Re: Get client IP

2019-01-16 Thread Aleksandar Lazic
Hi.

On 16.01.2019 at 06:43, Vũ Xuân Học wrote:
> Dear,
> 
> I fixed it. I use { src x.x.x.x ... } in use_backend and it worked.
> 
> Many thanks,

Great ;-).

How about the original issue with the SSL, what is the solution now?

Best regards
Aleks

> -Original Message-
> From: Vũ Xuân Học  
> Sent: Wednesday, January 16, 2019 10:37 AM
> To: 'Aleksandar Lazic' ; 'haproxy@formilux.org' 
> ; 'PiBa-NL' 
> Subject: RE: Get client IP
> 
> Hi,
> 
> I have another problem. I want to allow only some IPs to access my website. Please 
> show me how to allow some IPs by domain name.
> 
> I tried: tcp-request connection reject if { hdr(host) crmone.thaison.vn } 
> !{ src x.x.x.x x.x.x.y } but it does not work. I get this error message: 
>
>   keyword 'hdr' which is incompatible with 'frontend 
> tcp-request connection rule'
> 
> I tried some other keywords but was not successful.
> 
> 
> 
> 
> 
> -Original Message-
> From: Aleksandar Lazic 
> Sent: Monday, January 14, 2019 5:20 PM
> To: Vũ Xuân Học ; haproxy@formilux.org; 'PiBa-NL' 
> 
> Subject: Re: Get client IP
> 
> Hi.
> 
On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
>> Hi,
>>
>>  
>>
>> I don’t know how to use ssl in http mode. I have many sites with many 
>> certificates.
>>
>> As you see:
>>
>> …
>>
>> bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP
>> 192.168.0.4)
>>
>> …
>>
>> # Define hosts
>>
>> acl host_1 req.ssl_sni -i ebh.vn
>>
>> acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
>>
>> … (many acl like above)
>>
>>
>> use_backend eBH if host_1
>>
>>use_backend einvoice443 if host_2
> 
> You can use maps for this.
> https://www.haproxy.com/blog/introduction-to-haproxy-maps/
> 
> The openshift router has a complex but usable solution. Don't get confused 
> with the golang template stuff in there.
> 
> https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180
> 
> https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198
> 
> Regards
> Aleks
> 
>> *From:* Aleksandar Lazic 
>> *Sent:* Monday, January 14, 2019 8:45 AM
>> *To:* haproxy@formilux.org; Vũ Xuân Học ; 'PiBa-NL'
>> 
>> *Subject:* RE: Get client IP
>>
>>  
>>
>> Hi.
>>
>> As you use IIS I strongly suggest to terminate the https on haproxy 
>> and use mode http instead of tcp.
>>
>> Here is a blog post about basic setup of haproxy with ssl
>>
>> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-o
>> f-stunnel-stud-nginx-or-pound/
>>
>> I assume that haproxy has the client ip as the setup works in the http 
>> config.
>>
>> Best regards
>> Aleks
>>
>> --
>> --
>>
>> *From:*"Vũ Xuân Học" mailto:ho...@thaison.vn>>
>> *Sent:* 14 January 2019 02:17:23 CET
>> *To:* 'PiBa-NL' > <mailto:piba.nl@gmail.com>>, 'Aleksandar Lazic'
>> mailto:al-hapr...@none.at>>, haproxy@formilux.org 
>> <mailto:haproxy@formilux.org>
>> *Subject:* RE: Get client IP
>>
>>  
>>
>> Thanks for your help
>>
>>  
>>
>> I tried configuring HAProxy with accept-proxy like this:
>>
>> frontend ivan
>>
>>  
>>
>> bind 192.168.0.4:443 accept-proxy
>>
>>     mode tcp
>>
>> option tcplog
>>
>>  
>>
>> #option forwardfor
>>
>>  
>>
>> reqadd X-Forwarded-Proto:\ https
>>
>>  
>>
>> then my website cannot be accessed.
>>
>> I use IIS as the webserver and I don’t know how to accept proxy; I only 
>> know how to configure X-Forwarded-For like this
>>
>> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
>>
>>  
>>
>>  
>>
>> *From:* PiBa-NL mailto:piba.nl@gmail.com>>
>> *Sent:* Sunday, January 13, 2019 10:06 PM
>> *To:* Aleksandar Lazic > <mailto:al-hapr...@none.at>>; Vũ Xuân Học > <mailto:ho...@thaison.vn>>; haproxy@formilux.org 
>> <mailto:haproxy@formilux.org>
>> *Subject:* Re: Get client IP
>>
>>  
>>
>> Hi,
>>
>> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
>>
>> Hi.
>>
>>  
>>

RE: Get client IP

2019-01-15 Thread Vũ Xuân Học
Dear,

I fixed it. I use { src x.x.x.x ... } in use_backend and it worked.

Many thanks,



-Original Message-
From: Vũ Xuân Học  
Sent: Wednesday, January 16, 2019 10:37 AM
To: 'Aleksandar Lazic' ; 'haproxy@formilux.org' 
; 'PiBa-NL' 
Subject: RE: Get client IP

Hi,

I have another problem. I want to allow only some IPs to access my website. Please 
show me how to allow some IPs by domain name.

I tried: tcp-request connection reject if { hdr(host) crmone.thaison.vn } !{ 
src x.x.x.x x.x.x.y } but it does not work. I get this error message: 
   
  keyword 'hdr' which is incompatible with 'frontend 
tcp-request connection rule'

I tried some other keywords but was not successful.





-Original Message-
From: Aleksandar Lazic 
Sent: Monday, January 14, 2019 5:20 PM
To: Vũ Xuân Học ; haproxy@formilux.org; 'PiBa-NL' 

Subject: Re: Get client IP

Hi.

On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
> Hi,
> 
>  
> 
> I don’t know how to use ssl in http mode. I have many sites with many 
> certificates.
> 
> As you see:
> 
> …
> 
> bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP
> 192.168.0.4)
> 
> …
> 
> # Define hosts
> 
> acl host_1 req.ssl_sni -i ebh.vn
> 
> acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
> 
> … (many acl like above)
> 
> 
> use_backend eBH if host_1
> 
>use_backend einvoice443 if host_2

You can use maps for this.
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

The openshift router has a complex but usable solution. Don't get confused 
with the golang template stuff in there.

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198

Regards
Aleks

> *From:* Aleksandar Lazic 
> *Sent:* Monday, January 14, 2019 8:45 AM
> *To:* haproxy@formilux.org; Vũ Xuân Học ; 'PiBa-NL'
> 
> *Subject:* RE: Get client IP
> 
>  
> 
> Hi.
> 
> As you use IIS I strongly suggest to terminate the https on haproxy 
> and use mode http instead of tcp.
> 
> Here is a blog post about basic setup of haproxy with ssl
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-o
> f-stunnel-stud-nginx-or-pound/
> 
> I assume that haproxy has the client ip as the setup works in the http 
> config.
> 
> Best regards
> Aleks
> 
> --
> --
> 
> *From:*"Vũ Xuân Học" mailto:ho...@thaison.vn>>
> *Sent:* 14 January 2019 02:17:23 CET
> *To:* 'PiBa-NL'  <mailto:piba.nl@gmail.com>>, 'Aleksandar Lazic'
> mailto:al-hapr...@none.at>>, haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Subject:* RE: Get client IP
> 
>  
> 
> Thanks for your help
> 
>  
> 
> I tried configuring HAProxy with accept-proxy like this:
> 
> frontend ivan
> 
>  
> 
> bind 192.168.0.4:443 accept-proxy
> 
> mode tcp
> 
> option tcplog
> 
>  
> 
> #option forwardfor
> 
>  
> 
> reqadd X-Forwarded-Proto:\ https
> 
>  
> 
> then my website cannot be accessed.
> 
> I use IIS as the webserver and I don’t know how to accept proxy; I only 
> know how to configure X-Forwarded-For like this
> 
> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
> 
>  
> 
>  
> 
> *From:* PiBa-NL mailto:piba.nl@gmail.com>>
> *Sent:* Sunday, January 13, 2019 10:06 PM
> *To:* Aleksandar Lazic  <mailto:al-hapr...@none.at>>; Vũ Xuân Học  <mailto:ho...@thaison.vn>>; haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Subject:* Re: Get client IP
> 
>  
> 
> Hi,
> 
> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
> 
> Hi.
> 
>  
> 
> On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
> 
> Hi,
> 
>  
> 
> Please help me to solve this problem.
> 
>  
> 
> I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP
> in my .NET MVC website. With mode http, I can use option forwardfor to catch the
> client IP, but with tcp mode my web app reads X_Forwarded_For as null.
> 
>  
> 
>  
> 
>  
> 
> My diagram:
> 
>  
> 
> Client => Firewall => HAProxy => Web
> 
>  
> 
>  
> 
>  
> 
> I read the HAProxy documentation and tried to use send-proxy. But when I use 
> send-proxy, I can access my web.
> 
>

RE: Get client IP

2019-01-15 Thread Vũ Xuân Học
Hi,

I have another problem. I want to allow only some IPs to access my website. Please 
show me how to allow some IPs by domain name.

I tried: tcp-request connection reject if { hdr(host) crmone.thaison.vn } !{ 
src x.x.x.x x.x.x.y } but it does not work. I get this error message: 
   
  keyword 'hdr' which is incompatible with 'frontend 
tcp-request connection rule'

I tried some other keywords but was not successful.





-Original Message-
From: Aleksandar Lazic  
Sent: Monday, January 14, 2019 5:20 PM
To: Vũ Xuân Học ; haproxy@formilux.org; 'PiBa-NL' 

Subject: Re: Get client IP

Hi.

On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
> Hi,
> 
>  
> 
> I don’t know how to use ssl in http mode. I have many sites with many 
> certificates.
> 
> As you see:
> 
> …
> 
> bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP 
> 192.168.0.4)
> 
> …
> 
> # Define hosts
> 
> acl host_1 req.ssl_sni -i ebh.vn
> 
> acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
> 
> … (many acl like above)
> 
> 
> use_backend eBH if host_1
> 
>use_backend einvoice443 if host_2

You can use maps for this.
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

The openshift router has a complex but usable solution. Don't get confused 
with the golang template stuff in there.

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198

Regards
Aleks

> *From:* Aleksandar Lazic 
> *Sent:* Monday, January 14, 2019 8:45 AM
> *To:* haproxy@formilux.org; Vũ Xuân Học ; 'PiBa-NL'
> 
> *Subject:* RE: Get client IP
> 
>  
> 
> Hi.
> 
> As you use IIS I strongly suggest to terminate the https on haproxy 
> and use mode http instead of tcp.
> 
> Here is a blog post about basic setup of haproxy with ssl
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-o
> f-stunnel-stud-nginx-or-pound/
> 
> I assume that haproxy has the client ip as the setup works in the http 
> config.
> 
> Best regards
> Aleks
> 
> --
> --
> 
> *From:*"Vũ Xuân Học" mailto:ho...@thaison.vn>>
> *Sent:* 14 January 2019 02:17:23 CET
> *To:* 'PiBa-NL'  <mailto:piba.nl@gmail.com>>, 'Aleksandar Lazic' 
> mailto:al-hapr...@none.at>>, haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Subject:* RE: Get client IP
> 
>  
> 
> Thanks for your help
> 
>  
> 
> I tried configuring HAProxy with accept-proxy like this:
> 
> frontend ivan
> 
>  
> 
> bind 192.168.0.4:443 accept-proxy
> 
> mode tcp
> 
> option tcplog
> 
>  
> 
> #option forwardfor
> 
>  
> 
> reqadd X-Forwarded-Proto:\ https
> 
>  
> 
> then my website cannot be accessed.
> 
> I use IIS as the webserver and I don’t know how to accept proxy; I only 
> know how to configure X-Forwarded-For like this
> 
> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
> 
>  
> 
>  
> 
> *From:* PiBa-NL mailto:piba.nl@gmail.com>>
> *Sent:* Sunday, January 13, 2019 10:06 PM
> *To:* Aleksandar Lazic  <mailto:al-hapr...@none.at>>; Vũ Xuân Học  <mailto:ho...@thaison.vn>>; haproxy@formilux.org 
> <mailto:haproxy@formilux.org>
> *Subject:* Re: Get client IP
> 
>  
> 
> Hi,
> 
> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
> 
> Hi.
> 
>  
> 
> On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
> 
> Hi,
> 
>  
> 
> Please help me to solve this problem.
> 
>  
> 
> I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP
> in my .NET MVC website. With mode http, I can use option forwardfor to catch the
> client IP, but with tcp mode my web app reads X_Forwarded_For as null.
> 
>  
> 
>  
> 
>  
> 
> My diagram:
> 
>  
> 
> Client => Firewall => HAProxy => Web
> 
>  
> 
>  
> 
>  
> 
> I read the HAProxy documentation and tried to use send-proxy. But when I use 
> send-proxy, I can access my web.
> 
>  
> 
> This is my config:
> 
>  
> 
> frontend test2233
> 
>  
> 
> bind *:2233
> 
>  
> 
> option forwardfor
> 
>  
> 
>
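The error quoted above comes from the stage, not from a typo: `hdr(host)` reads an HTTP header, a `mode tcp` frontend never parses HTTP, and `tcp-request connection` rules run before a single payload byte has arrived. The domain therefore has to be taken from the TLS ClientHello (the SNI extension) at the `tcp-request content` stage, which is also the stage at which the `{ src ... }` condition reported as working earlier in the thread can be combined with it. The configuration below is an added example written for this thread, not a config posted by anyone in it; the addresses 203.0.113.10 and 203.0.113.11 are placeholders for the permitted clients, and the backend names and server addresses are assumed.

```haproxy
# Added example (not from the thread): restrict which source IPs may reach one
# site, selected by the domain name the client sends in the TLS SNI.
# 203.0.113.10 / 203.0.113.11 are placeholder client addresses;
# crmone.thaison.vn is the domain named in the thread.

frontend ivan
    bind 192.168.0.4:443
    mode tcp
    option tcplog

    # Wait up to 5s for the first TLS record; req.ssl_sni is empty until the
    # ClientHello has been seen, and the rules below are re-evaluated as data
    # arrives.
    tcp-request inspect-delay 5s

    acl tls          req.ssl_hello_type 1
    acl crm_site     req.ssl_sni -i crmone.thaison.vn
    acl crm_allowed  src 203.0.113.10 203.0.113.11

    # The reject must be listed before the generic accept: once a connection
    # has been accepted, the remaining tcp-request content rules are skipped.
    tcp-request content reject if tls crm_site !crm_allowed
    tcp-request content accept if tls

    use_backend crm if crm_site
    default_backend other_sites

backend crm
    mode tcp
    option ssl-hello-chk
    server web1 192.168.0.153:443 check

backend other_sites
    mode tcp
    option ssl-hello-chk
    server web2 192.168.0.154:443 check
```

Two caveats apply before treating this as an access control. `src` is the address HAProxy sees on the socket, so the rule only works because the firewall forwards port 443 with the client address preserved (DNAT, as described in the thread); behind a SNAT every connection would carry the firewall's own address and the list would admit everyone or no one. And the SNI value is chosen by the client and is not verified: it decides which allowlist applies, but a client that omits or changes the SNI lands on `other_sites`, and if the server behind that backend also hosts crmone.thaison.vn the check is bypassed. Once TLS is terminated on HAProxy, the same condition can be written against the real Host header with `http-request deny`, which closes that gap.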

Re: Get client IP

2019-01-14 Thread Aleksandar Lazic
Hi.

On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
> Hi,
> 
>  
> 
> I don’t know how to use ssl in http mode. I have many sites with many 
> certificates.
> 
> As you see:
> 
> …
> 
> bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP 
> 192.168.0.4)
> 
> …
> 
> # Define hosts
> 
>     acl host_1 req.ssl_sni -i ebh.vn
> 
>     acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
> 
>     … (many acl like above)
> 
> 
>     use_backend eBH if host_1
> 
>    use_backend einvoice443 if host_2

You can use maps for this.
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

The openshift router has a complex but usable solution. Don't get confused with
the golang template stuff in there.

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198

Regards
Aleks

> *From:* Aleksandar Lazic 
> *Sent:* Monday, January 14, 2019 8:45 AM
> *To:* haproxy@formilux.org; Vũ Xuân Học ; 'PiBa-NL'
> 
> *Subject:* RE: Get client IP
> 
>  
> 
> Hi.
> 
> As you use IIS I strongly suggest to terminate the https on haproxy and use 
> mode
> http instead of tcp.
> 
> Here is a blog post about basic setup of haproxy with ssl
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> 
> I assume that haproxy has the client ip as the setup works in the http 
> config.
> 
> Best regards
> Aleks
> 
> 
> 
> *From:*"Vũ Xuân Học" mailto:ho...@thaison.vn>>
> *Sent:* 14 January 2019 02:17:23 CET
> *To:* 'PiBa-NL' mailto:piba.nl@gmail.com>>,
> 'Aleksandar Lazic' mailto:al-hapr...@none.at>>,
> haproxy@formilux.org <mailto:haproxy@formilux.org>
> *Subject:* RE: Get client IP
> 
>  
> 
> Thanks for your help
> 
>  
> 
> I tried configuring HAProxy with accept-proxy like this:
> 
> frontend ivan
> 
>  
> 
>     bind 192.168.0.4:443 accept-proxy
> 
>     mode tcp
> 
>     option tcplog
> 
>  
> 
> #option forwardfor
> 
>  
> 
>     reqadd X-Forwarded-Proto:\ https
> 
>  
> 
> then my website cannot be accessed.
> 
> I use IIS as the webserver and I don’t know how to accept proxy, I only know 
> how to configure
> X-Forwarded-For like this
> 
> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
> 
>  
> 
>  
> 
> *From:* PiBa-NL mailto:piba.nl@gmail.com>>
> *Sent:* Sunday, January 13, 2019 10:06 PM
> *To:* Aleksandar Lazic mailto:al-hapr...@none.at>>; Vũ 
> Xuân
> Học mailto:ho...@thaison.vn>>; haproxy@formilux.org
> <mailto:haproxy@formilux.org>
> *Subject:* Re: Get client IP
> 
>  
> 
> Hi,
> 
> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
> 
> Hi.
> 
>  
> 
> On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
> 
> Hi,
> 
>  
> 
> Please help me to solve this problem.
> 
>  
> 
> I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP
> in my .NET MVC website. With mode http, I can use option forwardfor to catch the
> client IP, but with tcp mode my web app reads X_Forwarded_For as null.
> 
>  
> 
>  
> 
>  
> 
> My diagram:
> 
>  
> 
> Client => Firewall => HAProxy => Web
> 
>  
> 
>  
> 
>  
> 
> I read the HAProxy documentation and tried to use send-proxy. But when I use 
> send-proxy, I can access my web.
> 
>  
> 
> This is my config:
> 
>  
> 
> frontend test2233
> 
>  
> 
>     bind *:2233
> 
>  
> 
>     option forwardfor
> 
>  
> 
>  
> 
>  
> 
>     default_backend testecus
> 
>  
> 
> backend testecus
> 
>  
> 
>     mode http
> 
>  
> 
>     server web1 192.168.0.151:2233 check
> 
>  
> 
> The above config works, and I can get the client IP
> 
>  
> 
> That's good as it's `mode http` therefore haproxy can see the http 
> traffic.
> 
> Indeed it can insert the http forwardfor header with 'mode http'.
> 
>  
> 
>  
> 
> Config with SSL:
> 
>   

RE: Get client IP

2019-01-13 Thread Vũ Xuân Học
Hi,

 

I don’t know how to use ssl in http mode. I have many sites with many 
certificates.

As you see:

 

…

bind 192.168.0.4:443   (I NAT port 443 from firewall to HAProxy IP 192.168.0.4)

…

# Define hosts

acl host_1 req.ssl_sni -i ebh.vn

acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn

… (many acl like above)



 

use_backend eBH if host_1

   use_backend einvoice443 if host_2

 

 

 

From: Aleksandar Lazic  
Sent: Monday, January 14, 2019 8:45 AM
To: haproxy@formilux.org; Vũ Xuân Học ; 'PiBa-NL' 

Subject: RE: Get client IP

 

Hi.

As you use IIS I strongly suggest to terminate the https on haproxy and use 
mode http instead of tcp.

Here is a blog post about basic setup of haproxy with ssl

https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

I assume that haproxy has the client ip as the setup works in the http config.

Best regards
Aleks

  _  

From: "Vũ Xuân Học" mailto:ho...@thaison.vn> >
Sent: 14 January 2019 02:17:23 CET
To: 'PiBa-NL' mailto:piba.nl@gmail.com> >, 
'Aleksandar Lazic' mailto:al-hapr...@none.at> >, 
haproxy@formilux.org <mailto:haproxy@formilux.org> 
Subject: RE: Get client IP

 

Thanks for your help

 

I tried configuring HAProxy with accept-proxy like this:

frontend ivan
 
bind 192.168.0.4:443 accept-proxy
mode tcp
option tcplog
 
#option forwardfor
 
reqadd X-Forwarded-Proto:\ https
 

then my website cannot be accessed. 

I use IIS as the webserver and I don’t know how to accept proxy; I only know how to configure 
X-Forwarded-For like this

http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/ 

 

 

From: PiBa-NL mailto:piba.nl@gmail.com> > 
Sent: Sunday, January 13, 2019 10:06 PM
To: Aleksandar Lazic mailto:al-hapr...@none.at> >; Vũ Xuân 
Học mailto:ho...@thaison.vn> >; haproxy@formilux.org 
<mailto:haproxy@formilux.org> 
Subject: Re: Get client IP

 

Hi,

On 13-1-2019 at 13:11, Aleksandar Lazic wrote:

Hi.
 
On 13.01.2019 at 12:17, Vũ Xuân Học wrote:

Hi,
 
Please help me to solve this problem.
 
I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP
in my .NET MVC website. With mode http, I can use option forwardfor to catch the
client IP, but with tcp mode my web app reads X_Forwarded_For as null.
 
 
 
My diagram:
 
Client => Firewall => HAProxy => Web
 
 
 
I read the HAProxy documentation and tried to use send-proxy. But when I use send-proxy, I can
access my web.
 
This is my config:
 
frontend test2233
 
bind *:2233
 
option forwardfor
 
 
 
default_backend testecus
 
backend testecus
 
mode http
 
server web1 192.168.0.151:2233 check
 
The above config works, and I can get the client IP

 
That's good as it's `mode http` therefore haproxy can see the http traffic.

Indeed it can insert the http forwardfor header with 'mode http'.

 
 

Config with SSL:
 
frontend ivan
 
bind 192.168.0.4:443
mode tcp
option tcplog
 
#option forwardfor
 
reqadd X-Forwarded-Proto:\ https

 
This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.
 
From my point of view you now have 2 options.
 
* use https termination on haproxy. Then you can add this http header.

That's one option indeed.

 
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy

I don't expect a firewall to send such a header. And if I understand correctly 
the 'webserver' would need to be configured to accept proxy-protocol.
The modification to make in haproxy would be to configure send-proxy[-v2-ssl-cn]
http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
And how to configure it with for example nginx:
https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx

 
 
The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
 
Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 

acl tls req.ssl_hello_type 1
 
tcp-request inspect-delay 5s
 
tcp-request content accept if tls
 
 
 
# Define hosts
 
acl host_1 req.ssl_sni -i ebh.vn
 
acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
 

 
   use_backend eBH if host_1
 
   use_backend einvoice443 if host_2
 
 
 
backend eBH
 
mode tcp
 
balance roundrobin
 
option ssl-hello-chk
 
   server web1 192.168.0.153:443 maxconn 3 check #cookie web1
 
   server web1 192.168.0.154:443 maxconn 3 check #cookie web2
 
 
 
The above config doesn’t work, and I cannot get the client IP. I tried server web1
192.168.0.153:443 send-proxy and

RE: Get client IP

2019-01-13 Thread Aleksandar Lazic
Hi.

As you use IIS I strongly suggest to terminate the https on haproxy and use 
mode http instead of tcp.

Here is a blog post about basic setup of haproxy with ssl

https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

I assume that haproxy has the client ip as the setup works in the http config.

Best regards
Aleks


 Original Message 
From: "Vũ Xuân Học" 
Sent: 14 January 2019 02:17:23 CET
To: 'PiBa-NL' , 'Aleksandar Lazic' , 
haproxy@formilux.org
Subject: RE: Get client IP

Thanks for your help

 

I tried configuring HAProxy with accept-proxy like this:

frontend ivan
 
bind 192.168.0.4:443 accept-proxy
mode tcp
option tcplog
 
#option forwardfor
 
reqadd X-Forwarded-Proto:\ https
 

then my website cannot be accessed. 

I use IIS as the webserver and I don’t know how to accept proxy; I only know how to configure 
X-Forwarded-For like this

http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/ 

 

 

From: PiBa-NL  
Sent: Sunday, January 13, 2019 10:06 PM
To: Aleksandar Lazic ; Vũ Xuân Học ; 
haproxy@formilux.org
Subject: Re: Get client IP

 

Hi,

On 13-1-2019 at 13:11, Aleksandar Lazic wrote:

Hi.
 
On 13.01.2019 at 12:17, Vũ Xuân Học wrote:

Hi,
 
Please help me to solve this problem.
 
I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP
in my .NET MVC website. With mode http, I can use option forwardfor to catch the
client IP, but with tcp mode my web app reads X_Forwarded_For as null.
 
 
 
My diagram:
 
Client => Firewall => HAProxy => Web
 
 
 
I read the HAProxy documentation and tried to use send-proxy. But when I use send-proxy, I can
access my web.
 
This is my config:
 
frontend test2233
 
bind *:2233
 
option forwardfor
 
 
 
default_backend testecus
 
backend testecus
 
mode http
 
server web1 192.168.0.151:2233 check
 
The above config works, and I can get the client IP

 
That's good as it's `mode http` therefore haproxy can see the http traffic.

Indeed it can insert the http forwardfor header with 'mode http'.



 
 

Config with SSL:
 
frontend ivan
 
bind 192.168.0.4:443
mode tcp
option tcplog
 
#option forwardfor
 
reqadd X-Forwarded-Proto:\ https

 
This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.
 
From my point of view you now have 2 options.
 
* use https termination on haproxy. Then you can add this http header.

That's one option indeed.



 
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy

I don't expect a firewall to send such a header. And if I understand correctly 
the 'webserver' would need to be configured to accept proxy-protocol.
The modification to make in haproxy would be to configure send-proxy[-v2-ssl-cn]
http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
And how to configure it with for example nginx:
https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx

 
 
The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
 
Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 

acl tls req.ssl_hello_type 1
 
tcp-request inspect-delay 5s
 
tcp-request content accept if tls
 
 
 
# Define hosts
 
acl host_1 req.ssl_sni -i ebh.vn
 
acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
 

 
   use_backend eBH if host_1
 
   use_backend einvoice443 if host_2
 
 
 
backend eBH
 
mode tcp
 
balance roundrobin
 
option ssl-hello-chk
 
   server web1 192.168.0.153:443 maxconn 3 check #cookie web1
 
   server web1 192.168.0.154:443 maxconn 3 check #cookie web2
 
 
 
The above config doesn’t work, and I cannot get the client IP. I tried server web1
192.168.0.153:443 send-proxy and tried server web1 192.168.0.153:443 send-proxy-v2,
but I can’t access my web.

 
This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.

Firewalls by themselves will never use proxy-protocol at all. That it doesn't 
work with send-proxy on the haproxy server line is likely because the 
webservice that is receiving the traffic isn't configured to accept the proxy 
protocol. How to configure a ".net mvc website" to accept that is something I 
don't know, if it is even possible at all.



 
 

Many thanks,

 
Best regards
Aleks
 

Thanks & Best Regards! 

* VU XUAN HOC
 

Regards,
PiBa-NL (Pieter)
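Terminating TLS on HAProxy, as suggested above, is what makes `mode http` (and with it a client-address header for IIS) possible; it also replaces the one `acl host_N req.ssl_sni` line per site quoted earlier in the thread, since the Host header can then be routed through a map as the later reply recommends. The configuration below is an added example written for this thread, not Aleks's or the HAProxy project's own. It assumes HAProxy 1.5 as in the thread, that each site's certificate and private key are concatenated into one PEM file under /etc/haproxy/certs/ (placeholder path), that IIS listens on plain HTTP port 80 behind HAProxy, and that /etc/haproxy/hosts.map (placeholder) holds host-to-backend lines in the format of the linked maps blog post.

```haproxy
# Added example (not from the thread): terminate TLS on HAProxy 1.5 so the
# frontend runs in mode http, serve several sites from one bind line, and hand
# the real client address to IIS. Paths and backend names are placeholders.

frontend https_in
    # With a directory, every PEM file in it is loaded and HAProxy selects the
    # certificate matching the SNI name the client sends. strict-sni refuses
    # handshakes whose SNI matches no loaded certificate instead of silently
    # answering with the first one.
    bind 192.168.0.4:443 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    option httplog

    # Overwrite rather than append: a client can send its own X-Forwarded-For,
    # and 'option forwardfor' would only add the real address after it,
    # leaving IIS to guess which value to trust. set-header replaces the whole
    # header with the address HAProxy saw on the socket.
    http-request set-header X-Forwarded-For %[src]
    # Tell the application the original request was HTTPS even though the hop
    # to IIS is plain HTTP.
    http-request set-header X-Forwarded-Proto https

    # Route on the Host header via a map file with lines such as
    #   ebh.vn            eBH
    #   einvoice.com.vn   einvoice443
    # map_dom also matches subdomains of each entry; unknown hosts fall to the
    # default named as the second argument.
    use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/hosts.map,no_such_site)]

backend eBH
    mode http
    balance roundrobin
    server web1 192.168.0.153:80 maxconn 3 check
    server web2 192.168.0.154:80 maxconn 3 check

backend einvoice443
    mode http
    server web3 192.168.0.151:80 check

backend no_such_site
    mode http
    # Deliberately has no server: a request for an unmapped Host gets a 503
    # instead of landing on whichever site happens to be listed first.
```

If IIS must keep listening on 443, the server lines would instead carry `ssl verify required` and a `ca-file`, so that HAProxy re-encrypts toward the backend and checks its certificate. `option forwardfor` is still fine when HAProxy is the only hop and the client's header is stripped first; `set-header` is used here because it makes the trust decision explicit in one line.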



RE: Get client IP

2019-01-13 Thread Vũ Xuân Học
Thanks for your help

 

I tried configuring HAProxy with accept-proxy like this:

frontend ivan
 
bind 192.168.0.4:443 accept-proxy
mode tcp
option tcplog
 
#option forwardfor
 
reqadd X-Forwarded-Proto:\ https
 

then my website cannot be accessed. 

I use IIS as the webserver and I don’t know how to accept proxy; I only know how to configure 
X-Forwarded-For like this

http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/ 

 

 

From: PiBa-NL  
Sent: Sunday, January 13, 2019 10:06 PM
To: Aleksandar Lazic ; Vũ Xuân Học ; 
haproxy@formilux.org
Subject: Re: Get client IP

 

Hi,

On 13-1-2019 at 13:11, Aleksandar Lazic wrote:

Hi.
 
On 13.01.2019 at 12:17, Vũ Xuân Học wrote:

Hi,
 
Please help me to solve this problem.
 
I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP
in my .NET MVC website. With mode http, I can use option forwardfor to catch the
client IP, but with tcp mode my web app reads X_Forwarded_For as null.
 
 
 
My diagram:
 
Client => Firewall => HAProxy => Web
 
 
 
I read the HAProxy documentation and tried to use send-proxy. But when I use send-proxy, I can
access my web.
 
This is my config:
 
frontend test2233
 
bind *:2233
 
option forwardfor
 
 
 
default_backend testecus
 
backend testecus
 
mode http
 
server web1 192.168.0.151:2233 check
 
The above config works, and I can get the client IP

 
That's good as it's `mode http` therefore haproxy can see the http traffic.

Indeed it can insert the http forwardfor header with 'mode http'.



 
 

Config with SSL:
 
frontend ivan
 
bind 192.168.0.4:443
mode tcp
option tcplog
 
#option forwardfor
 
reqadd X-Forwarded-Proto:\ https

 
This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.
 
From my point of view you now have 2 options.
 
* use https termination on haproxy. Then you can add this http header.

That's one option indeed.



 
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy

I don't expect a firewall to send such a header. And if I understand correctly 
the 'webserver' would need to be configured to accept proxy-protocol.
The modification to make in haproxy would be to configure send-proxy[-v2-ssl-cn]
http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
And how to configure it with for example nginx:
https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx

 
 
The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
 
Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 

acl tls req.ssl_hello_type 1
 
tcp-request inspect-delay 5s
 
tcp-request content accept if tls
 
 
 
# Define hosts
 
acl host_1 req.ssl_sni -i ebh.vn
 
acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
 

 
   use_backend eBH if host_1
 
   use_backend einvoice443 if host_2
 
 
 
backend eBH
 
mode tcp
 
balance roundrobin
 
option ssl-hello-chk
 
   server web1 192.168.0.153:443 maxconn 3 check #cookie web1
 
   server web1 192.168.0.154:443 maxconn 3 check #cookie web2
 
 
 
The above config doesn’t work, and I cannot get the client IP. I tried server web1
192.168.0.153:443 send-proxy and tried server web1 192.168.0.153:443 send-proxy-v2,
but I can’t access my web.

 
This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.

Firewalls by themselves will never use proxy-protocol at all. That it doesn't 
work with send-proxy on the haproxy server line is likely because the 
webservice that is receiving the traffic isn't configured to accept the proxy 
protocol. How to configure a ".net mvc website" to accept that is something I 
don't know, if it is even possible at all.



 
 

Many thanks,

 
Best regards
Aleks
 

Thanks & Best Regards! 

* VU XUAN HOC
 

Regards,
PiBa-NL (Pieter)



Re: Get client IP

2019-01-13 Thread PiBa-NL

Hi,
On 13-1-2019 at 13:11, Aleksandar Lazic wrote:

Hi.

On 13.01.2019 at 12:17, Vũ Xuân Học wrote:

Hi,

Please help me to solve this problem.

I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP
in my .NET MVC website. With mode http, I can use option forwardfor to catch the
client IP, but with tcp mode my web app reads X_Forwarded_For as null.

  


My diagram:

Client => Firewall => HAProxy => Web

  


I read the HAProxy documentation and tried to use send-proxy. But when I use send-proxy, I can
access my web.

This is my config:

frontend test2233

     bind *:2233

     option forwardfor

  


     default_backend testecus

backend testecus

     mode http

     server web1 192.168.0.151:2233 check

The above config works, and I can get the client IP

That's good as it's `mode http` therefore haproxy can see the http traffic.

Indeed it can insert the http forwardfor header with 'mode http'.



Config with SSL:

frontend ivan

     bind 192.168.0.4:443
     mode tcp
     option tcplog

#option forwardfor

     reqadd X-Forwarded-Proto:\ https

This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.

From my point of view you now have 2 options.

* use https termination on haproxy. Then you can add this http header.

That's one option indeed.

* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy


I don't expect a firewall to send such a header. And if I understand 
correctly the 'webserver' would need to be configured to accept 
proxy-protocol.
The modification to make in haproxy would be to configure 
send-proxy[-v2-ssl-cn]

http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
And how to configure it with for example nginx:
https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx



The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode

Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/


     acl tls req.ssl_hello_type 1
     tcp-request inspect-delay 5s
     tcp-request content accept if tls

     # Define hosts
     acl host_1 req.ssl_sni -i ebh.vn
     acl host_2 req.ssl_sni -i -m end einvoice.com.vn

     use_backend eBH if host_1
     use_backend einvoice443 if host_2

backend eBH
     mode tcp
     balance roundrobin
     option ssl-hello-chk
     server web1 192.168.0.153:443 maxconn 3 check #cookie web1
     server web2 192.168.0.154:443 maxconn 3 check #cookie web2


Above config doesn’t work, and I can not get the client ip. I try server web1
192.168.0.153:443 send-proxy and try server web1 192.168.0.153:443 send-proxy-v2
but I can’t access my web.

This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.
Firewalls by themselves will never use proxy-protocol at all. That it 
doesn't work with send-proxy on the haproxy server line is likely 
because the webservice that is receiving the traffic isn't configured to 
accept the proxy protocol. How to configure a ".net mvc website" to 
accept that is something I don't know, if it is even possible at all.



Many thanks,

Best regards
Aleks


Thanks & Best Regards!

* VU XUAN HOC


Regards,
PiBa-NL (Pieter)
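Added example (not from the thread and not HAProxy's code): a Python encoder/decoder for the PROXY protocol v1 and v2 headers that `send-proxy` and `send-proxy-v2` on a server line prepend to every backend connection. It shows why the site stopped answering as soon as send-proxy was added without touching the web server: the first bytes on the socket are `PROXY TCP4 ...` (v1) or the 12-byte v2 signature, not a TLS record, so a listener that does not know the protocol fails the handshake, whereas a PROXY-aware listener strips the header first and gets the real client address from it. Addresses, ports and the TLS record prefix are constructed.

```python
"""
PROXY protocol v1/v2 encoder and decoder. Added to this thread as an
illustration; it is not HAProxy code. It shows the bytes that
`send-proxy` and `send-proxy-v2` on a server line prepend to each
backend connection, and what a receiving TLS listener sees if it was
not configured to strip them. All addresses and ports are constructed.
"""
import socket
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"         # 12-byte PROXY v2 magic
TLS_HANDSHAKE_PREFIX = bytes.fromhex("160301")    # start of a TLS ClientHello record (constructed stand-in)


def build_v1(src_ip, dst_ip, src_port, dst_port):
    """Header written by `send-proxy`: one ASCII line, at most 107 bytes incl. CRLF."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def build_v2(src_ip, dst_ip, src_port, dst_port):
    """Header written by `send-proxy-v2` for IPv4/TCP: signature, version/command,
    family/transport, length, then the binary address block."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    # 0x21: version 2 | command PROXY; 0x11: AF_INET | STREAM
    return V2_SIGNATURE + b"\x21\x11" + struct.pack("!H", len(addrs)) + addrs


def strip_proxy_header(data):
    """What a PROXY-aware backend does first on every connection.
    Returns ((src_ip, src_port, dst_ip, dst_port) or None, remaining bytes).
    None means no client address was carried (v1 UNKNOWN, v2 LOCAL, or no header)."""
    if data.startswith(V2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("truncated PROXY v2 header")
        ver_cmd, fam_proto = data[12], data[13]
        length = struct.unpack("!H", data[14:16])[0]
        if ver_cmd >> 4 != 2:
            raise ValueError("unsupported PROXY version")
        body, rest = data[16:16 + length], data[16 + length:]
        if len(body) != length:
            raise ValueError("truncated PROXY v2 address block")
        if ver_cmd & 0x0F == 0:               # LOCAL: e.g. a health check, no client address
            return None, rest
        if fam_proto == 0x11 and length >= 12:  # AF_INET / STREAM
            src_ip, dst_ip = socket.inet_ntoa(body[0:4]), socket.inet_ntoa(body[4:8])
            src_port, dst_port = struct.unpack("!HH", body[8:12])
            return (src_ip, src_port, dst_ip, dst_port), rest
        raise ValueError("unsupported PROXY v2 address family")
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 107)      # CRLF must fall inside the 107-byte maximum
        if end < 0:
            raise ValueError("PROXY v1 header not terminated within 107 bytes")
        fields = data[:end].decode("ascii").split(" ")
        rest = data[end + 2:]
        if fields[1:2] == ["UNKNOWN"]:
            return None, rest
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed PROXY v1 header")
        return (fields[2], int(fields[4]), fields[3], int(fields[5])), rest
    return None, data                         # plain connection: nothing to strip


def is_tls_handshake(data):
    """True if the first bytes are a TLS handshake record header (0x16 0x03 xx)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def bytes_on_the_wire(send_proxy):
    """First bytes the web server receives for a given server-line setting:
    send_proxy is None (plain `server`), 1 (`send-proxy`) or 2 (`send-proxy-v2`)."""
    client, frontend = ("203.0.113.7", 51234), ("192.168.0.4", 443)   # constructed
    if send_proxy == 1:
        header = build_v1(client[0], frontend[0], client[1], frontend[1])
    elif send_proxy == 2:
        header = build_v2(client[0], frontend[0], client[1], frontend[1])
    else:
        header = b""
    return header + TLS_HANDSHAKE_PREFIX


if __name__ == "__main__":
    for mode in (None, 1, 2):
        raw = bytes_on_the_wire(mode)
        # A listener that is NOT PROXY-aware feeds `raw` straight into TLS:
        print(f"send_proxy={mode}: unaware TLS listener sees a handshake? {is_tls_handshake(raw)}")
        # A PROXY-aware listener strips the header first and learns the client IP:
        client, payload = strip_proxy_header(raw)
        print(f"   aware listener: client={client}, handshake? {is_tls_handshake(payload)}")
```

The header is not authenticated. A backend port that accepts PROXY from arbitrary peers lets any client forge its source address, so expose such a port only to the proxy. The same applies to `accept-proxy` on an HAProxy bind line; `tcp-request connection expect-proxy layer4 if { src <firewall-ip> }` limits it to known peers instead of trusting every connection.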



Re: Get client IP

2019-01-13 Thread Aleksandar Lazic
Hi.

Am 13.01.2019 um 12:17 schrieb Vũ Xuân Học:
> Hi,
> 
> Please help me to solve this problem.
> 
> I use HAProxy version 1.5.18, SSL transparent mode and I can not get client IP
> in my .net mvc website. With mode http, I can use option forwardfor to catch
> client ip but with tcp mode, my web read X_Forwarded_For is null.
> 
>  
> 
> My diagram:
> 
> Client => Firewall => HAProxy => Web
> 
>  
> 
> I read HAProxy document, try to use send-proxy. But when use send-proxy, I can
> access my web.
> 
> This is my config:
> 
> frontend test2233
>     bind *:2233
>     option forwardfor
>     default_backend testecus
> 
> backend testecus
>     mode http
>     server web1 192.168.0.151:2233 check
> 
> Above config work, and I can get the client IP

That's good as it's `mode http` therefore haproxy can see the http traffic.

> Config with SSL:
> 
> frontend ivan
>     bind 192.168.0.4:443
>     mode tcp
>     option tcplog
> 
>     #option forwardfor
>     reqadd X-Forwarded-Proto:\ https

This can't work as you use `mode tcp` and therefore haproxy can't see the http
traffic.

From my point of view you now have 2 options.

* use https termination on haproxy. Then you can add this http header.
* use accept-proxy in the bind line. This option requires that the firewall is
able to send the PROXY PROTOCOL header to haproxy.
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy

The different modes are described in the doc
https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode

Here is a blog post about basic setup of haproxy with ssl
https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/

>     acl tls req.ssl_hello_type 1
>     tcp-request inspect-delay 5s
>     tcp-request content accept if tls
> 
>     # Define hosts
>     acl host_1 req.ssl_sni -i ebh.vn
>     acl host_2 req.ssl_sni -i -m end einvoice.com.vn
> 
>     use_backend eBH if host_1
>     use_backend einvoice443 if host_2
> 
> backend eBH
>     mode tcp
>     balance roundrobin
>     option ssl-hello-chk
>     server web1 192.168.0.153:443 maxconn 3 check #cookie web1
>     server web2 192.168.0.154:443 maxconn 3 check #cookie web2
> 
> 
> Above config doesn’t work, and I can not get the client ip. I try server web1
> 192.168.0.153:443 send-proxy and try server web1 192.168.0.153:443 
> send-proxy-v2
> but I can’t access my web.

This is expected as the Firewall does not send the PROXY PROTOCOL header and the
bind line is not configured for that.

> Many thanks,

Best regards
Aleks

> Thanks & Best Regards!
> 
> VU XUAN HOC
> Mobile: 0169.8081005
> THAISON TECHNOLOGY DEVELOPMENT COMPANY
> Add:   11 Dang Thuy Tram, Hoang Quoc Viet, Cau Giay, Ha Noi
> Tel:   +84.4.37545222
> Fax:   +84.4.37545223
> Email: ho...@thaison.vn
> Web:   http://www.thaison.vn; http://www.einvoice.vn; http://www.etax.vn; http://www.ebh.vn
> 
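Added example (not from the thread and not HAProxy's code): a Python sketch of what a `mode tcp` frontend can read from a TLS connection. It builds a TLS 1.2 ClientHello with a server_name extension (random, session and cipher fields are dummies) and extracts the two values the `req.ssl_hello_type` and `req.ssl_sni` fetches in the config above read; `choose_backend` mirrors the `use_backend` rules (exact match on ebh.vn, suffix match on einvoice.com.vn). `http_host` shows the other half of the point: on that connection the HTTP request, with its Host header and any X-Forwarded-For, sits inside the encrypted application data, so `option forwardfor` and `reqadd` have nothing to work on until HAProxy terminates TLS.

```python
"""
What a `mode tcp` frontend can read from a TLS connection. Added as an
illustration for this thread, not HAProxy code. It builds a TLS 1.2
ClientHello carrying an SNI extension (random, session and cipher
fields are constructed dummies) and extracts the same two things
HAProxy's `req.ssl_hello_type` and `req.ssl_sni` fetches read, then
shows that the HTTP Host header is not available on such a connection.
"""
import struct


def build_client_hello(server_name):
    """Construct a single-record TLS 1.2 ClientHello with a server_name extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = server_name
    body = (b"\x03\x03"                                   # client_version TLS 1.2
            + b"\x11" * 32                                # random (dummy)
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                                 # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)  # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ssl_hello_type(data):
    """Like req.ssl_hello_type: the handshake type of a TLS handshake record, else None."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
        return None
    return data[5]


def ssl_sni(data):
    """Like req.ssl_sni: host_name from the server_name extension of a ClientHello,
    or None (not TLS, not a ClientHello, no SNI, or not fully buffered yet).
    Assumes the ClientHello fits in one record (assumption of this example)."""
    if ssl_hello_type(data) != 1:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < rec_len:
        return None                       # incomplete: this is what inspect-delay waits for
    try:
        end = 4 + int.from_bytes(hs[1:4], "big")
        p = 4 + 2 + 32                    # skip client_version and random
        p += 1 + hs[p]                    # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                    # compression_methods
        if p + 2 > end:
            return None                   # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0:
                q = p + 2                 # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_type = hs[q]
                    name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:
                        return hs[q:q + name_len].decode("ascii")
                    q += name_len
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def http_host(data):
    """What an hdr(host) fetch needs: the Host header of a plaintext HTTP request.
    On a TLS connection the request is inside encrypted application data, so there
    is nothing to read; this is why forwardfor/reqadd cannot work in mode tcp."""
    if ssl_hello_type(data) is not None:
        return None
    for line in data.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii")
    return None


def choose_backend(data):
    """The thread's use_backend rules: exact match for ebh.vn, suffix match for einvoice.com.vn."""
    name = ssl_sni(data)
    if name is None:
        return None
    name = name.lower()
    if name == "ebh.vn":
        return "eBH"
    if name.endswith("einvoice.com.vn"):
        return "einvoice443"
    return None


if __name__ == "__main__":
    for host in ("ebh.vn", "www.einvoice.com.vn", "other.example"):
        hello = build_client_hello(host)
        print(f"{host}: hello_type={ssl_hello_type(hello)} sni={ssl_sni(hello)} "
              f"host_hdr={http_host(hello)} backend={choose_backend(hello)}")
```

The parser deliberately returns None for anything short or malformed rather than guessing: on a real frontend that is the state `tcp-request inspect-delay` covers, since the fetch has nothing to return until the whole ClientHello is buffered.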




Get client IP

2019-01-13 Thread Vũ Xuân Học
Hi,

Please help me to solve this problem.

I use HAProxy version 1.5.18, SSL transparent mode and I cannot get the client IP 
in my .net mvc website. With mode http, I can use option forwardfor to catch the 
client ip but with tcp mode, my web reads X_Forwarded_For as null.

 

My diagram:

Client => Firewall => HAProxy => Web

 

I read HAProxy document, try to use send-proxy. But when use send-proxy, I can 
access my web.

This is my config:

frontend test2233
    bind *:2233
    option forwardfor
    default_backend testecus

backend testecus
    mode http
    server web1 192.168.0.151:2233 check

Above config work, and I can get the client IP

 

Config with SSL:

frontend ivan
    bind 192.168.0.4:443
    mode tcp
    option tcplog

    #option forwardfor
    reqadd X-Forwarded-Proto:\ https

    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 5s
    tcp-request content accept if tls

    # Define hosts
    acl host_1 req.ssl_sni -i ebh.vn
    acl host_2 req.ssl_sni -i -m end einvoice.com.vn

    use_backend eBH if host_1
    use_backend einvoice443 if host_2

backend eBH
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web1 192.168.0.153:443 maxconn 3 check #cookie web1
    server web2 192.168.0.154:443 maxconn 3 check #cookie web2

 

Above config doesn’t work, and I can not get the client ip. I try server web1 
192.168.0.153:443 send-proxy and try server web1 192.168.0.153:443 
send-proxy-v2 but I can’t access my web.

 

Many thanks,

Thanks & Best Regards!

VU XUAN HOC
Mobile: 0169.8081005

THAISON TECHNOLOGY DEVELOPMENT COMPANY
Add:   11 Dang Thuy Tram, Hoang Quoc Viet, Cau Giay, Ha Noi
Tel:   +84.4.37545222
Fax:   +84.4.37545223
Email: ho...@thaison.vn
Web:   http://www.thaison.vn; http://www.einvoice.vn; http://www.etax.vn; http://www.ebh.vn