 send-proxy-v2
but I can’t access my web.

 
This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.

Firewall's by themselves will never use proxy-protocol at all. That it doesn't 
work with send-proxy on the haproxy server line is likely because the 
webservice that is receiving the traffic isn't configured to accept the proxy 
protocol. How to configure a ".net mvc website" to accept that is something i 
don't know if it is even possible at all..



 
 

Many thanks,

 
Best regards
Aleks
 

Thanks & Best Regards! 
****************************
* VU XUAN HOC
 

Regards,
PiBa-NL (Pieter)

Reply via email to