Hello,

Find attached two small patches to improve documentation on "option
forwardfor" and "http-request set-src".

I'm using Gmail so I had to attach patches and was not able to send them
directly. If format is wrong, tell me :)

Olivier
From efbc320861c9c5a43219983cfc1073070b3e6622 Mon Sep 17 00:00:00 2001
From: Olivier Doucet <odou...@oxeva.fr>
Date: Mon, 20 Apr 2020 19:39:27 +0200
Subject: [DOC] This patch adds example on how to use "http-request
 set-src" with "option forwardfor".

---
 doc/configuration.txt | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git doc/configuration.txt doc/configuration.txt
index 5d01835d7..ddfabcd92 100644
--- doc/configuration.txt
+++ doc/configuration.txt
@@ -6735,7 +6735,8 @@ option forwardfor [ except <network> ] [ header <name> ] 
[ if-none ]
   header for a known source address or network by adding the "except" keyword
   followed by the network address. In this case, any source IP matching the
   network will not cause an addition of this header. Most common uses are with
-  private networks or 127.0.0.1.
+  private networks or 127.0.0.1. Another way to do it is to tell HAProxy to
+  trust a custom header with "http-request set-src".
 
   Alternatively, the keyword "if-none" states that the header will only be
   added if it is not present. This should only be used in perfectly trusted
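Review bot: The sentence added at the end of the "except" paragraph says to "trust a custom header" without saying when that is safe. A request header is set by whoever sends the request, so the text should state that the header is only reliable when the connection comes from a known proxy that overwrites it, in the same spirit as the "perfectly trusted" wording used for "if-none" just below. It would also help to refer to the "http-request set-src" section by name so readers find the details there.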
@@ -6760,6 +6761,14 @@ option forwardfor [ except <network> ] [ header <name> ] 
[ if-none ]
         mode http
         option forwardfor header X-Client
 
+  Example :
+    # Trust a specific header and use it as origin IP. 
+    # If not found, source IP will be used.
+    frontend www
+        mode http
+        http-request set-src CF-Connecting-IP
+        option forwardfor
+
   See also : "option httpclose", "option http-server-close",
              "option http-keep-alive"
 
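Review bot: In the new example, "http-request set-src CF-Connecting-IP" passes a bare header name where set-src takes an expression. The set-src examples use the form hdr(x-forwarded-for), so this line should read "http-request set-src hdr(CF-Connecting-IP)". The rule is also unconditional, so any client that sends this header chooses the address HAProxy records and forwards; adding an "if" condition that matches only the front proxy's addresses would make the example safe to copy. The first comment line of the example ends with a trailing space.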
-- 
2.18.0.windows.1

From 34efa737cf09753301787dde7dc77df2041b3288 Mon Sep 17 00:00:00 2001
From: Olivier Doucet <oliv...@oxeva.fr>
Date: Mon, 20 Apr 2020 19:59:43 +0200
Subject: [DOC] add useful informations on "http-request set-src"

---
 doc/configuration.txt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git doc/configuration.txt doc/configuration.txt
index ddfabcd92..49324fa53 100644
--- doc/configuration.txt
+++ doc/configuration.txt
@@ -5114,7 +5114,8 @@ http-request set-src <expr> [ { if | unless } <condition> 
]
   This is used to set the source IP address to the value of specified
   expression. Useful when a proxy in front of HAProxy rewrites source IP, but
   provides the correct IP in a HTTP header; or you want to mask source IP for
-  privacy.
+  privacy. All subsequent calls to src field will return this value
+  (see example).
 
   Arguments :
     <expr>  Is a standard HAProxy expression formed by a sample-fetch followed
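Review bot: "All subsequent calls to src field" is imprecise, since "src" is a sample fetch rather than a field. Something like "All subsequent uses of the "src" sample fetch will return this value" reads better. "(see example)" should also say which example is meant, because the section already has two example lines and another hunk in this patch adds a third.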
@@ -5124,6 +5125,11 @@ http-request set-src <expr> [ { if | unless } 
<condition> ]
     http-request set-src hdr(x-forwarded-for)
     http-request set-src src,ipmask(24)
 
+  Example:
+    # This will track connection based on header IP
+    http-request set-src hdr(x-forwarded-for)
+    http-request track-sc0 src
+
   When possible, set-src preserves the original source port as long as the
   address family allows it, otherwise the source port is set to 0.
 
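Review bot: The new example tracks sc0 on an address taken from x-forwarded-for with no condition on the set-src rule, so a client can pick the key it is tracked under by sending its own header value. The synopsis allows an if/unless condition, so the example should apply set-src only when the connection comes from the trusted proxy, and the comment should say so. As a style point, "Example:" lacks the space before the colon that "Arguments :" uses in the same section.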
-- 
2.18.0.windows.1
