Duplicate X-Forwarded-For

2012-02-01 Thread habeeb rahman
Hi All,

The backend application depends on the X-Forwarded-For value and today we
noticed an interesting problem.
I have enabled 'option forwardfor' and it works fine when no
X-Forwarded-For header is added by the client.

When there is X-Forwarded-For added by the client (I used chrome rest
client) I can see haproxy is sending two X-Forwarded-For to the backend
instead of appending the values.
One is client sent and the other one is the one haproxy created newly. To
make sure I took capture and I see the duplicate one.
Is this a bug or am I missing something?

From client end:-


From haproxy LB:-


From Backend:-


-Habeeb


Re: Duplicate X-Forwarded-For

2012-02-01 Thread habeeb rahman
(Thanks Holger for quick response)
I know that apache comma separates the values for X-Forwarded-For and I
thought haproxy behaves the same.
We do not want to delete X-Forwarded-For and then add
X-Forwarded-For because the developers want to look at the proxy chain.

Having said that I am still not able to understand the scenario
mentioned in the clause below to what we are seeing.

Multiple message-header fields with the same field-name MAY be
 present in a message if and only if the entire field-value for
 that header field is defined as a comma-separated list [i.e.,
 #(values)]

Our scenario is client app adds say X-Forwarded-For:10.10.10.10 and then
haproxy also adds another header X-Forwarded-For:192.168.1.1

so at the backend we can see

X-Forwarded-For:10.10.10.10
X-Forwarded-For:192.168.1.1

Does this match the clause mentioned?
Just trying to make sure I understood it right :)

-Habeeb

On Wed, Feb 1, 2012 at 10:22 PM, Holger Just hapr...@meine-er.de wrote:

 Hey,

 On 2012-02-01 17:41, habeeb rahman wrote:
  When there is X-Forwarded-For added by the client (I used chrome rest
  client) I can see haproxy is sending two X-Forwarded-For to the backend
  instead of appending the values.
  One is client sent and the other one is the one haproxy created newly. To
  make sure I took capture and I see the duplicate one.
  Is this a bug or am I missing something?

 You are missing something :) To cite from RFC 2616 (HTTP/1.1):

  Multiple message-header fields with the same field-name MAY be
  present in a message if and only if the entire field-value for
  that header field is defined as a comma-separated list [i.e.,
  #(values)]. It MUST be possible to combine the multiple header
  fields into one field-name: field-value pair, without changing
  the semantics of the message, by appending each subsequent
  field-value to the first, each separated by a comma. The order in
  which header fields with the same field-name are received is
  therefore significant to the interpretation of the combined field
  value, and thus a proxy MUST NOT change the order of these field
  values when a message is forwarded.


 As both forms (comma separated and exploded into multiple headers) are
 thus equivalent, HAProxy chooses the simplest implementation and just
 appends a new header at the bottom of the headers list. Implementations
 are expected to handle this the same as if it were a single header with
 comma separated values.

 Generally, it is a good idea to only trust those headers that you know
 are trustworthy (e.g. set by HAProxy itself). Thus, a common
 configuration is to delete all existing X-Forwarded-For headers on
 arrival and just setting the single new header using something like

 reqidel ^X-Forwarded-For:.*
 option forwardfor

 If you need the client-supplied list, you would have to merge the list
 at your final HTTP server nevertheless.

 --Holger
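
Added example, not part of the original thread and not HAProxy code: one way a Python backend can merge the repeated X-Forwarded-For lines into a single ordered chain, as RFC 2616 section 4.2 allows, and then trust only the entry written by its own proxy. The function names and the HAProxy address 192.168.1.254 are assumptions; the two header values are the ones from the message above.

```python
import ipaddress

# Constructed sample: the backend's view of the request from the thread.
SPLIT_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "10.10.10.10"),   # supplied by the client
    ("X-Forwarded-For", "192.168.1.1"),   # appended by HAProxy
]
# The same information folded into one comma-separated header.
JOINED_HEADERS = [("X-Forwarded-For", "10.10.10.10, 192.168.1.1")]

HAPROXY_ADDR = "192.168.1.254"            # assumed address of the proxy
TRUSTED_PROXIES = [HAPROXY_ADDR + "/32"]


def merge_forwarded_for(headers):
    """Fold every X-Forwarded-For line into one list, keeping header order."""
    chain = []
    for name, value in headers:
        if name.strip().lower() != "x-forwarded-for":
            continue
        for item in value.split(","):
            item = item.strip()
            if item:
                chain.append(item)
    return chain


def client_address(peer, chain, trusted_proxies):
    """Walk the chain right to left, starting from the TCP peer.

    An entry is believed only if the hop that reported it is a trusted
    proxy; everything further left is client-controlled and is kept for
    display only.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer)
    for hop in reversed(chain):
        if not any(current in n for n in nets):
            break                 # current hop is not one of our proxies
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break                 # malformed entry: stop at last verified hop
    return str(current)
```

The full merged chain remains available for developers who want to look at the proxy chain, while access decisions and logging use only the value returned by `client_address`.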




haproxy status and graphing

2011-10-27 Thread habeeb rahman
Hello All,

It would be great if someone could clarify following. This is regarding the
haproxy-status page.

current conns means the number of TCP connections in the ESTABLISHED state or
is it all TCP connections from client and to backend?
Errors resp means http non 200 from backend?

Also what is the best way to graph haproxy status(like a graph of concurrent
conns)? Googled and could see people suggesting collectd et al. but like
to hear from the masters.

-Habeeb


Best way to find the version

2011-08-01 Thread habeeb rahman
Hi All,

Just wondering what is the best way to find the haproxy version. This is
rightscale AMI so I was not the one who installed it.
Either yum list installed|grep haproxy or rpm -qa|grep haproxy helped.

Any help would be great. Also keep up the awesome work guys!

-Habeeb


Re: Help on SSL termination and balance source

2011-06-09 Thread habeeb rahman
James,

Thanks for your points. Rewrite rule was set up by some other guys and is
being used for some time now and works well with round robin.
Anyhow I will look at mod_proxy in detail. Not sure how SSL termination can
be done with it and moreover how haproxy gonna balance based on client IP.
Any insight?

Anyone else has any thoughts or insights to share?

-Habeeb

On Thu, Jun 9, 2011 at 7:11 PM, James Bardin jbar...@bu.edu wrote:

 On Thu, Jun 9, 2011 at 7:33 AM, habeeb rahman pk.h...@gmail.com wrote:

  apache rewrite rule:
   RewriteRule ^/(.*)$ http://127.0.0.1:2443%{REQUEST_URI} [P,QSA,L]


 Why are you using a rewrite instead of mod_proxy?
 ProxyPass does some nice things by default, like adding the
 X-Forwarded-For header which will provide the address of the client.
 Otherwise, you will need to do this manually with rewrite rules.

 -jim