Hi,

I don't know how to use SSL in http mode. I have many sites with many certificates. As you see:

    …
    bind 192.168.0.4:443
    (I NAT port 443 from the firewall to the HAProxy IP 192.168.0.4)
    …
    # Define hosts
    acl host_1 req.ssl_sni -i ebh.vn
    acl host_2 req.ssl_sni -m end -i einvoice.com.vn
    … (many acl like above)
    use_backend eBH if host_1
    use_backend einvoice443 if host_2

From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Monday, January 14, 2019 8:45 AM
To: haproxy@formilux.org; Vũ Xuân Học <ho...@thaison.vn>; 'PiBa-NL' <piba.nl....@gmail.com>
Subject: RE: Get client IP

Hi.

As you use IIS I strongly suggest to terminate the https on haproxy and use mode http instead of tcp.

Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

I assume that haproxy has the client ip as the setup works in the http config.

Best regards
Aleks

_____
From: "Vũ Xuân Học" <ho...@thaison.vn>
Sent: 14 January 2019 02:17:23 CET
To: 'PiBa-NL' <piba.nl....@gmail.com>, 'Aleksandar Lazic' <al-hapr...@none.at>, haproxy@formilux.org
Subject: RE: Get client IP

Thanks for your help.

I tried to configure HAProxy with accept-proxy like this:

    frontend ivan
        bind 192.168.0.4:443 accept-proxy
        mode tcp
        option tcplog
        #option forwardfor
        reqadd X-Forwarded-Proto:\ https

then my website cannot be accessed.

I use IIS as webserver and I don't know how to accept proxy; I only know how to configure X-Forwarded-For like this:
http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/

From: PiBa-NL <piba.nl....@gmail.com>
Sent: Sunday, January 13, 2019 10:06 PM
To: Aleksandar Lazic <al-hapr...@none.at>; Vũ Xuân Học <ho...@thaison.vn>; haproxy@formilux.org
Subject: Re: Get client IP

Hi,

On 13-1-2019 at 13:11 Aleksandar Lazic wrote:
> Hi.
>
> On 13.01.2019 at 12:17 Vũ Xuân Học wrote:
>> Hi,
>>
>> Please help me to solve this problem.
>>
>> I use HAProxy version 1.5.18, SSL transparent mode, and I can not get the client IP in my .net mvc website. With mode http, I can use option forwardfor to catch the client ip, but with tcp mode my web reads X_Forwarded_For as null.
>>
>> My diagram: Client => Firewall => HAProxy => Web
>>
>> I read the HAProxy documentation and tried to use send-proxy. But when I use send-proxy, I can access my web.
>>
>> This is my config:
>>
>>     frontend test2233
>>         bind *:2233
>>         option forwardfor
>>         default_backend testecus
>>
>>     backend testecus
>>         mode http
>>         server web1 192.168.0.151:2233 check
>>
>> Above config works, and I can get the client IP.
>
> That's good as it's `mode http`, therefore haproxy can see the http traffic.

Indeed it can insert the http forwardfor header with 'mode http'.

>> Config with SSL:
>>
>>     frontend ivan
>>         bind 192.168.0.4:443
>>         mode tcp
>>         option tcplog
>>         #option forwardfor
>>         reqadd X-Forwarded-Proto:\ https
>
> This can't work as you use `mode tcp` and therefore haproxy can't see the http traffic.
>
> From my point of view you now have 2 options.
>
> * use https termination on haproxy. Then you can add this http header.

That's one option indeed.

> * use accept-proxy in the bind line. This option requires that the firewall is able to send the PROXY PROTOCOL header to haproxy.
> https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy

I don't expect a firewall to send such a header.
And if I understand correctly the 'webserver' would need to be configured to accept proxy-protocol. The modification to make in haproxy would be to configure send-proxy[-v2-ssl-cn]
http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
And how to configure it with for example nginx:
https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx

> The different modes are described in the doc
> https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
>
> Here is a blog post about basic setup of haproxy with ssl
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>
>>     acl tls req.ssl_hello_type 1
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if tls
>>
>>     # Define hosts
>>     acl host_1 req.ssl_sni -i ebh.vn
>>     acl host_2 req.ssl_sni -m end -i einvoice.com.vn
>>     use_backend eBH if host_1
>>     use_backend einvoice443 if host_2
>>
>>     backend eBH
>>         mode tcp
>>         balance roundrobin
>>         option ssl-hello-chk
>>         server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
>>         server web2 192.168.0.154:443 maxconn 30000 check #cookie web2
>>
>> Above config doesn't work, and I can not get the client ip.
>>
>> I tried server web1 192.168.0.153:443 send-proxy and tried server web1 192.168.0.153:443 send-proxy-v2, but I can't access my web.
>
> This is expected as the Firewall does not send the PROXY PROTOCOL header and the bind line is not configured for that.

Firewalls by themselves will never use proxy-protocol at all.
That it doesn't work with send-proxy on the haproxy server line is likely because the webservice that is receiving the traffic isn't configured to accept the proxy protocol. How to configure a ".net mvc website" to accept that is something I don't know, if it is even possible at all..

> Many thanks,
> Best regards
> Aleks
>
>> Thanks & Best Regards!
>> ****************************
>> * VU XUAN HOC

Regards,
PiBa-NL (Pieter)
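A configuration along the lines Aleks suggests (TLS terminated on HAProxy, mode http, routing on the HTTP Host header instead of SNI), added here as an illustration and not taken from any message in the thread. It assumes HAProxy 1.5, one PEM file per site (certificate chain plus private key) under /etc/haproxy/certs/, a CA bundle at /etc/haproxy/ca.pem that signs the IIS certificates, and the backend addresses used in the thread.

```haproxy
global
    # Assumed hardening for 1.5: DH size for DHE ciphers and no SSLv3 on binds
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # The firewall still only NATs 443 to this address; no PROXY protocol needed.
    # With a directory, every PEM in it is loaded and HAProxy selects the
    # certificate from the client's SNI automatically.
    bind 192.168.0.4:443 ssl crt /etc/haproxy/certs/
    mode http

    # HAProxy now sees the decrypted request, so it can add the headers
    # that the IIS sites read (X-Forwarded-For via forwardfor).
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    # In http mode the Host header is available; req.ssl_sni is no longer used.
    acl host_ebh      hdr(host)     -i ebh.vn
    acl host_einvoice hdr_end(host) -i einvoice.com.vn
    use_backend eBH         if host_ebh
    use_backend einvoice443 if host_einvoice

backend eBH
    balance roundrobin
    option httpchk GET /
    # Re-encrypt to IIS and verify its certificate against the assumed CA bundle;
    # health checks are sent over TLS as well because the server has 'ssl'.
    server web1 192.168.0.153:443 ssl verify required ca-file /etc/haproxy/ca.pem maxconn 30000 check
    server web2 192.168.0.154:443 ssl verify required ca-file /etc/haproxy/ca.pem maxconn 30000 check

backend einvoice443
    balance roundrobin
    option httpchk GET /
    server web1 192.168.0.151:443 ssl verify required ca-file /etc/haproxy/ca.pem check
```

If IIS serves plain HTTP on an internal port, the server lines become `server web1 192.168.0.153:80 check`; either way `send-proxy`/`accept-proxy` is not involved anywhere in this setup.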