Hi,

I have another problem. I want to allow only some IPs to access my website.
Please show me how to allow some IPs by domain name.

I tried with:

    tcp-request connection reject if { hdr(host) crmone.thaison.vn } !{ src x.x.x.x x.x.x.y }

but it does not work. I get this error message:

    keyword 'hdr' which is incompatible with 'frontend tcp-request connection rule'

I tried some other keywords but was not successful.
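As an added example (not from this thread), both ways of expressing such an allowlist: in tcp mode the request is opaque, so the check has to be a tcp-request content rule on the SNI rather than a tcp-request connection rule on hdr(host), while after TLS termination (as Aleks suggested) hdr(host) and http-request deny become available. The addresses 203.0.113.10/11, the backend names, the frontend name https_in and the certificate path are placeholders.

```haproxy
# Option A: TLS passthrough (mode tcp). hdr(host) is never visible here, and
# nothing from the request is visible at the "tcp-request connection" phase,
# so match on the SNI of the ClientHello after buffering it.
frontend ivan
    bind 192.168.0.4:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    acl tls_hello   req.ssl_hello_type 1
    acl host_crm    req.ssl_sni -i crmone.thaison.vn
    # src is the address HAProxy sees: with destination NAT on the firewall
    # that is the real client, with source NAT it would be the firewall.
    acl crm_allowed src 203.0.113.10 203.0.113.11   # placeholder IPs
    # reject before accept: a content rule that needs the ClientHello waits
    # for it (up to inspect-delay) and is evaluated once the SNI is known
    tcp-request content reject if host_crm !crm_allowed
    tcp-request content accept if tls_hello
    use_backend crm if host_crm
    default_backend other_sites

# Option B: TLS terminated on HAProxy (mode http). Now the Host header is
# visible and the same policy is an http-request rule; the client IP can
# also be passed to IIS with option forwardfor.
frontend https_in
    bind 192.168.0.4:443 ssl crt /etc/haproxy/certs/   # placeholder path
    mode http
    option forwardfor
    acl host_crm    hdr(host) -i crmone.thaison.vn
    acl crm_allowed src 203.0.113.10 203.0.113.11   # placeholder IPs
    http-request deny if host_crm !crm_allowed
    use_backend crm if host_crm
    default_backend other_sites
```

Rejected clients get a closed connection in option A and an HTTP 403 in option B; both are logged, so the deny decisions can be reviewed.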





-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at> 
Sent: Monday, January 14, 2019 5:20 PM
To: Vũ Xuân Học <ho...@thaison.vn>; haproxy@formilux.org; 'PiBa-NL' 
<piba.nl....@gmail.com>
Subject: Re: Get client IP

Hi.

On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
> Hi,
> 
> I don’t know how to use ssl in http mode. I have many sites with many 
> certificates.
> 
> As you see:
> 
> …
> 
> bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP 
> 192.168.0.4)
> 
> …
> 
> # Define hosts
>         acl host_1 req.ssl_sni -i ebh.vn
>         acl host_2 req.ssl_sni -m end -i einvoice.com.vn
>         … (many acl like above)
> 
>         use_backend eBH if host_1
>         use_backend einvoice443 if host_2

You can use maps for this.
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

The openshift router has a complex but usable solution. Don't get confused 
by the golang template stuff in there.

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198

Regards
Aleks

> *From:* Aleksandar Lazic <al-hapr...@none.at>
> *Sent:* Monday, January 14, 2019 8:45 AM
> *To:* haproxy@formilux.org; Vũ Xuân Học <ho...@thaison.vn>; 'PiBa-NL'
> <piba.nl....@gmail.com>
> *Subject:* RE: Get client IP
> 
> Hi.
> 
> As you use IIS I strongly suggest terminating the https on haproxy 
> and using mode http instead of tcp.
> 
> Here is a blog post about basic setup of haproxy with ssl
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> 
> I assume that haproxy has the client ip as the setup works in the http 
> config.
> 
> Best regards
> Aleks
> 
> ----------------------------------------------------------------------
> 
> *From:* "Vũ Xuân Học" <ho...@thaison.vn <mailto:ho...@thaison.vn>>
> *Sent:* 14 January 2019 02:17:23 CET
> *To:* 'PiBa-NL' <piba.nl....@gmail.com 
> <mailto:piba.nl....@gmail.com>>, 'Aleksandar Lazic' 
> <al-hapr...@none.at <mailto:al-hapr...@none.at>>, haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Subject:* RE: Get client IP
> 
> Thanks for your help
> 
> I tried to configure HAProxy with accept-proxy like this:
> 
> frontend ivan
>         bind 192.168.0.4:443 accept-proxy
>         mode tcp
>         option tcplog
>         #option forwardfor
>         reqadd X-Forwarded-Proto:\ https
> 
> then my website can not be accessed.
> 
> I use IIS as webserver and I don’t know how to accept proxy, I only 
> know how to configure X-Forwarded-For like this
> 
> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
> 
> *From:* PiBa-NL <piba.nl....@gmail.com <mailto:piba.nl....@gmail.com>>
> *Sent:* Sunday, January 13, 2019 10:06 PM
> *To:* Aleksandar Lazic <al-hapr...@none.at 
> <mailto:al-hapr...@none.at>>; Vũ Xuân Học <ho...@thaison.vn 
> <mailto:ho...@thaison.vn>>; haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Subject:* Re: Get client IP
> 
> Hi,
> 
> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
> 
>     Hi.
> 
>     On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
> 
>         Hi,
> 
>         Please help me to solve this problem.
> 
>         I use HAProxy version 1.5.18, SSL transparent mode and I can 
>         not get client IP in my .net mvc website. With mode http, I can 
>         use option forwardfor to catch client ip but with tcp mode, my 
>         web reads X_Forwarded_For as null.
> 
>         My diagram:
> 
>         Client => Firewall => HAProxy => Web
> 
>         I read the HAProxy document and tried to use send-proxy. But when 
>         I use send-proxy, I can access my web.
> 
>         This is my config:
> 
>         frontend test2233
>                 bind *:2233
>                 option forwardfor
>                 default_backend testecus
> 
>         backend testecus
>                 mode http
>                 server web1 192.168.0.151:2233 check
> 
>         Above config works, and I can get the client IP
> 
>     That's good as it's `mode http` therefore haproxy can see the http 
>     traffic.
> 
> Indeed it can insert the http forwardfor header with 'mode http'.
> 
>         Config with SSL:
> 
>         frontend ivan
>                 bind 192.168.0.4:443
>                 mode tcp
>                 option tcplog
>         #option forwardfor
>             reqadd X-Forwarded-Proto:\ https
> 
>     This can't work as you use `mode tcp` and therefore haproxy can't 
>     see the http traffic.
> 
>     From my point of view you now have 2 options.
> 
>     * use https termination on haproxy. Then you can add this http header.
> 
> That's one option indeed.
> 
>     * use accept-proxy in the bind line. This option requires that the 
>     firewall is able to send the PROXY PROTOCOL header to haproxy.
>     https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy
> 
> I don't expect a firewall to send such a header. And if I understand 
> correctly the 'webserver' would need to be configured to accept 
> proxy-protocol.
> The modification to make in haproxy would be to configure 
> send-proxy[-v2-ssl-cn] 
> http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
> And how to configure it with for example nginx:
> https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx
> 
>     The different modes are described in the doc
>     https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
> 
>     Here is a blog post about basic setup of haproxy with ssl
>     https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> 
>             acl tls req.ssl_hello_type 1
>             tcp-request inspect-delay 5s
>             tcp-request content accept if tls
> 
>                 # Define hosts
>                 acl host_1 req.ssl_sni -i ebh.vn
>                 acl host_2 req.ssl_sni -m end -i einvoice.com.vn
> 
>                use_backend eBH if host_1
>                use_backend einvoice443 if host_2
> 
>         backend eBH
>                 mode tcp
>                 balance roundrobin
>                 option ssl-hello-chk
>                server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
>                server web2 192.168.0.154:443 maxconn 30000 check #cookie web2
> 
>         Above config doesn’t work, and I can not get the client ip. I 
>         tried server web1 192.168.0.153:443 send-proxy and tried server web1 
>         192.168.0.153:443 send-proxy-v2 but I can’t access my web.
> 
>     This is expected as the Firewall does not send the PROXY PROTOCOL 
>     header and the bind line is not configured for that.
> 
> Firewalls by themselves will never use proxy-protocol at all. That it 
> doesn't work with send-proxy on the haproxy server line is likely 
> because the webservice that is receiving the traffic isn't configured 
> to accept the proxy protocol. How to configure a ".net mvc website" to 
> accept that is something I don't know, if it is even possible at all..
> 
>         Many thanks,
> 
>     Best regards
>     Aleks
> 
>         Thanks & Best Regards!
>         ****************************
>         * VU XUAN HOC
> 
> Regards,
> PiBa-NL (Pieter)
> 




Reply via email to