Re: Get http connection client/server ip/port

2019-07-08 Thread Lukas Tribus
Hello,

as confirmed in the github issue and for the record here as well (so
that we have the solution in the archives):

This is not a haproxy bug, but turned out to be a kernel/conntrack
thing. Disabling nf_conntrack_tcp_loose fixes this:

https://www.spinics.net/lists/netdev/msg546371.html


cheers,
lukas



Re: Get http connection client/server ip/port

2019-07-05 Thread Peter Hudec
Just to be sure, I have tried another kernel, with the same result:

0 : CentOS Linux (5.1.16-1.el7.elrepo.x86_64) 7 (Core)
1 : CentOS Linux (4.4.184-1.el7.elrepo.x86_64) 7 (Core)
2 : CentOS Linux (3.10.0-957.21.3.el7.x86_64) 7 (Core)




Re: Get http connection client/server ip/port

2019-07-05 Thread Peter Hudec
There was no IPv6.

If I change BIND from

bind :80
bind :443 ssl crt /home/certs/haproxy/combined/

to

bind :::80 v4v6
bind :::443 v4v6 ssl crt /home/certs/haproxy/combined/

IPv4 and IPv6 are working as expected.

But in this setup IPv4 is wrong, IPv6 is OK:

bind :::80
bind :::443 ssl crt /home/certs/haproxy/combined/
bind :80
bind :443 ssl crt /home/certs/haproxy/combined/


regards
Peter


Re: Get http connection client/server ip/port

2019-07-05 Thread Peter Hudec
it works on localhost, but not on public ip

curl -k -v https://2.57.64.11 
curl -k -v http://2.57.64.11

or try IPv6 2a09:d4c0::11

Peter


Re: Get http connection client/server ip/port

2019-07-05 Thread Peter Hudec
This config does not work.
I took your working config and added my global and defaults sections:

global
    log 127.0.0.1 local2

    chroot  /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user    haproxy
    group   haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/opt/rh/rh-haproxy18/lib/haproxy/stats

    # set default parameters to the modern configuration
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/

    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    tune.ssl.default-dh-param 2048
    ssl-server-verify none

#---------------------------------------------------------------------
# HTTP section defaults, frontends and backends
#---------------------------------------------------------------------

defaults HTTP
    mode    http
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  forwardfor   except 127.0.0.0/8
    option  redispatch
    retries 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    timeout tunnel          3600s
    maxconn 3000
    default-server inter 15s rise 2 fall 2


#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
listen fe_http_main
    bind :80
    bind :443 ssl crt /home/certs/haproxy/combined/
    mode http

    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP

    timeout connect 1s
    timeout server  5s
    timeout client  5s

    http-response set-header X-Server-IP %[dst]
    http-response set-header X-Server-Port %[dst_port]
    http-response set-header X-Client-IP %[src]
    http-response set-header X-Client-Port %[src_port]
    server www  127.0.0.1:8000

listen srv
    mode http
    bind 127.0.0.1:8000
    http-request deny deny_status 200





Re: Get http connection client/server ip/port

2019-07-05 Thread Peter Hudec
There's no problem with nginx/php.

If I add these lines to my config

http-response set-header X-Server-IP %[dst]
http-response set-header X-Server-Port %[dst_port]
http-response set-header X-Client-IP %[src]
http-response set-header X-Client-Port %[src_port]

I see exactly the same.

Peter




Re: Get http connection client/server ip/port

2019-07-05 Thread Christopher Faulet


I don't know how your nginx/php is configured. But try to replace nginx with
ncat. Something like this:


  printf "HTTP/1.1 200 ok\r\nContent-length: 0\r\n\r\n" | nc -l -p  {PORT}

You will see the request from the server point of view. If it still fails, share 
the smallest HAProxy configuration to reproduce the bug.


--
Christopher Faulet
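
A small diagnostic script, added here as an example (it is not code from the thread, from HAProxy, or from any of the posters), that scripts the two checks this thread converges on: whether the response headers from a `curl -k -v` run against the listener show `%[dst]`/`%[dst_port]` coming back equal to `%[src]`/`%[src_port]` (the X-Server-* and X-Client-* headers from Peter's config), and whether `nf_conntrack_tcp_loose`, the sysctl Lukas names as the cause, is enabled on the host. The function names, the log file path and the sample curl output are assumptions constructed for the example; the sysctl path is the real /proc entry but can be overridden so the check runs against a constructed file.

```shell
#!/bin/sh
# Added example, not code from the thread or from HAProxy.
#  * is_dst_reflected FILE  : FILE holds the stderr of 'curl -k -v https://host'
#    (curl prefixes response headers with '< '). Exit 0 when X-Server-IP and
#    X-Server-Port equal X-Client-IP and X-Client-Port, i.e. when %[dst] and
#    %[dst_port] were filled with the client's address (the symptom in this
#    thread); exit 2 when any of the four headers is missing.
#  * tcp_loose_enabled [PATH]: exit 0 when nf_conntrack_tcp_loose is not 0.
#    PATH defaults to the real /proc entry; a constructed file can be passed.

header_value() {
    # $1 = header name; stdin = curl -v output. Case-insensitive, first match
    # only, CR and surrounding whitespace stripped.
    grep -i "^< $1:" | head -n 1 \
        | sed 's/^< [^:]*:[[:space:]]*//' | tr -d '\r' | sed 's/[[:space:]]*$//'
}

is_dst_reflected() {
    sip=$(header_value X-Server-IP < "$1")
    sport=$(header_value X-Server-Port < "$1")
    cip=$(header_value X-Client-IP < "$1")
    cport=$(header_value X-Client-Port < "$1")
    # nothing to compare unless HAProxy actually set all four headers
    [ -n "$sip" ] && [ -n "$sport" ] && [ -n "$cip" ] && [ -n "$cport" ] || return 2
    [ "$sip" = "$cip" ] && [ "$sport" = "$cport" ]
}

tcp_loose_enabled() {
    f=${1:-/proc/sys/net/netfilter/nf_conntrack_tcp_loose}
    [ -r "$f" ] || return 2            # conntrack not loaded, or not Linux
    [ "$(tr -d '[:space:]' < "$f")" != "0" ]
}

# Typical use on the affected host (curl -v writes the headers to stderr;
# curl.log is an assumed file name):
#   curl -k -v https://2.57.64.11 2> curl.log > /dev/null
#   if is_dst_reflected curl.log && tcp_loose_enabled; then
#       echo "dst reflects src and nf_conntrack_tcp_loose is on;"
#       echo "try: sysctl -w net.netfilter.nf_conntrack_tcp_loose=0"
#   fi
```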



Re: Get http connection client/server ip/port

2019-07-05 Thread Peter Hudec
Hi,

still could be problem on my side, but I have the same result with version
1.8.20
1.9.8
2.0.1

Peter




Re: Get http connection client/server ip/port

2019-07-05 Thread Peter Hudec
Hi Jarno,

thanks for the answer.
I tried to run the haproxy in debug mode, but I do not see the request headers 
for the upstream in the log.

But I have found some new facts.

Test these 2 scenarios; at the moment there are no valid certs:

http://web01.test.host.sk/test.php 
https://web01.test.host.sk/test.php

look for the
X_SERVER_IP
X_SERVER_PORT
X_CLIENT_IP
X_CLIENT_PORT

See the difference?
For the HTTP, the values are correct, for HTTPS not.

I'm running RH SCL HAPROXY. I could try to compile a newer version, or are there
any for CentOS7?

regards
Peter







Re: Get http connection client/server ip/port

2019-07-05 Thread Christopher Faulet

On 04/07/2019 at 15:16, Peter Hudec wrote:

Hi,

I may have found a bug in haproxy, submitted as
https://github.com/haproxy/haproxy/issues/154.

The variables dst, dst_port are identical with the src, src_port.

Is there any other way to get these (in this case dst) values?

What I need is:

 http-request set-header X-Server-IP %[dst]
 http-request set-header X-Server-Port %[dst_port]
 http-request set-header X-Client-IP %[src]
 http-request set-header X-Client-Port %[src_port]

result is ;(

   'HTTP_X_CLIENT_PORT' => '22696',
   'HTTP_X_CLIENT_IP' => '217.73.20.190',
   'HTTP_X_SERVER_PORT' => '22696',
   'HTTP_X_SERVER_IP' => '217.73.20.190',



Hi,

For the record, I closed the issue on Github. I guess it is a problem with the 
server. I've made some tests, and the HTTP request's headers are set to the 
right values.


Regards,
--
Christopher Faulet



Re: Get http connection client/server ip/port

2019-07-04 Thread Jarno Huuskonen
Hi,

On Thu, Jul 04, Peter Hudec wrote:
> I may have found a bug in haproxy, submitted as
> https://github.com/haproxy/haproxy/issues/154.

1.8.4 is fairly old, can you reproduce on more recent 1.8.x or latest 2.0.x?

> The variables dst, dst_port are identical with the src, src_port.
> 
> Is there any other way to get these (in this case dst) values?
> 
> What I need is:
> 
> http-request set-header X-Server-IP %[dst]
> http-request set-header X-Server-Port %[dst_port]
> http-request set-header X-Client-IP %[src]
> http-request set-header X-Client-Port %[src_port]
> 
> result is ;(
> 
>   'HTTP_X_CLIENT_PORT' => '22696',
>   'HTTP_X_CLIENT_IP' => '217.73.20.190',
>   'HTTP_X_SERVER_PORT' => '22696',
>   'HTTP_X_SERVER_IP' => '217.73.20.190',

With this simple test config dst, dst_port etc. seem to work for me, does
this config work for you?

global
stats socket /tmp/stats level admin

defaults
mode http
log global
option httplog

frontend test
bind :8080

default_backend test_be

backend test_be
http-request set-header X-Server-IP %[dst]
http-request set-header X-Server-Port %[dst_port]
http-request set-header X-Client-IP %[src]
http-request set-header X-Client-Port %[src_port]

server srv1 127.0.0.1:9000 id 1

listen yeah
bind ipv4@127.0.0.1:9000
http-request deny deny_status 200

run with for example haproxy -d -f tmp.conf and
curl http://127.0.0.1:8080 and you should see the headers from haproxy debug
output.

-Jarno

-- 
Jarno Huuskonen