Re: Chained HA proxy with proxy protocol not working

2019-05-24 Thread Lukas Tribus
Hi Tim,

On Fri, 24 May 2019 at 13:36, Tim Düsterhus wrote:
>
> Lukas,
>
> Am 24.05.19 um 11:27 schrieb Lukas Tribus:
> > FYI this was double posted and has already been looked at here:
> >
> > https://discourse.haproxy.org/t/chained-haproxy-in-tcp-mode-with-proxy-protocol-enabled-not-working/3843/
> >
>
> I'm not signed up in Discourse, thus here on the list.
>
> I believe when `accept-proxy` is configured on HAProxy B there should be
> another `send-proxy` in the `server` line of HAProxy B, no?

Correct, 'accept-proxy' on haproxy B is a wrong and irrelevant
configuration, it was wrongly used for testing purposes (and confirms
that the backend server expects plain SSL instead of PROXY+SSL).

The point is that unless the source IP is needed on haproxy B, the
PROXY protocol can be passed transparently to the backend server,
without accepting and rewriting it on the backend.

Lukas
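
The difference between plain SSL and PROXY+SSL discussed in this thread, as an added example that is not part of any list post or of HAProxy's own code: a Python sketch that builds the header a `send-proxy-v2` hop prepends and classifies the first bytes a listener receives. The addresses and the ClientHello prefix are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"        # 12-byte PROXY protocol v2 signature
CLIENT_HELLO = b"\x16\x03\x01\x02\x00\x01"  # constructed: start of a TLS handshake record


def build_v2_ipv4(src, sport, dst, dport):
    """Header a `send-proxy-v2` hop prepends for a TCP-over-IPv4 connection."""
    addrs = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


def classify(stream):
    """Return (kind, client, payload) for the first bytes a listener receives."""
    if stream.startswith(V2_SIG):
        if len(stream) < 16:
            raise ValueError("truncated PROXY v2 header")
        ver_cmd, fam, length = struct.unpack("!BBH", stream[12:16])
        if ver_cmd >> 4 != 2 or len(stream) < 16 + length:
            raise ValueError("malformed PROXY v2 header")
        body, payload = stream[16:16 + length], stream[16 + length:]
        client = None  # stays None for LOCAL commands and families not decoded here
        if ver_cmd & 0x0F == 1 and fam == 0x11 and length >= 12:
            client = (socket.inet_ntoa(body[:4]), struct.unpack("!H", body[8:10])[0])
        return "proxy-v2", client, payload
    if stream.startswith(b"PROXY "):  # v1 text header, as sent by `send-proxy`
        line, sep, payload = stream.partition(b"\r\n")
        parts = line.decode("ascii", "replace").split(" ")
        if not sep or len(line) > 105:
            raise ValueError("malformed PROXY v1 header")
        client = (parts[2], int(parts[4])) if len(parts) == 6 else None
        return "proxy-v1", client, payload
    if len(stream) >= 2 and stream[0] == 0x16 and stream[1] == 0x03:
        return "tls", None, stream
    return "unknown", None, stream


if __name__ == "__main__":
    wire = build_v2_ipv4("203.0.113.7", 51234, "198.51.100.10", 443) + CLIENT_HELLO
    kind, client, payload = classify(wire)
    print(kind, client)          # what a listener that parses the header recovers
    print(classify(payload)[0])  # what remains once the header is consumed
    print(hex(wire[0]))          # first byte a plain-TLS listener gets instead of 0x16
```

A listener that does not expect the header gets the signature bytes where it expects a TLS record, which is why every hop must agree on whether the header is present.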



Re: Chained HA proxy with proxy protocol not working

2019-05-24 Thread Tim Düsterhus
Lukas,

Am 24.05.19 um 11:27 schrieb Lukas Tribus:
> FYI this was double posted and has already been looked at here:
> 
> https://discourse.haproxy.org/t/chained-haproxy-in-tcp-mode-with-proxy-protocol-enabled-not-working/3843/
> 

I'm not signed up in Discourse, thus here on the list.

I believe when `accept-proxy` is configured on HAProxy B there should be
another `send-proxy` in the `server` line of HAProxy B, no?

Best regards
Tim Düsterhus



Re: Chained HA proxy with proxy protocol not working

2019-05-24 Thread Lukas Tribus
Hello,

On Wed, 22 May 2019 at 14:03, praveen kumar wrote:
>
> have a haproxy setup as follow:
>
> Client --> Haproxy (LOCATION A)--> HAProxy(LOCATION B)--> Server

FYI this was double posted and has already been looked at here:

https://discourse.haproxy.org/t/chained-haproxy-in-tcp-mode-with-proxy-protocol-enabled-not-working/3843/


Lukas



Re: Chained HA proxy with proxy protocol not working

2019-05-22 Thread Aleksandar Lazic

You need to add `accept-proxy` keyword in receiving haproxy bind line.

https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-accept-proxy

Hth
 Aleks

Wed May 22 14:03:26 GMT+02:00 2019 praveen kumar:

>
> have a haproxy setup as follow:
>
> Client --> Haproxy (LOCATION A)--> HAProxy(LOCATION B)--> Server
>
> Both HA Proxy are running in TCP mode in both frontend and backend. My server
> wants to see actual client ip connecting to it, so I have enabled send-proxy
> on location A haproxy and sending it haproxy at location B. I can proxy
> header on my server. I can see initial ssl handshake between haproxy at
> location B and server, but no data is being sent and response not received at
> the client end.
>
> Location A config :
>
> global
> log  127.0.0.1:514  local0 info
> log  127.0.0.1:514  local0 debug
>   #log   127.0.0.1:514  local1 notice
>   #log  loghost local0 info
> maxconn 4096
>   #chroot  /usr/share/haproxy
>   #user  haproxy
>   #group  haproxy
> daemon
> debug
>   #quiet
>   #ssl-server-verify  none
> defaults
> mode tcp
> log global
> option httplog
> option dontlognull
> option http-server-close
> option redispatch
> retries 3
> timeout http-request 10s
> timeout queue 1m
> timeout connect 10s
> timeout client 1m
> timeout server 1m
> timeout http-keep-alive 10s
> timeout check 10s
> maxconn 3000
>
> frontend https_in
> bind *:443
> mode tcp
> option tcplog
> timeout client 1m
> default_backend https
>
> backend https
> mode tcp
> option tcplog
> option log-health-checks
>   #option  redispatch
> server halocb x.x.x.x:443 check send-proxy-v2
>
> Location B config :
>
> global
> log  127.0.0.1:514  local0 info
> log  127.0.0.1:514  local0 debug
>   #log   127.0.0.1:514  local1 notice
>   #log  loghost local0 info
> maxconn 4096
>   #chroot  /usr/share/haproxy
>   #user  haproxy
>   #group  haproxy
> daemon
> debug
>   #quiet
>   #ssl-server-verify  none
> defaults
> mode tcp
> log global
> option httplog
> option dontlognull
> option http-server-close
> option redispatch
> retries 3
> timeout http-request 10s
> timeout queue 1m
> timeout connect 10s
> timeout client 1m
> timeout server 1m
> timeout http-keep-alive 10s
> timeout check 10s
> maxconn 3000
>
> frontend https_in
> bind *:443
> mode tcp
> option tcplog
> timeout client 1m
> default_backend https
>
> backend https
> mode tcp
> option tcplog
> option log-health-checks
>   #option  redispatch
> server halocb  mysite.ul.com:443  check ssl verify none
>
>
> --
> V.PRAVEEN KUMAR
>