Dear,

I fixed it. I use { src x.x.x.x ... } in use_backend and it worked.

Many thanks,



-----Original Message-----
From: Vũ Xuân Học <ho...@thaison.vn> 
Sent: Wednesday, January 16, 2019 10:37 AM
To: 'Aleksandar Lazic' <al-hapr...@none.at>; 'haproxy@formilux.org' 
<haproxy@formilux.org>; 'PiBa-NL' <piba.nl....@gmail.com>
Subject: RE: Get client IP

Hi,

I have other problem. I want to only allow some ip access my website. Please 
show me how to allow some IP by domain name.

I try with: tcp-request connection reject if { hdr(host) crmone.thaison.vn } !{ 
src x.x.x.x x.x.x.y } but it’s not work. I get error message: 
                           
                      keyword 'hdr' which is incompatible with 'frontend 
tcp-request connection rule'

I try with some other keyword but not successful.





-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Monday, January 14, 2019 5:20 PM
To: Vũ Xuân Học <ho...@thaison.vn>; haproxy@formilux.org; 'PiBa-NL' 
<piba.nl....@gmail.com>
Subject: Re: Get client IP

Hi.

Am 14.01.2019 um 03:11 schrieb Vũ Xuân Học:
> Hi,
> 
>  
> 
> I don’t know how to use ssl in http mode. I have many site with many 
> certificate.
> 
> As you see:
> 
> …
> 
> bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP
> 192.168.0.4)
> 
> …
> 
> # Define hosts
> 
>         acl host_1 req.ssl_sni -i ebh.vn
> 
>         acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
> 
>         … (many acl like above)
> 
> 
>         use_backend eBH if host_1
> 
>        use_backend einvoice443 if host_2

You can use maps for this.
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

The openshift router have a complex but usable solution. Don't get confused 
with the golang template stuff in there.

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198

Regards
Aleks

> *From:* Aleksandar Lazic <al-hapr...@none.at>
> *Sent:* Monday, January 14, 2019 8:45 AM
> *To:* haproxy@formilux.org; Vũ Xuân Học <ho...@thaison.vn>; 'PiBa-NL'
> <piba.nl....@gmail.com>
> *Subject:* RE: Get client IP
> 
>  
> 
> Hi.
> 
> As you use IIS I strongly suggest to terminate the https on haproxy 
> and use mode http instead of tcp.
> 
> Here is a blog post about basic setup of haproxy with ssl
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-o
> f-stunnel-stud-nginx-or-pound/
> 
> I assume that haproxy have the client ip as the setup works in the http 
> config.
> 
> Best regards
> Aleks
> 
> ----------------------------------------------------------------------
> ----------
> 
> *Von:*"Vũ Xuân Học" <ho...@thaison.vn <mailto:ho...@thaison.vn>>
> *Gesendet:* 14. Jänner 2019 02:17:23 MEZ
> *An:* 'PiBa-NL' <piba.nl....@gmail.com 
> <mailto:piba.nl....@gmail.com>>, 'Aleksandar Lazic'
> <al-hapr...@none.at <mailto:al-hapr...@none.at>>, haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Betreff:* RE: Get client IP
> 
>  
> 
> Thanks for your help
> 
>  
> 
> I try config HAProxy with accept-proxy like this:
> 
> frontend ivan
> 
>  
> 
>         bind 192.168.0.4:443 accept-proxy
> 
>         mode tcp
> 
>         option tcplog
> 
>  
> 
> #option forwardfor
> 
>  
> 
>     reqadd X-Forwarded-Proto:\ https
> 
>  
> 
> then my website can not access.
> 
> I use IIS as webserver and I don’t know how to accept proxy, I only 
> know config X-Forwarded-For like this
> 
> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
> 
>  
> 
>  
> 
> *From:* PiBa-NL <piba.nl....@gmail.com <mailto:piba.nl....@gmail.com>>
> *Sent:* Sunday, January 13, 2019 10:06 PM
> *To:* Aleksandar Lazic <al-hapr...@none.at 
> <mailto:al-hapr...@none.at>>; Vũ Xuân Học <ho...@thaison.vn 
> <mailto:ho...@thaison.vn>>; haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Subject:* Re: Get client IP
> 
>  
> 
> Hi,
> 
> Op 13-1-2019 om 13:11 schreef Aleksandar Lazic:
> 
>     Hi.
> 
>      
> 
>     Am 13.01.2019 um 12:17 schrieb Vũ Xuân Học:
> 
>         Hi,
> 
>          
> 
>         Please help me to solve this problem.
> 
>          
> 
>         I use HAProxy version 1.5.18, SSL transparent mode and I can 
> not get client IP
> 
>         in my .net mvc website. With mode http, I can use option 
> forwardfor to catch
> 
>         client ip but with tcp mode, my web read X_Forwarded_For is null.
> 
>          
> 
>          
> 
>          
> 
>         My diagram:
> 
>          
> 
>         Client => Firewall => HAProxy => Web
> 
>          
> 
>          
> 
>          
> 
>         I read HAProxy document, try to use send-proxy. But when use 
> send-proxy, I can
> 
>         access my web.
> 
>          
> 
>         This is my config:
> 
>          
> 
>         frontend test2233
> 
>          
> 
>                 bind *:2233
> 
>          
> 
>                 option forwardfor
> 
>          
> 
>          
> 
>          
> 
>                 default_backend testecus
> 
>          
> 
>         backend testecus
> 
>          
> 
>                 mode http
> 
>          
> 
>                 server web1 192.168.0.151:2233 check
> 
>          
> 
>         Above config work, and I can get the client IP
> 
>      
> 
>     That's good as it's `mode http` therefore haproxy can see the http 
> traffic.
> 
> Indeed it can insert the http forwardfor header with 'mode http'.
> 
>      
> 
>      
> 
>         Config with SSL:
> 
>          
> 
>         frontend ivan
> 
>          
> 
>                 bind 192.168.0.4:443
> 
>                 mode tcp
> 
>                 option tcplog
> 
>          
> 
>         #option forwardfor
> 
>          
> 
>             reqadd X-Forwarded-Proto:\ https
> 
>      
> 
>     This can't work as you use `mode tcp` and therefore haproxy can't 
> see the http
> 
>     traffic.
> 
>      
> 
>     From my point of view have you now 2 options.
> 
>      
> 
>     * use https termination on haproxy. Then you can add this http header.
> 
> Thats one option indeed.
> 
>      
> 
>     * use accept-proxy in the bind line. This option requires that the 
> firewall is
> 
>     able to send the PROXY PROTOCOL header to haproxy.
> 
>     
> https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-acce
> pt-proxy
> 
> I dont expect a firewall to send such a header. And if i understand 
> correctly the 'webserver' would need to be configured to accept 
> proxy-protocol.
> The modification to make in haproxy would be to configure 
> send-proxy[-v2-ssl-cn] 
> http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#
> 5.2-send-proxy And how to configure it with for example nginx:
> https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx
> 
>      
> 
>      
> 
>     The different modes are described in the doc
> 
>     
> https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
> 
>      
> 
>     Here is a blog post about basic setup of haproxy with ssl
> 
>     
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-o
> f-stunnel-stud-nginx-or-pound/
> 
>      
> 
>             acl tls req.ssl_hello_type 1
> 
>          
> 
>             tcp-request inspect-delay 5s
> 
>          
> 
>             tcp-request content accept if tls
> 
>          
> 
>          
> 
>          
> 
>                 # Define hosts
> 
>          
> 
>                 acl host_1 req.ssl_sni -i ebh.vn
> 
>          
> 
>                 acl host_2 req.ssl_sni hdr_end(host) -i 
> einvoice.com.vn
> 
>          
> 
>             
> 
>          
> 
>                use_backend eBH if host_1
> 
>          
> 
>                use_backend einvoice443 if host_2
> 
>          
> 
>              
> 
>          
> 
>         backend eBH
> 
>          
> 
>                 mode tcp
> 
>          
> 
>                 balance roundrobin
> 
>          
> 
>                 option ssl-hello-chk
> 
>          
> 
>                server web1 192.168.0.153:443 maxconn 30000 check 
> #cookie web1
> 
>          
> 
>                server web1 192.168.0.154:443 maxconn 30000 check 
> #cookie web2
> 
>          
> 
>          
> 
>          
> 
>         Above config doesn’t work, and I can not get the client ip. I 
> try server web1
> 
>         192.168.0.153:443 send-proxy and try server web1
> 192.168.0.153:443 send-proxy-v2
> 
>         but I can’t access my web.
> 
>      
> 
>     This is expected as the Firewall does not send the PROXY PROTOCOL 
> header and the
> 
>     bind line is not configured for that.
> 
> Firewall's by themselves will never use proxy-protocol at all. That it 
> doesn't work with send-proxy on the haproxy server line is likely 
> because the webservice that is receiving the traffic isn't configured 
> to accept the proxy protocol. How to configure a ".net mvc website" to 
> accept that is something i don't know if it is even possible at all..
> 
>      
> 
>      
> 
>         Many thanks,
> 
>      
> 
>     Best regards
> 
>     Aleks
> 
>      
> 
>         Thanks & Best Regards!
> 
>         ****************************
> 
>         * VU XUAN HOC
> 
>          
> 
> Regards,
> PiBa-NL (Pieter)
> 




Reply via email to