Hello,
Some quick background: my current setup is haproxy in front of
Apache on the same host. If I send a request to haproxy, I see the
x-forwarded-for entry in Apache's logs and also with tcpdump
tcpdump -i any -nn -A
- -s 'host x.x.x.51 and port 8880' | egrep 'X-F'
X-Forwarded-For: x.x.x.207
X-Forwarded-Port: 443
X-Forwarded-Proto: https
We also have a hardware LB in a non-inline configuration in front
of HAProxy. It's configured to send the x-forwarded headers on to haproxy.
My issue is: if I bypass the hardware LB, I see the
X-Forwarded-For header; if I go via the hardware LB to haproxy
and on to Apache, I don't see any x-forwarded-for headers in
Apache's log files.
If, on the other hand, I go via the hardware LB directly to Apache
(bypassing haproxy), I see the x-forwarded-for header. Any ideas
what I am missing in my config file? (I'm testing against
privatetest.dom.net.)
A snippet of my haproxy config file looks like this:
global
# Process-wide settings: syslog via the local UDP socket, tagged with host name app04.
log 127.0.0.1 local0
log-send-hostname app04
maxconn 4096
user haproxy
group haproxy
daemon
# NOTE(review): an admin-level stats socket gives runtime control over the proxy
# (server state, weights, table contents). mode 600 restricts it to the owner, but a
# fixed path under the world-writable /tmp can be pre-created or symlinked by other
# local users — a directory writable only by the haproxy user is the safer location.
stats socket /tmp/haproxy mode 600 level admin
# NOTE(review): 1024-bit DH parameters are generally considered too weak today;
# 2048 is the usual minimum recommendation.
tune.ssl.default-dh-param 1024
# NOTE(review): disables verification of backend server TLS certificates. The only
# server shown below is plain :8880 on the same host, so this has no effect there, but
# it would silently accept any certificate on an ssl-enabled server added later.
ssl-server-verify none
defaults
# Settings inherited by every frontend/backend/listen section that follows.
log global
mode http # Default to L7 proxy service
option httplog # HTTP log format
option dontlognull # Do not log connections with no requests
option contstats # Enable continuous traffic statistics updates
option redispatch # Try another server in case of connection failure
option http-server-close # Force client side keepalives (server side is closed after each response).
retries 3
# Per-proxy connection cap; the global maxconn above (4096) still bounds the process.
maxconn 2000
timeout connect 5s
timeout client 605s # GM: uploads take a while to process in PHP
timeout server 600s # GM: (as above)
timeout http-keep-alive 1s
# Bounds how long a client may take to send the complete request headers.
timeout http-request 10s # slowloris protection
frontend http-in
## ACL Statements
# NOTE(review): the acl below appears line-wrapped by the mail client; presumably both
# host names sit on the single "acl is_privatetest" line in the real file.
acl is_privatetest hdr(host) -i privatetest.dom.net
privatetest2.dom.net
# Plain-HTTP listener on all addresses. Requests for the private host names are routed
# to backend "private", whose "redirect scheme https" rule sends them on to TLS; nothing
# in this frontend touches X-Forwarded-For (that is done in the backend).
bind *:80
use_backend private if is_privatetest
default_backend dom_net
frontend https-in-private
# Records up to 50 chars of the X-Forwarded-For that arrives from the client in the
# access log. It only logs the inbound value; it does not add or change the header.
# Useful here to confirm whether the hardware LB's header actually reaches haproxy.
capture request header X-Forwarded-For len 50
# Use General Purpose Counter (gpc) 0 in SC1 as a global abuse counter
# Monitors the number of request sent by an IP over a period of 20 seconds
# NOTE(review): the table expires entries after 20s but the rate window is 500s, so an
# entry can be dropped before its window completes — confirm which period is intended.
# NOTE(review): tracking is keyed on "src", the connecting address. Behind the hardware
# LB every client shares the LB's address, so all of them accumulate in one entry and a
# single abuser flagging gpc0 gets every client behind the LB rejected. If the LB's
# X-Forwarded-For is trusted, tracking on that header (from the LB's address only)
# would keep the per-client semantics.
# (directive below appears line-wrapped by the mail client)
stick-table type ip size 1m expire 20s store
gpc0,http_req_rate(500s)
tcp-request connection track-sc1 src
# refuses a new connection from an abuser
tcp-request content reject if { src_get_gpc0 gt 0 }
# returns a 403 for requests in an established connection
http-request deny if { src_get_gpc0 gt 0 }
acl secure dst_port eq 443
# TLS listener. (bind line and its "name private" appear line-wrapped by the mail client)
bind 119.82.1.51:443 ssl crt /etc/haproxy/certs/dom_net.pem
name private
# Tells the backend the original scheme was https.
# NOTE(review): backend "private" sets X-Forwarded-Proto again with http-request
# set-header, which replaces this value; one of the two is presumably redundant.
reqadd X-Forwarded-Proto:\ https
# HSTS for one year, including subdomains (wrapped across two lines by the mail client).
rspadd Strict-Transport-Security:\ max-age=31536000;\
includeSubDomains;\ preload if secure
# Appends the Secure attribute to every Set-Cookie the application emits.
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
# Do not allow this site to be displayed in iframes
rspadd X-Frame-Options:\ SAMEORIGIN
# Enable the browser's reflected-XSS filter in blocking mode.
rspadd X-XSS-Protection:\ 1;\ mode=block
# Do not permit Content-Type sniffing.
rspadd X-Content-Type-Options:\ nosniff
use_backend private
# Backend
backend private
# If the source IP sent 500 or more http requests over the defined period
# (the threshold is the one on the "abuse" acl; an earlier comment said 10),
# flag the IP as abuser on the frontend
acl abuse src_http_req_rate(https-in-private) ge 500
# "ge 0" is always true; the acl exists for the side effect of incrementing gpc0, and
# presumably relies on haproxy evaluating it only after "abuse" has matched.
acl flag_abuser src_inc_gpc0(https-in-private) ge 0
# Returns a 403 to the abuser
tcp-request content reject if abuse flag_abuser
http-request deny if abuse flag_abuser
#
balance leastconn
# Persistence cookie inserted by haproxy.
# NOTE(review): consider the "httponly" and "secure" keywords on this line; verify
# whether the frontend's rsprep rule also covers this haproxy-inserted cookie.
cookie SERVERID insert nocache indirect
# Health check (appears line-wrapped by the mail client; one directive in the real file).
option httpchk HEAD /
HTTP/1.1\r\nHost:localhost\r\nUser-agent:\ HAP-Check
option httpclose
# NOTE(review): "except" makes haproxy skip adding X-Forwarded-For when the connecting
# client's address is x.x.x.195. If that address is the hardware LB, requests arriving
# via the LB get no X-Forwarded-For from haproxy, which matches the symptom described
# in the message. An X-Forwarded-For the LB inserted itself would normally be passed
# through unchanged, so the captured header in the frontend log shows whether it arrives.
# It also means any value in a header from x.x.x.195 is trusted as-is.
option forwardfor except x.x.x.195
http-request set-header X-Forwarded-Port %[dst_port]
# Scheme as seen by haproxy (both directives appear line-wrapped by the mail client).
http-request set-header X-Forwarded-Proto https if { ssl_fc
}
http-request set-header X-Forwarded-Proto http if !{ ssl_fc
}
# Single backend server on the same host, capped at 20 concurrent connections.
server app04 x.x.x.51:8880 cookie sydapp04 check maxconn 20
# Plain-HTTP requests routed here from frontend http-in are redirected to https.
redirect scheme https if !{ ssl_fc }
listen stats 127.0.0.1:1936