Hi,
I don’t know how to use ssl in http mode. I have many site with many
certificate.
As you see:
…
bind 192.168.0.4:443 (I NAT port 443 from firewall to HAProxy IP 192.168.0.4)
…
# Define hosts
acl host_1 req.ssl_sni -i ebh.vn
acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
… (many acl like above)
use_backend eBH if host_1
use_backend einvoice443 if host_2
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Monday, January 14, 2019 8:45 AM
To: haproxy@formilux.org; Vũ Xuân Học <ho...@thaison.vn>; 'PiBa-NL'
<piba.nl....@gmail.com>
Subject: RE: Get client IP
Hi.
As you use IIS I strongly suggest to terminate the https on haproxy and use
mode http instead of tcp.
Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
I assume that haproxy have the client ip as the setup works in the http config.
Best regards
Aleks
_____
Von: "Vũ Xuân Học" <ho...@thaison.vn <mailto:ho...@thaison.vn> >
Gesendet: 14. Jänner 2019 02:17:23 MEZ
An: 'PiBa-NL' <piba.nl....@gmail.com <mailto:piba.nl....@gmail.com> >,
'Aleksandar Lazic' <al-hapr...@none.at <mailto:al-hapr...@none.at> >,
haproxy@formilux.org <mailto:haproxy@formilux.org>
Betreff: RE: Get client IP
Thanks for your help
I try config HAProxy with accept-proxy like this:
frontend ivan
bind 192.168.0.4:443 accept-proxy
mode tcp
option tcplog
#option forwardfor
reqadd X-Forwarded-Proto:\ https
then my website can not access.
I use IIS as webserver and I don’t know how to accept proxy, I only know config
X-Forwarded-For like this
http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
From: PiBa-NL <piba.nl....@gmail.com <mailto:piba.nl....@gmail.com> >
Sent: Sunday, January 13, 2019 10:06 PM
To: Aleksandar Lazic <al-hapr...@none.at <mailto:al-hapr...@none.at> >; Vũ Xuân
Học <ho...@thaison.vn <mailto:ho...@thaison.vn> >; haproxy@formilux.org
<mailto:haproxy@formilux.org>
Subject: Re: Get client IP
Hi,
Op 13-1-2019 om 13:11 schreef Aleksandar Lazic:
Hi.
Am 13.01.2019 um 12:17 schrieb Vũ Xuân Học:
Hi,
Please help me to solve this problem.
I use HAProxy version 1.5.18, SSL transparent mode and I can not get client IP
in my .net mvc website. With mode http, I can use option forwardfor to catch
client ip but with tcp mode, my web read X_Forwarded_For is null.
My diagram:
Client => Firewall => HAProxy => Web
I read HAProxy document, try to use send-proxy. But when use send-proxy, I can
access my web.
This is my config:
frontend test2233
bind *:2233
option forwardfor
default_backend testecus
backend testecus
mode http
server web1 192.168.0.151:2233 check
Above config work, and I can get the client IP
That's good as it's `mode http` therefore haproxy can see the http traffic.
Indeed it can insert the http forwardfor header with 'mode http'.
Config with SSL:
frontend ivan
bind 192.168.0.4:443
mode tcp
option tcplog
#option forwardfor
reqadd X-Forwarded-Proto:\ https
This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.
>From my point of view have you now 2 options.
* use https termination on haproxy. Then you can add this http header.
Thats one option indeed.
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy
I dont expect a firewall to send such a header. And if i understand correctly
the 'webserver' would need to be configured to accept proxy-protocol.
The modification to make in haproxy would be to configure send-proxy[-v2-ssl-cn]
http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
And how to configure it with for example nginx:
https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx
The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
# Define hosts
acl host_1 req.ssl_sni -i ebh.vn
acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
use_backend eBH if host_1
use_backend einvoice443 if host_2
backend eBH
mode tcp
balance roundrobin
option ssl-hello-chk
server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
server web1 192.168.0.154:443 maxconn 30000 check #cookie web2
Above config doesn’t work, and I can not get the client ip. I try server web1
192.168.0.153:443 send-proxy and try server web1 192.168.0.153:443 send-proxy-v2
but I can’t access my web.
This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.
Firewall's by themselves will never use proxy-protocol at all. That it doesn't
work with send-proxy on the haproxy server line is likely because the
webservice that is receiving the traffic isn't configured to accept the proxy
protocol. How to configure a ".net mvc website" to accept that is something i
don't know if it is even possible at all..
Many thanks,
Best regards
Aleks
Thanks & Best Regards!
****************************
* VU XUAN HOC
Regards,
PiBa-NL (Pieter)
