x-forwarded-for help

2015-10-05 Thread Travis Fitch

Hello,

Some quick background: my current setup is haproxy in front of
Apache on the same host. If I send a request to haproxy, I see the
x-forwarded-for entry in Apache's logs and also with tcpdump:

  tcpdump -i any -nn -A - -s  'host x.x.x.51 and port 8880' | egrep 'X-F'

X-Forwarded-For: x.x.x.207
X-Forwarded-Port: 443
X-Forwarded-Proto: https

We also have a hardware LB in a non-inline configuration in front
of HAP. It's configured to send x-forwarded on to haproxy.

My issue is: if I bypass the hardware LB, I see the
X-Forwarded-For header; if I go via the hardware LB to haproxy
and on to Apache, I don't see any x-forwarded-for headers in
Apache's log files.

If on the other hand I go via the hardware LB directly to Apache
(bypassing haproxy) I see the x-forwarded-for header. Any ideas
what I am missing in my config file? (I'm testing against
privatetest.dom.net.)

A snippet of my haproxy config file looks like this:
  
global
    log 127.0.0.1 local0
    log-send-hostname app04
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    stats socket /tmp/haproxy mode 600 level admin
    tune.ssl.default-dh-param 1024
    ssl-server-verify none

defaults
    log global
    mode http                   # Default to L7 proxy service
    option httplog              # HTTP log format
    option dontlognull          # Do not log connections with no requests
    option contstats            # Enable continuous traffic statistics updates
    option redispatch           # Try another server in case of connection failure
    option http-server-close    # Force client side keepalives.
    retries 3
    maxconn 2000
    timeout connect 5s
    timeout client 605s         # GM: uploads take a while to process in PHP
    timeout server 600s         # GM: (as above)
    timeout http-keep-alive 1s
    timeout http-request 10s    # slowloris protection

frontend http-in
    ## ACL Statements
    acl is_privatetest hdr(host) -i privatetest.dom.net privatetest2.dom.net

    bind *:80
    use_backend private if is_privatetest
    default_backend dom_net

frontend https-in-private
    capture request header X-Forwarded-For len 50
    # Use General Purpose Counter (gpc) 0 in SC1 as a global abuse counter
    # Monitors the number of requests sent by an IP over a period of 20 seconds
    stick-table type ip size 1m expire 20s store gpc0,http_req_rate(500s)
    tcp-request connection track-sc1 src
    # refuses a new connection from an abuser
    tcp-request content reject if { src_get_gpc0 gt 0 }
    # returns a 403 for requests in an established connection
    http-request deny if { src_get_gpc0 gt 0 }
    acl secure dst_port eq 443
    bind 119.82.1.51:443 ssl crt /etc/haproxy/certs/dom_net.pem name private
    reqadd X-Forwarded-Proto:\ https
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload if secure
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    # Do not allow this site to be displayed in iframes
    rspadd X-Frame-Options:\ SAMEORIGIN
    # Do not permit Content-Type sniffing.
    rspadd X-XSS-Protection:\ 1;\ mode=block
    rspadd X-Content-Type-Options:\ nosniff
    use_backend private

# Backend
backend private
    # If the source IP sent 10 or more http requests over the defined period,
    # flag the IP as abuser on the frontend
    acl abuse src_http_req_rate(https-in-private) ge 500
    acl flag_abuser src_inc_gpc0(https-in-private) ge 0
    # Returns a 403 to the abuser
    tcp-request content reject if abuse flag_abuser
    http-request deny if abuse flag_abuser
    #
    balance leastconn
    cookie SERVERID insert nocache indirect
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost\r\nUser-agent:\ HAP-Check
    option httpclose
    option forwardfor except x.x.x.195
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if  { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
    server app04 x.x.x.51:8880 cookie sydapp04 check maxconn 20
    redirect scheme https if !{ ssl_fc }

listen stats 127.0.0.1:1936

Re: x-forwarded-for help

2015-10-05 Thread Aleksandar Lazic

Hi.

On 05-10-2015 14:29, Travis Fitch wrote (see the original message above):

How about adding "option forwardfor ..." in the defaults section or at the
frontend?

http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4.2-option%20forwardfor

Since this header is always appended at the end of the existing header list,
the server must be configured to always use the last occurrence of this
header only.

BTW: Please can you also add the output of haproxy -vv? Thanks.

BR Aleks
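The documentation quote above is the crux: HAProxy appends its X-Forwarded-For as a new header at the end, so a backend that reads only the first occurrence sees whatever the client or an upstream box sent. The following is an added example (not code from the thread or from HAProxy) of how the Apache side should resolve the client address: merge every occurrence in wire order, then walk from the right over the proxies you operate; the trusted-proxy addresses and the sample request are constructed placeholders, and the walk generalizes the "use the last occurrence" rule to a chain of several trusted hops.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed stand-ins for the two hops in the thread: the hardware LB and
# the haproxy host in front of Apache. Addresses are placeholders.
TRUSTED_PROXIES = ("192.0.2.195", "192.0.2.51")


def merge_xff(headers: Iterable[tuple]) -> List[str]:
    """Concatenate every X-Forwarded-For occurrence in wire order.

    HAProxy adds its own X-Forwarded-For as a new header at the end of the
    list, so the hop it recorded is the LAST element of the merged chain.
    """
    hops: List[str] = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops


def client_ip(headers: Iterable[tuple], trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Walk the merged chain from the right, skipping the proxies we run, and
    return the first hop we do not trust. Everything further left was written
    by parties we do not control and must not be believed."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    for hop in reversed(merge_xff(headers)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: refuse rather than guess
        if not any(addr in n for n in nets):
            return str(addr)
    return None  # every hop was one of our own proxies: no client address


# Constructed request as Apache would see it: the client sent its own header,
# the hardware LB added the real client, haproxy appended the LB's address.
SAMPLE_HEADERS = [
    ("Host", "privatetest.dom.net"),
    ("X-Forwarded-For", "10.9.9.9"),        # supplied by the client itself
    ("X-Forwarded-For", "203.0.113.207"),   # added by the hardware LB
    ("X-Forwarded-For", "192.0.2.195"),     # added by haproxy (src = the LB)
    ("X-Forwarded-Proto", "https"),
]

if __name__ == "__main__":
    print(merge_xff(SAMPLE_HEADERS))  # reading only the first header gives 10.9.9.9
    print(client_ip(SAMPLE_HEADERS))  # 203.0.113.207
```

Apache's %a/%h log fields still show the proxy's address; whatever module you use to substitute the client address must implement this same right-to-left walk over a trusted-proxy list, not take the first value it finds.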



Re: x-forwarded-for help

2015-10-05 Thread Daren Sefcik
On Mon, Oct 5, 2015 at 5:29 AM, Travis Fitch wrote:

> My issue is, if I bypass the hardware LB, I see the X-Forwarded-For
> header, if I go via the the Hardware LB to haproxy and onto Apache, I don't
> see any x-forwarded-for headers in Apaches log files.


I am new to haproxy, but it sounds like maybe haproxy does not know how to
extract the x-forwarded-for header and pass it on; it is only looking at
the x-client header and adding it to the XFF header.