This config does not work. I took your working config and added my global and default sections.

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/opt/rh/rh-haproxy18/lib/haproxy/stats

    # set default parameters to the modern configuration
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    tune.ssl.default-dh-param 2048
    ssl-server-verify none

#---------------------------------------------------------------------
# HTTP section defaults, frontends and backends
#---------------------------------------------------------------------
defaults HTTP
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    timeout tunnel 3600s
    maxconn 3000
    default-server inter 15s rise 2 fall 2

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
listen fe_http_main
    bind :80
    bind :443 ssl crt /home/certs/haproxy/combined/
    mode http
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    timeout connect 1s
    timeout server 5s
    timeout client 5s
    http-response set-header X-Server-IP %[dst]
    http-response set-header X-Server-Port %[dst_port]
    http-response set-header X-Client-IP %[src]
    http-response set-header X-Client-Port %[src_port]
    server www 127.0.0.1:8000

listen srv
    mode http
    bind 127.0.0.1:8000
    http-request deny deny_status 200

> On 5 Jul 2019, at 22:55, Peter Hudec <pe...@home.hudecof.net> wrote:
>
> There’s no problem with nginx/php.
>
> If I add these lines in my config
>
> http-response set-header X-Server-IP %[dst]
> http-response set-header X-Server-Port %[dst_port]
> http-response set-header X-Client-IP %[src]
> http-response set-header X-Client-Port %[src_port]
>
> I see exactly the same.
>
> Peter
>
>> On 5 Jul 2019, at 22:53, Christopher Faulet <cfau...@haproxy.com> wrote:
>>
>> On 05/07/2019 at 21:55, Peter Hudec wrote:
>>> Hi Jarno,
>>> thanks for the answer.
>>> I tried to run the haproxy in debug mode, but I do not see the request
>>> headers for the upstream in the log.
>>> But I have found some new facts.
>>> Test these 2 scenarios, at this moment there are no valid certs
>>> http://web01.test.host.sk/test.php
>>> https://web01.test.host.sk/test.php
>>> look for the
>>> X_SERVER_IP
>>> X_SERVER_PORT
>>> X_CLIENT_IP
>>> X_CLIENT_PORT
>>> See the difference?
>>> For the HTTP, the values are correct, for HTTPS not.
>>> I’m running RH SCL HAPROXY. I could try to compile newer version or are
>>> there any for CentOS7?
>>
>> I don't know how your nginx/php is configured. But try to replace nginx by a
>> ncat. Something like that:
>>
>> printf "HTTP/1.1 200 ok\r\nContent-length: 0\r\n\r\n" | nc -l -p {PORT}
>>
>> You will see the request from the server point of view. If it still fails,
>> share the smallest HAProxy configuration to reproduce the bug.
>>
>> --
>> Christopher Faulet
>