Re: Get real source IP
Hi Maxime,

On Mon, Nov 15, 2010 at 02:09:42PM -0500, Maxime Ducharme wrote:
> Hi guys
>
> We are looking for a way to get real source IP that is connecting to our web services. We currently use option forwardfor, but some people are using this to bypass our checks.

Then your checks are not performed on the correct occurrence of the header. Just like any header defined as a list, you should determine which one is the most suited for you. Haproxy takes care of always appending it, so that you know that the last occurrence is haproxy's. Your application should look at this one.

As someone else suggested, you can also remove the header first (reqidel ^X-Forwarded-For) and be fine with that. You can also decide to name the header differently, but that's going to be hard to maintain.

Regards,
Willy
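An added example (not code from the thread or from HAProxy) of the application-side check Willy describes: collect every X-Forwarded-For occurrence in wire order and trust only the last one, since that is the one HAProxy appended. The request bytes, addresses and function names are constructed for this example; with `reqidel ^X-Forwarded-For` in front of `option forwardfor` only one occurrence ever arrives and the same lookup still applies.

```python
import ipaddress

# Constructed sample: what the backend sees after HAProxy's "option forwardfor"
# appended its own X-Forwarded-For. The first occurrence was sent by the client
# (untrusted); HAProxy always appends its header last. Addresses are made up.
RAW_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "X-Forwarded-For: 10.0.0.5\r\n"        # client-supplied, must be ignored
    "x-forwarded-for: 203.0.113.7\r\n"     # appended by HAProxy (case differs)
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs in wire order with names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:    # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def real_source_ip(raw, header="x-forwarded-for"):
    """Address the proxy appended: last header occurrence, last list element.

    Returns None when the header is absent or the candidate is not a valid
    IP address, so the caller fails closed instead of trusting garbage.
    """
    values = [v for n, v in parse_headers(raw) if n == header]
    if not values:
        return None
    # One occurrence may itself be a comma-separated list; the proxy's own
    # entry is always the right-most element.
    candidate = values[-1].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def first_occurrence_ip(raw, header="x-forwarded-for"):
    """The naive lookup (first occurrence, first element), shown for contrast."""
    for n, v in parse_headers(raw):
        if n == header:
            return v.split(",")[0].strip()
    return None
```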
RE: Get real source IP
Hi Angelo

Thanks for reply

Can you enlighten me on how to remove a specific header?

example: we will use X-MySrc-Ip as header name, I would like to ensure people cannot spoof it. Can we configure haproxy to remove any X-MySrc-Ip headers before adding the source IP?

--
Maxime Ducharme
Systems Architect

On Mon, 2010-11-15 at 21:06 +, Angelo Höngens wrote:
> Or you could remove the client's xff header, and always use your own. Then you are sure you can trust your own xff header, and the client can't bypass.
>
> --
> With kind regards,
>
> Angelo Höngens
> Systems Administrator
>
> --
> NetMatch
> tourism internet software solutions
>
> Ringbaan Oost 2b
> 5013 CA Tilburg
> T: +31 (0)13 5811088
> F: +31 (0)13 5821239
>
> mailto:a.hong...@netmatch.nl
> http://www.netmatch.nl
> --
>
> From: Graeme Donaldson [mailto:gra...@donaldson.za.net]
> Sent: Monday 15 November 2010 20:17
> To: Maxime Ducharme
> Cc: haproxy@formilux.org
> Subject: Re: Get real source IP
>
> On 15 November 2010 21:09, Maxime Ducharme <m...@techboom.com> wrote:
> > Hi guys
> >
> > We are looking for a way to get real source IP that is connecting to our web services. We currently use option forwardfor, but some people are using this to bypass our checks.
> >
> > Is there another way to send real IP to our web servers?
>
> Another way to do this is to use HAproxy in transparent proxy mode. I have not used it personally, but unless I'm mistaken it functions more like a NAT/routing device instead of a proxy.
>
> Here's a short howto if you'd like to try it out:
> http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
>
> Regards,
> Graeme.
RE: Get real source IP
Read Willy's response from earlier today, he showed the command.. (I use another product in front of haproxy that removes the header in my case).

--
With kind regards,

Angelo Höngens
Systems Administrator

--
NetMatch
tourism internet software solutions

Ringbaan Oost 2b
5013 CA Tilburg
T: +31 (0)13 5811088
F: +31 (0)13 5821239

mailto:a.hong...@netmatch.nl
http://www.netmatch.nl
--

-----Original Message-----
From: Maxime Ducharme [mailto:m...@techboom.com]
Sent: Tuesday 16 November 2010 16:52
To: Angelo Höngens
Cc: 'Graeme Donaldson'; 'haproxy@formilux.org'
Subject: RE: Get real source IP

> Hi Angelo
>
> Thanks for reply
>
> Can you enlighten me on how to remove a specific header?
>
> example: we will use X-MySrc-Ip as header name, I would like to ensure people cannot spoof it. Can we configure haproxy to remove any X-MySrc-Ip headers before adding the source IP?
>
> --
> Maxime Ducharme
> Systems Architect
>
> On Mon, 2010-11-15 at 21:06 +, Angelo Höngens wrote:
> > Or you could remove the client's xff header, and always use your own. Then you are sure you can trust your own xff header, and the client can't bypass.
> >
> > --
> > With kind regards,
> >
> > Angelo Höngens
> > Systems Administrator
> >
> > --
> > NetMatch
> > tourism internet software solutions
> >
> > Ringbaan Oost 2b
> > 5013 CA Tilburg
> > T: +31 (0)13 5811088
> > F: +31 (0)13 5821239
> >
> > mailto:a.hong...@netmatch.nl
> > http://www.netmatch.nl
> > --
> >
> > From: Graeme Donaldson [mailto:gra...@donaldson.za.net]
> > Sent: Monday 15 November 2010 20:17
> > To: Maxime Ducharme
> > Cc: haproxy@formilux.org
> > Subject: Re: Get real source IP
> >
> > On 15 November 2010 21:09, Maxime Ducharme <m...@techboom.com> wrote:
> > > Hi guys
> > >
> > > We are looking for a way to get real source IP that is connecting to our web services. We currently use option forwardfor, but some people are using this to bypass our checks.
> > >
> > > Is there another way to send real IP to our web servers?
> >
> > Another way to do this is to use HAproxy in transparent proxy mode. I have not used it personally, but unless I'm mistaken it functions more like a NAT/routing device instead of a proxy.
> >
> > Here's a short howto if you'd like to try it out:
> > http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
> >
> > Regards,
> > Graeme.
Re: Get real source IP
Thanks Willy and Angelo !

Sorry I did not read all posts before replying :P

Trying this, have a nice day

--
Maxime Ducharme
Systems Architect

On Tue, 2010-11-16 at 12:06 +0100, Willy Tarreau wrote:
> Hi Maxime,
>
> On Mon, Nov 15, 2010 at 02:09:42PM -0500, Maxime Ducharme wrote:
> > Hi guys
> >
> > We are looking for a way to get real source IP that is connecting to our web services. We currently use option forwardfor, but some people are using this to bypass our checks.
>
> Then your checks are not performed on the correct occurrence of the header. Just like any header defined as a list, you should determine which one is the most suited for you. Haproxy takes care of always appending it, so that you know that the last occurrence is haproxy's. Your application should look at this one.
>
> As someone else suggested, you can also remove the header first (reqidel ^X-Forwarded-For) and be fine with that. You can also decide to name the header differently, but that's going to be hard to maintain.
>
> Regards,
> Willy
Re: Get real source IP
On 15 November 2010 21:09, Maxime Ducharme <m...@techboom.com> wrote:
> Hi guys
>
> We are looking for a way to get real source IP that is connecting to our web services. We currently use option forwardfor, but some people are using this to bypass our checks.
>
> Is there another way to send real IP to our web servers?

Another way to do this is to use HAproxy in transparent proxy mode. I have not used it personally, but unless I'm mistaken it functions more like a NAT/routing device instead of a proxy.

Here's a short howto if you'd like to try it out:
http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/

Regards,
Graeme.
RE: Get real source IP
Or you could remove the client's xff header, and always use your own. Then you are sure you can trust your own xff header, and the client can't bypass.

--
With kind regards,

Angelo Höngens
Systems Administrator

--
NetMatch
tourism internet software solutions

Ringbaan Oost 2b
5013 CA Tilburg
T: +31 (0)13 5811088
F: +31 (0)13 5821239

mailto:a.hong...@netmatch.nl
http://www.netmatch.nl
--

From: Graeme Donaldson [mailto:gra...@donaldson.za.net]
Sent: Monday 15 November 2010 20:17
To: Maxime Ducharme
Cc: haproxy@formilux.org
Subject: Re: Get real source IP

On 15 November 2010 21:09, Maxime Ducharme <m...@techboom.com> wrote:
> Hi guys
>
> We are looking for a way to get real source IP that is connecting to our web services. We currently use option forwardfor, but some people are using this to bypass our checks.
>
> Is there another way to send real IP to our web servers?

Another way to do this is to use HAproxy in transparent proxy mode. I have not used it personally, but unless I'm mistaken it functions more like a NAT/routing device instead of a proxy.

Here's a short howto if you'd like to try it out:
http://blog.loadbalancer.org/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/

Regards,
Graeme.